Windows Analysis Report
aOHLlvfakv.dll

Overview

General Information

Sample Name: aOHLlvfakv.dll
Analysis ID: 828936
MD5: 362f48619364efe57ecd00f83d1bca62
SHA1: ae142315393512fe3f3e03dc07aed88428b6e29b
SHA256: a873911592c3ce95d36e009f40bb376f587ad0ba6971a150a2ac10c87a2465f5

Detection

Emotet
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Found inlined nop instructions (likely shell or obfuscated code)
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Registers a DLL
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: aOHLlvfakv.dll Virustotal: Detection: 53%
Source: aOHLlvfakv.dll ReversingLabs: Detection: 28%
Source: 00000007.00000002.3282958811.000000000098B000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Emotet {"C2 list": ["91.121.146.47:8080", "66.228.32.31:7080", "182.162.143.56:443", "187.63.160.88:80", "167.172.199.165:8080", "164.90.222.65:443", "104.168.155.143:8080", "91.207.28.33:8080", "72.15.201.15:8080", "183.111.227.137:8080", "103.132.242.26:8080", "159.65.88.10:8080", "173.212.193.249:8080", "82.223.21.224:8080", "172.105.226.75:8080", "103.43.75.120:443", "167.172.253.162:8080", "1.234.2.232:8080", "159.89.202.34:443", "186.194.240.217:443", "185.4.135.165:8080", "139.59.126.41:443", "164.68.99.3:8080", "95.217.221.146:8080", "129.232.188.93:443", "45.176.232.124:443", "163.44.196.120:8080", "79.137.35.198:8080", "153.92.5.27:8080", "160.16.142.56:8080", "202.129.205.3:8080", "201.94.166.162:443", "119.59.103.152:8080", "153.126.146.25:7080", "188.44.20.25:443", "115.68.227.76:8080", "147.139.166.154:8080", "149.56.131.28:8080", "107.170.39.149:8080", "213.239.212.5:443", "197.242.150.244:8080", "206.189.28.199:8080", "5.135.159.50:443", "169.57.156.166:8080", "103.75.201.2:443", "110.232.117.186:8080", "94.23.45.86:4143", "45.235.8.30:8080", "101.50.0.91:8080"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5LpP78wADAJA=", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2VJJV8wAlAJA="]}
Source: unknown HTTPS traffic detected: 164.90.222.65:443 -> 192.168.11.20:49810 version: TLS 1.2

Networking

Source: Traffic Snort IDS: 2404308 ET CNC Feodo Tracker Reported CnC Server TCP group 5 192.168.11.20:49810 -> 164.90.222.65:443
Source: Traffic Snort IDS: 2404344 ET CNC Feodo Tracker Reported CnC Server TCP group 23 192.168.11.20:49793 -> 91.121.146.47:8080
Source: Traffic Snort IDS: 2404330 ET CNC Feodo Tracker Reported CnC Server TCP group 16 192.168.11.20:49795 -> 66.228.32.31:7080
Source: Traffic Snort IDS: 2404312 ET CNC Feodo Tracker Reported CnC Server TCP group 7 192.168.11.20:49799 -> 182.162.143.56:443
Source: Traffic Snort IDS: 2404308 ET CNC Feodo Tracker Reported CnC Server TCP group 5 192.168.11.20:49808 -> 167.172.199.165:8080
Source: Traffic Snort IDS: 2404302 ET CNC Feodo Tracker Reported CnC Server TCP group 2 192.168.11.20:49811 -> 104.168.155.143:8080
Source: Joe Sandbox View ASN Name: RACKCORP-APRackCorpAU
Source: Joe Sandbox View JA3 fingerprint: 72a589da586844d7f0818ce684948eea
Source: global traffic HTTP traffic detected: POST /pescnrsqtrnp/icjmpjlu/ HTTP/1.1Connection: Keep-AliveContent-Length: 0Host: 164.90.222.65
Source: Joe Sandbox View IP Address: 110.232.117.186
Source: unknown Network traffic detected: IP country count 18

E-Banking Fraud

Source: Yara match File source: 00000007.00000002.3282958811.000000000098B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 7.2.regsvr32.exe.2410000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.25255cd0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.1b91a160000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.1370000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.25255cd0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.1370000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.2410000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.1b91a160000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.861337089.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3286848282.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.860427801.0000000001370000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.858909413.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.860809198.0000025255CD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3285052145.0000000002410000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.858695133.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.860577207.000001B91A160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\rundll32.exe File deleted: C:\Windows\System32\HRYKmuIti\sEzrCiJYDniwfP.dll:Zone.Identifier
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\system32\YDgQnzosNBGOURNE\
Source: C:\Windows\System32\rundll32.exe Code function: String function: 00401F90 appears 87 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 00401F90 appears 87 times
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: edgegdi.dll
Source: aOHLlvfakv.dll Virustotal: Detection: 53%
Source: aOHLlvfakv.dll ReversingLabs: Detection: 28%
Source: aOHLlvfakv.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\aOHLlvfakv.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\aOHLlvfakv.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\aOHLlvfakv.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\aOHLlvfakv.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\aOHLlvfakv.dll,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\HRYKmuIti\sEzrCiJYDniwfP.dll"
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\LwITFj\lcEQL.dll"
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YDgQnzosNBGOURNE\pquwSRMRvDBcLA.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\aOHLlvfakv.dll,__CPPdebugHook
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: classification engine Classification label: mal96.troj.evad.winDLL@18/2@0/49
Source: C:\Windows\System32\regsvr32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180008BC8 Process32NextW,Process32FirstW,CreateToolhelp32Snapshot,FindCloseChangeNotification, 3_2_0000000180008BC8
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9020:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9020:120:WilError_03
Source: C:\Windows\System32\regsvr32.exe Automated click: OK
Source: C:\Windows\System32\regsvr32.exe Automated click: OK
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: aOHLlvfakv.dll Static file information: File size 571122142 > 1048576
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180006C9F pushad ; ret 3_2_0000000180006CAA
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800180D7 push ebp; retf 3_2_00000001800180D8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180006CDE push esi; iretd 3_2_0000000180006CDF
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000A0FC push ebp; iretd 3_2_000000018000A0FD
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180017D25 push 4D8BFFFFh; retf 3_2_0000000180017D2A
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180017D3C push ebp; retf 3_2_0000000180017D3D
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180017D4E push ebp; iretd 3_2_0000000180017D4F
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180009D51 push ebp; retf 3_2_0000000180009D5A
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180018157 push ebp; retf 3_2_0000000180018158
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180017987 push ebp; iretd 3_2_000000018001798F
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000A1D2 push ebp; iretd 3_2_000000018000A1D3
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000A26E push ebp; ret 3_2_000000018000A26F
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180009E8B push eax; retf 3_2_0000000180009E8E
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180017EAF push 458BCC5Ah; retf 3_2_0000000180017EBC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001C731 push esi; iretd 3_2_000000018001C732
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800180D7 push ebp; retf 4_2_00000001800180D8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000A0FC push ebp; iretd 4_2_000000018000A0FD
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180018157 push ebp; retf 4_2_0000000180018158
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180017987 push ebp; iretd 4_2_000000018001798F
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000A1D2 push ebp; iretd 4_2_000000018000A1D3
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000A26E push ebp; ret 4_2_000000018000A26F
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180006C9F pushad ; ret 4_2_0000000180006CAA
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180006CDE push esi; iretd 4_2_0000000180006CDF
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180017D25 push 4D8BFFFFh; retf 4_2_0000000180017D2A
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180017D3C push ebp; retf 4_2_0000000180017D3D
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180017D4E push ebp; iretd 4_2_0000000180017D4F
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180009D51 push ebp; retf 4_2_0000000180009D5A
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180009E8B push eax; retf 4_2_0000000180009E8E
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180017EAF push 458BCC5Ah; retf 4_2_0000000180017EBC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001C731 push esi; iretd 4_2_000000018001C732
Source: aOHLlvfakv.dll Static PE information: section name: .rodata
Source: aOHLlvfakv.dll Static PE information: section name: .xdata
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00401C80 LoadLibraryW,GetProcAddress,ExitProcess, 3_2_00401C80
Source: C:\Windows\System32\rundll32.exe PE file moved: C:\Windows\System32\HRYKmuIti\sEzrCiJYDniwfP.dll

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\YDgQnzosNBGOURNE\pquwSRMRvDBcLA.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\system32\HRYKmuIti\sEzrCiJYDniwfP.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\system32\LwITFj\lcEQL.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe TID: 6532 Thread sleep time: -690000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\regsvr32.exe API coverage: 6.1 %
Source: C:\Windows\System32\rundll32.exe API coverage: 6.1 %
Source: C:\Windows\System32\regsvr32.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: regsvr32.exe, 00000007.00000003.1512104522.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1236480763.00000000009CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1236480763.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1512104522.00000000009CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1513381084.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.3282958811.00000000009CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1502020156.00000000009CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1502020156.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1238112714.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1513381084.00000000009CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.3284094347.0000000000A19000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00401C80 LoadLibraryW,GetProcAddress,ExitProcess, 3_2_00401C80
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00448C90 TlsGetValue,GetProcessHeap,TlsSetValue,TlsGetValue, 3_2_00448C90
Source: C:\Windows\System32\loaddll64.exe Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\regsvr32.exe Network Connect: 159.65.88.10 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 172.105.226.75 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 164.90.222.65 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 186.194.240.217 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 103.132.242.26 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 104.168.155.143 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 159.89.202.34 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 91.121.146.47 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 91.207.28.33 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 103.43.75.120 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 72.15.201.15 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 82.223.21.224 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 173.212.193.249 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 187.63.160.88 80
Source: C:\Windows\System32\regsvr32.exe Network Connect: 66.228.32.31 7080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 185.4.135.165 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 183.111.227.137 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 95.217.221.146 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 164.68.99.3 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 182.162.143.56 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 139.59.126.41 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 167.172.253.162 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 1.234.2.232 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 167.172.199.165 8080
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\aOHLlvfakv.dll",#1
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe Code function: EnterCriticalSection,GetLocaleInfoA,LeaveCriticalSection,EnterCriticalSection,IsValidLocale,SetThreadLocale,LeaveCriticalSection,LeaveCriticalSection,SetLastError,SetLastError,LeaveCriticalSection,LeaveCriticalSection,GetCPInfo,IsValidLocale,SetThreadLocale,SetLastError,SetLastError, 3_2_0043F160
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,SetLastError,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError, 3_2_00440BD0
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,SetLastError,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,SetLastError, 3_2_00441BA0
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoA, 3_2_0043FC60
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,SetLastError, 3_2_0043FDE0
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError, 3_2_00440610
Source: C:\Windows\System32\rundll32.exe Code function: EnterCriticalSection,GetLocaleInfoA,LeaveCriticalSection,EnterCriticalSection,IsValidLocale,SetThreadLocale,LeaveCriticalSection,LeaveCriticalSection,SetLastError,SetLastError,LeaveCriticalSection,LeaveCriticalSection,GetCPInfo,IsValidLocale,SetThreadLocale,SetLastError,SetLastError, 4_2_0043F160
Source: C:\Windows\System32\rundll32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,SetLastError,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError, 4_2_00440BD0
Source: C:\Windows\System32\rundll32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,SetLastError,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,SetLastError, 4_2_00441BA0
Source: C:\Windows\System32\rundll32.exe Code function: GetLocaleInfoA, 4_2_0043FC60
Source: C:\Windows\System32\rundll32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,SetLastError, 4_2_0043FDE0
Source: C:\Windows\System32\rundll32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError, 4_2_00440610
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00446AA0 GetVersion,GetCurrentThreadId,EnumThreadWindows,MessageBoxA,WriteFile,WriteFile, 3_2_00446AA0

Stealing of Sensitive Information

Source: Yara match File source: 00000007.00000002.3282958811.000000000098B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 7.2.regsvr32.exe.2410000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.25255cd0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.1b91a160000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.1370000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.25255cd0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.1370000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.2410000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.1b91a160000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.861337089.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3286848282.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.860427801.0000000001370000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.858909413.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.860809198.0000025255CD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3285052145.0000000002410000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.858695133.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.860577207.000001B91A160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY