Windows Analysis Report
f_00321b.dll

Overview

General Information

Sample Name: f_00321b.dll
(renamed file extension from none to dll, renamed because original name is a hash value)
Original Sample Name: f_00321b
Analysis ID: 829540
MD5: bfc060937dc90b273eccb6825145f298
SHA1: c156c00c7e918f0cb7363614fb1f177c90d8108a
SHA256: 2f39c2879989ddd7f9ecf52b6232598e5595f8bf367846ff188c9dfbf1251253

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Early bird code injection technique detected
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Queues an APC in another process (thread injection)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Stores large binary data to the registry
Contains functionality to query CPU information (cpuid)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Registers a DLL
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: f_00321b.dll ReversingLabs: Detection: 79%
Source: f_00321b.dll Virustotal: Detection: 60%
Source: https://164.90.222.65/wlqjqf/sqfqe/frrdsoxthmytiqq/rzfarh/ Avira URL Cloud: Label: malware
Source: https://45.235.8.30:8080/wlqjqf/sqfqe/frrdsoxthmytiqq/rzfarh/ Avira URL Cloud: Label: malware
Source: https://163.44.196.120:8080/wlqjqf/sqfqe/frrdsoxthmytiqq/rzfarh/$ Avira URL Cloud: Label: malware
Source: https://45.235.8.30:8080/wlqjqf/sqfqe/frrdsoxthmytiqq/rzfarh//A Avira URL Cloud: Label: malware
Source: 00000008.00000002.1425081092.000000000034A000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Emotet {"C2 list": ["91.121.146.47:8080", "66.228.32.31:7080", "182.162.143.56:443", "187.63.160.88:80", "167.172.199.165:8080", "164.90.222.65:443", "104.168.155.143:8080", "163.44.196.120:8080", "160.16.142.56:8080", "159.89.202.34:443", "159.65.88.10:8080", "186.194.240.217:443", "149.56.131.28:8080", "72.15.201.15:8080", "1.234.2.232:8080", "82.223.21.224:8080", "206.189.28.199:8080", "169.57.156.166:8080", "107.170.39.149:8080", "103.43.75.120:443", "91.207.28.33:8080", "213.239.212.5:443", "45.235.8.30:8080", "119.59.103.152:8080", "164.68.99.3:8080", "95.217.221.146:8080", "153.126.146.25:7080", "197.242.150.244:8080", "202.129.205.3:8080", "103.132.242.26:8080", "139.59.126.41:443", "110.232.117.186:8080", "183.111.227.137:8080", "5.135.159.50:443", "201.94.166.162:443", "103.75.201.2:443", "79.137.35.198:8080", "172.105.226.75:8080", "94.23.45.86:4143", "115.68.227.76:8080", "153.92.5.27:8080", "167.172.253.162:8080", "188.44.20.25:443", "147.139.166.154:8080", "129.232.188.93:443", "173.212.193.249:8080", "185.4.135.165:8080", "45.176.232.124:443"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5SKNpb3sAAIg=", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2QqNpb3sAAJA="]}
Source: unknown HTTPS traffic detected: 164.90.222.65:443 -> 192.168.2.22:49180 version: TLS 1.0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180008D28 FindFirstFileExW, 4_2_0000000180008D28
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180008D28 FindFirstFileExW, 5_2_0000000180008D28

Networking

Source: C:\Windows\System32\regsvr32.exe Network Connect: 159.65.88.10 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 164.90.222.65 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 206.189.28.199 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 213.239.212.5 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 107.170.39.149 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 66.228.32.31 7080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 187.63.160.88 80
Source: C:\Windows\System32\regsvr32.exe Network Connect: 186.194.240.217 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 82.223.21.224 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 104.168.155.143 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 159.89.202.34 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 149.56.131.28 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 91.121.146.47 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 160.16.142.56 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 169.57.156.166 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 91.207.28.33 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 182.162.143.56 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 103.43.75.120 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 1.234.2.232 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 45.235.8.30 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 167.172.199.165 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 72.15.201.15 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 163.44.196.120 8080
Source: Traffic Snort IDS: 2404308 ET CNC Feodo Tracker Reported CnC Server TCP group 5 192.168.2.22:49180 -> 164.90.222.65:443
Source: Traffic Snort IDS: 2404344 ET CNC Feodo Tracker Reported CnC Server TCP group 23 192.168.2.22:49171 -> 91.121.146.47:8080
Source: Traffic Snort IDS: 2404330 ET CNC Feodo Tracker Reported CnC Server TCP group 16 192.168.2.22:49173 -> 66.228.32.31:7080
Source: Traffic Snort IDS: 2404312 ET CNC Feodo Tracker Reported CnC Server TCP group 7 192.168.2.22:49174 -> 182.162.143.56:443
Source: Traffic Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.22:49176 -> 187.63.160.88:80
Source: Traffic Snort IDS: 2404310 ET CNC Feodo Tracker Reported CnC Server TCP group 6 192.168.2.22:49178 -> 167.172.199.165:8080
Source: Traffic Snort IDS: 2404302 ET CNC Feodo Tracker Reported CnC Server TCP group 2 192.168.2.22:49181 -> 104.168.155.143:8080
Source: Traffic Snort IDS: 2404304 ET CNC Feodo Tracker Reported CnC Server TCP group 3 192.168.2.22:49195 -> 1.234.2.232:8080
Source: Traffic Snort IDS: 2404318 ET CNC Feodo Tracker Reported CnC Server TCP group 10 192.168.2.22:49199 -> 206.189.28.199:8080
Source: Traffic Snort IDS: 2404320 ET CNC Feodo Tracker Reported CnC Server TCP group 11 192.168.2.22:49207 -> 213.239.212.5:443
Source: Traffic Snort IDS: 2404324 ET CNC Feodo Tracker Reported CnC Server TCP group 13 192.168.2.22:49209 -> 45.235.8.30:8080
Source: Malware configuration extractor IPs: 91.121.146.47:8080
Source: Malware configuration extractor IPs: 66.228.32.31:7080
Source: Malware configuration extractor IPs: 182.162.143.56:443
Source: Malware configuration extractor IPs: 187.63.160.88:80
Source: Malware configuration extractor IPs: 167.172.199.165:8080
Source: Malware configuration extractor IPs: 164.90.222.65:443
Source: Malware configuration extractor IPs: 104.168.155.143:8080
Source: Malware configuration extractor IPs: 163.44.196.120:8080
Source: Malware configuration extractor IPs: 160.16.142.56:8080
Source: Malware configuration extractor IPs: 159.89.202.34:443
Source: Malware configuration extractor IPs: 159.65.88.10:8080
Source: Malware configuration extractor IPs: 186.194.240.217:443
Source: Malware configuration extractor IPs: 149.56.131.28:8080
Source: Malware configuration extractor IPs: 72.15.201.15:8080
Source: Malware configuration extractor IPs: 1.234.2.232:8080
Source: Malware configuration extractor IPs: 82.223.21.224:8080
Source: Malware configuration extractor IPs: 206.189.28.199:8080
Source: Malware configuration extractor IPs: 169.57.156.166:8080
Source: Malware configuration extractor IPs: 107.170.39.149:8080
Source: Malware configuration extractor IPs: 103.43.75.120:443
Source: Malware configuration extractor IPs: 91.207.28.33:8080
Source: Malware configuration extractor IPs: 213.239.212.5:443
Source: Malware configuration extractor IPs: 45.235.8.30:8080
Source: Malware configuration extractor IPs: 119.59.103.152:8080
Source: Malware configuration extractor IPs: 164.68.99.3:8080
Source: Malware configuration extractor IPs: 95.217.221.146:8080
Source: Malware configuration extractor IPs: 153.126.146.25:7080
Source: Malware configuration extractor IPs: 197.242.150.244:8080
Source: Malware configuration extractor IPs: 202.129.205.3:8080
Source: Malware configuration extractor IPs: 103.132.242.26:8080
Source: Malware configuration extractor IPs: 139.59.126.41:443
Source: Malware configuration extractor IPs: 110.232.117.186:8080
Source: Malware configuration extractor IPs: 183.111.227.137:8080
Source: Malware configuration extractor IPs: 5.135.159.50:443
Source: Malware configuration extractor IPs: 201.94.166.162:443
Source: Malware configuration extractor IPs: 103.75.201.2:443
Source: Malware configuration extractor IPs: 79.137.35.198:8080
Source: Malware configuration extractor IPs: 172.105.226.75:8080
Source: Malware configuration extractor IPs: 94.23.45.86:4143
Source: Malware configuration extractor IPs: 115.68.227.76:8080
Source: Malware configuration extractor IPs: 153.92.5.27:8080
Source: Malware configuration extractor IPs: 167.172.253.162:8080
Source: Malware configuration extractor IPs: 188.44.20.25:443
Source: Malware configuration extractor IPs: 147.139.166.154:8080
Source: Malware configuration extractor IPs: 129.232.188.93:443
Source: Malware configuration extractor IPs: 173.212.193.249:8080
Source: Malware configuration extractor IPs: 185.4.135.165:8080
Source: Malware configuration extractor IPs: 45.176.232.124:443
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View ASN Name: LINODE-APLinodeLLCUS
Source: Joe Sandbox View JA3 fingerprint: 8c4a22651d328568ec66382a84fc505f
Source: global traffic HTTP traffic detected:
    POST /wlqjqf/sqfqe/frrdsoxthmytiqq/rzfarh/ HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 269
    Host: 164.90.222.65
Source: Joe Sandbox View IP Address: 159.65.88.10
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 91.121.146.47:8080
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 66.228.32.31:7080
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 167.172.199.165:8080
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 104.168.155.143:8080
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 163.44.196.120:8080
Source: global traffic TCP traffic: 192.168.2.22:49185 -> 160.16.142.56:8080
Source: global traffic TCP traffic: 192.168.2.22:49188 -> 159.65.88.10:8080
Source: global traffic TCP traffic: 192.168.2.22:49192 -> 149.56.131.28:8080
Source: global traffic TCP traffic: 192.168.2.22:49194 -> 72.15.201.15:8080
Source: global traffic TCP traffic: 192.168.2.22:49195 -> 1.234.2.232:8080
Source: global traffic TCP traffic: 192.168.2.22:49197 -> 82.223.21.224:8080
Source: global traffic TCP traffic: 192.168.2.22:49199 -> 206.189.28.199:8080
Source: global traffic TCP traffic: 192.168.2.22:49201 -> 169.57.156.166:8080
Source: global traffic TCP traffic: 192.168.2.22:49202 -> 107.170.39.149:8080
Source: global traffic TCP traffic: 192.168.2.22:49206 -> 91.207.28.33:8080
Source: global traffic TCP traffic: 192.168.2.22:49209 -> 45.235.8.30:8080
Source: unknown Network traffic detected: IP country count 17
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49205
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49204
Source: unknown Network traffic detected: HTTP traffic on port 49187 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49186 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49180 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49187
Source: unknown Network traffic detected: HTTP traffic on port 49190 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49175
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49186
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown Network traffic detected: HTTP traffic on port 49204 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49180
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49191
Source: unknown Network traffic detected: HTTP traffic on port 49205 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49190
Source: unknown Network traffic detected: HTTP traffic on port 49207 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49208 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49175 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49191 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49208
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49207
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.155.143
Source: regsvr32.exe, 00000008.00000002.1425081092.00000000003AB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1079294071.00000000003AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: regsvr32.exe, 00000008.00000002.1425081092.00000000003AB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1079294071.00000000003AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: regsvr32.exe, 00000008.00000002.1425081092.00000000003AB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1079294071.00000000003AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: regsvr32.exe, 00000008.00000002.1425081092.00000000003AB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1079294071.00000000003AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: regsvr32.exe, 00000008.00000002.1425081092.00000000003AB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1079294071.00000000003AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000008.00000002.1425081092.00000000003AB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1079294071.00000000003AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: regsvr32.exe, 00000008.00000002.1425081092.00000000003AB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1079294071.00000000003AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: regsvr32.exe, 00000008.00000002.1425081092.00000000003AB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1079294071.00000000003AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: regsvr32.exe, 00000008.00000002.1425081092.00000000003AB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1079294071.00000000003AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: regsvr32.exe, 00000008.00000002.1425081092.00000000003AB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1079294071.00000000003AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: regsvr32.exe, 00000008.00000002.1425081092.00000000003AB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1079294071.00000000003AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: regsvr32.exe, 00000008.00000002.1425081092.00000000003AB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1079294071.00000000003AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: regsvr32.exe, 00000008.00000002.1425081092.00000000003AB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1079294071.00000000003AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: regsvr32.exe, 00000008.00000002.1425081092.00000000003AB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1079294071.00000000003AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: regsvr32.exe, 00000008.00000002.1425081092.00000000003AB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1079294071.00000000003AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: regsvr32.exe, 00000008.00000002.1425081092.00000000003AB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1079294071.00000000003AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: regsvr32.exe, 00000008.00000002.1425081092.000000000039A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://163.44.196.120:8080/wlqjqf/sqfqe/frrdsoxthmytiqq/rzfarh/$
Source: regsvr32.exe, 00000008.00000003.1079294071.00000000003AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://164.90.222.65/wlqjqf/sqfqe/frrdsoxthmytiqq/rzfarh/
Source: regsvr32.exe, 00000008.00000002.1425081092.00000000003AB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.1425340570.0000000002C9F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://45.235.8.30:8080/wlqjqf/sqfqe/frrdsoxthmytiqq/rzfarh/
Source: regsvr32.exe, 00000008.00000002.1425340570.0000000002C9F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://45.235.8.30:8080/wlqjqf/sqfqe/frrdsoxthmytiqq/rzfarh//A
Source: regsvr32.exe, 00000008.00000002.1425081092.00000000003AB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1079294071.00000000003AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: unknown HTTP traffic detected:
    POST /wlqjqf/sqfqe/frrdsoxthmytiqq/rzfarh/ HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 269
    Host: 164.90.222.65

E-Banking Fraud

Source: Yara match File source: 00000008.00000002.1425081092.000000000034A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 8.2.regsvr32.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.regsvr32.exe.150000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.911933178.00000000001E1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.911793490.00000000001B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.911404298.00000000001C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.911845792.00000000001E1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1424978614.0000000000150000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.911429954.00000000001F1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1425013231.0000000000181000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.911734375.00000000001B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\rundll32.exe File deleted: C:\Windows\System32\CcdErbXwwqK\BMwTvRDPNYt.dll:Zone.Identifier
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\system32\TMlQeVZkdztztmVcv\
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180006818 4_2_0000000180006818
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000B878 4_2_000000018000B878
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180007110 4_2_0000000180007110
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180008D28 4_2_0000000180008D28
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180014555 4_2_0000000180014555
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001B0000 4_2_001B0000
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001FCC14 4_2_001FCC14
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0020A000 4_2_0020A000
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0020709C 4_2_0020709C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001F7D6C 4_2_001F7D6C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001F263C 4_2_001F263C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0020CF70 4_2_0020CF70
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001F8BC8 4_2_001F8BC8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00208FC8 4_2_00208FC8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00201030 4_2_00201030
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0020EC30 4_2_0020EC30
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001F9408 4_2_001F9408
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001F7C08 4_2_001F7C08
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001F1000 4_2_001F1000
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001FB83C 4_2_001FB83C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0021181C 4_2_0021181C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0020B460 4_2_0020B460
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00206C70 4_2_00206C70
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001F7840 4_2_001F7840
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001FB07C 4_2_001FB07C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001F2C78 4_2_001F2C78
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001FC078 4_2_001FC078
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001FD474 4_2_001FD474
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0020C44C 4_2_0020C44C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00215450 4_2_00215450
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0020C058 4_2_0020C058
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001FAC94 4_2_001FAC94
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0020A8B0 4_2_0020A8B0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001F4C84 4_2_001F4C84
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_002194BC 4_2_002194BC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00205880 4_2_00205880
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0020CC84 4_2_0020CC84
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001FDCB8 4_2_001FDCB8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001F98AC 4_2_001F98AC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_002020E0 4_2_002020E0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001F18DC 4_2_001F18DC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001F14D4 4_2_001F14D4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001F80CC 4_2_001F80CC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001FF8C4 4_2_001FF8C4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001F48FC 4_2_001F48FC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00205CC4 4_2_00205CC4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001F90F8 4_2_001F90F8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001F3CF4 4_2_001F3CF4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_002008CC 4_2_002008CC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00203CD4 4_2_00203CD4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00204D20 4_2_00204D20
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00201924 4_2_00201924
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0020AD28 4_2_0020AD28
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0020B130 4_2_0020B130
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00218500 4_2_00218500
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001F6138 4_2_001F6138
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0020610C 4_2_0020610C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001F7530 4_2_001F7530
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00219910 4_2_00219910
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00207518 4_2_00207518
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0020BDA0 4_2_0020BDA0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001F95BC 4_2_001F95BC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0020D5F0 4_2_0020D5F0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_002015C8 4_2_002015C8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001F461C 4_2_001F461C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001F4214 4_2_001F4214
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00208A2C 4_2_00208A2C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00200E2C 4_2_00200E2C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0020662C 4_2_0020662C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001F3E0C 4_2_001F3E0C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00205A00 4_2_00205A00
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00218A00 4_2_00218A00
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00208E08 4_2_00208E08
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0020020C 4_2_0020020C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001FBA2C 4_2_001FBA2C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001FF65C 4_2_001FF65C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001FB258 4_2_001FB258
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00200A70 4_2_00200A70
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0020A244 4_2_0020A244
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001F3274 4_2_001F3274
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001FA660 4_2_001FA660
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001FBE90 4_2_001FBE90
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001F8A8C 4_2_001F8A8C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0020A6BC 4_2_0020A6BC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001F3ABC 4_2_001F3ABC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001FAAB8 4_2_001FAAB8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001F4EB8 4_2_001F4EB8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00214E8C 4_2_00214E8C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00204A90 4_2_00204A90
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001FD6CC 4_2_001FD6CC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0020EAC0 4_2_0020EAC0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001F92F0 4_2_001F92F0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_002096D4 4_2_002096D4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001FEF14 4_2_001FEF14
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001FD33C 4_2_001FD33C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0020E310 4_2_0020E310
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00203B14 4_2_00203B14
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00204F18 4_2_00204F18
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001F975C 4_2_001F975C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001F4758 4_2_001F4758
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0020D770 4_2_0020D770
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001FF77C 4_2_001FF77C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001F8378 4_2_001F8378
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0020E750 4_2_0020E750
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001F1B94 4_2_001F1B94
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00208BB8 4_2_00208BB8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00205384 4_2_00205384
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001FFFB8 4_2_001FFFB8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001F8FB0 4_2_001F8FB0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001FDBA0 4_2_001FDBA0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001F2FD4 4_2_001F2FD4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001F33D4 4_2_001F33D4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_002127EC 4_2_002127EC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_002097CC 4_2_002097CC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001FA7F0 4_2_001FA7F0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00203FD0 4_2_00203FD0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180006818 5_2_0000000180006818
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000B878 5_2_000000018000B878
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180007110 5_2_0000000180007110
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180008D28 5_2_0000000180008D28
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180014555 5_2_0000000180014555
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001A0000 5_2_001A0000
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001ECC14 5_2_001ECC14
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001FA000 5_2_001FA000
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001F709C 5_2_001F709C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001E7D6C 5_2_001E7D6C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001E263C 5_2_001E263C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001FCF70 5_2_001FCF70
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001E8BC8 5_2_001E8BC8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001F8FC8 5_2_001F8FC8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001E9408 5_2_001E9408
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001E7C08 5_2_001E7C08
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001E1000 5_2_001E1000
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001EB83C 5_2_001EB83C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001F1030 5_2_001F1030
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001FEC30 5_2_001FEC30
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0020181C 5_2_0020181C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001FC058 5_2_001FC058
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001FC44C 5_2_001FC44C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001E7840 5_2_001E7840
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001EB07C 5_2_001EB07C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001E2C78 5_2_001E2C78
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001EC078 5_2_001EC078
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001ED474 5_2_001ED474
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001F6C70 5_2_001F6C70
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00205450 5_2_00205450
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001FB460 5_2_001FB460
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001EAC94 5_2_001EAC94
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001E4C84 5_2_001E4C84
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001FCC84 5_2_001FCC84
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_002094BC 5_2_002094BC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001F5880 5_2_001F5880
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001EDCB8 5_2_001EDCB8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001FA8B0 5_2_001FA8B0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001E98AC 5_2_001E98AC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001E18DC 5_2_001E18DC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001E14D4 5_2_001E14D4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001F3CD4 5_2_001F3CD4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001E80CC 5_2_001E80CC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001F08CC 5_2_001F08CC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001EF8C4 5_2_001EF8C4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001F5CC4 5_2_001F5CC4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001E48FC 5_2_001E48FC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001E90F8 5_2_001E90F8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001E3CF4 5_2_001E3CF4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001F20E0 5_2_001F20E0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001F7518 5_2_001F7518
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001F610C 5_2_001F610C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00208500 5_2_00208500
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001E6138 5_2_001E6138
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001E7530 5_2_001E7530
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001FB130 5_2_001FB130
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00209910 5_2_00209910
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001FAD28 5_2_001FAD28
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001F1924 5_2_001F1924
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001F4D20 5_2_001F4D20
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001E95BC 5_2_001E95BC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001FBDA0 5_2_001FBDA0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001F15C8 5_2_001F15C8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001FD5F0 5_2_001FD5F0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001E461C 5_2_001E461C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001E4214 5_2_001E4214
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001E3E0C 5_2_001E3E0C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001F020C 5_2_001F020C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001F8E08 5_2_001F8E08
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001F5A00 5_2_001F5A00
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00208A00 5_2_00208A00
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001EBA2C 5_2_001EBA2C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001F8A2C 5_2_001F8A2C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001F0E2C 5_2_001F0E2C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001F662C 5_2_001F662C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001EF65C 5_2_001EF65C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001EB258 5_2_001EB258
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001FA244 5_2_001FA244
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001E3274 5_2_001E3274
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001F0A70 5_2_001F0A70
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001EA660 5_2_001EA660
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001EBE90 5_2_001EBE90
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001F4A90 5_2_001F4A90
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001E8A8C 5_2_001E8A8C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001E3ABC 5_2_001E3ABC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001FA6BC 5_2_001FA6BC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001EAAB8 5_2_001EAAB8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001E4EB8 5_2_001E4EB8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00204E8C 5_2_00204E8C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001F96D4 5_2_001F96D4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001ED6CC 5_2_001ED6CC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001FEAC0 5_2_001FEAC0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001E92F0 5_2_001E92F0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001F4F18 5_2_001F4F18
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001EEF14 5_2_001EEF14
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001F3B14 5_2_001F3B14
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001FE310 5_2_001FE310
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001ED33C 5_2_001ED33C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001E975C 5_2_001E975C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001E4758 5_2_001E4758
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001FE750 5_2_001FE750
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001EF77C 5_2_001EF77C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001E8378 5_2_001E8378
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001FD770 5_2_001FD770
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001E1B94 5_2_001E1B94
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001F5384 5_2_001F5384
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001EFFB8 5_2_001EFFB8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001F8BB8 5_2_001F8BB8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001E8FB0 5_2_001E8FB0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001EDBA0 5_2_001EDBA0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001E2FD4 5_2_001E2FD4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001E33D4 5_2_001E33D4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_002027EC 5_2_002027EC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001F3FD0 5_2_001F3FD0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001F97CC 5_2_001F97CC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001EA7F0 5_2_001EA7F0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001A0000 6_2_001A0000
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001ECC14 6_2_001ECC14
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001FA000 6_2_001FA000
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001F709C 6_2_001F709C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001E7D6C 6_2_001E7D6C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001E263C 6_2_001E263C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001FCF70 6_2_001FCF70
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001E8BC8 6_2_001E8BC8
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001F8FC8 6_2_001F8FC8
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001E9408 6_2_001E9408
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001E7C08 6_2_001E7C08
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001E1000 6_2_001E1000
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001EB83C 6_2_001EB83C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001F1030 6_2_001F1030
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001FEC30 6_2_001FEC30
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0020181C 6_2_0020181C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001FC058 6_2_001FC058
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001FC44C 6_2_001FC44C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001E7840 6_2_001E7840
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001EB07C 6_2_001EB07C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001E2C78 6_2_001E2C78
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001EC078 6_2_001EC078
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001ED474 6_2_001ED474
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001F6C70 6_2_001F6C70
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00205450 6_2_00205450
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001FB460 6_2_001FB460
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001EAC94 6_2_001EAC94
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001E4C84 6_2_001E4C84
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001FCC84 6_2_001FCC84
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_002094BC 6_2_002094BC
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001F5880 6_2_001F5880
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001EDCB8 6_2_001EDCB8
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001FA8B0 6_2_001FA8B0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001E98AC 6_2_001E98AC
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001E18DC 6_2_001E18DC
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001E14D4 6_2_001E14D4
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001F3CD4 6_2_001F3CD4
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001E80CC 6_2_001E80CC
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001F08CC 6_2_001F08CC
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001EF8C4 6_2_001EF8C4
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001F5CC4 6_2_001F5CC4
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001E48FC 6_2_001E48FC
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001E90F8 6_2_001E90F8
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001E3CF4 6_2_001E3CF4
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001F20E0 6_2_001F20E0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001F7518 6_2_001F7518
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001F610C 6_2_001F610C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00208500 6_2_00208500
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001E6138 6_2_001E6138
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001E7530 6_2_001E7530
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001FB130 6_2_001FB130
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00209910 6_2_00209910
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001FAD28 6_2_001FAD28
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001F1924 6_2_001F1924
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001F4D20 6_2_001F4D20
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001E95BC 6_2_001E95BC
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001FBDA0 6_2_001FBDA0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001F15C8 6_2_001F15C8
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001FD5F0 6_2_001FD5F0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001E461C 6_2_001E461C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001E4214 6_2_001E4214
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001E3E0C 6_2_001E3E0C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001F020C 6_2_001F020C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001F8E08 6_2_001F8E08
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001F5A00 6_2_001F5A00
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00208A00 6_2_00208A00
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001EBA2C 6_2_001EBA2C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001F8A2C 6_2_001F8A2C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001F0E2C 6_2_001F0E2C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001F662C 6_2_001F662C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001EF65C 6_2_001EF65C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001EB258 6_2_001EB258
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001FA244 6_2_001FA244
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001E3274 6_2_001E3274
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001F0A70 6_2_001F0A70
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001EA660 6_2_001EA660
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001EBE90 6_2_001EBE90
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001F4A90 6_2_001F4A90
