Windows Analysis Report
2V7zjcga5L.dll

Overview

General Information

Sample Name: 2V7zjcga5L.dll
Analysis ID: 626492
MD5: b65d38f56203a50c2354abaa5af38aa4
SHA1: 81fb867e785b6e8505ca59b5de7f46d598a37fc3
SHA256: 18ad1fa8e0dcb3b64ff7ef042649fdc602668b4a0978f0351c98177162916139
Tags: exetrojan

Detection

Emotet
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found evasive API chain (may stop execution after checking a module file name)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Program does not show much activity (idle)
IP address seen in connection with other malware
PE file contains an invalid checksum
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Registers a DLL
Queries disk information (often used to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: 2V7zjcga5L.dll Virustotal: Detection: 32%
Source: https://23.239.0.12/S9 Avira URL Cloud: Label: malware
Source: https://23.239.0.12/w9 Avira URL Cloud: Label: malware
Source: unknown HTTPS traffic detected: 23.239.0.12:443 -> 192.168.2.5:49754 version: TLS 1.2
Source: 2V7zjcga5L.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msacm32.pdb source: regsvr32.exe, 00000007.00000002.828634313.0000000000C95000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: msacm32.pdbGCTL source: regsvr32.exe, 00000007.00000002.828634313.0000000000C95000.00000004.00000010.00020000.00000000.sdmp
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000D26C FindFirstFileW,FindNextFileW,FindClose, 7_2_000000018000D26C
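The static PE information above (DYNAMIC_BASE and NX_COMPAT set, plus the "PE file contains an invalid checksum" signature) can be reproduced from the optional header alone. The following Python is an added example written for this page; it is not part of the Joe Sandbox report and is not code from the sample. It reads DllCharacteristics, recomputes the CheckSum field with the algorithm CheckSumMappedFile uses (the same one pefile's generate_checksum implements) and compares it with the stored value. Because the analysed DLL is not available here, the input is a constructed, headers-only PE32+ image built by build_minimal_pe; the offsets and flag bits are taken from the PE/COFF specification.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}

def optional_header_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER; validates the MZ and PE signatures first."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20          # PE signature + IMAGE_FILE_HEADER (20 bytes)

def stored_checksum(data: bytes) -> int:
    # CheckSum sits at offset 64 of the optional header in both PE32 and PE32+
    return struct.unpack_from("<I", data, optional_header_offset(data) + 64)[0]

def dll_characteristics(data: bytes) -> list:
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+
    flags = struct.unpack_from("<H", data, optional_header_offset(data) + 70)[0]
    return [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if flags & bit]

def compute_pe_checksum(data: bytes) -> int:
    """Checksum as CheckSumMappedFile computes it: 32-bit words summed with end-around
    carry, folded to 16 bits, plus the file length; the CheckSum field itself counts as zero."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, optional_header_offset(data) + 64, 0)
    if len(buf) % 4:                                   # pad a ragged tail with zeros
        buf += b"\0" * (4 - len(buf) % 4)
    total = 0
    for (word,) in struct.iter_unpack("<I", buf):
        total += word
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return ((total & 0xFFFF) + len(data)) & 0xFFFFFFFF

def checksum_is_valid(data: bytes) -> bool:
    return stored_checksum(data) == compute_pe_checksum(data)

def build_minimal_pe(dll_chars: int, checksum: int = 0) -> bytes:
    """Constructed headers-only PE32+ image used as sample input (not the analysed DLL)."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)            # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x8664, 0)      # Machine AMD64, 0 sections
    struct.pack_into("<HH", img, 0x94, 240, 0x2022)    # SizeOfOptionalHeader, EXECUTABLE|LARGE_ADDRESS_AWARE|DLL
    opt = 0x98
    struct.pack_into("<H", img, opt, 0x20B)            # PE32+ magic
    struct.pack_into("<I", img, opt + 64, checksum)
    struct.pack_into("<HH", img, opt + 68, 2, dll_chars)  # Subsystem WINDOWS_GUI, DllCharacteristics
    return bytes(img)

def triage(data: bytes) -> dict:
    return {"dll_characteristics": dll_characteristics(data),
            "stored_checksum": stored_checksum(data),
            "computed_checksum": compute_pe_checksum(data),
            "checksum_valid": checksum_is_valid(data)}

if __name__ == "__main__":
    unsigned = build_minimal_pe(0x0040 | 0x0100)       # DYNAMIC_BASE | NX_COMPAT, CheckSum left at 0
    fixed = build_minimal_pe(0x0040 | 0x0100, compute_pe_checksum(unsigned))
    print(triage(unsigned))
    print(triage(fixed))
```

A stored CheckSum of zero, which is what most unsigned, non-driver binaries ship with, also fails this comparison, so the "invalid checksum" signature is weak evidence on its own; it becomes interesting alongside the other indicators above, and a mismatch against a non-zero stored value usually means the file was modified after linking.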

Networking

Source: C:\Windows\System32\regsvr32.exe Network Connect: 23.239.0.12 443
Source: Joe Sandbox View ASN Name: LINODE-APLinodeLLCUS
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: global traffic HTTP traffic detected (request headers shown one per line; note there is no User-Agent header):
GET / HTTP/1.1
Cookie: IGSITR=HJk2yqksn3jmOrlkjuqjRrOytL36Pszs0ofIX1jQk/Be1o+ZJK3BH16JgDf6yAW8We2QNZiNZF73x9i8Cr/2lwvuBtCMCqzhtUwH+utXxsaxxeFDiVcXHUnp3RcBPjBK+vqM6Yo3emfENRl9L6E53er+8Ox9ZdSnyBQfUVQqeHCdHLzs9KZ3O1oQ2HgwwRbSVRqsfC5SKTAY5vWLOF/LM1SbrwAwiegfKUsIcWEPMGL5FEJ++dJKJpd/eExNxiNWyzVFKkd3XdxdxGxunr8=
Host: 23.239.0.12
Connection: Keep-Alive
Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 23.239.0.12
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 23.239.0.12 (reported 10 times)
Source: svchost.exe, 00000014.00000003.801812539.00000280A8B72000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals www.facebook.com (Facebook)
Source: svchost.exe, 00000014.00000003.801812539.00000280A8B72000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals www.twitter.com (Twitter)
Source: svchost.exe, 00000014.00000003.801848371.00000280A8B83000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.801812539.00000280A8B72000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-05-13T10:00:01.2192622Z||.||8adb3f26-c14b-4fc0-afb3-91b3c6daaa3f||1152921505694830749||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: regsvr32.exe, 00000007.00000003.501652096.0000000000ED3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.828852768.0000000000ED3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.780383902.000001A1C4A63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.829069253.00000280A8B00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000008.00000002.780383902.000001A1C4A63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.829009677.00000280A80ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000014.00000003.818773677.00000280A8B7A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.818709765.00000280A8B9B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: regsvr32.exe, 00000007.00000002.828762679.0000000000E61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://23.239.0.12/
Source: regsvr32.exe, 00000007.00000003.501740704.0000000000E61000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.501820998.0000000000E61000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.828762679.0000000000E61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://23.239.0.12/S9
Source: regsvr32.exe, 00000007.00000003.501740704.0000000000E61000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.501820998.0000000000E61000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.828762679.0000000000E61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://23.239.0.12/s9
Source: regsvr32.exe, 00000007.00000003.501740704.0000000000E61000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.501820998.0000000000E61000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.828762679.0000000000E61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://23.239.0.12/w9
Source: svchost.exe, 00000014.00000003.818773677.00000280A8B7A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.818709765.00000280A8B9B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000014.00000003.815381462.00000280A9019000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815281390.00000280A8BAC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815239422.00000280A8B9B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815120027.00000280A9002000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815330686.00000280A8B7B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815148701.00000280A9003000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.hotspotshield.com/
Source: svchost.exe, 00000014.00000003.818773677.00000280A8B7A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.818709765.00000280A8B9B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000014.00000003.818773677.00000280A8B7A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.818709765.00000280A8B9B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000014.00000003.815381462.00000280A9019000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815281390.00000280A8BAC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815239422.00000280A8B9B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815120027.00000280A9002000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815330686.00000280A8B7B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815148701.00000280A9003000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.hotspotshield.com/terms/
Source: svchost.exe, 00000014.00000003.815381462.00000280A9019000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815281390.00000280A8BAC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815239422.00000280A8B9B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815120027.00000280A9002000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815330686.00000280A8B7B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815148701.00000280A9003000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.pango.co/privacy
Source: svchost.exe, 00000014.00000003.822548470.00000280A9002000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.822494594.00000280A8B9B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.822517778.00000280A8B79000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00000001800132F0 InternetReadFile,RtlAllocateHeap, 7_2_00000001800132F0
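The Networking section above shows the traits of this sample's check-in: a TLS 1.2 connection to a bare IP that was never resolved through DNS, a GET / with no User-Agent, a Host header that is the IP itself, the check-in data packed into one base64-looking cookie value, and a JA3 hash already seen with other malware. The following Python is an added example, not code from Joe Sandbox or from the sample, that scores HTTP records on those traits and only reports records where several of them stack. The records, the DNS answer set and the benign traffic are constructed for the example; the first record reproduces the request shown above, and the JA3 watchlist holds the fingerprint from this report.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# JA3 client fingerprint listed for this sample above, used here as a watchlist entry
JA3_WATCHLIST = {"51c64c77e60f3980eea90869b68c58a8"}

# A cookie whose value is one long run of base64 alphabet with no internal structure,
# as in the request above, is how the sample carries its check-in data
OPAQUE_VALUE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")

@dataclass
class HttpRecord:
    src: str
    dst: str
    dst_port: int
    method: str
    uri: str
    headers: dict
    ja3: str = ""

@dataclass
class Finding:
    record: HttpRecord
    indicators: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.indicators)

def is_literal_ip(host: str) -> bool:
    """True when the Host header is an IPv4 literal (optionally with :port)."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False

def triage_request(rec: HttpRecord, resolved_ips: set) -> Finding:
    finding = Finding(rec)
    hdr = {k.lower(): v for k, v in rec.headers.items()}
    if is_literal_ip(hdr.get("host", "")):
        finding.indicators.append("direct_ip_host")
    if "user-agent" not in hdr:
        finding.indicators.append("no_user_agent")
    # a public destination that no DNS answer ever pointed at was hard-coded in the client
    if not ipaddress.ip_address(rec.dst).is_private and rec.dst not in resolved_ips:
        finding.indicators.append("no_dns_resolution")
    for part in hdr.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if OPAQUE_VALUE.match(value):
            finding.indicators.append("opaque_cookie:" + name)
            break
    if rec.ja3 in JA3_WATCHLIST:
        finding.indicators.append("known_bad_ja3")
    return finding

def triage_all(records, resolved_ips: set, threshold: int = 3) -> list:
    """Keep findings that stack at least `threshold` indicators; a lone direct-IP request
    or a missing User-Agent is far too common in legitimate traffic to alert on."""
    found = (triage_request(r, resolved_ips) for r in records)
    return [f for f in found if f.score >= threshold]

# Cookie header from the request captured in this report
EMOTET_COOKIE = ("IGSITR=HJk2yqksn3jmOrlkjuqjRrOytL36Pszs0ofIX1jQk/Be1o+ZJK3BH16JgDf6yAW8We2QNZiNZF73x9i8Cr/"
                 "2lwvuBtCMCqzhtUwH+utXxsaxxeFDiVcXHUnp3RcBPjBK+vqM6Yo3emfENRl9L6E53er+8Ox9ZdSnyBQfUVQqeHCd"
                 "HLzs9KZ3O1oQ2HgwwRbSVRqsfC5SKTAY5vWLOF/LM1SbrwAwiegfKUsIcWEPMGL5FEJ++dJKJpd/eExNxiNWyzVFK"
                 "kd3XdxdxGxunr8=")

# Constructed: addresses that appeared in DNS answers before these requests were made
SAMPLE_DNS_ANSWERS = {"203.0.113.10"}

SAMPLE_HTTP = [
    # the check-in shown in the Networking section above
    HttpRecord("192.168.2.5", "23.239.0.12", 443, "GET", "/",
               {"Cookie": EMOTET_COOKIE, "Host": "23.239.0.12",
                "Connection": "Keep-Alive", "Cache-Control": "no-cache"},
               ja3="51c64c77e60f3980eea90869b68c58a8"),
    # constructed benign browser request to a name that did resolve
    HttpRecord("192.168.2.5", "203.0.113.10", 443, "GET", "/index.html",
               {"Host": "www.example.com", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
                "Cookie": "session=abc123; theme=dark"}),
    # constructed internal API call: direct IP, but private and with a User-Agent
    HttpRecord("192.168.2.5", "10.0.0.20", 8080, "POST", "/api/v1/inventory",
               {"Host": "10.0.0.20:8080", "User-Agent": "python-requests/2.31.0",
                "Content-Type": "application/json"}),
]

if __name__ == "__main__":
    for f in triage_all(SAMPLE_HTTP, SAMPLE_DNS_ANSWERS):
        print(f.record.dst, f.score, f.indicators)
```

Run stand-alone it prints only the 23.239.0.12 record, with all five indicators; the internal API call collects a single "direct_ip_host" and stays under the threshold, which is the point of stacking weak indicators instead of alerting on any one of them. In a real deployment the records would come from a proxy log or Zeek's http.log and ssl.log, and the DNS answer set from the same sensor's dns.log.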

E-Banking Fraud

Source: Yara match File source: 4.2.rundll32.exe.230423c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.28dc9d20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.28dc9d20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.1050000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.f30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.1050000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.f30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.230423c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.828897000.0000000000F30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.443771907.0000000001050000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.443873760.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.447104613.00000230423C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.829091404.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.444094574.0000028DC9D20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.446272102.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\rundll32.exe File deleted: C:\Windows\System32\TvhlOU\CPyd.dll:Zone.Identifier
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\system32\JoOzHOkj\
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA526A6F0C 3_2_00007FFA526A6F0C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA526AE6C0 3_2_00007FFA526AE6C0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA526AA77C 3_2_00007FFA526AA77C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA526AFB6C 3_2_00007FFA526AFB6C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA526AAF70 3_2_00007FFA526AAF70
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA526AEB60 3_2_00007FFA526AEB60
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA526AFCA0 3_2_00007FFA526AFCA0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA526A895C 3_2_00007FFA526A895C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA526A5944 3_2_00007FFA526A5944
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA526AAA0C 3_2_00007FFA526AAA0C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA526AB5CC 3_2_00007FFA526AB5CC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_01020000 3_2_01020000
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180010FF4 3_2_0000000180010FF4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180028C20 3_2_0000000180028C20
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002C058 3_2_000000018002C058
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180009100 3_2_0000000180009100
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001C964 3_2_000000018001C964
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000C608 3_2_000000018000C608
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180021618 3_2_0000000180021618
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001E3AC 3_2_000000018001E3AC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001DBE8 3_2_000000018001DBE8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001FC0C 3_2_000000018001FC0C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000580C 3_2_000000018000580C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180022010 3_2_0000000180022010
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001481C 3_2_000000018001481C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002A42C 3_2_000000018002A42C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180011834 3_2_0000000180011834
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180023831 3_2_0000000180023831
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180021C3C 3_2_0000000180021C3C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000703C 3_2_000000018000703C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000AC48 3_2_000000018000AC48
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000FC48 3_2_000000018000FC48
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180006458 3_2_0000000180006458
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001C05C 3_2_000000018001C05C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001A460 3_2_000000018001A460
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180029888 3_2_0000000180029888
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001D49C 3_2_000000018001D49C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180008CA0 3_2_0000000180008CA0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800248A8 3_2_00000001800248A8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180015CB0 3_2_0000000180015CB0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800124B4 3_2_00000001800124B4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000C4B4 3_2_000000018000C4B4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800288B8 3_2_00000001800288B8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800024B8 3_2_00000001800024B8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000D8C4 3_2_000000018000D8C4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800250CC 3_2_00000001800250CC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800190D4 3_2_00000001800190D4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180017CE4 3_2_0000000180017CE4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800264F0 3_2_00000001800264F0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800014F8 3_2_00000001800014F8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180020CFC 3_2_0000000180020CFC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002C904 3_2_000000018002C904
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180017908 3_2_0000000180017908
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180021510 3_2_0000000180021510
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000F917 3_2_000000018000F917
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000551C 3_2_000000018000551C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000F128 3_2_000000018000F128
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001CD38 3_2_000000018001CD38
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180016D3C 3_2_0000000180016D3C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001F944 3_2_000000018001F944
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180018148 3_2_0000000180018148
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001ED50 3_2_000000018001ED50
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180013150 3_2_0000000180013150
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001D950 3_2_000000018001D950
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001E960 3_2_000000018001E960
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180019D60 3_2_0000000180019D60
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180001D68 3_2_0000000180001D68
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001496C 3_2_000000018001496C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180002D70 3_2_0000000180002D70
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180002178 3_2_0000000180002178
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180024D80 3_2_0000000180024D80
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180018598 3_2_0000000180018598
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180003598 3_2_0000000180003598
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002A9A8 3_2_000000018002A9A8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800119A8 3_2_00000001800119A8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180025DAC 3_2_0000000180025DAC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180018DAC 3_2_0000000180018DAC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800269B0 3_2_00000001800269B0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800059B8 3_2_00000001800059B8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800029BC 3_2_00000001800029BC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800141C0 3_2_00000001800141C0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800125C4 3_2_00000001800125C4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800121CC 3_2_00000001800121CC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000BDD0 3_2_000000018000BDD0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800075D4 3_2_00000001800075D4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800095DC 3_2_00000001800095DC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000F9E8 3_2_000000018000F9E8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180002610 3_2_0000000180002610
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180019618 3_2_0000000180019618
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180013E28 3_2_0000000180013E28
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001FA38 3_2_000000018001FA38
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000A270 3_2_000000018000A270
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180019E78 3_2_0000000180019E78
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001DA80 3_2_000000018001DA80
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180024698 3_2_0000000180024698
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000EE98 3_2_000000018000EE98
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800176B8 3_2_00000001800176B8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001AAB8 3_2_000000018001AAB8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180011AD0 3_2_0000000180011AD0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180008AD8 3_2_0000000180008AD8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800296EC 3_2_00000001800296EC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000A6EC 3_2_000000018000A6EC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800132F0 3_2_00000001800132F0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180019300 3_2_0000000180019300
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001BB04 3_2_000000018001BB04
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002870C 3_2_000000018002870C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180026B10 3_2_0000000180026B10
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000131C 3_2_000000018000131C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000671C 3_2_000000018000671C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180029B28 3_2_0000000180029B28
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180012F28 3_2_0000000180012F28
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000BB28 3_2_000000018000BB28
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001EB30 3_2_000000018001EB30
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180020334 3_2_0000000180020334
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180010758 3_2_0000000180010758
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001435C 3_2_000000018001435C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180009F5C 3_2_0000000180009F5C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180029368 3_2_0000000180029368
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180020768 3_2_0000000180020768
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180017378 3_2_0000000180017378
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180013780 3_2_0000000180013780
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180015388 3_2_0000000180015388
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000338C 3_2_000000018000338C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000738C 3_2_000000018000738C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180002790 3_2_0000000180002790
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180027F9C 3_2_0000000180027F9C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800197A0 3_2_00000001800197A0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002C7B4 3_2_000000018002C7B4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001DFB4 3_2_000000018001DFB4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001F7C0 3_2_000000018001F7C0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800097C0 3_2_00000001800097C0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800157D8 3_2_00000001800157D8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180019FDC 3_2_0000000180019FDC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180017BDC 3_2_0000000180017BDC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000F7E0 3_2_000000018000F7E0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180001FE0 3_2_0000000180001FE0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180010FF4 4_2_0000000180010FF4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180028C20 4_2_0000000180028C20
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018002C058 4_2_000000018002C058
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180009100 4_2_0000000180009100
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180007958 4_2_0000000180007958
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000C608 4_2_000000018000C608
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180021618 4_2_0000000180021618
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180013E28 4_2_0000000180013E28
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001E3AC 4_2_000000018001E3AC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001DBE8 4_2_000000018001DBE8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001FC0C 4_2_000000018001FC0C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000580C 4_2_000000018000580C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180022010 4_2_0000000180022010
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001481C 4_2_000000018001481C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018002A42C 4_2_000000018002A42C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180011834 4_2_0000000180011834
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180023831 4_2_0000000180023831
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180021C3C 4_2_0000000180021C3C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000703C 4_2_000000018000703C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000AC48 4_2_000000018000AC48
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000FC48 4_2_000000018000FC48
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180006458 4_2_0000000180006458
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001C05C 4_2_000000018001C05C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001A460 4_2_000000018001A460
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180029888 4_2_0000000180029888
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001D49C 4_2_000000018001D49C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180008CA0 4_2_0000000180008CA0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800248A8 4_2_00000001800248A8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180015CB0 4_2_0000000180015CB0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800124B4 4_2_00000001800124B4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000C4B4 4_2_000000018000C4B4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800288B8 4_2_00000001800288B8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800024B8 4_2_00000001800024B8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000D8C4 4_2_000000018000D8C4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800250CC 4_2_00000001800250CC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800190D4 4_2_00000001800190D4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180017CE4 4_2_0000000180017CE4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800264F0 4_2_00000001800264F0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800014F8 4_2_00000001800014F8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180020CFC 4_2_0000000180020CFC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018002C904 4_2_000000018002C904
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180017908 4_2_0000000180017908
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180021510 4_2_0000000180021510
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000F917 4_2_000000018000F917
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000551C 4_2_000000018000551C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000F128 4_2_000000018000F128
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001CD38 4_2_000000018001CD38
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180016D3C 4_2_0000000180016D3C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001F944 4_2_000000018001F944
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180018148 4_2_0000000180018148
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001D950 4_2_000000018001D950
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180013150 4_2_0000000180013150
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001ED50 4_2_000000018001ED50
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001E960 4_2_000000018001E960
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180019D60 4_2_0000000180019D60
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001C964 4_2_000000018001C964
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180001D68 4_2_0000000180001D68
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001496C 4_2_000000018001496C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180002D70 4_2_0000000180002D70
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180002178 4_2_0000000180002178
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180024D80 4_2_0000000180024D80
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180018598 4_2_0000000180018598
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180003598 4_2_0000000180003598
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018002A9A8 4_2_000000018002A9A8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800119A8 4_2_00000001800119A8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180025DAC 4_2_0000000180025DAC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180018DAC 4_2_0000000180018DAC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800269B0 4_2_00000001800269B0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800059B8 4_2_00000001800059B8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800029BC 4_2_00000001800029BC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800141C0 4_2_00000001800141C0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800125C4 4_2_00000001800125C4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800121CC 4_2_00000001800121CC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800075D4 4_2_00000001800075D4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800095DC 4_2_00000001800095DC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000F9E8 4_2_000000018000F9E8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180002610 4_2_0000000180002610
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180019618 4_2_0000000180019618
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001FA38 4_2_000000018001FA38
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000A270 4_2_000000018000A270
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180019E78 4_2_0000000180019E78
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001DA80 4_2_000000018001DA80
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180024698 4_2_0000000180024698
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000EE98 4_2_000000018000EE98
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800176B8 4_2_00000001800176B8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001AAB8 4_2_000000018001AAB8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180011AD0 4_2_0000000180011AD0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180008AD8 4_2_0000000180008AD8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800296EC 4_2_00000001800296EC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000A6EC 4_2_000000018000A6EC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800132F0 4_2_00000001800132F0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180019300 4_2_0000000180019300
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001BB04 4_2_000000018001BB04
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018002870C 4_2_000000018002870C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180026B10 4_2_0000000180026B10
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000131C 4_2_000000018000131C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000671C 4_2_000000018000671C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180029B28 4_2_0000000180029B28
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180012F28 4_2_0000000180012F28
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000BB28 4_2_000000018000BB28
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001EB30 4_2_000000018001EB30
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180020334 4_2_0000000180020334
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180010758 4_2_0000000180010758
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001435C 4_2_000000018001435C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180009F5C 4_2_0000000180009F5C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180029368 4_2_0000000180029368
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180020768 4_2_0000000180020768
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180017378 4_2_0000000180017378
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180013780 4_2_0000000180013780
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180015388 4_2_0000000180015388
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000338C 4_2_000000018000338C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000738C 4_2_000000018000738C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180002790 4_2_0000000180002790
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180027F9C 4_2_0000000180027F9C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800197A0 4_2_00000001800197A0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018002C7B4 4_2_000000018002C7B4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001DFB4 4_2_000000018001DFB4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001F7C0 4_2_000000018001F7C0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800097C0 4_2_00000001800097C0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800157D8 4_2_00000001800157D8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180019FDC 4_2_0000000180019FDC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180017BDC 4_2_0000000180017BDC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000F7E0 4_2_000000018000F7E0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180001FE0 4_2_0000000180001FE0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000230423B0000 4_2_00000230423B0000
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180010FF4 5_2_0000000180010FF4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018002C058 5_2_000000018002C058
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180009100 5_2_0000000180009100
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000C608 5_2_000000018000C608
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180021618 5_2_0000000180021618
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001E3AC 5_2_000000018001E3AC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001DBE8 5_2_000000018001DBE8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001FC0C 5_2_000000018001FC0C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000580C 5_2_000000018000580C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180022010 5_2_0000000180022010
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001481C 5_2_000000018001481C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018002A42C 5_2_000000018002A42C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180011834 5_2_0000000180011834
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180021C3C 5_2_0000000180021C3C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000703C 5_2_000000018000703C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000AC48 5_2_000000018000AC48
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000FC48 5_2_000000018000FC48
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180006458 5_2_0000000180006458
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001C05C 5_2_000000018001C05C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001A460 5_2_000000018001A460
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180029888 5_2_0000000180029888
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001D49C 5_2_000000018001D49C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180008CA0 5_2_0000000180008CA0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800248A8 5_2_00000001800248A8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180015CB0 5_2_0000000180015CB0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800124B4 5_2_00000001800124B4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000C4B4 5_2_000000018000C4B4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800288B8 5_2_00000001800288B8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800024B8 5_2_00000001800024B8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000D8C4 5_2_000000018000D8C4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800250CC 5_2_00000001800250CC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800190D4 5_2_00000001800190D4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180017CE4 5_2_0000000180017CE4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800264F0 5_2_00000001800264F0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800014F8 5_2_00000001800014F8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180020CFC 5_2_0000000180020CFC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018002C904 5_2_000000018002C904
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180017908 5_2_0000000180017908
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180021510 5_2_0000000180021510
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000F917 5_2_000000018000F917
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000551C 5_2_000000018000551C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000F128 5_2_000000018000F128
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001CD38 5_2_000000018001CD38
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180016D3C 5_2_0000000180016D3C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001F944 5_2_000000018001F944
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180018148 5_2_0000000180018148
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001ED50 5_2_000000018001ED50
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180013150 5_2_0000000180013150
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001D950 5_2_000000018001D950
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001E960 5_2_000000018001E960
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180019D60 5_2_0000000180019D60
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001C964 5_2_000000018001C964
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180001D68 5_2_0000000180001D68
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001496C 5_2_000000018001496C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180002D70 5_2_0000000180002D70
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180002178 5_2_0000000180002178
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180024D80 5_2_0000000180024D80
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180018598 5_2_0000000180018598
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180003598 5_2_0000000180003598
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018002A9A8 5_2_000000018002A9A8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800119A8 5_2_00000001800119A8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180025DAC 5_2_0000000180025DAC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180018DAC 5_2_0000000180018DAC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800269B0 5_2_00000001800269B0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800059B8 5_2_00000001800059B8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800029BC 5_2_00000001800029BC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800141C0 5_2_00000001800141C0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800125C4 5_2_00000001800125C4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800121CC 5_2_00000001800121CC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800075D4 5_2_00000001800075D4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800095DC 5_2_00000001800095DC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000F9E8 5_2_000000018000F9E8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180002610 5_2_0000000180002610
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180019618 5_2_0000000180019618
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180013E28 5_2_0000000180013E28
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001FA38 5_2_000000018001FA38
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000A270 5_2_000000018000A270
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180019E78 5_2_0000000180019E78
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001DA80 5_2_000000018001DA80
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180024698 5_2_0000000180024698
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000EE98 5_2_000000018000EE98
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800176B8 5_2_00000001800176B8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001AAB8 5_2_000000018001AAB8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180011AD0 5_2_0000000180011AD0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180008AD8 5_2_0000000180008AD8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800296EC 5_2_00000001800296EC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000A6EC 5_2_000000018000A6EC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800132F0 5_2_00000001800132F0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180019300 5_2_0000000180019300
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001BB04 5_2_000000018001BB04
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018002870C 5_2_000000018002870C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180026B10 5_2_0000000180026B10
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000131C 5_2_000000018000131C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000671C 5_2_000000018000671C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180029B28 5_2_0000000180029B28
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180012F28 5_2_0000000180012F28
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000BB28 5_2_000000018000BB28
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001EB30 5_2_000000018001EB30
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180020334 5_2_0000000180020334
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180010758 5_2_0000000180010758
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001435C 5_2_000000018001435C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180009F5C 5_2_0000000180009F5C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180029368 5_2_0000000180029368
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180020768 5_2_0000000180020768
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180017378 5_2_0000000180017378
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180013780 5_2_0000000180013780
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180015388 5_2_0000000180015388
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000338C 5_2_000000018000338C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000738C 5_2_000000018000738C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180002790 5_2_0000000180002790
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800197A0 5_2_00000001800197A0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018002C7B4 5_2_000000018002C7B4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001DFB4 5_2_000000018001DFB4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001F7C0 5_2_000000018001F7C0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800097C0 5_2_00000001800097C0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800157D8 5_2_00000001800157D8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180019FDC 5_2_0000000180019FDC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180017BDC 5_2_0000000180017BDC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000F7E0 5_2_000000018000F7E0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180001FE0 5_2_0000000180001FE0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000028DC9D10000 5_2_0000028DC9D10000
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00F20000 7_2_00F20000
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180010FF4 7_2_0000000180010FF4
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180028C20 7_2_0000000180028C20
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018002C058 7_2_000000018002C058
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018001ACA4 7_2_000000018001ACA4
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000551C 7_2_000000018000551C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180018148 7_2_0000000180018148
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018001496C 7_2_000000018001496C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000E1E0 7_2_000000018000E1E0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000C608 7_2_000000018000C608
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180021618 7_2_0000000180021618
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180013E28 7_2_0000000180013E28
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018002AE44 7_2_000000018002AE44
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000D26C 7_2_000000018000D26C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180025278 7_2_0000000180025278
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000EE98 7_2_000000018000EE98
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00000001800046A8 7_2_00000001800046A8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180004ACA 7_2_0000000180004ACA
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00000001800132F0 7_2_00000001800132F0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180026B10 7_2_0000000180026B10
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018001DBE8 7_2_000000018001DBE8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018001FC0C 7_2_000000018001FC0C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000580C 7_2_000000018000580C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180022010 7_2_0000000180022010
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018001481C 7_2_000000018001481C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018002A42C 7_2_000000018002A42C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180011834 7_2_0000000180011834
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180021C3C 7_2_0000000180021C3C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000703C 7_2_000000018000703C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000AC48 7_2_000000018000AC48
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000FC48 7_2_000000018000FC48
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180024458 7_2_0000000180024458
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180006458 7_2_0000000180006458
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018001C05C 7_2_000000018001C05C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018001A460 7_2_000000018001A460
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180029888 7_2_0000000180029888
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018001D49C 7_2_000000018001D49C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180008CA0 7_2_0000000180008CA0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00000001800248A8 7_2_00000001800248A8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180015CB0 7_2_0000000180015CB0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00000001800124B4 7_2_00000001800124B4
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000C4B4 7_2_000000018000C4B4
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00000001800288B8 7_2_00000001800288B8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00000001800024B8 7_2_00000001800024B8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000D8C4 7_2_000000018000D8C4
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00000001800250CC 7_2_00000001800250CC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00000001800190D4 7_2_00000001800190D4
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180017CE4 7_2_0000000180017CE4
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00000001800264F0 7_2_00000001800264F0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00000001800014F8 7_2_00000001800014F8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180020CFC 7_2_0000000180020CFC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180009100 7_2_0000000180009100
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018002C904 7_2_000000018002C904
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180017908 7_2_0000000180017908
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180021510 7_2_0000000180021510
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000F917 7_2_000000018000F917
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000F128 7_2_000000018000F128
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018001CD38 7_2_000000018001CD38
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180016D3C 7_2_0000000180016D3C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018001F944 7_2_000000018001F944
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018001D950 7_2_000000018001D950
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180013150 7_2_0000000180013150
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018001ED50 7_2_000000018001ED50
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018001E960 7_2_000000018001E960
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180019D60 7_2_0000000180019D60
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018001C964 7_2_000000018001C964
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018001C568 7_2_000000018001C568
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180001D68 7_2_0000000180001D68
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180002D70 7_2_0000000180002D70
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180024574 7_2_0000000180024574
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180002178 7_2_0000000180002178
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180024D80 7_2_0000000180024D80
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180018598 7_2_0000000180018598
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180003598 7_2_0000000180003598
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018001F1A4 7_2_000000018001F1A4
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018002A9A8 7_2_000000018002A9A8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00000001800119A8 7_2_00000001800119A8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180025DAC 7_2_0000000180025DAC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180018DAC 7_2_0000000180018DAC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00000001800269B0 7_2_00000001800269B0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00000001800059B8 7_2_00000001800059B8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00000001800029BC 7_2_00000001800029BC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00000001800141C0 7_2_00000001800141C0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00000001800125C4 7_2_00000001800125C4
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00000001800121CC 7_2_00000001800121CC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000BDD0 7_2_000000018000BDD0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00000001800075D4 7_2_00000001800075D4
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00000001800095DC 7_2_00000001800095DC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000F9E8 7_2_000000018000F9E8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180002610 7_2_0000000180002610
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180019618 7_2_0000000180019618
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018001FA38 7_2_000000018001FA38
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000A270 7_2_000000018000A270
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180019E78 7_2_0000000180019E78
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018001DA80 7_2_000000018001DA80
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180024698 7_2_0000000180024698
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00000001800176B8 7_2_00000001800176B8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018001AAB8 7_2_000000018001AAB8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018002CAD0 7_2_000000018002CAD0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180011AD0 7_2_0000000180011AD0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180008AD8 7_2_0000000180008AD8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00000001800296EC 7_2_00000001800296EC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000A6EC 7_2_000000018000A6EC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180019300 7_2_0000000180019300
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018001BB04 7_2_000000018001BB04
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018002870C 7_2_000000018002870C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000131C 7_2_000000018000131C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000671C 7_2_000000018000671C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180029B28 7_2_0000000180029B28
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180012F28 7_2_0000000180012F28
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000BB28 7_2_000000018000BB28
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018001EB30 7_2_000000018001EB30
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180020334 7_2_0000000180020334
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180010758 7_2_0000000180010758
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018001435C 7_2_000000018001435C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180009F5C 7_2_0000000180009F5C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180029368 7_2_0000000180029368
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180020768 7_2_0000000180020768
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: 2V7zjcga5L.dll Virustotal: Detection: 32%
Source: 2V7zjcga5L.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\2V7zjcga5L.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2V7zjcga5L.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\2V7zjcga5L.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2V7zjcga5L.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\2V7zjcga5L.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\2V7zjcga5L.dll,DllUnregisterServer
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\TvhlOU\CPyd.dll"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2V7zjcga5L.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\2V7zjcga5L.dll
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\2V7zjcga5L.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\2V7zjcga5L.dll,DllUnregisterServer
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2V7zjcga5L.dll",#1
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\TvhlOU\CPyd.dll"
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32
Source: classification engine Classification label: mal76.troj.evad.winDLL@19/5@0/3
Source: C:\Windows\System32\regsvr32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00000001800046A8 CreateToolhelp32Snapshot,Process32FirstW,FindCloseChangeNotification, 7_2_00000001800046A8
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2V7zjcga5L.dll",#1
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: 2V7zjcga5L.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: 2V7zjcga5L.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msacm32.pdb source: regsvr32.exe, 00000007.00000002.828634313.0000000000C95000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: msacm32.pdbGCTL source: regsvr32.exe, 00000007.00000002.828634313.0000000000C95000.00000004.00000010.00020000.00000000.sdmp
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001AFFD push ebp; retf 3_2_000000018001AFFE
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800051D1 push ebp; iretd 3_2_00000001800051D2
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001BA32 push ebp; retf 3_2_000000018001BA33
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180004E83 push es; ret 3_2_0000000180004E84
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001B694 push es; ret 3_2_000000018001B6E9
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001BADD push ebp; iretd 3_2_000000018001BADE
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001B717 push ebp; iretd 3_2_000000018001B718
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180007B3F push esp; retf 3_2_0000000180007B40
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001AF4E push ebp; retf 3_2_000000018001AF4F
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001AFFD push ebp; retf 4_2_000000018001AFFE
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800051D1 push ebp; iretd 4_2_00000001800051D2
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001BA32 push ebp; retf 4_2_000000018001BA33
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180004E83 push es; ret 4_2_0000000180004E84
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001B694 push es; ret 4_2_000000018001B6E9
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001BADD push ebp; iretd 4_2_000000018001BADE
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001B717 push ebp; iretd 4_2_000000018001B718
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001AF4E push ebp; retf 4_2_000000018001AF4F
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001AFFD push ebp; retf 5_2_000000018001AFFE
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800051D1 push ebp; iretd 5_2_00000001800051D2
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001BA32 push ebp; retf 5_2_000000018001BA33
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180004E83 push es; ret 5_2_0000000180004E84
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001B694 push es; ret 5_2_000000018001B6E9
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001BADD push ebp; iretd 5_2_000000018001BADE
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001B717 push ebp; iretd 5_2_000000018001B718
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180007B3F push esp; retf 5_2_0000000180007B40
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001AF4E push ebp; retf 5_2_000000018001AF4F
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00000001800051D1 push ebp; iretd 7_2_00000001800051D2
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180004E83 push es; ret 7_2_0000000180004E84
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180007B3F push esp; retf 7_2_0000000180007B40
Note on the push/ret hits above: the image is 64-bit (base 0x180000000) and `push es` (opcode 0x06) is not a valid instruction in 64-bit mode, so these matches are most likely linear disassembly of data or of the still-encrypted payload rather than deliberate call/push/ret obfuscation; treat this signature as weak on its own.
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA526A7BE8 DecodePointer,_errno,LoadLibraryA,GetProcAddress,_errno,GetLastError,GetLastError,EncodePointer,FreeLibrary,_errno,_errno, 3_2_00007FFA526A7BE8
Source: 2V7zjcga5L.dll Static PE information: real checksum: 0x85ab6 should be: 0x9110a
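The invalid-checksum signature above is produced by recomputing the PE checksum and comparing it with the OptionalHeader.CheckSum field. The Python below is added here as an illustration and is not part of this report or of any Joe Sandbox tooling: it reimplements the CheckSumMappedFile algorithm (32-bit word sum with carry folding, the CheckSum field itself skipped, folded to 16 bits, plus the file length) and classifies an image as absent, ok or mismatch. The PE32+ skeleton it builds is constructed test input, not bytes from the sample. A zero checksum is normal for unsigned user-mode binaries, and Windows only enforces the field for drivers, boot-time DLLs and DLLs loaded into critical system processes, so a mismatch is a hint that the header was patched or packed after linking, not proof of malice on its own.

```python
import struct


def checksum_field_offset(image: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum (same offset for PE32 and PE32+)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # 4 (signature) + 20 (COFF file header) + 64 (CheckSum within the optional header)
    return e_lfanew + 4 + 20 + 64


def compute_pe_checksum(image: bytes) -> int:
    """Reimplementation of the CheckSumMappedFile algorithm used by the linker and imagehlp."""
    skip_index = checksum_field_offset(image) // 4
    padded = image + b"\0" * ((4 - len(image) % 4) % 4)   # pad to a dword boundary
    total = 0
    for i in range(len(padded) // 4):
        if i == skip_index:                                 # the CheckSum field is not summed
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total >= 1 << 32:                                # fold the carry back in
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    total &= 0xFFFF
    return total + len(image)                               # original, unpadded length


def stored_pe_checksum(image: bytes) -> int:
    return struct.unpack_from("<I", image, checksum_field_offset(image))[0]


def check_pe_checksum(image: bytes) -> dict:
    """Classify the stored checksum: 'absent' (zero), 'ok', or 'mismatch'."""
    stored, computed = stored_pe_checksum(image), compute_pe_checksum(image)
    if stored == 0:
        status = "absent"      # linker never set it; common and not suspicious by itself
    elif stored == computed:
        status = "ok"
    else:
        status = "mismatch"    # header patched or packed after linking, as reported for this sample
    return {"stored": stored, "computed": computed, "status": status}


def build_constructed_pe(checksum: int = 0) -> bytes:
    """Minimal, non-loadable PE32+ skeleton used only as constructed test input."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: AMD64, 0 sections, 240-byte optional header, DLL|EXECUTABLE|LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                   # PE32+ magic
    struct.pack_into("<Q", opt, 24, 0x180000000)            # ImageBase, as in the sample
    struct.pack_into("<I", opt, 64, checksum)               # CheckSum field
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + b"\x90" * 0x100


if __name__ == "__main__":
    good = compute_pe_checksum(build_constructed_pe())
    for blob in (build_constructed_pe(), build_constructed_pe(good),
                 build_constructed_pe(good)[:-1] + b"\x91"):
        print(check_pe_checksum(blob))
```

Run it against a real file with `check_pe_checksum(open(path, "rb").read())`; because the CheckSum dword is excluded from the sum, the value computed on an image is the same whether or not the field is already populated.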
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\2V7zjcga5L.dll
Source: C:\Windows\System32\rundll32.exe PE file moved: C:\Windows\System32\TvhlOU\CPyd.dll

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\JoOzHOkj\lOBjGnbzgLJQ.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\system32\TvhlOU\CPyd.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\system32\EyNaV\uwKfjswbvPYcDYp.dll:Zone.Identifier read attributes | delete
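Two observations in this report are the ones worth turning into detections: the process tree, where loaddll64.exe and cmd.exe are the analysis harness exercising the exported entry points but rundll32.exe then relaunches the payload as regsvr32.exe "C:\Windows\system32\TvhlOU\CPyd.dll" after moving the DLL into a freshly created, randomly named System32 subdirectory; and the opens of the dropped DLLs' Zone.Identifier streams with delete access, which strips the Mark-of-the-Web. The Python below is added here as an illustration and is not part of this report or of any Joe Sandbox tooling. It runs both checks over constructed, simplified event records whose field names only loosely follow Sysmon and are not a real schema; the allow-list of legitimate System32 subdirectories is an assumption to tune per environment. Explorer's Unblock action and some installers also delete Zone.Identifier streams, so the second rule is a triage signal rather than a verdict.

```python
import re

# Loader binaries Emotet abuses to run its DLL (the LOLBins seen in the process tree).
LOLBIN_LOADERS = {"rundll32.exe", "regsvr32.exe"}

# Assumed allow-list of legitimate System32 subdirectories that hold DLLs; tune per environment.
KNOWN_SYSTEM32_SUBDIRS = {"wbem", "drivers", "spool", "config", "migration", "oobe", "winevt", "en-us"}

# First .dll path in a command line (quoted or not; rundll32's ",Export" suffix is excluded).
DLL_PATH = re.compile(r'([A-Za-z]:\\[^",]+?\.dll)', re.IGNORECASE)

# C:\Windows\System32\<letters>\<letters>.dll, the drop pattern behind TvhlOU\CPyd.dll and friends.
RANDOM_SYSTEM32_DLL = re.compile(
    r'^[A-Za-z]:\\Windows\\System32\\([A-Za-z]{4,16})\\[A-Za-z]{4,16}\.dll$', re.IGNORECASE)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def dll_path_from_command_line(command_line):
    match = DLL_PATH.search(command_line)
    return match.group(1) if match else None


def looks_like_random_system32_dll(path):
    match = RANDOM_SYSTEM32_DLL.match(path)
    return bool(match) and match.group(1).lower() not in KNOWN_SYSTEM32_SUBDIRS


def triage(events):
    """Return (rule, artefact) tuples for the suspicious records among `events`."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            image, parent = basename(ev["image"]), basename(ev["parent_image"])
            dll = dll_path_from_command_line(ev["command_line"])
            # A loader re-launching a loader on a DLL under an unexpected System32 subdirectory.
            if (image in LOLBIN_LOADERS and parent in LOLBIN_LOADERS
                    and dll and looks_like_random_system32_dll(dll)):
                findings.append(("lolbin_relaunch_from_random_system32_dir", dll))
        elif ev["type"] == "file":
            target = ev["target"]
            # Deleting the Zone.Identifier stream removes the Mark-of-the-Web; a plain read is routine.
            if target.lower().endswith(":zone.identifier") and "delete" in ev["access"].lower():
                findings.append(("zone_identifier_removed", target.rsplit(":", 1)[0]))
    return findings


# Constructed event records modelled on the report's process tree and file opens (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",          # sandbox harness
     "parent_image": r"C:\Windows\System32\loaddll64.exe",
     "command_line": r"rundll32.exe C:\Users\user\Desktop\2V7zjcga5L.dll,DllRegisterServer"},
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe",          # the relaunch
     "parent_image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\TvhlOU\CPyd.dll"'},
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe",          # benign, must not fire
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r"regsvr32.exe /s C:\Windows\system32\wbem\wbemcomn.dll"},
    {"type": "file", "image": r"C:\Windows\System32\rundll32.exe",              # MOTW stripped
     "target": r"C:\Windows\system32\TvhlOU\CPyd.dll:Zone.Identifier",
     "access": "read attributes | delete"},
    {"type": "file", "image": r"C:\Windows\explorer.exe",                       # routine read
     "target": r"C:\Users\user\Downloads\report.pdf:Zone.Identifier",
     "access": "read attributes"},
]


if __name__ == "__main__":
    for rule, artefact in triage(SAMPLE_EVENTS):
        print(f"{rule}: {artefact}")
```

The parent check is what keeps the first rule quiet for ordinary regsvr32 use by installers; if telemetry lacks parent process data, fall back to the directory allow-list alone and expect more noise.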
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe TID: 5832 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3000 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6224 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\regsvr32.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000D26C FindFirstFileW,FindNextFileW,FindClose, 7_2_000000018000D26C
Source: C:\Windows\System32\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 00000008.00000002.780129790.000001A1BF22A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`b
Source: svchost.exe, 00000014.00000002.828878679.00000280A8088000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(@
Source: svchost.exe, 00000008.00000002.780383902.000001A1C4A63000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @Hyper-V RAW
Source: regsvr32.exe, 00000007.00000003.501740704.0000000000E61000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.828796250.0000000000E8F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.501793764.0000000000E8E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.780368082.000001A1C4A4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.829009677.00000280A80ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000A.00000002.828725718.000002830B402000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 00000014.00000002.828872295.00000280A8082000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp`
Source: regsvr32.exe, 00000007.00000003.501740704.0000000000E61000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.501820998.0000000000E61000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.828762679.0000000000E61000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP~
Source: svchost.exe, 0000000A.00000002.828769088.000002830B428000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA526A20E0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00007FFA526A20E0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA526A7BE8 DecodePointer,_errno,LoadLibraryA,GetProcAddress,_errno,GetLastError,GetLastError,EncodePointer,FreeLibrary,_errno,_errno, 3_2_00007FFA526A7BE8
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll64.exe Process queried: DebugPort
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA526AD318 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00007FFA526AD318
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA526A20E0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00007FFA526A20E0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA526A6550 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00007FFA526A6550
Note: the 3_2_00007FFA526A... routines above lie outside the sample's 0x180000000 image, and RtlCaptureContext followed by IsDebuggerPresent, SetUnhandledExceptionFilter and TerminateProcess is the MSVC CRT's /GS security-cookie failure handler rather than a bespoke debugger check; the DebugPort query is made by loaddll64.exe, the analysis harness itself, so the anti-debugging signatures in this section carry little weight on their own.

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\regsvr32.exe Network Connect: 23.239.0.12 443
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2V7zjcga5L.dll",#1
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW, 3_2_00007FFA526ADF20
Source: C:\Windows\System32\regsvr32.exe Code function: _getptd,GetLocaleInfoA, 3_2_00007FFA526AC6E4
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoA, 3_2_00007FFA526AC39C
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,free,GetLocaleInfoA, 3_2_00007FFA526ADF98
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW, 3_2_00007FFA526ADF3C
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesA, 3_2_00007FFA526AC834
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesA, 3_2_00007FFA526AC7F4
Source: C:\Windows\System32\regsvr32.exe Code function: _getptd,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA, 3_2_00007FFA526AC450
Source: C:\Windows\System32\regsvr32.exe Code function: _getptd,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,_itow_s, 3_2_00007FFA526AC934
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesA, 3_2_00007FFA526AC8C8
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 3_2_00007FFA526AC16C
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoA, 3_2_00007FFA526AE1E8
Source: C:\Windows\System32\regsvr32.exe Code function: _getptd,GetLocaleInfoA, 3_2_00007FFA526AC2B4
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA526A4558 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 3_2_00007FFA526A4558
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA526AE6C0 _lock,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 3_2_00007FFA526AE6C0
Note: the GetLocaleInfo/EnumSystemLocales routines listed above and the GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter sequence are the MSVC CRT's locale initialisation and __security_init_cookie respectively, again in the 0x00007FFA526A... module rather than the sample image; the MachineGuid read is the host-fingerprinting item in this section worth keeping as an indicator.

Stealing of Sensitive Information

Source: Yara match File source: 4.2.rundll32.exe.230423c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.28dc9d20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.28dc9d20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.1050000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.f30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.1050000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.f30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.230423c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.828897000.0000000000F30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.443771907.0000000001050000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.443873760.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.447104613.00000230423C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.829091404.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.444094574.0000028DC9D20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.446272102.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY