
Windows Analysis Report
aOHLlvfakv.dll

Overview

General Information

Sample Name: aOHLlvfakv.dll
Analysis ID: 828936
MD5: 362f48619364efe57ecd00f83d1bca62
SHA1: ae142315393512fe3f3e03dc07aed88428b6e29b
SHA256: a873911592c3ce95d36e009f40bb376f587ad0ba6971a150a2ac10c87a2465f5

Detection

Emotet
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Found inlined nop instructions (likely shell or obfuscated code)
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Registers a DLL
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64native
  • loaddll64.exe (PID: 9132 cmdline: loaddll64.exe "C:\Users\user\Desktop\aOHLlvfakv.dll" MD5: C676FC0263EDD17D4CE7D644B8F3FCD6)
    • conhost.exe (PID: 9020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 2940 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\aOHLlvfakv.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 4616 cmdline: rundll32.exe "C:\Users\user\Desktop\aOHLlvfakv.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
        • regsvr32.exe (PID: 7556 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\HRYKmuIti\sEzrCiJYDniwfP.dll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
    • regsvr32.exe (PID: 3112 cmdline: regsvr32.exe /s C:\Users\user\Desktop\aOHLlvfakv.dll MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
      • regsvr32.exe (PID: 8668 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YDgQnzosNBGOURNE\pquwSRMRvDBcLA.dll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
    • rundll32.exe (PID: 4588 cmdline: rundll32.exe C:\Users\user\Desktop\aOHLlvfakv.dll,DllRegisterServer MD5: EF3179D498793BF4234F708D3BE28633)
      • regsvr32.exe (PID: 9004 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\LwITFj\lcEQL.dll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
    • rundll32.exe (PID: 3296 cmdline: rundll32.exe C:\Users\user\Desktop\aOHLlvfakv.dll,__CPPdebugHook MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup
Name: Emotet
Description: While Emotet historically was banking malware organized in a botnet, nowadays Emotet is mostly seen as infrastructure-as-a-service for content delivery. For example, since mid-2018 it has been used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets. It has always stolen information from victims, but the criminal gang behind it opened up another business channel by selling their infrastructure to deliver additional malicious software. Malware analysts have classified it into epochs depending on command and control, payloads, and delivery solutions, which change over time. Emotet was taken down by authorities in January 2021, though it appears to have sprung back to life in November 2021.
Attribution:
  • GOLD CABIN
  • MUMMY SPIDER
  • Mealybug
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet
{"C2 list": ["91.121.146.47:8080", "66.228.32.31:7080", "182.162.143.56:443", "187.63.160.88:80", "167.172.199.165:8080", "164.90.222.65:443", "104.168.155.143:8080", "91.207.28.33:8080", "72.15.201.15:8080", "183.111.227.137:8080", "103.132.242.26:8080", "159.65.88.10:8080", "173.212.193.249:8080", "82.223.21.224:8080", "172.105.226.75:8080", "103.43.75.120:443", "167.172.253.162:8080", "1.234.2.232:8080", "159.89.202.34:443", "186.194.240.217:443", "185.4.135.165:8080", "139.59.126.41:443", "164.68.99.3:8080", "95.217.221.146:8080", "129.232.188.93:443", "45.176.232.124:443", "163.44.196.120:8080", "79.137.35.198:8080", "153.92.5.27:8080", "160.16.142.56:8080", "202.129.205.3:8080", "201.94.166.162:443", "119.59.103.152:8080", "153.126.146.25:7080", "188.44.20.25:443", "115.68.227.76:8080", "147.139.166.154:8080", "149.56.131.28:8080", "107.170.39.149:8080", "213.239.212.5:443", "197.242.150.244:8080", "206.189.28.199:8080", "5.135.159.50:443", "169.57.156.166:8080", "103.75.201.2:443", "110.232.117.186:8080", "94.23.45.86:4143", "45.235.8.30:8080", "101.50.0.91:8080"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5LpP78wADAJA=", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2VJJV8wAlAJA="]}
Source | Rule | Description | Author | Strings
00000003.00000002.861337089.0000000180001000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000007.00000002.3286848282.0000000180001000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000003.00000002.860427801.0000000001370000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000005.00000002.858909413.0000000180001000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000005.00000002.860809198.0000025255CD0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(4 further entries not shown)

Source | Rule | Description | Author | Strings
7.2.regsvr32.exe.2410000.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
5.2.rundll32.exe.25255cd0000.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
4.2.rundll32.exe.1b91a160000.1.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
3.2.regsvr32.exe.1370000.1.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
5.2.rundll32.exe.25255cd0000.1.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(3 further entries not shown)

No Sigma rule has matched
Timestamp: 03/17/23-17:41:58.374772
Source IP: 192.168.11.20
Destination IP: 91.121.146.47
Source Port: 49793
Destination Port: 8080
Protocol: TCP
SID: 2404344
Classtype: A Network Trojan was detected

Timestamp: 03/17/23-17:42:13.021219
Source IP: 192.168.11.20
Destination IP: 182.162.143.56
Source Port: 49799
Destination Port: 443
Protocol: TCP
SID: 2404312
Classtype: A Network Trojan was detected

Timestamp: 03/17/23-17:42:27.268480
Source IP: 192.168.11.20
Destination IP: 167.172.199.165
Source Port: 49808
Destination Port: 8080
Protocol: TCP
SID: 2404308
Classtype: A Network Trojan was detected

Timestamp: 03/17/23-17:42:33.407520
Source IP: 192.168.11.20
Destination IP: 164.90.222.65
Source Port: 49810
Destination Port: 443
Protocol: TCP
SID: 2404308
Classtype: A Network Trojan was detected

Timestamp: 03/17/23-17:42:37.517558
Source IP: 192.168.11.20
Destination IP: 104.168.155.143
Source Port: 49811
Destination Port: 8080
Protocol: TCP
SID: 2404302
Classtype: A Network Trojan was detected

Timestamp: 03/17/23-17:42:05.273202
Source IP: 192.168.11.20
Destination IP: 66.228.32.31
Source Port: 49795
Destination Port: 7080
Protocol: TCP
SID: 2404330
Classtype: A Network Trojan was detected

AV Detection

Source: aOHLlvfakv.dll | Virustotal: Detection: 53%
Source: aOHLlvfakv.dll | ReversingLabs: Detection: 28%
Source: https://186.194.240.217:443/pescnrsqtrnp/icjmpjlu/ | Avira URL Cloud: Label: malware
Source: https://164.68.99.3:8080/pescnrsqtrnp/icjmpjlu/0 | Avira URL Cloud: Label: malware
Source: https://139.59.126.41/0/ | Avira URL Cloud: Label: malware
Source: https://164.68.99.3:8080/pescnrsqtrnp/icjmpjlu/p | Avira URL Cloud: Label: malware
Source: https://164.68.99.3:8080/wW | Avira URL Cloud: Label: malware
Source: https://66.228.32.31:7080/ | Avira URL Cloud: Label: malware
Source: https://95.217.221.146:8080/pescnrsqtrnp/icjmpjlu/ | Avira URL Cloud: Label: malware
Source: https://66.228.32.31:7080/pescnrsqtrnp/icjmpjlu/ | Avira URL Cloud: Label: malware
Source: https://164.90.222.65/pescnrsqtrnp/icjmpjlu/ | Avira URL Cloud: Label: malware
Source: https://139.59.126.41/ | Avira URL Cloud: Label: malware
Source: https://139.59.126.41/pescnrsqtrnp/icjmpjlu/ | Avira URL Cloud: Label: malware
Source: https://164.68.99.3:8080/ | Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/D | Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/pescnrsqtrnp/icjmpjlu/ | Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/pescnrsqtrnp/icjmpjlu/d | Avira URL Cloud: Label: malware
Source: https://95.217.221.146:8080/pescnrsqtrnp/icjmpjlu//CW | Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/pescnrsqtrnp/icjmpjlu/ | Avira URL Cloud: Label: malware
Source: https://139.59.126.41/jlu/_E | Avira URL Cloud: Label: malware
Source: https://95.217.221.146:8080/ | Avira URL Cloud: Label: malware
Source: https://164.68.99.3:8080/pescnrsqtrnp/icjmpjlu/L | Avira URL Cloud: Label: malware
Source: https://66.228.32.31:7080/#Ws | Avira URL Cloud: Label: malware
Source: https://164.68.99.3:8080/pescnrsqtrnp/icjmpjlu/ | Avira URL Cloud: Label: malware
Source: https://186.194.240.217/3WC | Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/ | Avira URL Cloud: Label: malware
Source: 00000007.00000002.3282958811.000000000098B000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Emotet {"C2 list": ["91.121.146.47:8080", "66.228.32.31:7080", "182.162.143.56:443", "187.63.160.88:80", "167.172.199.165:8080", "164.90.222.65:443", "104.168.155.143:8080", "91.207.28.33:8080", "72.15.201.15:8080", "183.111.227.137:8080", "103.132.242.26:8080", "159.65.88.10:8080", "173.212.193.249:8080", "82.223.21.224:8080", "172.105.226.75:8080", "103.43.75.120:443", "167.172.253.162:8080", "1.234.2.232:8080", "159.89.202.34:443", "186.194.240.217:443", "185.4.135.165:8080", "139.59.126.41:443", "164.68.99.3:8080", "95.217.221.146:8080", "129.232.188.93:443", "45.176.232.124:443", "163.44.196.120:8080", "79.137.35.198:8080", "153.92.5.27:8080", "160.16.142.56:8080", "202.129.205.3:8080", "201.94.166.162:443", "119.59.103.152:8080", "153.126.146.25:7080", "188.44.20.25:443", "115.68.227.76:8080", "147.139.166.154:8080", "149.56.131.28:8080", "107.170.39.149:8080", "213.239.212.5:443", "197.242.150.244:8080", "206.189.28.199:8080", "5.135.159.50:443", "169.57.156.166:8080", "103.75.201.2:443", "110.232.117.186:8080", "94.23.45.86:4143", "45.235.8.30:8080", "101.50.0.91:8080"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5LpP78wADAJA=", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2VJJV8wAlAJA="]}

Source: unknown | HTTPS traffic detected: 164.90.222.65:443 -> 192.168.11.20:49810 version: TLS 1.2

Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then push rbp (14 occurrences)
Source: C:\Windows\System32\rundll32.exe | Code function: 4x nop then push rbp (14 occurrences)

Networking

Source: C:\Windows\System32\regsvr32.exe | Network Connect: 159.65.88.10 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 172.105.226.75 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 164.90.222.65 443
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 186.194.240.217 443
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 103.132.242.26 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 104.168.155.143 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 159.89.202.34 443
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 91.121.146.47 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 91.207.28.33 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 103.43.75.120 443
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 72.15.201.15 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 82.223.21.224 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 173.212.193.249 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 187.63.160.88 80
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 66.228.32.31 7080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 185.4.135.165 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 183.111.227.137 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 95.217.221.146 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 164.68.99.3 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 182.162.143.56 443
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 139.59.126.41 443
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 167.172.253.162 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 1.234.2.232 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 167.172.199.165 8080
Source: Traffic | Snort IDS: 2404308 ET CNC Feodo Tracker Reported CnC Server TCP group 5 192.168.11.20:49810 -> 164.90.222.65:443
Source: Traffic | Snort IDS: 2404344 ET CNC Feodo Tracker Reported CnC Server TCP group 23 192.168.11.20:49793 -> 91.121.146.47:8080
Source: Traffic | Snort IDS: 2404330 ET CNC Feodo Tracker Reported CnC Server TCP group 16 192.168.11.20:49795 -> 66.228.32.31:7080
Source: Traffic | Snort IDS: 2404312 ET CNC Feodo Tracker Reported CnC Server TCP group 7 192.168.11.20:49799 -> 182.162.143.56:443
Source: Traffic | Snort IDS: 2404308 ET CNC Feodo Tracker Reported CnC Server TCP group 5 192.168.11.20:49808 -> 167.172.199.165:8080
Source: Traffic | Snort IDS: 2404302 ET CNC Feodo Tracker Reported CnC Server TCP group 2 192.168.11.20:49811 -> 104.168.155.143:8080
Source: Malware configuration extractor | IPs: 91.121.146.47:8080
Source: Malware configuration extractor | IPs: 66.228.32.31:7080
Source: Malware configuration extractor | IPs: 182.162.143.56:443
Source: Malware configuration extractor | IPs: 187.63.160.88:80
Source: Malware configuration extractor | IPs: 167.172.199.165:8080
Source: Malware configuration extractor | IPs: 164.90.222.65:443
Source: Malware configuration extractor | IPs: 104.168.155.143:8080
Source: Malware configuration extractor | IPs: 91.207.28.33:8080
Source: Malware configuration extractor | IPs: 72.15.201.15:8080
Source: Malware configuration extractor | IPs: 183.111.227.137:8080
Source: Malware configuration extractor | IPs: 103.132.242.26:8080
Source: Malware configuration extractor | IPs: 159.65.88.10:8080
Source: Malware configuration extractor | IPs: 173.212.193.249:8080
Source: Malware configuration extractor | IPs: 82.223.21.224:8080
Source: Malware configuration extractor | IPs: 172.105.226.75:8080
Source: Malware configuration extractor | IPs: 103.43.75.120:443
Source: Malware configuration extractor | IPs: 167.172.253.162:8080
Source: Malware configuration extractor | IPs: 1.234.2.232:8080
Source: Malware configuration extractor | IPs: 159.89.202.34:443
Source: Malware configuration extractor | IPs: 186.194.240.217:443
Source: Malware configuration extractor | IPs: 185.4.135.165:8080
Source: Malware configuration extractor | IPs: 139.59.126.41:443
Source: Malware configuration extractor | IPs: 164.68.99.3:8080
Source: Malware configuration extractor | IPs: 95.217.221.146:8080
Source: Malware configuration extractor | IPs: 129.232.188.93:443
Source: Malware configuration extractor | IPs: 45.176.232.124:443
Source: Malware configuration extractor | IPs: 163.44.196.120:8080
Source: Malware configuration extractor | IPs: 79.137.35.198:8080
Source: Malware configuration extractor | IPs: 153.92.5.27:8080
Source: Malware configuration extractor | IPs: 160.16.142.56:8080
Source: Malware configuration extractor | IPs: 202.129.205.3:8080
Source: Malware configuration extractor | IPs: 201.94.166.162:443
Source: Malware configuration extractor | IPs: 119.59.103.152:8080
Source: Malware configuration extractor | IPs: 153.126.146.25:7080
Source: Malware configuration extractor | IPs: 188.44.20.25:443
Source: Malware configuration extractor | IPs: 115.68.227.76:8080
Source: Malware configuration extractor | IPs: 147.139.166.154:8080
Source: Malware configuration extractor | IPs: 149.56.131.28:8080
Source: Malware configuration extractor | IPs: 107.170.39.149:8080
Source: Malware configuration extractor | IPs: 213.239.212.5:443
Source: Malware configuration extractor | IPs: 197.242.150.244:8080
Source: Malware configuration extractor | IPs: 206.189.28.199:8080
Source: Malware configuration extractor | IPs: 5.135.159.50:443
Source: Malware configuration extractor | IPs: 169.57.156.166:8080
Source: Malware configuration extractor | IPs: 103.75.201.2:443
Source: Malware configuration extractor | IPs: 110.232.117.186:8080
Source: Malware configuration extractor | IPs: 94.23.45.86:4143
Source: Malware configuration extractor | IPs: 45.235.8.30:8080
Source: Malware configuration extractor | IPs: 101.50.0.91:8080
Source: Joe Sandbox View | ASN Name: RACKCORP-APRackCorpAU RACKCORP-APRackCorpAU
Source: Joe Sandbox View | JA3 fingerprint: 72a589da586844d7f0818ce684948eea
Source: global traffic | HTTP traffic detected:
    POST /pescnrsqtrnp/icjmpjlu/ HTTP/1.1
    Connection: Keep-Alive
    Content-Length: 0
    Host: 164.90.222.65
Source: Joe Sandbox View | IP Address: 110.232.117.186 110.232.117.186
Source: global traffic | TCP traffic: 192.168.11.20:49793 -> 91.121.146.47:8080
Source: global traffic | TCP traffic: 192.168.11.20:49795 -> 66.228.32.31:7080
Source: global traffic | TCP traffic: 192.168.11.20:49808 -> 167.172.199.165:8080
Source: global traffic | TCP traffic: 192.168.11.20:49811 -> 104.168.155.143:8080
Source: global traffic | TCP traffic: 192.168.11.20:49812 -> 91.207.28.33:8080
Source: global traffic | TCP traffic: 192.168.11.20:49814 -> 72.15.201.15:8080
Source: global traffic | TCP traffic: 192.168.11.20:49815 -> 183.111.227.137:8080
Source: global traffic | TCP traffic: 192.168.11.20:49822 -> 103.132.242.26:8080
Source: global traffic | TCP traffic: 192.168.11.20:49823 -> 159.65.88.10:8080
Source: global traffic | TCP traffic: 192.168.11.20:49824 -> 173.212.193.249:8080
Source: global traffic | TCP traffic: 192.168.11.20:49825 -> 82.223.21.224:8080
Source: global traffic | TCP traffic: 192.168.11.20:49831 -> 167.172.253.162:8080
Source: global traffic | TCP traffic: 192.168.11.20:49832 -> 1.234.2.232:8080
Source: global traffic | TCP traffic: 192.168.11.20:49840 -> 185.4.135.165:8080
Source: global traffic | TCP traffic: 192.168.11.20:49844 -> 164.68.99.3:8080
Source: global traffic | TCP traffic: 192.168.11.20:49845 -> 95.217.221.146:8080
Source: unknown | Network traffic detected: IP country count 18
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown | Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown | Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown | Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown | Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.146.47 (12 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 66.228.32.31 (5 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 182.162.143.56 (10 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 187.63.160.88 (5 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 167.172.199.165 (11 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 164.90.222.65 (at least 5 occurrences)
                      Source: unknownTCP traffic detected without corresponding DNS query: 164.90.222.65
                      Source: unknownTCP traffic detected without corresponding DNS query: 164.90.222.65
Source: regsvr32.exe, 00000007.00000002.3284094347.0000000000A28000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1512104522.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1236480763.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1513381084.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1502020156.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1238112714.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1501043629.0000000002ECE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: regsvr32.exe, 00000007.00000002.3284094347.0000000000A28000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1512104522.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1236480763.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1513381084.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1502020156.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1238112714.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000007.00000003.1212529823.0000000002C97000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1213684958.0000000002C97000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1237911678.0000000002C97000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1211632236.0000000002C90000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1211632236.0000000002C97000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/
Source: regsvr32.exe, 00000007.00000003.1214356942.0000000002C90000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1211632236.0000000002C90000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1237911678.0000000002C90000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1212529823.0000000002C90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update
Source: regsvr32.exe, 00000007.00000003.1514297126.00000000009EC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1236480763.00000000009EC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1502020156.00000000009EC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.3282958811.00000000009DB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 00000007.00000003.1502020156.0000000000A65000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1238888691.0000000000A63000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1515080100.0000000000A63000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.3284094347.0000000000A63000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.7.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000007.00000003.1236480763.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1238112714.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?65a00d22ec036
Source: regsvr32.exe, 00000007.00000002.3284094347.0000000000A63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://139.59.126.41/
Source: regsvr32.exe, 00000007.00000002.3284094347.0000000000A63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://139.59.126.41/0/
Source: regsvr32.exe, 00000007.00000002.3284094347.0000000000A63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://139.59.126.41/jlu/_E
Source: regsvr32.exe, 00000007.00000002.3284094347.0000000000A19000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://139.59.126.41/pescnrsqtrnp/icjmpjlu/
Source: regsvr32.exe, 00000007.00000002.3284094347.0000000000A63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://164.68.99.3:8080/
Source: regsvr32.exe, 00000007.00000002.3284094347.0000000000A63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://164.68.99.3:8080/pescnrsqtrnp/icjmpjlu/
Source: regsvr32.exe, 00000007.00000002.3284094347.0000000000A28000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://164.68.99.3:8080/pescnrsqtrnp/icjmpjlu/0
Source: regsvr32.exe, 00000007.00000002.3284094347.0000000000A19000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://164.68.99.3:8080/pescnrsqtrnp/icjmpjlu/L
Source: regsvr32.exe, 00000007.00000002.3284094347.0000000000A63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://164.68.99.3:8080/pescnrsqtrnp/icjmpjlu/p
Source: regsvr32.exe, 00000007.00000002.3284094347.0000000000A63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://164.68.99.3:8080/wW
Source: regsvr32.exe, 00000007.00000003.1501981002.0000000002CF5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.3285581454.0000000002CF5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://167.172.199.165:8080/D
Source: regsvr32.exe, 00000007.00000003.1502020156.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://167.172.199.165:8080/pescnrsqtrnp/icjmpjlu/
Source: regsvr32.exe, 00000007.00000002.3284094347.0000000000A63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://186.194.240.217/3WC
Source: regsvr32.exe, 00000007.00000002.3282958811.000000000098B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://186.194.240.217:443/pescnrsqtrnp/icjmpjlu/
Source: regsvr32.exe, 00000007.00000003.1515080100.0000000000A63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://66.228.32.31:7080/
Source: regsvr32.exe, 00000007.00000003.1502020156.0000000000A65000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1515080100.0000000000A63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://66.228.32.31:7080/#Ws
Source: regsvr32.exe, 00000007.00000003.1502020156.0000000000A65000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1515080100.0000000000A63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://66.228.32.31:7080/pescnrsqtrnp/icjmpjlu/
Source: regsvr32.exe, 00000007.00000003.1514297126.00000000009EC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1236480763.00000000009EC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1502020156.00000000009EC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.3282958811.00000000009DB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://91.121.146.47:8080/
Source: regsvr32.exe, 00000007.00000003.1238112714.0000000000A05000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1514297126.0000000000A05000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1502020156.0000000000A05000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.3282958811.000000000098B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://91.121.146.47:8080/pescnrsqtrnp/icjmpjlu/
Source: regsvr32.exe, 00000007.00000002.3282958811.000000000098B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://91.121.146.47:8080/pescnrsqtrnp/icjmpjlu/d
Source: regsvr32.exe, 00000007.00000002.3285581454.0000000002C90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://95.217.221.146:8080/
Source: regsvr32.exe, 00000007.00000002.3284094347.0000000000A28000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.3284094347.0000000000A63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://95.217.221.146:8080/pescnrsqtrnp/icjmpjlu/
Source: regsvr32.exe, 00000007.00000002.3284094347.0000000000A63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://95.217.221.146:8080/pescnrsqtrnp/icjmpjlu//CW
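The URL strings above mix real C2 endpoints with trailing bytes that most likely belong to whatever sat next to the string buffer in memory (`/0`, `/d`, `/L`, `/p`, `//CW`, `/wW`, `/D`, `/3WC`, `/#Ws`, `/jlu/_E`), and the no-DNS TCP list earlier in this section contains two addresses (182.162.143.56 and 187.63.160.88) that never appear in an extracted URL. The Python script below is an added example, not part of the Joe Sandbox report, that turns both lists into one de-duplicated IOC set: it keeps only literal-IP URLs (the hostname entries are CRL and CTL update traffic from Windows itself), trims each URI to the slash-separated lowercase path shape this report shows, lists which contacted IPs are not explained by any extracted string, and emits a numerically sorted blocklist. The sample input is a subset of lines copied from this report; the path regex and its four-letter minimum segment length are assumptions for this illustration, not a published Emotet signature.

```python
import re
from ipaddress import ip_address

# Constructed sample: lines copied from this report's "String found in binary
# or memory" and "TCP traffic detected" entries, including the ones with
# trailing garbage after the URI path.
REPORT_LINES = """\
String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?65a00d22ec036
String found in binary or memory: https://139.59.126.41/pescnrsqtrnp/icjmpjlu/
String found in binary or memory: https://139.59.126.41/jlu/_E
String found in binary or memory: https://164.68.99.3:8080/pescnrsqtrnp/icjmpjlu/0
String found in binary or memory: https://164.68.99.3:8080/wW
String found in binary or memory: https://167.172.199.165:8080/D
String found in binary or memory: https://186.194.240.217:443/pescnrsqtrnp/icjmpjlu/
String found in binary or memory: https://66.228.32.31:7080/#Ws
String found in binary or memory: https://91.121.146.47:8080/pescnrsqtrnp/icjmpjlu/d
String found in binary or memory: https://95.217.221.146:8080/pescnrsqtrnp/icjmpjlu//CW
TCP traffic detected without corresponding DNS query: 182.162.143.56
TCP traffic detected without corresponding DNS query: 187.63.160.88
TCP traffic detected without corresponding DNS query: 91.121.146.47
"""

# Only literal-IP URLs are interesting here; the hostnames in this report are
# Windows CRL / CTL update traffic, not C2.
URL_RE = re.compile(r"(https?)://(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])(?::(\d{1,5}))?(/\S*)?")
NO_DNS_RE = re.compile(r"without corresponding DNS query:\s*(\d{1,3}(?:\.\d{1,3}){3})\b")
# Assumption: a real URI here is one or more slash-separated runs of at least
# four lowercase letters ending in "/". Anything after that ("0", "d", "//CW",
# "wW") is adjacent memory, and short fragments like "/jlu/" are truncated copies.
PATH_RE = re.compile(r"^(?:/[a-z]{4,})+/")


def extract_iocs(text):
    """Parse report lines into de-duplicated C2 endpoints, URI paths and
    no-DNS destination IPs. Returns a dict of sorted lists."""
    endpoints, paths, no_dns = set(), set(), set()
    for line in text.splitlines():
        m = URL_RE.search(line)
        if m:
            scheme, ip, port, path = m.groups()
            try:
                ip_address(ip)  # rejects malformed quads such as 999.1.1.1
            except ValueError:
                continue
            port = port or ("443" if scheme == "https" else "80")
            endpoints.add(f"{ip}:{port}")
            pm = PATH_RE.match(path or "")
            if pm:
                paths.add(pm.group(0))
            continue
        m = NO_DNS_RE.search(line)
        if m:
            no_dns.add(m.group(1))
    return {"endpoints": sorted(endpoints), "paths": sorted(paths), "no_dns_ips": sorted(no_dns)}


def unexplained_destinations(iocs):
    """IPs contacted without DNS that never appear in an extracted URL: they
    deserve a second look, since the strings above do not account for them."""
    known = {ep.rsplit(":", 1)[0] for ep in iocs["endpoints"]}
    return sorted(set(iocs["no_dns_ips"]) - known)


def blocklist(iocs):
    """Every destination IP from both sources, sorted numerically, for a
    firewall or proxy deny list."""
    ips = {ep.rsplit(":", 1)[0] for ep in iocs["endpoints"]} | set(iocs["no_dns_ips"])
    return sorted(ips, key=lambda s: tuple(int(o) for o in s.split(".")))


if __name__ == "__main__":
    iocs = extract_iocs(REPORT_LINES)
    for key, value in iocs.items():
        print(key, value)
    print("no-DNS IPs not explained by extracted URLs:", unexplained_destinations(iocs))
    print("\n".join(blocklist(iocs)))
```

Two of the IPs contacted without a DNS lookup (182.162.143.56, 187.63.160.88) come out as unexplained, so they belong on the blocklist on the strength of the network capture alone, not the string dump. Fed the full report instead of this subset, the same script gives the complete endpoint set.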
Source: unknown | HTTP traffic detected: POST /pescnrsqtrnp/icjmpjlu/ HTTP/1.1; Connection: Keep-Alive; Content-Length: 0; Host: 164.90.222.65
Source: unknown | HTTPS traffic detected: 164.90.222.65:443 -> 192.168.11.20:49810 version: TLS 1.2
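The one request the sandbox captured (a POST with `Content-Length: 0`, no `User-Agent`, and a bare IP in `Host`) carries several traits that are visible in any proxy or web-server log, and the sandbox's "TCP traffic detected without corresponding DNS query" signature adds a fourth: the client never resolved a name for that address. The Python below is an added example, not from the report, that scores a raw HTTP request on those traits plus the destination port and the path shape, and optionally takes the set of IPs for which DNS answers were seen so that a literal-IP Host with no prior lookup counts against the request. The first sample is reconstructed from the report line; the two benign requests, the exemption for private addresses (internal services are routinely addressed by IP), the path regex and the threshold of three are assumptions for illustration.

```python
import re
from ipaddress import ip_address

# Constructed sample requests. The first reproduces the beacon this report
# shows; the other two are constructed benign traffic for contrast.
SAMPLES = {
    "emotet_beacon": (
        "POST /pescnrsqtrnp/icjmpjlu/ HTTP/1.1\r\n"
        "Connection: Keep-Alive\r\nContent-Length: 0\r\nHost: 164.90.222.65\r\n\r\n"
    ),
    "browser_login": (
        "POST /login HTTP/1.1\r\nHost: intranet.example.internal\r\n"
        "User-Agent: Mozilla/5.0\r\nContent-Type: application/x-www-form-urlencoded\r\n"
        "Content-Length: 27\r\n\r\nuser=alice&password=secret1"
    ),
    "internal_healthcheck": (
        "GET /health HTTP/1.1\r\nHost: 10.0.0.5:8080\r\nUser-Agent: curl/8.0\r\n\r\n"
    ),
}


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def beacon_indicators(raw, resolved_ips=frozenset()):
    """Return the list of beacon traits present in one request.
    resolved_ips: destination IPs a DNS answer was observed for, so that a
    literal-IP Host with no prior lookup is flagged like the sandbox does."""
    method, target, headers, body = parse_request(raw)
    hits = []
    host, _, port = headers.get("host", "").partition(":")
    try:
        ip = ip_address(host)
    except ValueError:
        ip = None
    # Assumption: only public literal-IP hosts count; internal services are
    # commonly addressed by RFC 1918 IP and would otherwise swamp the rule.
    if ip is not None and not ip.is_private:
        hits.append("host_is_public_literal_ip")
        if host not in resolved_ips:
            hits.append("no_prior_dns_for_host")
    if "user-agent" not in headers:
        hits.append("no_user_agent")
    if method == "POST" and headers.get("content-length") == "0" and not body:
        hits.append("empty_post")
    if port and port not in ("80", "443"):
        hits.append(f"nonstandard_port:{port}")
    # Assumption: two or more slash-separated runs of lowercase letters ending
    # in "/", the shape of the URI path this report shows.
    if re.fullmatch(r"(?:/[a-z]{4,}){2,}/", target):
        hits.append("random_word_path")
    return hits


def is_beacon(raw, resolved_ips=frozenset(), threshold=3):
    """True when at least `threshold` traits are present (assumed cut-off)."""
    return len(beacon_indicators(raw, resolved_ips)) >= threshold


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:22} beacon={is_beacon(raw)!s:5} {beacon_indicators(raw)}")
```

The captured request scores on five traits; the internal health check scores only on its port, and the browser login on none. The sandbox saw the same endpoint over TLS 1.2 on 443, so in production the HTTP-level checks only apply where TLS is terminated at a proxy; the no-DNS and literal-IP checks still work on connection metadata alone.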

                      E-Banking Fraud

Source: Yara match | File source: 00000007.00000002.3282958811.000000000098B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 7.2.regsvr32.exe.2410000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.25255cd0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.1b91a160000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.1370000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.25255cd0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.1370000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.regsvr32.exe.2410000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.1b91a160000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.861337089.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3286848282.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.860427801.0000000001370000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.858909413.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.860809198.0000025255CD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3285052145.0000000002410000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.858695133.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.860577207.000001B91A160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\rundll32.exe | File deleted: C:\Windows\System32\HRYKmuIti\sEzrCiJYDniwfP.dll:Zone.Identifier
Source: C:\Windows\System32\regsvr32.exe | File created: C:\Windows\system32\YDgQnzosNBGOURNE\
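The two file-system entries above are the drop pattern in miniature: regsvr32.exe creates a randomly named folder directly under System32, and rundll32.exe strips the `Zone.Identifier` stream from a randomly named DLL inside another such folder, so the copy no longer carries the mark that it came from the Internet. The Python below is an added example, not from the report, that runs that pattern over a list of file events: it flags regsvr32 or rundll32 writing into a letters-only, mixed-case top-level System32 folder that is not a known subdirectory, and any deletion of a `:Zone.Identifier` stream under System32 by those two binaries. The event list reproduces the report's two entries and adds constructed benign noise and one hypothetical DLL write; the case-switch heuristic and the allowlist are assumptions to tune per environment.

```python
import re
from collections import namedtuple

FileEvent = namedtuple("FileEvent", "process action path")

# Constructed sample events. The first two are the report's own entries
# (directory created by regsvr32, Zone.Identifier stream deleted by rundll32);
# the third is a hypothetical write of the DLL itself, the rest benign noise.
EVENTS = [
    FileEvent("C:\\Windows\\System32\\regsvr32.exe", "create", "C:\\Windows\\system32\\YDgQnzosNBGOURNE\\"),
    FileEvent("C:\\Windows\\System32\\rundll32.exe", "delete",
              "C:\\Windows\\System32\\HRYKmuIti\\sEzrCiJYDniwfP.dll:Zone.Identifier"),
    FileEvent("C:\\Windows\\System32\\rundll32.exe", "create", "C:\\Windows\\System32\\HRYKmuIti\\sEzrCiJYDniwfP.dll"),
    FileEvent("C:\\Windows\\System32\\svchost.exe", "create",
              "C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\x.tmp"),
    FileEvent("C:\\Windows\\System32\\drvinst.exe", "create",
              "C:\\Windows\\System32\\DriverStore\\FileRepository\\oem1.inf"),
    FileEvent("C:\\Windows\\System32\\regsvr32.exe", "create", "C:\\Users\\alice\\AppData\\Local\\Temp\\GhJkLmNoPq\\a.dll"),
]

SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\([^\\]+)(\\|$)", re.IGNORECASE)
LOLBINS = {"regsvr32.exe", "rundll32.exe"}
# Assumption: top-level System32 folders that see legitimate churn and happen
# to be CamelCase or otherwise trip the heuristic below.
KNOWN_SUBDIRS = {"config", "driverstore", "drivers", "winsxs", "catroot", "catroot2",
                 "logfiles", "spool", "tasks", "wbem", "winevt"}


def looks_random(name):
    """Heuristic: letters only, 8..20 characters, and at least three
    upper/lower case switches, as in the two folder names from this report."""
    if not (8 <= len(name) <= 20 and name.isalpha()):
        return False
    switches = sum(1 for a, b in zip(name, name[1:]) if a.isupper() != b.isupper())
    return switches >= 3


def classify(ev):
    """Return the list of reasons the event matches the drop pattern, or []."""
    proc = ev.process.rsplit("\\", 1)[-1].lower()
    if proc not in LOLBINS:
        return []
    m = SYSTEM32_RE.match(ev.path)
    if not m:
        return []
    reasons = []
    top = m.group(1)
    if top.lower() not in KNOWN_SUBDIRS and looks_random(top):
        reasons.append(f"random_system32_subdir:{top}")
    if ev.action == "delete" and ev.path.lower().endswith(":zone.identifier"):
        reasons.append("zone_identifier_removed_in_system32")
    return reasons


def find_drops(events):
    """Pair each matching event with its reasons."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


if __name__ == "__main__":
    for ev, reasons in find_drops(EVENTS):
        print(ev.process.rsplit("\\", 1)[-1], ev.action, ev.path, reasons)
```

Three of the six events match, and the Zone.Identifier deletion matches on two counts. A Zone.Identifier stream on anything under System32 is itself worth an alert, since nothing legitimately installed there arrives with a browser download mark.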
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00401730
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0041D100
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0042E190
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_004161A0
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0041F200
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00414AC0
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_004172F0
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00440BD0
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0040A387
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00441BA0
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00424C40
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00414420
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_004165D0
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_004186C7
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_004186C9
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_004186ED
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_004186FB
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_004186FD
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_004186FF
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0041869B
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0041869D
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0041869F
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_004186A1
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00439760
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00418701
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00418703
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00418705
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_01360000
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018001A000
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018000CC14
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018001709C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180007D6C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018000263C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180018FC8
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180008BC8
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00000001800227EC
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018000A7F0
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180001000
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180009408
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180007C08
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018002181C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180011030
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018001EC30
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018000B83C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180007840
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018001C44C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180025450
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018001C058
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018001B460
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180016C70
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018000D474
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180002C78
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018000C078
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018000B07C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180015880
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018001CC84
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180004C84
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018000AC94
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00000001800098AC
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018001A8B0
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018000DCB8
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00000001800294BC
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180015CC4
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018000F8C4
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00000001800108CC
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00000001800080CC
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180013CD4
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00000001800014D4
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00000001800018DC
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00000001800120E0
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180003CF4
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00000001800090F8
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00000001800048FC
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180028500
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018001610C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180029910
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180017518
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180014D20
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180011924
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018001AD28
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018001B130
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180007530
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180006138
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018001BDA0
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00000001800095BC
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00000001800115C8
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018001D5F0
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180028A00
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180015A00
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180018E08
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018001020C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180003E0C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180004214
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018000461C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180018A2C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180010E2C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018001662C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018000BA2C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018001A244
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018000B258
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018000F65C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018000A660
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180010A70
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180003274
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180024E8C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180008A8C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180014A90
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018000BE90
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018000AAB8
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180004EB8
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018001A6BC
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180003ABC
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018001EAC0
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018000D6CC
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00000001800196D4
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00000001800092F0
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018001E310
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180013B14
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018000EF14
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180014F18
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018000D33C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018001E750
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180004758
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018000975C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018001D770
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018001CF70
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180008378
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018000F77C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180015384
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180001B94
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018000DBA0
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180008FB0
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180018BB8
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018000FFB8
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00000001800197CC
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180013FD0
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180002FD4
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00000001800033D4
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00401730
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0041D100
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0042E190
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_004161A0
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0041F200
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00414AC0
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_004172F0
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00440BD0
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0040A387
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00441BA0
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00424C40
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00414420
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_004165D0
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_004186C7
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_004186C9
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_004186ED
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_004186FB
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_004186FD
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_004186FF
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0041869B
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0041869D
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0041869F
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_004186A1
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00439760
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00418701
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00418703
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00418705
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000000018001A000
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000000018001709C
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000000180008BC8
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000000018000CC14
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000000180007D6C
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000000018000263C
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000000180018FC8
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00000001800227EC
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000000018000A7F0
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000000180001000
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000000018002181C
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000000180011030
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000000018000B83C
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000000180007840
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000000018001C058
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000000018000C078
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000000018000B07C
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000000180015880
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00000001800098AC
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000000018001A8B0
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000000018000F8C4
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00000001800108CC
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00000001800080CC
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00000001800018DC
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00000001800120E0
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00000001800090F8
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00000001800048FC
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000000018001610C
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000000180029910
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000000180011924
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000000018001B130
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000000180006138
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000000180028A00
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000000180015A00
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000000018001020C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180004214
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180018A2C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000BA2C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001A244
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000B258
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180010A70
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180003274
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180008A8C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180014A90
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000AAB8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180003ABC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001EAC0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800092F0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001E310
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180013B14
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000D33C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180008378
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180015384
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180001B94
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000DBA0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180018BB8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800033D4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180009408
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180007C08
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001EC30
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001C44C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180025450
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001B460
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180016C70
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000D474
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180002C78
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001CC84
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180004C84
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000AC94
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000DCB8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800294BC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180015CC4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180013CD4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800014D4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180003CF4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180028500
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180017518
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180014D20
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001AD28
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180007530
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001BDA0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800095BC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800115C8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001D5F0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180018E08
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180003E0C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000461C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180010E2C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001662C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000F65C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000A660
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180024E8C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000BE90
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180004EB8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001A6BC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000D6CC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800196D4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000EF14
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180014F18
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001E750
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180004758
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000975C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001D770
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001CF70
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000F77C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180008FB0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000FFB8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800197CC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180013FD0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180002FD4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000001B9186F0000
                      Source: C:\Windows\System32\rundll32.exe Code function: String function: 00401F90 appears 87 times
                      Source: C:\Windows\System32\regsvr32.exe Code function: String function: 00401F90 appears 87 times
                      Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
                      Source: C:\Windows\System32\regsvr32.exe Section loaded: edgegdi.dll
                      Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
                      Source: C:\Windows\System32\regsvr32.exe Section loaded: edgegdi.dll
                      Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
                      Source: C:\Windows\System32\regsvr32.exe Section loaded: edgegdi.dll
                      Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
                      Source: C:\Windows\System32\regsvr32.exe Section loaded: edgegdi.dll
                      Source: aOHLlvfakv.dll Virustotal: Detection: 53%
                      Source: aOHLlvfakv.dll ReversingLabs: Detection: 28%
                      Source: aOHLlvfakv.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\aOHLlvfakv.dll"
                      Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\aOHLlvfakv.dll",#1
                      Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\aOHLlvfakv.dll
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\aOHLlvfakv.dll",#1
                      Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\aOHLlvfakv.dll,DllRegisterServer
                      Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\HRYKmuIti\sEzrCiJYDniwfP.dll"
                      Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\LwITFj\lcEQL.dll"
                      Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YDgQnzosNBGOURNE\pquwSRMRvDBcLA.dll"
                      Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\aOHLlvfakv.dll,__CPPdebugHook
                      Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\aOHLlvfakv.dll",#1
                      Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\aOHLlvfakv.dll
                      Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\aOHLlvfakv.dll,DllRegisterServer
                      Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\aOHLlvfakv.dll,__CPPdebugHook
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\aOHLlvfakv.dll",#1
                      Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YDgQnzosNBGOURNE\pquwSRMRvDBcLA.dll"
                      Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\HRYKmuIti\sEzrCiJYDniwfP.dll"
                      Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\LwITFj\lcEQL.dll"
                      Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                      Source: classification engine Classification label: mal96.troj.evad.winDLL@18/2@0/49
                      Source: C:\Windows\System32\regsvr32.exe File read: C:\Users\desktop.ini
                      Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180008BC8 Process32NextW,Process32FirstW,CreateToolhelp32Snapshot,FindCloseChangeNotification,
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\aOHLlvfakv.dll",#1
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9020:304:WilStaging_02
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9020:120:WilError_03
                      Source: C:\Windows\System32\regsvr32.exe Automated click: OK
                      Source: C:\Windows\System32\regsvr32.exe Automated click: OK
                      Source: C:\Windows\System32\rundll32.exe Automated click: OK
                      Source: Window Recorder Window detected: More than 3 window changes detected
                      Source: aOHLlvfakv.dll Static file information: File size 571122142 > 1048576
                      Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180006C9F pushad ; ret
                      Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800180D7 push ebp; retf
                      Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180006CDE push esi; iretd
                      Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000A0FC push ebp; iretd
                      Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180017D25 push 4D8BFFFFh; retf
                      Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180017D3C push ebp; retf
                      Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180017D4E push ebp; iretd
                      Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180009D51 push ebp; retf
                      Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180018157 push ebp; retf
                      Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180017987 push ebp; iretd
                      Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000A1D2 push ebp; iretd
                      Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000A26E push ebp; ret
                      Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180009E8B push eax; retf
                      Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180017EAF push 458BCC5Ah; retf
                      Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001C731 push esi; iretd
                      Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800180D7 push ebp; retf
                      Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000A0FC push ebp; iretd
                      Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180018157 push ebp; retf
                      Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180017987 push ebp; iretd
                      Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000A1D2 push ebp; iretd
                      Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000A26E push ebp; ret
                      Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180006C9F pushad ; ret
                      Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180006CDE push esi; iretd
                      Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180017D25 push 4D8BFFFFh; retf
                      Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180017D3C push ebp; retf
                      Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180017D4E push ebp; iretd
                      Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180009D51 push ebp; retf
                      Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180009E8B push eax; retf
                      Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180017EAF push 458BCC5Ah; retf
                      Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001C731 push esi; iretd
                      Source: aOHLlvfakv.dll Static PE information: section name: .rodata
                      Source: aOHLlvfakv.dll Static PE information: section name: .xdata
                      Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00401C80 LoadLibraryW,GetProcAddress,ExitProcess,
                      Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\aOHLlvfakv.dll
                      Source: C:\Windows\System32\rundll32.exe PE file moved: C:\Windows\System32\HRYKmuIti\sEzrCiJYDniwfP.dll

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\YDgQnzosNBGOURNE\pquwSRMRvDBcLA.dll:Zone.Identifier read attributes | delete
                      Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\system32\HRYKmuIti\sEzrCiJYDniwfP.dll:Zone.Identifier read attributes | delete
                      Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\system32\LwITFj\lcEQL.dll:Zone.Identifier read attributes | delete
                      Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\regsvr32.exe TID: 6532 Thread sleep time: -690000s >= -30000s
                      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                      Source: C:\Windows\System32\regsvr32.exe API coverage: 6.1 %
                      Source: C:\Windows\System32\rundll32.exe API coverage: 6.1 %
                      Source: C:\Windows\System32\regsvr32.exe Process information queried: ProcessInformation
                      Source: C:\Windows\System32\regsvr32.exe API call chain: ExitProcess graph end node
                      Source: C:\Windows\System32\rundll32.exe API call chain: ExitProcess graph end node
                      Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\System32\rundll32.exe File Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\System32\rundll32.exe File Volume queried: C:\ FullSizeInformation
                      Source: regsvr32.exe, 00000007.00000003.1512104522.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1236480763.00000000009CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1236480763.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1512104522.00000000009CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1513381084.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.3282958811.00000000009CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1502020156.00000000009CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1502020156.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1238112714.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1513381084.00000000009CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.3284094347.0000000000A19000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                      Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00401C80 LoadLibraryW,GetProcAddress,ExitProcess,
                      Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00448C90 TlsGetValue,GetProcessHeap,TlsSetValue,TlsGetValue,
                      Source: C:\Windows\System32\loaddll64.exe Process queried: DebugPort

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\aOHLlvfakv.dll",#1
                      Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\regsvr32.exe Code function: EnterCriticalSection,GetLocaleInfoA,LeaveCriticalSection,EnterCriticalSection,IsValidLocale,SetThreadLocale,LeaveCriticalSection,LeaveCriticalSection,SetLastError,SetLastError,LeaveCriticalSection,LeaveCriticalSection,GetCPInfo,IsValidLocale,SetThreadLocale,SetLastError,SetLastError,
                      Source: C:\Windows\System32\regsvr32.exeCode function: GetLocaleInfoA,GetLocaleInfoA,SetLastError,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,
                      Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,SetLastError,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,SetLastError,
                      Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoA,
                      Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,SetLastError,
                      Source: C:\Windows\System32\regsvr32.exeCode function: GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,
                      Source: C:\Windows\System32\rundll32.exe Code function: EnterCriticalSection,GetLocaleInfoA,LeaveCriticalSection,EnterCriticalSection,IsValidLocale,SetThreadLocale,LeaveCriticalSection,LeaveCriticalSection,SetLastError,SetLastError,LeaveCriticalSection,LeaveCriticalSection,GetCPInfo,IsValidLocale,SetThreadLocale,SetLastError,SetLastError,
                      Source: C:\Windows\System32\rundll32.exeCode function: GetLocaleInfoA,GetLocaleInfoA,SetLastError,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,
                      Source: C:\Windows\System32\rundll32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,SetLastError,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,SetLastError,
                      Source: C:\Windows\System32\rundll32.exe Code function: GetLocaleInfoA,
                      Source: C:\Windows\System32\rundll32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,SetLastError,
                      Source: C:\Windows\System32\rundll32.exeCode function: GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,GetLocaleInfoA,SetLastError,
                      Source: C:\Windows\System32\regsvr32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00446AA0 GetVersion,GetCurrentThreadId,EnumThreadWindows,MessageBoxA,WriteFile,WriteFile,

Stealing of Sensitive Information

Source: Yara match | File source: 00000007.00000002.3282958811.000000000098B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 7.2.regsvr32.exe.2410000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.25255cd0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.1b91a160000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.1370000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.25255cd0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.1370000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.regsvr32.exe.2410000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.1b91a160000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.861337089.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3286848282.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.860427801.0000000001370000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.858909413.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.860809198.0000025255CD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3285052145.0000000002410000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.858695133.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.860577207.000001B91A160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (a leading number in a cell is the count of matched signatures for that technique; cells without a number were not matched)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 1 Native API | 1 DLL Side-Loading | 111 Process Injection | 2 Masquerading | OS Credential Dumping | 21 Security Software Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 11 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 2 Virtualization/Sandbox Evasion | LSASS Memory | 2 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 111 Process Injection | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Deobfuscate/Decode Files or Information | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 12 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Hidden Files and Directories | LSA Secrets | 24 System Information Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 3 Obfuscated Files or Information | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Regsvr32 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 Rundll32 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | 1 File Deletion | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact | |
Behavior Graph (ID: 828936, Sample: aOHLlvfakv.dll, Start date: 17/03/2023, Architecture: WINDOWS, Score: 96)

Sample-level network contacts: 129.232.188.93 (xneeloZA, South Africa); 45.235.8.30 (WIKINETTELECOMUNICACOESBR, Brazil); 23 other IPs or domains
Sample-level signatures: Snort IDS alert for network traffic; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 2 other signatures

Process tree:
Start
  -> loaddll64.exe
       -> cmd.exe
            -> rundll32.exe  [Hides that the sample has been downloaded from the Internet (zone.identifier)]
                 -> regsvr32.exe  [System process connects to network (likely due to code injection or exploit)]
                      -> 185.4.135.165 port 8080 (local port 49840), TOPHOSTGR, Greece
                      -> 1.234.2.232 port 8080 (local port 49832), SKB-ASSKBroadbandCoLtdKR, Korea Republic of
                      -> 22 other IPs or domains
       -> rundll32.exe  [Hides that the sample has been downloaded from the Internet (zone.identifier)]
            -> regsvr32.exe
       -> regsvr32.exe
            -> regsvr32.exe
       -> 2 other processes

Source | Detection | Scanner | Label
aOHLlvfakv.dll | 54% | Virustotal |
aOHLlvfakv.dll | 28% | ReversingLabs | Win64.Trojan.Emotetcrypt
                      No Antivirus matches
                      No Antivirus matches
                      No Antivirus matches
                      No contacted domains info
Joe Sandbox Version: 37.0.0 Beryl
Analysis ID: 828936
Start date and time: 2023-03-17 17:36:40 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 14m 38s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: aOHLlvfakv.dll
Detection: MAL
Classification: mal96.troj.evad.winDLL@18/2@0/49
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 33.2% (good quality ratio 31%)
• Quality average: 76.9%
• Quality standard deviation: 27.2%
HCA Information:
• Successful, ratio: 68%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .dll
• Override analysis time to 240s for rundll32
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, svchost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 8.248.139.254, 8.248.135.254, 8.248.117.254, 8.253.204.249, 67.26.137.254
• Excluded domains from analysis (whitelisted): wdcpalt.microsoft.com, fg.download.windowsupdate.com.c.footprint.net, fs.microsoft.com, login.live.com, ctldl.windowsupdate.com, wdcp.microsoft.com, wu-bg-shim.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded the maximum time and may be missing disassembly code information.
• Report size exceeded the maximum capacity and may be missing behavior information.
• Report size getting too big: too many NtOpenKeyEx calls found.
• Report size getting too big: too many NtProtectVirtualMemory calls found.
• Report size getting too big: too many NtQueryValueKey calls found.
Time | Type | Description
17:42:00 | API Interceptor | 24x Sleep call for process: regsvr32.exe modified
Process: C:\Windows\System32\regsvr32.exe
File Type: Microsoft Cabinet archive data, Windows 2000/XP setup, 62582 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category: dropped
Size (bytes): 62582
Entropy (8bit): 7.996063107774368
Encrypted: true
SSDEEP: 1536:Jk3XPi43VgGp0gB2itudTSRAn/TWTdWftu:CHa43V5p022iZ4CgA
MD5: E71C8443AE0BC2E282C73FAEAD0A6DD3
SHA1: 0C110C1B01E68EDFACAEAE64781A37B1995FA94B
SHA-256: 95B0A5ACC5BF70D3ABDFD091D0C9F9063AA4FDE65BD34DBF16786082E1992E72
SHA-512: B38458C7FA2825AFB72794F374827403D5946B1132E136A0CE075DFD351277CF7D957C88DC8A1E4ADC3BCAE1FA8010DAE3831E268E910D517691DE24326391A6
Malicious: false
Process: C:\Windows\System32\regsvr32.exe
File Type: data
Category: modified
Size (bytes): 328
Entropy (8bit): 3.1335351732898324
Encrypted: false
SSDEEP: 6:kKNLry/7UN+SkQlPlEGYRMY9z+4KlDA3RUecZUt:9CvkPlE99SNxAhUext
MD5: 141ADD778B4D9D765C44061B65895A5C
SHA1: B04B46DFF42488E393A9DC339242CFAEC02D4B4D
SHA-256: F6E040EEB2079A3E39E26EA4B0C633250A3E0A756F2FC31F47FFF07852014F61
SHA-512: 74A62B27AA08D8A394883C1FE03CDC002D0FC00C8C09146E9C721EF9CE955B8F7ECF0ED108144B3AA2CDB31F0C85D6004FBC5959ACD43F73D4FBA02567505657
Malicious: false
Preview: p...... .........#...X..(....................................................... ..........).K......&...........v...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.d.2.f.9.2.9.a.7.4.b.d.9.1.:.0."...
                      File type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                      Entropy (8bit):0.018845395989010114
                      TrID:
                      • Win64 Dynamic Link Library (generic) (102004/3) 58.55%
                      • InstallShield setup (43055/19) 24.71%
                      • Windows Screen Saver (13104/52) 7.52%
                      • Win64 Executable (generic) (12005/4) 6.89%
                      • Generic Win/DOS Executable (2004/3) 1.15%
                      File name:aOHLlvfakv.dll
                      File size:571122142
                      MD5:362f48619364efe57ecd00f83d1bca62
                      SHA1:ae142315393512fe3f3e03dc07aed88428b6e29b
                      SHA256:a873911592c3ce95d36e009f40bb376f587ad0ba6971a150a2ac10c87a2465f5
                      SHA512:1ed6695b6bfdce048697963812deafcde28f7c4397af824fc6ffeda03c5ad282b52728620bb2b81a2caa782a8e91f1e888687aaf1727323d2c8365edf8c9a33a
                      SSDEEP:
                      TLSH:
                      File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                      Icon Hash:74f0e4ecccdce0e4
                      Entrypoint:0x401300
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows cui
                      Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED, DLL
                      DLL Characteristics:
                      Time Stamp:0x64078C02 [Tue Mar 7 19:09:54 2023 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:5
                      OS Version Minor:2
                      File Version Major:5
                      File Version Minor:2
                      Subsystem Version Major:5
                      Subsystem Version Minor:2
                      Import Hash:c73bbc818ceb2fafea2b25df17dec187
                      Instruction
                      dec eax
                      sub esp, 28h
                      dec eax
                      mov eax, ecx
                      mov dword ptr [00050D8Bh], edx
                      dec esp
                      mov dword ptr [00050D88h], eax
                      dec eax
                      mov dword ptr [00050D75h], eax
                      dec eax
                      cmp edx, 01h
                      jne 00007F6B510E3691h
                      call 00007F6B511191CFh
                      call 00007F6B51114D8Ah
                      call 00007F6B511191D5h
                      dec eax
                      lea eax, dword ptr [00050CC9h]
                      dec eax
                      lea ecx, dword ptr [00047372h]
                      dec eax
                      mov dword ptr [eax+30h], ecx
                      dec eax
                      lea ecx, dword ptr [FFFFFCB7h]
                      dec eax
                      mov dword ptr [eax], ecx
                      dec eax
                      lea ecx, dword ptr [FFFFFF59h]
                      dec eax
                      mov dword ptr [eax+08h], ecx
                      dec eax
                      lea ecx, dword ptr [FFFFFF4Eh]
                      dec eax
                      mov dword ptr [eax+10h], ecx
                      dec eax
                      lea ecx, dword ptr [FFFFFF8Bh]
                      dec eax
                      mov dword ptr [eax+18h], ecx
                      dec eax
                      lea ecx, dword ptr [0004617Ch]
                      dec eax
                      mov dword ptr [eax+68h], ecx
                      dec eax
                      lea ecx, dword ptr [00046571h]
                      dec eax
                      mov dword ptr [eax+70h], ecx
                      dec eax
                      lea ecx, dword ptr [00046596h]
                      dec eax
                      mov dword ptr [eax+78h], ecx
                      dec eax
                      lea ecx, dword ptr [00046B3Bh]
                      dec eax
                      mov dword ptr [eax+00000080h], ecx
                      dec eax
                      lea ecx, dword ptr [0005D2EDh]
                      dec eax
                      mov dword ptr [eax+50h], ecx
                      mov dword ptr [eax+20h], 00000001h
                      dec eax
                      mov ecx, eax
                      dec eax
                      mov edx, dword ptr [00050CD8h]
                      inc esp
                      mov eax, dword ptr [00050CD9h]
                      dec esp
                      mov ecx, dword ptr [00050CD6h]
                      call 00007F6B510E373Ah
                      Name                                  Virtual Address  Virtual Size  Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT          0x81000          0x69          .edata
                      IMAGE_DIRECTORY_ENTRY_IMPORT          0x80000          0xb38         .idata
                      IMAGE_DIRECTORY_ENTRY_RESOURCE        0x82000          0x2be00       .rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x76000          0x3a38        .pdata
                      IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_BASERELOC       0xae000          0x11b4        .reloc
                      IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                      Name     Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity       File Type       Entropy             Characteristics
                      .text    0x1000           0x4c4c8       0x4c600   False     0.4390311732815057    data            6.348222298404593   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      .rodata  0x4e000          0x3600        0x3600    False     0.3231336805555556    data            5.09617814286108    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .data    0x52000          0x22de0       0xe400    False     0.17931058114035087   data            2.348309483365582   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .tls     0x75000          0x5d0         0x600     False     0.013020833333333334  data            0.0                 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .pdata   0x76000          0x3a38        0x3c00    False     0.4626953125          data            5.526910649754969   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .xdata   0x7a000          0x5fd0        0x6000    False     0.14701334635416666   shared library  4.906149317469979   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .idata   0x80000          0xb38         0xc00     False     0.2919921875          data            3.959226833867136   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .edata   0x81000          0x69          0x200     False     0.181640625           data            1.2134297058839834  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .rsrc    0x82000          0x2be00       0x2be00   False     0.8775151353276354    data            7.859341694371929   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .reloc   0xae000          0x11b4        0x1200    False     0.6178385416666666    data            5.813939662419332   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                      Name        RVA      Size     Type  Language  Country
                      VNRKGF      0x82184  0xa2c    data  English   United States
                      VNRKGF      0x82bb0  0x2b000  data  English   United States
                      RT_RCDATA   0xadbb0  0x10     data
                      RT_RCDATA   0xadbc0  0x2      data  English   United States
                      RT_VERSION  0xadbc4  0x1f4    data  English   United States
                      DLL       Import
                      KERNEL32  AddVectoredExceptionHandler, CloseHandle, CreateDirectoryA, CreateFileA, CreateFileW, DeleteCriticalSection, DeleteFileA, EnterCriticalSection, ExitProcess, FreeEnvironmentStringsA, GetACP, GetCPInfo, GetCurrentProcessId, GetCurrentThreadId, GetDateFormatA, GetEnvironmentStrings, GetFileAttributesA, GetFileAttributesW, GetFileSize, GetFileType, GetLastError, GetLocalTime, GetLocaleInfoA, GetModuleFileNameA, GetModuleHandleA, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoA, GetStdHandle, GetStringTypeA, GetStringTypeW, GetSystemDefaultLangID, GetSystemInfo, GetTickCount, GetTimeZoneInformation, GetUserDefaultLCID, GetVersion, GetVersionExA, HeapAlloc, HeapFree, InitializeCriticalSection, InitializeCriticalSectionAndSpinCount, IsDBCSLeadByteEx, IsDebuggerPresent, IsValidLocale, LCMapStringA, LeaveCriticalSection, LoadLibraryA, LoadLibraryW, LocalFileTimeToFileTime, MultiByteToWideChar, RaiseException, ReadFile, RemoveDirectoryA, RemoveVectoredExceptionHandler, RtlCaptureContext, SetConsoleCtrlHandler, SetEndOfFile, SetFilePointer, SetFileTime, SetHandleCount, SetLastError, SetThreadLocale, Sleep, SleepEx, SystemTimeToFileTime, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, VirtualAlloc, VirtualFree, VirtualQuery, WideCharToMultiByte, WriteFile, RtlRestoreContext, RtlUnwindEx
                      USER32    EnumThreadWindows, MessageBoxA, wsprintfA
                      Name               Ordinal  Address
                      DllRegisterServer  1        0x401da0
                      __CPPdebugHook     2        0x474aa0
                      Language of compilation system  Country where language is spoken
                      English                         United States
                      Timestamp                 Protocol  SID      Message                                                Source Port  Dest Port  Source IP      Dest IP
                      03/17/23-17:41:58.374772  TCP       2404344  ET CNC Feodo Tracker Reported CnC Server TCP group 23  49793        8080       192.168.11.20  91.121.146.47
                      03/17/23-17:42:13.021219  TCP       2404312  ET CNC Feodo Tracker Reported CnC Server TCP group 7   49799        443        192.168.11.20  182.162.143.56
                      03/17/23-17:42:27.268480  TCP       2404308  ET CNC Feodo Tracker Reported CnC Server TCP group 5   49808        8080       192.168.11.20  167.172.199.165
                      03/17/23-17:42:33.407520  TCP       2404308  ET CNC Feodo Tracker Reported CnC Server TCP group 5   49810        443        192.168.11.20  164.90.222.65
                      03/17/23-17:42:37.517558  TCP       2404302  ET CNC Feodo Tracker Reported CnC Server TCP group 2   49811        8080       192.168.11.20  104.168.155.143
                      03/17/23-17:42:05.273202  TCP       2404330  ET CNC Feodo Tracker Reported CnC Server TCP group 16  49795        7080       192.168.11.20  66.228.32.31
                      Timestamp                            Source IP       Dest IP        Checksum  Code       Type
                      Mar 17, 2023 17:43:28.805680990 CET  103.132.242.26  192.168.11.20  2278      (Unknown)  Destination Unreachable
                      Mar 17, 2023 17:43:29.806631088 CET  103.132.242.26  192.168.11.20  2278      (Unknown)  Destination Unreachable
                      Mar 17, 2023 17:43:31.821768999 CET  103.132.242.26  192.168.11.20  2278      (Unknown)  Destination Unreachable
                      Mar 17, 2023 17:43:35.836711884 CET  103.132.242.26  192.168.11.20  2278      (Unknown)  Destination Unreachable

                      Target ID:0
                      Start time:17:41:20
                      Start date:17/03/2023
                      Path:C:\Windows\System32\loaddll64.exe
                      Wow64 process (32bit):false
                      Commandline:loaddll64.exe "C:\Users\user\Desktop\aOHLlvfakv.dll"
                      Imagebase:0x7ff7a5a40000
                      File size:139776 bytes
                      MD5 hash:C676FC0263EDD17D4CE7D644B8F3FCD6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:1
                      Start time:17:41:20
                      Start date:17/03/2023
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff76e060000
                      File size:875008 bytes
                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:2
                      Start time:17:41:20
                      Start date:17/03/2023
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\aOHLlvfakv.dll",#1
                      Imagebase:0x7ff785600000
                      File size:289792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate

                      Target ID:3
                      Start time:17:41:20
                      Start date:17/03/2023
                      Path:C:\Windows\System32\regsvr32.exe
                      Wow64 process (32bit):false
                      Commandline:regsvr32.exe /s C:\Users\user\Desktop\aOHLlvfakv.dll
                      Imagebase:0x7ff62d2c0000
                      File size:25088 bytes
                      MD5 hash:B0C2FA35D14A9FAD919E99D9D75E1B9E
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.861337089.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.860427801.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:moderate

                      Target ID:4
                      Start time:17:41:20
                      Start date:17/03/2023
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe "C:\Users\user\Desktop\aOHLlvfakv.dll",#1
                      Imagebase:0x7ff6a2320000
                      File size:71680 bytes
                      MD5 hash:EF3179D498793BF4234F708D3BE28633
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.858695133.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.860577207.000001B91A160000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:moderate

                      Target ID:5
                      Start time:17:41:20
                      Start date:17/03/2023
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe C:\Users\user\Desktop\aOHLlvfakv.dll,DllRegisterServer
                      Imagebase:0x7ff6a2320000
                      File size:71680 bytes
                      MD5 hash:EF3179D498793BF4234F708D3BE28633
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.858909413.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.860809198.0000025255CD0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:moderate

                      Target ID:7
                      Start time:17:41:22
                      Start date:17/03/2023
                      Path:C:\Windows\System32\regsvr32.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\regsvr32.exe "C:\Windows\system32\HRYKmuIti\sEzrCiJYDniwfP.dll"
                      Imagebase:0x7ff62d2c0000
                      File size:25088 bytes
                      MD5 hash:B0C2FA35D14A9FAD919E99D9D75E1B9E
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.3286848282.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Emotet_3, Description: Yara detected Emotet, Source: 00000007.00000002.3282958811.000000000098B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.3285052145.0000000002410000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security

                      Target ID:8
                      Start time:17:41:22
                      Start date:17/03/2023
                      Path:C:\Windows\System32\regsvr32.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\regsvr32.exe "C:\Windows\system32\LwITFj\lcEQL.dll"
                      Imagebase:0x7ff62d2c0000
                      File size:25088 bytes
                      MD5 hash:B0C2FA35D14A9FAD919E99D9D75E1B9E
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:9
                      Start time:17:41:22
                      Start date:17/03/2023
                      Path:C:\Windows\System32\regsvr32.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YDgQnzosNBGOURNE\pquwSRMRvDBcLA.dll"
                      Imagebase:0x7ff62d2c0000
                      File size:25088 bytes
                      MD5 hash:B0C2FA35D14A9FAD919E99D9D75E1B9E
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:10
                      Start time:17:41:23
                      Start date:17/03/2023
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe C:\Users\user\Desktop\aOHLlvfakv.dll,__CPPdebugHook
                      Imagebase:0x7ff6a2320000
                      File size:71680 bytes
                      MD5 hash:EF3179D498793BF4234F708D3BE28633
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      No disassembly