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001E8A8C 6_2_001E8A8C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001E3ABC 6_2_001E3ABC
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001FA6BC 6_2_001FA6BC
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001EAAB8 6_2_001EAAB8
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001E4EB8 6_2_001E4EB8
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00204E8C 6_2_00204E8C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001F96D4 6_2_001F96D4
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001ED6CC 6_2_001ED6CC
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001FEAC0 6_2_001FEAC0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001E92F0 6_2_001E92F0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001F4F18 6_2_001F4F18
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001EEF14 6_2_001EEF14
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001F3B14 6_2_001F3B14
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001FE310 6_2_001FE310
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001ED33C 6_2_001ED33C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001E975C 6_2_001E975C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001E4758 6_2_001E4758
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001FE750 6_2_001FE750
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001EF77C 6_2_001EF77C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001E8378 6_2_001E8378
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001FD770 6_2_001FD770
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001E1B94 6_2_001E1B94
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001F5384 6_2_001F5384
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001EFFB8 6_2_001EFFB8
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001F8BB8 6_2_001F8BB8
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001E8FB0 6_2_001E8FB0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001EDBA0 6_2_001EDBA0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001E2FD4 6_2_001E2FD4
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001E33D4 6_2_001E33D4
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_002027EC 6_2_002027EC
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001F3FD0 6_2_001F3FD0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001F97CC 6_2_001F97CC
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_001EA7F0 6_2_001EA7F0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00140000 8_2_00140000
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0018CC14 8_2_0018CC14
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_001908CC 8_2_001908CC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00187D6C 8_2_00187D6C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_001A0618 8_2_001A0618
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0019020C 8_2_0019020C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00197EBE 8_2_00197EBE
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00189B79 8_2_00189B79
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0019CF70 8_2_0019CF70
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_001863A4 8_2_001863A4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_001A73A4 8_2_001A73A4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00193FD0 8_2_00193FD0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00188BC8 8_2_00188BC8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00198FC8 8_2_00198FC8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_001A181C 8_2_001A181C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00187410 8_2_00187410
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00189408 8_2_00189408
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00187C08 8_2_00187C08
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00181000 8_2_00181000
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0019A000 8_2_0019A000
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0018B83C 8_2_0018B83C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00191030 8_2_00191030
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0019EC30 8_2_0019EC30
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0019C058 8_2_0019C058
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_001A5450 8_2_001A5450
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0019C44C 8_2_0019C44C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00187840 8_2_00187840
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00182C78 8_2_00182C78
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0018C078 8_2_0018C078
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0018B07C 8_2_0018B07C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00196C70 8_2_00196C70
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0018D474 8_2_0018D474
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_001A5868 8_2_001A5868
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0019B460 8_2_0019B460
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0019709C 8_2_0019709C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0018AC94 8_2_0018AC94
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_001A1494 8_2_001A1494
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_001A488C 8_2_001A488C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00195880 8_2_00195880
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00184C84 8_2_00184C84
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0019CC84 8_2_0019CC84
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0018DCB8 8_2_0018DCB8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_001A94BC 8_2_001A94BC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0019A8B0 8_2_0019A8B0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_001A44A8 8_2_001A44A8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_001898AC 8_2_001898AC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_001818DC 8_2_001818DC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_001814D4 8_2_001814D4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00193CD4 8_2_00193CD4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_001A1CD4 8_2_001A1CD4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_001880CC 8_2_001880CC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0018F8C4 8_2_0018F8C4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00195CC4 8_2_00195CC4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_001890F8 8_2_001890F8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_001848FC 8_2_001848FC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00183CF4 8_2_00183CF4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_001920E0 8_2_001920E0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00197518 8_2_00197518
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_001A9910 8_2_001A9910
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0019610C 8_2_0019610C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_001A8500 8_2_001A8500
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_001A2100 8_2_001A2100
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00186138 8_2_00186138
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0019B130 8_2_0019B130
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0019AD28 8_2_0019AD28
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00194D20 8_2_00194D20
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00191924 8_2_00191924
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_001A4D64 8_2_001A4D64
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_001895BC 8_2_001895BC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0019BDA0 8_2_0019BDA0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_001915C8 8_2_001915C8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0019D5F0 8_2_0019D5F0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0018461C 8_2_0018461C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00184214 8_2_00184214
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00198E08 8_2_00198E08
