Windows Analysis Report
yoyrJ.dll

Overview

General Information

Sample Name: yoyrJ.dll
Analysis ID: 750476
MD5: dd7105e9748a29b5bd61ea57214d57e3
SHA1: 827b323bda769ba7fb838a231aa4160209266b14
SHA256: c987ad0cc79b598bdee9ec7da96b07e82a04cadd73cb3caf85b799731deef9a1

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Creates an autostart registry key pointing to binary in C:\Windows
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains an invalid checksum
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Registers a DLL
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll64.exe (PID: 3692 cmdline: loaddll64.exe "C:\Users\user\Desktop\yoyrJ.dll" MD5: C676FC0263EDD17D4CE7D644B8F3FCD6)
    • conhost.exe (PID: 3096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 976 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\yoyrJ.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 5288 cmdline: rundll32.exe "C:\Users\user\Desktop\yoyrJ.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
        • regsvr32.exe (PID: 5412 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RPhOZPFULSaJ\nMwLrZYwR.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
        • WMIADAP.exe (PID: 5412 cmdline: wmiadap.exe /F /T /R MD5: 9783D0765F31980950445DFD40DB15DA)
    • regsvr32.exe (PID: 5020 cmdline: regsvr32.exe /s C:\Users\user\Desktop\yoyrJ.dll MD5: D78B75FC68247E8A63ACBA846182740E)
      • regsvr32.exe (PID: 5908 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\UgFJoEzLBQVtMeg\qohQcmrlRynEDAUP.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
    • rundll32.exe (PID: 5284 cmdline: rundll32.exe C:\Users\user\Desktop\yoyrJ.dll,DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A)
      • regsvr32.exe (PID: 4644 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YbSMYJyTdzumryV\WWgeEzfCEnB.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
    • regsvr32.exe (PID: 5132 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\OGxcy\dYkxHTuA.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
    • regsvr32.exe (PID: 5132 cmdline: C:\Windows\system32\regsvr32.exe" "C:\Windows\system32\UgFJoEzLBQVtMeg\qohQcmrlRynEDAUP.dll MD5: D78B75FC68247E8A63ACBA846182740E)
      • regsvr32.exe (PID: 4192 cmdline: C:\Windows\system32\regsvr32.exe "C:\Users\user\AppData\Local\ArkmTuxCaKyXkTDZ\fBEZnVEOT.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
  • cleanup
Malware configuration (Emotet): 54 C2 IP:port pairs and two public keys (values omitted)
Source | Rule | Description | Author | Strings
00000007.00000002.828364693.0000000180001000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000007.00000002.828364693.0000000180001000.00000020.00001000.00020000.00000000.sdmp | Windows_Trojan_Emotet_db7d33fa | unknown | unknown
  • 0x171c2:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
  • 0x2a90c:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
  • 0x24ac0:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B
  • 0x1b568:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3
  • 0x216e4:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3
  • 0x2ae01:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3
  • 0x24ad4:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
0000000C.00000002.496080462.0000000000D20000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
0000000C.00000002.496080462.0000000000D20000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Emotet_db7d33fa | unknown | unknown
  • 0x175c2:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
  • 0x2ad0c:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
  • 0x24ec0:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B
  • 0x1b968:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3
  • 0x21ae4:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3
  • 0x2b201:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3
  • 0x24ed4:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
Source | Rule | Description | Author | Strings
0.2.loaddll64.exe.141aeea0000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
0.2.loaddll64.exe.141aeea0000.0.raw.unpack | Windows_Trojan_Emotet_db7d33fa | unknown | unknown
  • 0x175c2:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
  • 0x2ad0c:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
  • 0x24ec0:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B
  • 0x1b968:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3
  • 0x21ae4:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3
  • 0x2b201:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3
  • 0x24ed4:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
7.2.regsvr32.exe.ba0000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
7.2.regsvr32.exe.ba0000.0.raw.unpack | Windows_Trojan_Emotet_db7d33fa | unknown | unknown
  • 0x175c2:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
  • 0x2ad0c:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
  • 0x24ec0:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B
  • 0x1b968:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3
  • 0x21ae4:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3
  • 0x2b201:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3
  • 0x24ed4:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
4.2.rundll32.exe.1ebd2220000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
No Sigma rule has matched

Timestamp: 11/21/22-04:20:47.613393
Source IP: 192.168.2.4
Destination IP: 173.255.211.88
Source Port: 49695
Destination Port: 443
SID: 2404312
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 11/21/22-04:21:09.058938
Source IP: 192.168.2.4
Destination IP: 182.162.143.56
Source Port: 49700
Destination Port: 443
SID: 2404314
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 11/21/22-04:20:53.767379
Source IP: 192.168.2.4
Destination IP: 45.63.99.23
Source Port: 49699
Destination Port: 7080
SID: 2404330
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: yoyrJ.dll | ReversingLabs: Detection: 88%
Source: yoyrJ.dll | Metadefender: Detection: 47%
Source: https://45.63.99.23:7080/ltqyvaphgamn/iuduszibmmiode/zgmecigm/lvlmwwim/ | Avira URL Cloud: Label: malware
Source: https://182.162.143.56/ltqyvaphgamn/iuduszibmmiode/zgmecigm/lvlmwwim/ | Avira URL Cloud: Label: malware
Source: 00000007.00000002.827986155.0000000000C38000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Emotet (C2 list of 54 IP:port pairs and two public keys; values omitted)
Source: unknown | HTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.4:49700 version: TLS 1.2
Source: yoyrJ.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\regsvr32.exe | Code function: 7_2_000000018001E0D4 FindFirstFileW,FindNextFileW,FindClose,

Networking

Source: C:\Windows\System32\regsvr32.exe | Network Connect: 45.63.99.23 7080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 173.255.211.88 443
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 182.162.143.56 443
Source: Traffic | Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.4:49700 -> 182.162.143.56:443
Source: Traffic | Snort IDS: 2404312 ET CNC Feodo Tracker Reported CnC Server TCP group 7 192.168.2.4:49695 -> 173.255.211.88:443
Source: Traffic | Snort IDS: 2404330 ET CNC Feodo Tracker Reported CnC Server TCP group 16 192.168.2.4:49699 -> 45.63.99.23:7080
Source: Malware configuration extractor | IPs: 54 C2 IP:port pairs (list omitted)
Source: Joe Sandbox View | ASN Name: RACKCORP-APRackCorpAU RACKCORP-APRackCorpAU
Source: Joe Sandbox View | ASN Name: INPL-IN-APIshansNetworkIN INPL-IN-APIshansNetworkIN
Source: Joe Sandbox View | JA3 fingerprint: 8916410db85077a5460817142dcbc8de
Source: global traffic | HTTP traffic detected: POST /ltqyvaphgamn/iuduszibmmiode/zgmecigm/lvlmwwim/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Content-Length: 334 | Host: 182.162.143.56
Source: Joe Sandbox View | IP Address: 110.232.117.186 110.232.117.186
Source: Joe Sandbox View | IP Address: 103.132.242.26 103.132.242.26
Source: global traffic | TCP traffic: 192.168.2.4:49699 -> 45.63.99.23:7080
Source: unknown | Network traffic detected: IP country count 20
Source: unknown | Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown | Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown | Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown | TCP traffic detected without corresponding DNS query: 173.255.211.88
Source: unknown | TCP traffic detected without corresponding DNS query: 45.63.99.23
Source: unknown | TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: regsvr32.exe memory dumps (00000007.*) | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe memory dumps (00000007.*) | String found in binary or memory: https://17.63.99.23:7080/
Source: regsvr32.exe memory dumps (00000007.*) | String found in binary or memory: https://182.162.143.56/
Source: regsvr32.exe memory dumps (00000007.*) | String found in binary or memory: https://182.162.143.56/ltqyvaphgamn/iuduszibmmiode/zgmecigm/lvlmwwim/
Source: regsvr32.exe memory dumps (00000007.*) | String found in binary or memory: https://45.63.99.23:7080/ltqyvaphgamn/iuduszibmmiode/zgmecigm/lvlmwwim/
Source: unknown | HTTP traffic detected: POST /ltqyvaphgamn/iuduszibmmiode/zgmecigm/lvlmwwim/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Content-Length: 334 | Host: 182.162.143.56
Source: unknown | HTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.4:49700 version: TLS 1.2

E-Banking Fraud

Source: Yara match | File source: 00000007.00000002.827986155.0000000000C38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.loaddll64.exe.141aeea0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.regsvr32.exe.ba0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.1ebd2220000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.regsvr32.exe.d20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll64.exe.141aeea0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.regsvr32.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.a90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.regsvr32.exe.d20000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.1bbc5810000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.1bbc5810000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.a90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.1ebd2220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.828364693.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.496080462.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.321064194.0000000000A90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.321445782.000001BBC5810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.318945591.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.322205921.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.319306896.000001EBD2220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.496539435.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.827883820.0000000000BA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.320548872.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.322977789.00000141AEEA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

              Source: 0.2.loaddll64.exe.141aeea0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
              Source: 7.2.regsvr32.exe.ba0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
              Source: 4.2.rundll32.exe.1ebd2220000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
              Source: 12.2.regsvr32.exe.d20000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
              Source: 0.2.loaddll64.exe.141aeea0000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
              Source: 7.2.regsvr32.exe.ba0000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
              Source: 3.2.regsvr32.exe.a90000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
              Source: 12.2.regsvr32.exe.d20000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
              Source: 5.2.rundll32.exe.1bbc5810000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
              Source: 5.2.rundll32.exe.1bbc5810000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
              Source: 3.2.regsvr32.exe.a90000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
              Source: 4.2.rundll32.exe.1ebd2220000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
              Source: 00000007.00000002.828364693.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
              Source: 0000000C.00000002.496080462.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
              Source: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
              Source: 00000003.00000002.321064194.0000000000A90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
              Source: 00000005.00000002.321445782.000001BBC5810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
              Source: 00000004.00000002.318945591.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
              Source: 00000003.00000002.322205921.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
              Source: 00000004.00000002.319306896.000001EBD2220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
              Source: 0000000C.00000002.496539435.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
              Source: 00000007.00000002.827883820.0000000000BA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
              Source: 00000005.00000002.320548872.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
              Source: 00000000.00000002.322977789.00000141AEEA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
              Source: 0.2.loaddll64.exe.141aeea0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
              Source: 7.2.regsvr32.exe.ba0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
              Source: 4.2.rundll32.exe.1ebd2220000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
              Source: 12.2.regsvr32.exe.d20000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
              Source: 0.2.loaddll64.exe.141aeea0000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
              Source: 7.2.regsvr32.exe.ba0000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
              Source: 3.2.regsvr32.exe.a90000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
              Source: 12.2.regsvr32.exe.d20000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
              Source: 5.2.rundll32.exe.1bbc5810000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
              Source: 5.2.rundll32.exe.1bbc5810000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
              Source: 3.2.regsvr32.exe.a90000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
              Source: 4.2.rundll32.exe.1ebd2220000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
              Source: 00000007.00000002.828364693.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
              Source: 0000000C.00000002.496080462.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
              Source: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
              Source: 00000003.00000002.321064194.0000000000A90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
              Source: 00000005.00000002.321445782.000001BBC5810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
              Source: 00000004.00000002.318945591.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
              Source: 00000003.00000002.322205921.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
              Source: 00000004.00000002.319306896.000001EBD2220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
              Source: 0000000C.00000002.496539435.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
              Source: 00000007.00000002.827883820.0000000000BA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
              Source: 00000005.00000002.320548872.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
              Source: 00000000.00000002.322977789.00000141AEEA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
              Source: C:\Windows\System32\regsvr32.exe, File deleted: C:\Windows\System32\UgFJoEzLBQVtMeg\qohQcmrlRynEDAUP.dll:Zone.Identifier
              Source: C:\Windows\System32\loaddll64.exe, File created: C:\Windows\system32\OGxcy\
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000B9B4
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180013DBC
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001FDC0
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800131C8
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000D1CC
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800029CC
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000B5CC
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800245D0
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180014DD0
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800191E0
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000FDE4
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001A9F0
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800055F4
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180019E08
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000320C
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180011A19
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001F624
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180003E2C
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180013634
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001BA34
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018002BA3C
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180015240
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180017A40
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180007658
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000C65C
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000FA60
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180025668
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180006668
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180008E68
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001BE70
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001B670
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000A678
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001A27C
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180025280
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180005684
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000CE88
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180021E8C
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018002228C
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001428C
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180018698
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180023E9C
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800016A0
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800072A4
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000D6A4
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018002B6AC
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800026B0
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000CAB4
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000BAD0
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001EEE0
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180025B0C
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180021B10
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000E310
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180003310
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180027F1C
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001FF28
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180011F30
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180010330
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000C334
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180015344
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180003F54
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180006B54
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180029F58
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001A764
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180013B6C
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001337C
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180009B84
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180024788
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001F388
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180019B88
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000C788
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001238C
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180023B90
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001BB98
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018002B39C
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000B3A4
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180010BAE
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800293B4
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800167C4
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000AFD4
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000BBD4
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800137DC
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000ABDC
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180001864
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180008470
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800274F4
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180012108
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180027AE4
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180007F20
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180019F38
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000EB3C
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000FBB4
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180001FE8
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800197F8
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180012BFC
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001EBFC
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180008BFC
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180003800
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180007014
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180015020
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018002A43C
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000E850
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180002C5C
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180013468
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001A470
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180016C70
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180014C80
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000B888
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180011C90
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180021894
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180021094
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180026098
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180005498
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180017CB0
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180025CB8
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000CCB8
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800094BC
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800180C8
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001B4CC
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800278D8
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180003CD8
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001E8E4
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800258E8
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800138F0
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180002504
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001C108
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000E50C
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180014514
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180026518
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180015120
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180015524
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180007130
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180008D40
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018002C144
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000795C
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180001560
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001C57C
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000E97C
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180003990
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800099A0
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800299A4
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000B9B4
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180013DBC
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001FDC0
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800131C8
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000D1CC
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800029CC
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000B5CC
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800245D0
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180014DD0
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800191E0
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000FDE4
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001A9F0
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800055F4
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180019E08
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000320C
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180011A19
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001F624
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180003E2C
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180013634
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001BA34
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018002BA3C
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180015240
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180017A40
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180007658
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000C65C
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000FA60
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180025668
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180006668
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180008E68
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001BE70
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001B670
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000A678
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001A27C
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180025280
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180005684
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000CE88
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180021E8C
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018002228C
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001428C
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180018698
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180023E9C
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800016A0
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800072A4
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000D6A4
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018002B6AC
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800026B0
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000CAB4
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000BAD0
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001EEE0
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180025B0C
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180021B10
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000E310
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180003310
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180027F1C
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001FF28
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180011F30
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180010330
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000C334
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180015344
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180003F54
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180006B54
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180029F58
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001A764
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180013B6C
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001337C
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180009B84
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180024788
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001F388
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180019B88
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000C788
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001238C
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180023B90
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001BB98
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018002B39C
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000B3A4
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180010BAE
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800293B4
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800167C4
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000AFD4
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000BBD4
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800137DC
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000ABDC
              Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000001EBD2250000
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180001864
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180008470
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800274F4
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180012108
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180027AE4
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180007F20
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180019F38
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000EB3C
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000FBB4
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180001FE8
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800197F8
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180012BFC
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001EBFC
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180008BFC
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180003800
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180007014
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180015020
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018002A43C
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000E850
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180002C5C
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180013468
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001A470
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180016C70
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180014C80
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000B888
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180011C90
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180021894
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180021094
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180026098
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180005498
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180017CB0
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180025CB8
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000CCB8
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800094BC
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800180C8
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001B4CC
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800278D8
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180003CD8
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001E8E4
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800258E8
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800138F0
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180002504
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001C108
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000E50C
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180014514
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180026518
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180015120
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180015524
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180007130
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180008D40
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018002C144
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000795C
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180001560
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001C57C
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000E97C
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180003990
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800099A0
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800299A4
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000B9B4
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180013DBC
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001FDC0
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800131C8
              Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000D1CC
              Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
              Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
              Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
              Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
              Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
              Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
              Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
              Source: yoyrJ.dll ReversingLabs: Detection: 88%
              Source: yoyrJ.dll Metadefender: Detection: 47%
              Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\yoyrJ.dll"
              Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\yoyrJ.dll",#1
              Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\yoyrJ.dll
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\yoyrJ.dll",#1
              Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\yoyrJ.dll,DllRegisterServer
              Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RPhOZPFULSaJ\nMwLrZYwR.dll"
              Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\UgFJoEzLBQVtMeg\qohQcmrlRynEDAUP.dll"
              Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YbSMYJyTdzumryV\WWgeEzfCEnB.dll"
              Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\OGxcy\dYkxHTuA.dll"
              Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Users\user\AppData\Local\ArkmTuxCaKyXkTDZ\fBEZnVEOT.dll"
              Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\wbem\WMIADAP.exe wmiadap.exe /F /T /R
              Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\yoyrJ.dll",#1
              Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\yoyrJ.dll
              Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\yoyrJ.dll,DllRegisterServer
              Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\OGxcy\dYkxHTuA.dll"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\yoyrJ.dll",#1
              Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\UgFJoEzLBQVtMeg\qohQcmrlRynEDAUP.dll"
              Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RPhOZPFULSaJ\nMwLrZYwR.dll"
              Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YbSMYJyTdzumryV\WWgeEzfCEnB.dll"
              Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Users\user\AppData\Local\ArkmTuxCaKyXkTDZ\fBEZnVEOT.dll"
              Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
              Source: C:\Windows\System32\regsvr32.exeFile created: C:\Users\user\AppData\Local\ArkmTuxCaKyXkTDZ\Jump to behavior
              Source: classification engineClassification label: mal100.troj.evad.winDLL@21/2@0/54
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF88C3038E8 CreateWindowExW,RegisterTouchWindow,MessageBoxW,CoCreateInstance,ShowWindow,UpdateWindow,
              Source: C:\Windows\System32\loaddll64.exeFile read: C:\Users\desktop.iniJump to behavior
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00000001800274F4 FindCloseChangeNotification,Process32FirstW,CreateToolhelp32Snapshot,
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\yoyrJ.dll",#1
              Source: C:\Windows\System32\wbem\WMIADAP.exeMutant created: \BaseNamedObjects\Global\RefreshRA_Mutex
              Source: C:\Windows\System32\wbem\WMIADAP.exeMutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Flag
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3096:120:WilError_01
              Source: C:\Windows\System32\wbem\WMIADAP.exeMutant created: \BaseNamedObjects\Global\ADAP_WMI_ENTRY
              Source: C:\Windows\System32\wbem\WMIADAP.exeMutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Lib
              Source: C:\Windows\System32\regsvr32.exeAutomated click: OK
              Source: C:\Windows\System32\regsvr32.exeAutomated click: OK
              Source: C:\Windows\System32\regsvr32.exeAutomated click: OK
              Source: C:\Windows\System32\regsvr32.exeAutomated click: OK
              Source: C:\Windows\System32\regsvr32.exeAutomated click: OK
              Source: C:\Windows\System32\regsvr32.exeAutomated click: OK
              Source: C:\Windows\System32\wbem\WMIADAP.exeAutomated click: OK
              Source: C:\Windows\System32\wbem\WMIADAP.exeAutomated click: OK
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: yoyrJ.dllStatic PE information: Image base 0x180000000 > 0x60000000
              Source: yoyrJ.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000180005098 push ebp; ret
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00000001800118AD push esp; retn 0000h
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00000001800170C8 push eax; retf
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00000001800170DD push ecx; iretd
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000018000512B push ebp; retf
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000180004938 push eax; ret
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00000001800171F0 push eax; retf
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000180010F42 push 8B48E1F7h; retf
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00000001800117D6 pushad ; ret
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180005098 push ebp; ret
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800118AD push esp; retn 0000h
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800170C8 push eax; retf
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800170DD push ecx; iretd
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000512B push ebp; retf
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180004938 push eax; ret
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800171F0 push eax; retf
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180010F42 push 8B48E1F7h; retf
              Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800117D6 pushad ; ret
              Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180005098 push ebp; ret
              Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800118AD push esp; retn 0000h
              Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800170C8 push eax; retf
              Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800170DD push ecx; iretd
              Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000512B push ebp; retf
              Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180004938 push eax; ret
              Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800171F0 push eax; retf
              Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180010F42 push 8B48E1F7h; retf
              Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800117D6 pushad ; ret
              Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180005098 push ebp; ret
              Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000001800118AD push esp; retn 0000h
              Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000001800170C8 push eax; retf
              Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000001800170DD push ecx; iretd
              Source: yoyrJ.dllStatic PE information: section name: text
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF88C312ED4 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
              Source: yoyrJ.dllStatic PE information: real checksum: 0x6e4a7 should be: 0x72327
              Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\yoyrJ.dll
              Source: C:\Windows\System32\regsvr32.exePE file moved: C:\Windows\System32\UgFJoEzLBQVtMeg\qohQcmrlRynEDAUP.dllJump to behavior

              Boot Survival

              Source: C:\Windows\System32\regsvr32.exe -- Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qohQcmrlRynEDAUP.dll
              Source: C:\Windows\System32\regsvr32.exe -- Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qohQcmrlRynEDAUP.dll
              Source: C:\Windows\System32\regsvr32.exe -- Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qohQcmrlRynEDAUP.dll

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Windows\System32\loaddll64.exe -- File opened: C:\Windows\system32\OGxcy\dYkxHTuA.dll:Zone.Identifier read attributes | delete
              Source: C:\Windows\System32\regsvr32.exe -- File opened: C:\Windows\system32\UgFJoEzLBQVtMeg\qohQcmrlRynEDAUP.dll:Zone.Identifier read attributes | delete
              Source: C:\Windows\System32\rundll32.exe -- File opened: C:\Windows\system32\RPhOZPFULSaJ\nMwLrZYwR.dll:Zone.Identifier read attributes | delete
              Source: C:\Windows\System32\rundll32.exe -- File opened: C:\Windows\system32\YbSMYJyTdzumryV\WWgeEzfCEnB.dll:Zone.Identifier read attributes | delete
              Source: C:\Windows\System32\regsvr32.exe -- File opened: C:\Users\user\AppData\Local\ArkmTuxCaKyXkTDZ\fBEZnVEOT.dll:Zone.Identifier read attributes | delete
              Source: C:\Windows\System32\rundll32.exe -- Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\rundll32.exe -- Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\rundll32.exe -- Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\rundll32.exe -- Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\regsvr32.exe -- Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\regsvr32.exe -- Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wbem\WMIADAP.exe -- Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\Windows\System32\regsvr32.exe TID: 5396 -- Thread sleep time: -60000s >= -30000s
              Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 1664 -- Thread sleep count: 2698 > 30
              Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 1664 -- Thread sleep count: 2698 > 30
              Source: C:\Windows\System32\conhost.exe -- Last function: Thread delayed
              Source: C:\Windows\System32\wbem\WMIADAP.exe -- Window / User API: threadDelayed 2698
              Source: C:\Windows\System32\wbem\WMIADAP.exe -- Window / User API: threadDelayed 2698
              Source: C:\Windows\System32\loaddll64.exe -- Process information queried: ProcessInformation
              Source: C:\Windows\System32\regsvr32.exe -- Code function: 7_2_000000018001E0D4 FindFirstFileW,FindNextFileW,FindClose,
              Source: C:\Windows\System32\regsvr32.exe -- File Volume queried: C:\ FullSizeInformation
              Source: C:\Windows\System32\rundll32.exe -- File Volume queried: C:\ FullSizeInformation
              Source: C:\Windows\System32\regsvr32.exe -- File Volume queried: C:\ FullSizeInformation
              Source: regsvr32.exe, 00000007.00000003.585862169.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.828134623.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584870026.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584622965.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.828052946.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.456389200.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.456205938.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.456259811.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584908649.0000000000CBA000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW
              Source: regsvr32.exe, 00000007.00000003.585862169.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.828134623.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584870026.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.456389200.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.456205938.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584908649.0000000000CBA000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAWf
              Source: loaddll64.exe, 00000000.00000003.320147566.00000141AEF45000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\C
              Source: C:\Windows\System32\loaddll64.exe -- Code function: 0_2_00007FF88C304980 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
              Source: C:\Windows\System32\loaddll64.exe -- Code function: 0_2_00007FF88C312ED4 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
              Source: C:\Windows\System32\loaddll64.exe -- Code function: 0_2_00007FF88C304980 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
              Source: C:\Windows\System32\loaddll64.exe -- Code function: 0_2_00007FF88C3091F4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Windows\System32\regsvr32.exe -- Network Connect: 45.63.99.23 7080
              Source: C:\Windows\System32\regsvr32.exe -- Network Connect: 173.255.211.88 443
              Source: C:\Windows\System32\regsvr32.exe -- Network Connect: 182.162.143.56 443
              Source: C:\Windows\System32\cmd.exe -- Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\yoyrJ.dll",#1
              Source: C:\Windows\System32\regsvr32.exe -- Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\loaddll64.exe -- Code function: _getptd,GetLocaleInfoA,GetLocaleInfoW,
              Source: C:\Windows\System32\loaddll64.exe -- Code function: EnumSystemLocalesA,
              Source: C:\Windows\System32\loaddll64.exe -- Code function: EnumSystemLocalesA,
              Source: C:\Windows\System32\loaddll64.exe -- Code function: EnumSystemLocalesA,
              Source: C:\Windows\System32\loaddll64.exe -- Code function: _getptd,EnumSystemLocalesA,GetUserDefaultLCID,GetLocaleInfoW,GetLocaleInfoW,GetACP,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,_itow_s,
              Source: C:\Windows\System32\loaddll64.exe -- Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
              Source: C:\Windows\System32\loaddll64.exe -- Code function: _getptd,GetLocaleInfoA,
              Source: C:\Windows\System32\loaddll64.exe -- Code function: GetLocaleInfoW,
              Source: C:\Windows\System32\loaddll64.exe -- Code function: _getptd,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoW,
              Source: C:\Windows\System32\loaddll64.exe -- Code function: GetLastError,free,free,GetLocaleInfoW,GetLocaleInfoW,free,GetLocaleInfoW,
              Source: C:\Windows\System32\loaddll64.exe -- Code function: GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,free,
              Source: C:\Windows\System32\regsvr32.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: C:\Windows\System32\loaddll64.exe -- Code function: 0_2_00007FF88C308C48 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
              Source: C:\Windows\System32\loaddll64.exe -- Code function: 0_2_00007FF88C3075D0 HeapCreate,GetVersion,HeapSetInformation,

              Stealing of Sensitive Information

              Source: Yara match -- File source: 00000007.00000002.827986155.0000000000C38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match -- File source: 0.2.loaddll64.exe.141aeea0000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match -- File source: 7.2.regsvr32.exe.ba0000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match -- File source: 4.2.rundll32.exe.1ebd2220000.0.unpack, type: UNPACKEDPE
              Source: Yara match -- File source: 12.2.regsvr32.exe.d20000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match -- File source: 0.2.loaddll64.exe.141aeea0000.0.unpack, type: UNPACKEDPE
              Source: Yara match -- File source: 7.2.regsvr32.exe.ba0000.0.unpack, type: UNPACKEDPE
              Source: Yara match -- File source: 3.2.regsvr32.exe.a90000.0.unpack, type: UNPACKEDPE
              Source: Yara match -- File source: 12.2.regsvr32.exe.d20000.0.unpack, type: UNPACKEDPE
              Source: Yara match -- File source: 5.2.rundll32.exe.1bbc5810000.0.unpack, type: UNPACKEDPE
              Source: Yara match -- File source: 5.2.rundll32.exe.1bbc5810000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match -- File source: 3.2.regsvr32.exe.a90000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match -- File source: 4.2.rundll32.exe.1ebd2220000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match -- File source: 00000007.00000002.828364693.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match -- File source: 0000000C.00000002.496080462.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match -- File source: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match -- File source: 00000003.00000002.321064194.0000000000A90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match -- File source: 00000005.00000002.321445782.000001BBC5810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match -- File source: 00000004.00000002.318945591.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match -- File source: 00000003.00000002.322205921.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match -- File source: 00000004.00000002.319306896.000001EBD2220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match -- File source: 0000000C.00000002.496539435.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match -- File source: 00000007.00000002.827883820.0000000000BA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match -- File source: 00000005.00000002.320548872.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match -- File source: 00000000.00000002.322977789.00000141AEEA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              MITRE ATT&CK matrix (techniques listed per tactic; the number in parentheses is the count shown next to that technique in the report):

              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
              Execution: Native API (1); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
              Persistence: Registry Run Keys / Startup Folder (11); DLL Side-Loading (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
              Privilege Escalation: Process Injection (111); Registry Run Keys / Startup Folder (11); DLL Side-Loading (1); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
              Defense Evasion: Masquerading (21); Virtualization/Sandbox Evasion (1); Process Injection (111); Hidden Files and Directories (1); Obfuscated Files or Information (1); Regsvr32 (1); Rundll32 (1); DLL Side-Loading (1); File Deletion (1)
              Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
              Discovery: System Time Discovery (1); Security Software Discovery (11); Virtualization/Sandbox Evasion (1); Process Discovery (2); Application Window Discovery (1); File and Directory Discovery (2); System Information Discovery (25); Network Service Scanning; System Network Connections Discovery
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
              Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
              Command and Control: Encrypted Channel (11); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
              Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
              Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
              Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction
              Behavior Graph (rendered graph not recoverable from this page) -- ID: 750476, Sample: yoyrJ.dll, Start date: 21/11/2022, Architecture: WINDOWS, Score: 100. Contacted hosts include 129.232.188.93 (xneelo, South Africa), 45.235.8.30 (WIKINET TELECOMUNICACOES, Brazil) and 49 other IPs or domains. Process tree: loaddll64.exe starts regsvr32.exe, cmd.exe, rundll32.exe and 3 other processes; cmd.exe starts rundll32.exe, which in turn starts WMIADAP.exe and regsvr32.exe; the regsvr32.exe child of the first regsvr32.exe connects to 173.255.211.88:443 and 172.255.211.88-hosted Linode (United States), 182.162.143.56:443 (LGDACOM, Korea Republic of) and 45.63.99.23:7080 (AS-CHOOPA, United States). Graph signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 3 other signatures; Hides that the sample has been downloaded from the Internet (zone.identifier); System process connects to network (likely due to code injection or exploit); Creates an autostart registry key pointing to binary in C:\Windows.

              Source | Detection | Scanner | Label
              yoyrJ.dll | 88% | ReversingLabs | Win64.Trojan.Emotet
              yoyrJ.dll | 48% | Metadefender |
              No Antivirus matches
              Source | Detection | Scanner | Label
              12.2.regsvr32.exe.d20000.0.unpack | 100% | Avira | HEUR/AGEN.1215461
              5.2.rundll32.exe.1bbc5810000.0.unpack | 100% | Avira | HEUR/AGEN.1215461
              7.2.regsvr32.exe.ba0000.0.unpack | 100% | Avira | HEUR/AGEN.1215461
              0.2.loaddll64.exe.141aeea0000.0.unpack | 100% | Avira | HEUR/AGEN.1215461
              3.2.regsvr32.exe.a90000.0.unpack | 100% | Avira | HEUR/AGEN.1215461
              4.2.rundll32.exe.1ebd2220000.0.unpack | 100% | Avira | HEUR/AGEN.1215461
              No Antivirus matches
              Source | Detection | Scanner | Label
              https://182.162.143.56/ | 0% | URL Reputation | safe
              https://17.63.99.23:7080/ | 0% | Avira URL Cloud | safe
              https://182.162.143.56/ltqyvaphgamn/iuduszibmmiode/zgmecigm/lvlmwwim/ | 100% | Avira URL Cloud | malware
              https://45.63.99.23:7080/ltqyvaphgamn/iuduszibmmiode/zgmecigm/lvlmwwim/ | 100% | Avira URL Cloud | malware
              No contacted domains info
              Name | Malicious | Antivirus Detection | Reputation
              https://182.162.143.56/ltqyvaphgamn/iuduszibmmiode/zgmecigm/lvlmwwim/ | true | Avira URL Cloud: malware | unknown
              Name | Source | Malicious | Antivirus Detection | Reputation
              https://45.63.99.23:7080/ltqyvaphgamn/iuduszibmmiode/zgmecigm/lvlmwwim/ | regsvr32.exe, 00000007.00000003.585426852.0000000000C87000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584653863.0000000000C86000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.585349266.0000000000C86000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.828075611.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.456277440.0000000000C86000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.585829274.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
              https://182.162.143.56/ | regsvr32.exe, 00000007.00000003.585862169.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.828134623.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584870026.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.456389200.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.456205938.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584908649.0000000000CBA000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://17.63.99.23:7080/ | regsvr32.exe, 00000007.00000003.585372915.0000000000C91000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.828083663.0000000000C91000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.585447802.0000000000C91000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.585835870.0000000000C91000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584690393.0000000000C91000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.456292772.0000000000C91000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              Joe Sandbox Version:36.0.0 Rainbow Opal
              Analysis ID:750476
              Start date and time:2022-11-21 04:19:06 +01:00
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 9m 21s
              Hypervisor based Inspection enabled:false
              Report type:light
              Sample file name:yoyrJ.dll
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
               Number of new started processes analysed:17
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Detection:MAL
              Classification:mal100.troj.evad.winDLL@21/2@0/54
              EGA Information:
              • Successful, ratio: 100%
              HDC Information:
              • Successful, ratio: 67.7% (good quality ratio 58.8%)
              • Quality average: 65.2%
              • Quality standard deviation: 35.3%
              HCA Information:
              • Successful, ratio: 100%
              • Number of executed functions: 0
              • Number of non-executed functions: 0
              Cookbook Comments:
              • Found application associated with file extension: .dll
              • Override analysis time to 240s for rundll32
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, conhost.exe, backgroundTaskHost.exe
               • Not all processes were analyzed, report is missing behavior information
              • Report size exceeded maximum capacity and may have missing behavior information.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • VT rate limit hit for: yoyrJ.dll
               Time | Type | Description
               04:20:48 | API Interceptor | 3x Sleep call for process: regsvr32.exe modified
               04:21:17 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run qohQcmrlRynEDAUP.dll C:\Windows\system32\regsvr32.exe "C:\Windows\system32\UgFJoEzLBQVtMeg\qohQcmrlRynEDAUP.dll"
              Process:C:\Windows\System32\wbem\WMIADAP.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):3444
              Entropy (8bit):5.011954215267298
              Encrypted:false
              SSDEEP:48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
              MD5:B133A676D139032A27DE3D9619E70091
              SHA1:1248AA89938A13640252A79113930EDE2F26F1FA
              SHA-256:AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
              SHA-512:C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
              Malicious:false
              Preview://////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai
              File type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
              Entropy (8bit):6.773063357716462
              TrID:
              • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
              • Win64 Executable (generic) (12005/4) 10.17%
              • Generic Win/DOS Executable (2004/3) 1.70%
              • DOS Executable Generic (2002/1) 1.70%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
              File name:yoyrJ.dll
              File size:433152
              MD5:dd7105e9748a29b5bd61ea57214d57e3
              SHA1:827b323bda769ba7fb838a231aa4160209266b14
              SHA256:c987ad0cc79b598bdee9ec7da96b07e82a04cadd73cb3caf85b799731deef9a1
              SHA512:beca102422697e4cd50b81289bdc5097935f11c0c5acc86b7a69893fb819a3cd225e4b2594a2bb40163fbd68d7ac281b0ff260f30b55cf188112445eb26986b7
              SSDEEP:6144:PZUCuTJlyIOziaTGy+IeIt1xJh5eWhv/w62LcuPv8cD4mRKqdONyAzDxkMwp2/uw:Py7EzZ4+HvY62LxHJ4KTGDlT
              TLSH:1C94E141365506F1C9378334CA931E4BE832740A5335A64F02A9D5F67F7B761AB2F32A
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........?...l...l...l...l...l...l...l../l...l..2l...l.."l...l...l...l...l...l..*l...l..+l...l..,l...lRich...l................PE..d..
              Icon Hash:74f0e4ecccdce0e4
              Entrypoint:0x180005bdc
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x180000000
              Subsystem:windows gui
              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
              Time Stamp:0x636D291C [Thu Nov 10 16:38:52 2022 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:5
              OS Version Minor:2
              File Version Major:5
              File Version Minor:2
              Subsystem Version Major:5
              Subsystem Version Minor:2
              Import Hash:b3da9e0a2ac4751e0c486ad7cdc326f7
              Instruction
              dec eax
              mov dword ptr [esp+08h], ebx
              dec eax
              mov dword ptr [esp+10h], esi
              push edi
              dec eax
              sub esp, 20h
              dec ecx
              mov edi, eax
              mov ebx, edx
              dec eax
              mov esi, ecx
              cmp edx, 01h
              jne 00007FFA20ABA017h
              call 00007FFA20ABD060h
              dec esp
              mov eax, edi
              mov edx, ebx
              dec eax
              mov ecx, esi
              dec eax
              mov ebx, dword ptr [esp+30h]
              dec eax
              mov esi, dword ptr [esp+38h]
              dec eax
              add esp, 20h
              pop edi
              jmp 00007FFA20AB9EBCh
              int3
              int3
              int3
              dec eax
              mov dword ptr [esp+08h], ecx
              dec eax
              sub esp, 00000088h
              dec eax
              lea ecx, dword ptr [00062F31h]
              call dword ptr [0001C543h]
              dec eax
              mov eax, dword ptr [0006301Ch]
              dec eax
              mov dword ptr [esp+58h], eax
              inc ebp
              xor eax, eax
              dec eax
              lea edx, dword ptr [esp+60h]
              dec eax
              mov ecx, dword ptr [esp+58h]
              call 00007FFA20AD2638h
              dec eax
              mov dword ptr [esp+50h], eax
              dec eax
              cmp dword ptr [esp+50h], 00000000h
              je 00007FFA20ABA053h
              dec eax
              mov dword ptr [esp+38h], 00000000h
              dec eax
              lea eax, dword ptr [esp+48h]
              dec eax
              mov dword ptr [esp+30h], eax
              dec eax
              lea eax, dword ptr [esp+40h]
              dec eax
              mov dword ptr [esp+28h], eax
              dec eax
              lea eax, dword ptr [00062EDCh]
              dec eax
              mov dword ptr [esp+20h], eax
              dec esp
              mov ecx, dword ptr [esp+50h]
              dec esp
              mov eax, dword ptr [esp+58h]
              dec eax
              mov edx, dword ptr [esp+60h]
              xor ecx, ecx
              call 00007FFA20AD25E6h
              jmp 00007FFA20ABA034h
              dec eax
              mov eax, dword ptr [eax+eax+00000000h]
              Programming Language:
              • [C++] VS2010 build 30319
              • [ C ] VS2010 build 30319
              • [ASM] VS2010 build 30319
              • [ C ] VS2008 SP1 build 30729
              • [IMP] VS2008 SP1 build 30729
              • [EXP] VS2010 build 30319
              • [RES] VS2010 build 30319
              • [LNK] VS2010 build 30319
               Name | Virtual Address | Virtual Size | Is in Section
               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x66770 | 0x57 | .rdata
               IMAGE_DIRECTORY_ENTRY_IMPORT | 0x65cb4 | 0x64 | .rdata
               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6d000 | 0x254 | .rsrc
               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x6a000 | 0x1ac4 | .pdata
               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6e000 | 0x3ec | .reloc
               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
               IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
               IMAGE_DIRECTORY_ENTRY_IAT | 0x22000 | 0x338 | .rdata
               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
               Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
               .text | 0x1000 | 0x20182 | 0x20200 | False | 0.5494513010700389 | data | 6.563588075042218 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
               .rdata | 0x22000 | 0x447c7 | 0x44800 | False | 0.6747904311131386 | data | 6.184568591532381 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
               .data | 0x67000 | 0x2fd0 | 0x1c00 | False | 0.291015625 | data | 3.404968127612506 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
               .pdata | 0x6a000 | 0x1ac4 | 0x1c00 | False | 0.46861049107142855 | data | 5.279471356455433 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
               text | 0x6c000 | 0x91d | 0xa00 | False | 0.389453125 | data | 5.167000712138923 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE
               .rsrc | 0x6d000 | 0x254 | 0x400 | False | 0.3134765625 | data | 4.723033814693597 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
               .reloc | 0x6e000 | 0x7f6 | 0x800 | False | 0.35693359375 | data | 3.497910650248424 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
               Name | RVA | Size | Type | Language | Country
               RT_STRING | 0x6d0a0 | 0x58 | data | English | United States
               RT_MANIFEST | 0x6d0f8 | 0x15a | ASCII text, with CRLF line terminators | English | United States
               DLL | Import
               USER32.dll | TranslateMessage, DefWindowProcW, UpdateWindow, MessageBoxW, CreateWindowExW, EndPaint, DestroyWindow, TranslateAcceleratorW, GetMessageW, PostQuitMessage, LoadCursorW, BeginPaint, DispatchMessageW, GetTouchInputInfo, RegisterClassExW, RegisterTouchWindow, InvalidateRect, CloseTouchInputHandle, LoadStringW, ShowWindow, UnregisterTouchWindow
               GDI32.dll | LineTo, DeleteObject, SelectObject, Polyline, CreatePen, MoveToEx
               ole32.dll | CoUninitialize, CoInitialize, CoLoadLibrary, CoCreateInstance
               KERNEL32.dll | HeapReAlloc, GetLocaleInfoW, LoadLibraryW, FreeLibrary, SetConsoleCtrlHandler, IsValidCodePage, GetOEMCP, LCMapStringW, GetCPInfo, GetStringTypeW, EnterCriticalSection, FatalAppExitA, LeaveCriticalSection, GetSystemTimeAsFileTime, GetCurrentProcessId, MultiByteToWideChar, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, GetACP, GetModuleHandleW, GetTickCount, QueryPerformanceCounter, GetEnvironmentStringsW, WideCharToMultiByte, FreeEnvironmentStringsW, HeapAlloc, EncodePointer, DecodePointer, GetCurrentThreadId, FlsSetValue, GetCommandLineA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, GetLastError, HeapFree, GetProcAddress, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameW, HeapSetInformation, GetVersion, HeapCreate, HeapDestroy, Sleep, HeapSize, RtlUnwindEx, RaiseException, RtlPcToFileHeader, FlsGetValue, FlsFree, SetLastError, GetCurrentThread, FlsAlloc, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, GetStartupInfoW, DeleteCriticalSection, GetModuleFileNameA
               Name | Ordinal | Address
               DllRegisterServer | 1 | 0x180003854
               Language of compilation system | Country where language is spoken | Map
               English | United States |
               Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
               11/21/22-04:20:47.613393 | TCP | 2404312 | ET CNC Feodo Tracker Reported CnC Server TCP group 7 | 49695 | 443 | 192.168.2.4 | 173.255.211.88
               11/21/22-04:21:09.058938 | TCP | 2404314 | ET CNC Feodo Tracker Reported CnC Server TCP group 8 | 49700 | 443 | 192.168.2.4 | 182.162.143.56
               11/21/22-04:20:53.767379 | TCP | 2404330 | ET CNC Feodo Tracker Reported CnC Server TCP group 16 | 49699 | 7080 | 192.168.2.4 | 45.63.99.23
               Timestamp | Source Port | Dest Port | Source IP | Dest IP
               Nov 21, 2022 04:20:47.613393068 CET | 49695 | 443 | 192.168.2.4 | 173.255.211.88
               Nov 21, 2022 04:20:47.613487959 CET | 443 | 49695 | 173.255.211.88 | 192.168.2.4
               Nov 21, 2022 04:20:47.613646030 CET | 49695 | 443 | 192.168.2.4 | 173.255.211.88
               Nov 21, 2022 04:20:47.621453047 CET | 49695 | 443 | 192.168.2.4 | 173.255.211.88
               Nov 21, 2022 04:20:47.621525049 CET | 443 | 49695 | 173.255.211.88 | 192.168.2.4
               Nov 21, 2022 04:20:47.796107054 CET | 443 | 49695 | 173.255.211.88 | 192.168.2.4
               Nov 21, 2022 04:20:47.797595978 CET | 49696 | 443 | 192.168.2.4 | 173.255.211.88
               Nov 21, 2022 04:20:47.797673941 CET | 443 | 49696 | 173.255.211.88 | 192.168.2.4
               Nov 21, 2022 04:20:47.797794104 CET | 49696 | 443 | 192.168.2.4 | 173.255.211.88
               Nov 21, 2022 04:20:47.798702002 CET | 49696 | 443 | 192.168.2.4 | 173.255.211.88
               Nov 21, 2022 04:20:47.798731089 CET | 443 | 49696 | 173.255.211.88 | 192.168.2.4
               Nov 21, 2022 04:20:47.975795984 CET | 443 | 49696 | 173.255.211.88 | 192.168.2.4
               Nov 21, 2022 04:20:47.977385998 CET | 49697 | 443 | 192.168.2.4 | 173.255.211.88
               Nov 21, 2022 04:20:47.977452040 CET | 443 | 49697 | 173.255.211.88 | 192.168.2.4
               Nov 21, 2022 04:20:47.977592945 CET | 49697 | 443 | 192.168.2.4 | 173.255.211.88
               Nov 21, 2022 04:20:47.979526997 CET | 49697 | 443 | 192.168.2.4 | 173.255.211.88
               Nov 21, 2022 04:20:47.979572058 CET | 443 | 49697 | 173.255.211.88 | 192.168.2.4
               Nov 21, 2022 04:20:48.151135921 CET | 443 | 49697 | 173.255.211.88 | 192.168.2.4
               Nov 21, 2022 04:20:48.152781963 CET | 49698 | 443 | 192.168.2.4 | 173.255.211.88
               Nov 21, 2022 04:20:48.152836084 CET | 443 | 49698 | 173.255.211.88 | 192.168.2.4
               Nov 21, 2022 04:20:48.152923107 CET | 49698 | 443 | 192.168.2.4 | 173.255.211.88
               Nov 21, 2022 04:20:48.153774023 CET | 49698 | 443 | 192.168.2.4 | 173.255.211.88
               Nov 21, 2022 04:20:48.153799057 CET | 443 | 49698 | 173.255.211.88 | 192.168.2.4
               Nov 21, 2022 04:20:48.328830957 CET | 443 | 49698 | 173.255.211.88 | 192.168.2.4
               Nov 21, 2022 04:20:53.767379045 CET | 49699 | 7080 | 192.168.2.4 | 45.63.99.23
               Nov 21, 2022 04:20:56.771694899 CET | 49699 | 7080 | 192.168.2.4 | 45.63.99.23
               Nov 21, 2022 04:21:02.787986040 CET | 49699 | 7080 | 192.168.2.4 | 45.63.99.23
               Nov 21, 2022 04:21:09.058938026 CET | 49700 | 443 | 192.168.2.4 | 182.162.143.56
               Nov 21, 2022 04:21:09.059000969 CET | 443 | 49700 | 182.162.143.56 | 192.168.2.4
               Nov 21, 2022 04:21:09.059458971 CET | 49700 | 443 | 192.168.2.4 | 182.162.143.56
               Nov 21, 2022 04:21:09.062942028 CET | 49700 | 443 | 192.168.2.4 | 182.162.143.56
               Nov 21, 2022 04:21:09.063020945 CET | 443 | 49700 | 182.162.143.56 | 192.168.2.4
               Nov 21, 2022 04:21:09.821538925 CET | 443 | 49700 | 182.162.143.56 | 192.168.2.4
               Nov 21, 2022 04:21:09.821768045 CET | 49700 | 443 | 192.168.2.4 | 182.162.143.56
               Nov 21, 2022 04:21:09.830401897 CET | 49700 | 443 | 192.168.2.4 | 182.162.143.56
               Nov 21, 2022 04:21:09.830475092 CET | 443 | 49700 | 182.162.143.56 | 192.168.2.4
               Nov 21, 2022 04:21:09.830936909 CET | 443 | 49700 | 182.162.143.56 | 192.168.2.4
               Nov 21, 2022 04:21:09.882251024 CET | 49700 | 443 | 192.168.2.4 | 182.162.143.56
               Nov 21, 2022 04:21:10.165709019 CET | 49700 | 443 | 192.168.2.4 | 182.162.143.56
               Nov 21, 2022 04:21:10.165743113 CET | 443 | 49700 | 182.162.143.56 | 192.168.2.4
               Nov 21, 2022 04:21:10.165755987 CET | 49700 | 443 | 192.168.2.4 | 182.162.143.56
               Nov 21, 2022 04:21:10.165762901 CET | 443 | 49700 | 182.162.143.56 | 192.168.2.4
               Nov 21, 2022 04:21:11.838960886 CET | 443 | 49700 | 182.162.143.56 | 192.168.2.4
               Nov 21, 2022 04:21:11.839132071 CET | 443 | 49700 | 182.162.143.56 | 192.168.2.4
               Nov 21, 2022 04:21:11.839271069 CET | 49700 | 443 | 192.168.2.4 | 182.162.143.56
               Nov 21, 2022 04:21:11.840809107 CET | 49700 | 443 | 192.168.2.4 | 182.162.143.56
               Nov 21, 2022 04:21:11.840810061 CET | 49700 | 443 | 192.168.2.4 | 182.162.143.56
               Nov 21, 2022 04:21:11.840852022 CET | 443 | 49700 | 182.162.143.56 | 192.168.2.4
               Nov 21, 2022 04:21:11.840873957 CET | 443 | 49700 | 182.162.143.56 | 192.168.2.4

              Target ID:0
              Start time:04:20:01
              Start date:21/11/2022
              Path:C:\Windows\System32\loaddll64.exe
              Wow64 process (32bit):false
              Commandline:loaddll64.exe "C:\Users\user\Desktop\yoyrJ.dll"
              Imagebase:0x7ff76b0a0000
              File size:139776 bytes
              MD5 hash:C676FC0263EDD17D4CE7D644B8F3FCD6
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Emotet_db7d33fa, Description: unknown, Source: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.322977789.00000141AEEA0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Emotet_db7d33fa, Description: unknown, Source: 00000000.00000002.322977789.00000141AEEA0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
              Reputation:high

              Target ID:1
              Start time:04:20:01
              Start date:21/11/2022
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff7c72c0000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:2
              Start time:04:20:02
              Start date:21/11/2022
              Path:C:\Windows\System32\cmd.exe
              Wow64 process (32bit):false
              Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\yoyrJ.dll",#1
              Imagebase:0x7ff632260000
              File size:273920 bytes
              MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:3
              Start time:04:20:02
              Start date:21/11/2022
              Path:C:\Windows\System32\regsvr32.exe
              Wow64 process (32bit):false
              Commandline:regsvr32.exe /s C:\Users\user\Desktop\yoyrJ.dll
              Imagebase:0x7ff7458f0000
              File size:24064 bytes
              MD5 hash:D78B75FC68247E8A63ACBA846182740E
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.321064194.0000000000A90000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Emotet_db7d33fa, Description: unknown, Source: 00000003.00000002.321064194.0000000000A90000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.322205921.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Emotet_db7d33fa, Description: unknown, Source: 00000003.00000002.322205921.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
              Reputation:high

              Target ID:4
              Start time:04:20:02
              Start date:21/11/2022
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe "C:\Users\user\Desktop\yoyrJ.dll",#1
              Imagebase:0x7ff6a4af0000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.318945591.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Emotet_db7d33fa, Description: unknown, Source: 00000004.00000002.318945591.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.319306896.000001EBD2220000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Emotet_db7d33fa, Description: unknown, Source: 00000004.00000002.319306896.000001EBD2220000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
              Reputation:high

              Target ID:5
              Start time:04:20:02
              Start date:21/11/2022
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe C:\Users\user\Desktop\yoyrJ.dll,DllRegisterServer
              Imagebase:0x7ff6a4af0000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.321445782.000001BBC5810000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Emotet_db7d33fa, Description: unknown, Source: 00000005.00000002.321445782.000001BBC5810000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.320548872.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Emotet_db7d33fa, Description: unknown, Source: 00000005.00000002.320548872.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
              Reputation:high

              Target ID:6
              Start time:04:20:07
              Start date:21/11/2022
              Path:C:\Windows\System32\regsvr32.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RPhOZPFULSaJ\nMwLrZYwR.dll"
              Imagebase:0x7ff7458f0000
              File size:24064 bytes
              MD5 hash:D78B75FC68247E8A63ACBA846182740E
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:7
              Start time:04:20:07
              Start date:21/11/2022
              Path:C:\Windows\System32\regsvr32.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\regsvr32.exe "C:\Windows\system32\UgFJoEzLBQVtMeg\qohQcmrlRynEDAUP.dll"
              Imagebase:0x7ff7458f0000
              File size:24064 bytes
              MD5 hash:D78B75FC68247E8A63ACBA846182740E
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.828364693.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Emotet_db7d33fa, Description: unknown, Source: 00000007.00000002.828364693.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.827883820.0000000000BA0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Emotet_db7d33fa, Description: unknown, Source: 00000007.00000002.827883820.0000000000BA0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_Emotet_3, Description: Yara detected Emotet, Source: 00000007.00000002.827986155.0000000000C38000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security

              Target ID:8
              Start time:04:20:07
              Start date:21/11/2022
              Path:C:\Windows\System32\regsvr32.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YbSMYJyTdzumryV\WWgeEzfCEnB.dll"
              Imagebase:0x7ff7458f0000
              File size:24064 bytes
              MD5 hash:D78B75FC68247E8A63ACBA846182740E
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:9
              Start time:04:20:08
              Start date:21/11/2022
              Path:C:\Windows\System32\regsvr32.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\regsvr32.exe "C:\Windows\system32\OGxcy\dYkxHTuA.dll"
              Imagebase:0x7ff7458f0000
              File size:24064 bytes
              MD5 hash:D78B75FC68247E8A63ACBA846182740E
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:12
              Start time:04:21:26
              Start date:21/11/2022
              Path:C:\Windows\System32\regsvr32.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\regsvr32.exe" "C:\Windows\system32\UgFJoEzLBQVtMeg\qohQcmrlRynEDAUP.dll
              Imagebase:0x7ff7458f0000
              File size:24064 bytes
              MD5 hash:D78B75FC68247E8A63ACBA846182740E
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.496080462.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Emotet_db7d33fa, Description: unknown, Source: 0000000C.00000002.496080462.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.496539435.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Emotet_db7d33fa, Description: unknown, Source: 0000000C.00000002.496539435.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: unknown

              Target ID:13
              Start time:04:21:30
              Start date:21/11/2022
              Path:C:\Windows\System32\regsvr32.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\regsvr32.exe "C:\Users\user\AppData\Local\ArkmTuxCaKyXkTDZ\fBEZnVEOT.dll"
              Imagebase:0x7ff7458f0000
              File size:24064 bytes
              MD5 hash:D78B75FC68247E8A63ACBA846182740E
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language

              Target ID:14
              Start time:04:21:50
              Start date:21/11/2022
              Path:C:\Windows\System32\wbem\WMIADAP.exe
              Wow64 process (32bit):false
              Commandline:wmiadap.exe /F /T /R
              Imagebase:0x7ff7ece50000
              File size:177664 bytes
              MD5 hash:9783D0765F31980950445DFD40DB15DA
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
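The four regsvr32.exe entries above share one pattern worth turning into a triage check: a DLL registered from a randomly named subdirectory of C:\Windows\system32 (targets 8, 9, 12) or of the user's AppData\Local profile (target 13), with target 12's command line additionally carrying a misplaced quote after regsvr32.exe. The script below is an added example, not part of this Joe Sandbox report and not Joe Sandbox code: it replays those command lines and privilege flags as constructed input (plus one constructed benign control, target 99, registering a DLL from Program Files) and flags the records whose DLL location does not match normal COM registration. The small allowlist of legitimate System32 subdirectories is an assumption and deliberately incomplete; tune it to your estate before using the check against real process-creation telemetry.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input: (target id, command line, "has elevated privileges")
# copied from the process entries above. Target 99 is a constructed benign control.
SAMPLE_PROCESSES = [
    (8,  r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YbSMYJyTdzumryV\WWgeEzfCEnB.dll"', True),
    (9,  r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\OGxcy\dYkxHTuA.dll"', True),
    (12, r'C:\Windows\system32\regsvr32.exe" "C:\Windows\system32\UgFJoEzLBQVtMeg\qohQcmrlRynEDAUP.dll', False),
    (13, r'C:\Windows\system32\regsvr32.exe "C:\Users\user\AppData\Local\ArkmTuxCaKyXkTDZ\fBEZnVEOT.dll"', False),
    (14, r'wmiadap.exe /F /T /R', True),
    (99, r'C:\Windows\system32\regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"', True),
]

# Assumption: an illustrative, incomplete allowlist of System32 subdirectories that
# legitimately hold registrable modules. Extend it from your own baseline.
KNOWN_SYSTEM32_SUBDIRS = {"drivers", "wbem", "driverstore", "spool", "config", "winevt"}

REGSVR32_RE = re.compile(r'^"?(?:[a-z]:\\[^"]*\\)?regsvr32\.exe', re.IGNORECASE)
# First drive-letter path ending in .dll that does not cross a quote character.
DLL_RE = re.compile(r'[a-z]:\\[^"]+?\.dll', re.IGNORECASE)
# A quote directly after ".exe" with no opening quote before it: the executable
# token is mis-quoted, as in target 12 above.
MISQUOTED_EXE_RE = re.compile(r'^[^"]*\.exe"\s', re.IGNORECASE)


def is_regsvr32(cmd):
    """True when the command line's image is regsvr32.exe, quoted or not."""
    return REGSVR32_RE.match(cmd) is not None


def extract_dll(cmd):
    """Return the DLL path passed to regsvr32, or None if the line carries no .dll.

    A regex is used instead of shlex because Windows quoting differs from POSIX
    and target 12's mis-quoted line would confuse a shell-style tokenizer.
    """
    m = DLL_RE.search(cmd)
    return m.group(0) if m else None


def suspicious_location(dll_path):
    """Reasons why the directory of dll_path is unusual for COM registration."""
    parts = [p.lower() for p in PureWindowsPath(dll_path).parts]
    reasons = []
    # Exactly one directory level below System32 / SysWOW64, and not a known one:
    # e.g. C:\Windows\system32\OGxcy\dYkxHTuA.dll -> 5 parts.
    if (len(parts) == 5 and parts[1] == "windows"
            and parts[2] in ("system32", "syswow64")
            and parts[3] not in KNOWN_SYSTEM32_SUBDIRS):
        reasons.append("module in ad-hoc subdirectory of %s" % parts[2])
    # Anything registered from a user profile's AppData tree.
    if "appdata" in parts:
        reasons.append("module under a user AppData directory")
    return reasons


def analyze(records):
    """Return one finding per regsvr32 record whose DLL location or quoting is off."""
    findings = []
    for target, cmd, elevated in records:
        if not is_regsvr32(cmd):
            continue
        dll = extract_dll(cmd)
        if dll is None:
            continue
        reasons = suspicious_location(dll)
        if MISQUOTED_EXE_RE.search(cmd):
            reasons.append("executable token is mis-quoted")
        if reasons:
            findings.append({"target": target, "dll": dll,
                             "elevated": elevated, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_PROCESSES):
        print("target %2d elevated=%-5s %s" % (f["target"], f["elevated"], f["dll"]))
        for r in f["reasons"]:
            print("    - " + r)
```

Run as-is, the script reports targets 8, 9, 12 and 13 and stays silent on the WMIADAP entry and the Program Files control. The elevated flag is carried through because the report shows the same loader running both with and without elevation (targets 8/9 versus 12/13); in a real hunt, the elevated hits are the ones to prioritise, since they correspond to the "Creates an autostart registry key pointing to binary in C:\Windows" and "Drops PE files to the windows directory" signatures listed at the top of the report.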

              No disassembly