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00183E0C 8_2_00183E0C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00195A00 8_2_00195A00
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_001A8A00 8_2_001A8A00
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0018263C 8_2_0018263C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0018BA2C 8_2_0018BA2C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00198A2C 8_2_00198A2C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00190E2C 8_2_00190E2C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0019662C 8_2_0019662C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0018B258 8_2_0018B258
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0018F65C 8_2_0018F65C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_001A6E48 8_2_001A6E48
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0019A244 8_2_0019A244
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00190A70 8_2_00190A70
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00183274 8_2_00183274
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0018A660 8_2_0018A660
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0018BE90 8_2_0018BE90
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00194A90 8_2_00194A90
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00188A8C 8_2_00188A8C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_001A4E8C 8_2_001A4E8C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_001A2E84 8_2_001A2E84
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0018AAB8 8_2_0018AAB8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00184EB8 8_2_00184EB8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00183ABC 8_2_00183ABC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0019A6BC 8_2_0019A6BC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_001A2AB0 8_2_001A2AB0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_001996D4 8_2_001996D4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0018D6CC 8_2_0018D6CC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0019EAC0 8_2_0019EAC0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_001A36FC 8_2_001A36FC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_001892F0 8_2_001892F0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00194F18 8_2_00194F18
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_001A5B1C 8_2_001A5B1C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0019E310 8_2_0019E310
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_001A8310 8_2_001A8310
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0018EF14 8_2_0018EF14
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00193B14 8_2_00193B14
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0018D33C 8_2_0018D33C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00184758 8_2_00184758
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0018975C 8_2_0018975C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0019E750 8_2_0019E750
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00188378 8_2_00188378
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0018F77C 8_2_0018F77C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0019D770 8_2_0019D770
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_001A8B68 8_2_001A8B68
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0019779A 8_2_0019779A
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00181B94 8_2_00181B94
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00195384 8_2_00195384
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0018FFB8 8_2_0018FFB8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00198BB8 8_2_00198BB8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00188FB0 8_2_00188FB0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_001A47A8 8_2_001A47A8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0018DBA0 8_2_0018DBA0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00182FD4 8_2_00182FD4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_001833D4 8_2_001833D4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_001997CC 8_2_001997CC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0019FFFC 8_2_0019FFFC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0018A7F0 8_2_0018A7F0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_001A27EC 8_2_001A27EC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory, 4_2_0000000180010C10
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180010AC0 ExitProcess,NtQueueApcThread,NtTestAlert, 4_2_0000000180010AC0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180010DB0 ZwOpenSymbolicLinkObject,ZwOpenSymbolicLinkObject, 4_2_0000000180010DB0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory, 5_2_0000000180010C10
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180010AC0 ExitProcess,NtQueueApcThread,NtTestAlert, 5_2_0000000180010AC0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180010DB0 ZwOpenSymbolicLinkObject,ZwOpenSymbolicLinkObject, 5_2_0000000180010DB0
Source: f_00321b.dll ReversingLabs: Detection: 79%
Source: f_00321b.dll Virustotal: Detection: 60%
Source: f_00321b.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\f_00321b.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\f_00321b.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\f_00321b.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\f_00321b.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\f_00321b.dll,DllRegisterServer
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\TMlQeVZkdztztmVcv\UUQGnKwW.dll"
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CcdErbXwwqK\BMwTvRDPNYt.dll"
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PmXMgnVtL\uQQuLasS.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\f_00321b.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\f_00321b.dll
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\f_00321b.dll,DllRegisterServer
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\f_00321b.dll",#1
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\TMlQeVZkdztztmVcv\UUQGnKwW.dll"
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CcdErbXwwqK\BMwTvRDPNYt.dll"
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PmXMgnVtL\uQQuLasS.dll"
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: classification engine Classification label: mal100.troj.evad.winDLL@15/0@0/48
Source: C:\Windows\System32\regsvr32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001F8BC8 Process32NextW,Process32FirstW,CreateToolhelp32Snapshot,CloseHandle, 4_2_001F8BC8
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\f_00321b.dll",#1
Source: C:\Windows\System32\regsvr32.exe Automated click: OK
Source: C:\Windows\System32\regsvr32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: f_00321b.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: f_00321b.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: f_00321b.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: f_00321b.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: f_00321b.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: f_00321b.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: f_00321b.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: f_00321b.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: f_00321b.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: f_00321b.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: f_00321b.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: f_00321b.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: f_00321b.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180005C69 push rdi; ret 4_2_0000000180005C72
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800056DD push rdi; ret 4_2_00000001800056E4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001F6C9F pushad ; ret 4_2_001F6CAA
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001F6CDE push esi; iretd 4_2_001F6CDF
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001FA0FC push ebp; iretd 4_2_001FA0FD
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_002080D7 push ebp; retf 4_2_002080D8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00207D25 push 4D8BFFFFh; retf 4_2_00207D2A
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00207D3C push ebp; retf 4_2_00207D3D
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001F9D51 push ebp; retf 4_2_001F9D5A
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00207D4E push ebp; iretd 4_2_00207D4F
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00208157 push ebp; retf 4_2_00208158
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00207987 push ebp; iretd 4_2_0020798F
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001FA1D2 push ebp; iretd 4_2_001FA1D3
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001FA26E push ebp; ret 4_2_001FA26F
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00207EAF push 458BCC5Ah; retf 4_2_00207EBC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_001F9E8B push eax; retf 4_2_001F9E8E
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0020C731 push esi; iretd 4_2_0020C732
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180005C69 push rdi; ret 5_2_0000000180005C72
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800056DD push rdi; ret 5_2_00000001800056E4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001E6C9F pushad ; ret 5_2_001E6CAA
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001E6CDE push esi; iretd 5_2_001E6CDF
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001F80D7 push ebp; retf 5_2_001F80D8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001EA0FC push ebp; iretd 5_2_001EA0FD
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001F7D3C push ebp; retf 5_2_001F7D3D
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001F7D25 push 4D8BFFFFh; retf 5_2_001F7D2A
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001F8157 push ebp; retf 5_2_001F8158
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001E9D51 push ebp; retf 5_2_001E9D5A
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001F7D4E push ebp; iretd 5_2_001F7D4F
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001F7987 push ebp; iretd 5_2_001F798F
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001EA1D2 push ebp; iretd 5_2_001EA1D3
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_001EA26E push ebp; ret 5_2_001EA26F
Source: f_00321b.dll Static PE information: section name: _RDATA
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\f_00321b.dll
Source: C:\Windows\System32\rundll32.exe PE file moved: C:\Windows\System32\CcdErbXwwqK\BMwTvRDPNYt.dll

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\TMlQeVZkdztztmVcv\UUQGnKwW.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\system32\CcdErbXwwqK\BMwTvRDPNYt.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\system32\PmXMgnVtL\uQQuLasS.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\regsvr32.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe TID: 1760 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 1580 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 2192 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 2624 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 2548 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe API coverage: 9.5 %
Source: C:\Windows\System32\regsvr32.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180008D28 FindFirstFileExW, 4_2_0000000180008D28
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180008D28 FindFirstFileExW, 5_2_0000000180008D28
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: regsvr32.exe, 00000004.00000002.911530708.000000000032A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_0000000180001C48
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000A878 GetProcessHeap, 4_2_000000018000A878
Source: C:\Windows\System32\loaddll64.exe Process queried: DebugPort
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory, 4_2_0000000180010C10
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_0000000180001C48
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800082EC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00000001800082EC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800017DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00000001800017DC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_0000000180001C48
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800082EC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00000001800082EC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800017DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_00000001800017DC

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\cmd.exe Process created / APC Queued / Resumed: C:\Windows\System32\rundll32.exe
Source: C:\Windows\System32\regsvr32.exe Process created / APC Queued / Resumed: C:\Windows\System32\regsvr32.exe
Source: C:\Windows\System32\regsvr32.exe Network Connect: 159.65.88.10 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 164.90.222.65 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 206.189.28.199 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 213.239.212.5 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 107.170.39.149 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 66.228.32.31 7080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 187.63.160.88 80
Source: C:\Windows\System32\regsvr32.exe Network Connect: 186.194.240.217 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 82.223.21.224 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 104.168.155.143 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 159.89.202.34 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 149.56.131.28 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 91.121.146.47 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 160.16.142.56 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 169.57.156.166 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 91.207.28.33 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 182.162.143.56 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 103.43.75.120 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 1.234.2.232 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 45.235.8.30 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 167.172.199.165 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 72.15.201.15 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 163.44.196.120 8080
Source: C:\Windows\System32\regsvr32.exe Thread APC queued: target process: C:\Windows\System32\rundll32.exe
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\f_00321b.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\f_00321b.dll
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\f_00321b.dll,DllRegisterServer
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\f_00321b.dll",#1
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\TMlQeVZkdztztmVcv\UUQGnKwW.dll"
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CcdErbXwwqK\BMwTvRDPNYt.dll"
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PmXMgnVtL\uQQuLasS.dll"
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800070A0 cpuid 4_2_00000001800070A0
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180001D98 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 4_2_0000000180001D98

Stealing of Sensitive Information

Source: Yara match File source: 00000008.00000002.1425081092.000000000034A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 8.2.regsvr32.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.regsvr32.exe.150000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.911933178.00000000001E1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.911793490.00000000001B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.911404298.00000000001C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.911845792.00000000001E1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1424978614.0000000000150000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.911429954.00000000001F1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1425013231.0000000000181000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.911734375.00000000001B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY