Windows Analysis Report
f_00321b.dll

Overview

General Information

Sample Name: f_00321b.dll
(renamed file extension from none to dll, renamed because original name is a hash value)
Original Sample Name: f_00321b
Analysis ID: 829552
MD5: bfc060937dc90b273eccb6825145f298
SHA1: c156c00c7e918f0cb7363614fb1f177c90d8108a
SHA256: 2f39c2879989ddd7f9ecf52b6232598e5595f8bf367846ff188c9dfbf1251253

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Early bird code injection technique detected
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Queues an APC in another process (thread injection)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Registers a DLL
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • loaddll64.exe (PID: 4224 cmdline: loaddll64.exe "C:\Users\user\Desktop\f_00321b.dll" MD5: C676FC0263EDD17D4CE7D644B8F3FCD6)
    • conhost.exe (PID: 2516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 3216 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\f_00321b.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 1264 cmdline: rundll32.exe "C:\Users\user\Desktop\f_00321b.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
        • regsvr32.exe (PID: 5968 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RymKYMmySRfU\EAqrfXJOpHznppsf.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
    • regsvr32.exe (PID: 4888 cmdline: regsvr32.exe /s C:\Users\user\Desktop\f_00321b.dll MD5: D78B75FC68247E8A63ACBA846182740E)
      • regsvr32.exe (PID: 1312 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZbmMPnDvLqwXll\QyzgcRWJYZS.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
    • rundll32.exe (PID: 1240 cmdline: rundll32.exe C:\Users\user\Desktop\f_00321b.dll,DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A)
      • regsvr32.exe (PID: 4768 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\IzuSuDitBV\QmEREbzuu.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
      • conhost.exe (PID: 5432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
Name: Emotet
Description: While Emotet historically was a banking malware organized in a botnet, nowadays Emotet is mostly seen as infrastructure as a service for content delivery. For example, since mid-2018 it has been used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets. It is always stealing information from victims, but what the criminal gang behind it did was open up another business channel by selling their infrastructure to deliver additional malicious software. Malware analysts have classified it into epochs depending on command and control, payloads, and delivery solutions, which change over time. Emotet was taken down by authorities in January 2021, though it appears to have sprung back to life in November 2021.
Attribution:
  • GOLD CABIN
  • MUMMY SPIDER
  • Mealybug
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet
{"C2 list": ["91.121.146.47:8080", "66.228.32.31:7080", "182.162.143.56:443", "187.63.160.88:80", "167.172.199.165:8080", "164.90.222.65:443", "104.168.155.143:8080", "163.44.196.120:8080", "160.16.142.56:8080", "159.89.202.34:443", "159.65.88.10:8080", "186.194.240.217:443", "149.56.131.28:8080", "72.15.201.15:8080", "1.234.2.232:8080", "82.223.21.224:8080", "206.189.28.199:8080", "169.57.156.166:8080", "107.170.39.149:8080", "103.43.75.120:443", "91.207.28.33:8080", "213.239.212.5:443", "45.235.8.30:8080", "119.59.103.152:8080", "164.68.99.3:8080", "95.217.221.146:8080", "153.126.146.25:7080", "197.242.150.244:8080", "202.129.205.3:8080", "103.132.242.26:8080", "139.59.126.41:443", "110.232.117.186:8080", "183.111.227.137:8080", "5.135.159.50:443", "201.94.166.162:443", "103.75.201.2:443", "79.137.35.198:8080", "172.105.226.75:8080", "94.23.45.86:4143", "115.68.227.76:8080", "153.92.5.27:8080", "167.172.253.162:8080", "188.44.20.25:443", "147.139.166.154:8080", "129.232.188.93:443", "173.212.193.249:8080", "185.4.135.165:8080", "45.176.232.124:443"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj50W/ClAAOAIo=", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2xW++lAAKAJA="]}
Source | Rule | Description | Author
00000004.00000002.320583141.0000024067ED1000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000006.00000002.839406801.0000000002031000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000006.00000002.839010466.000000000072B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Emotet_3 | Yara detected Emotet | Joe Security
00000006.00000002.839356776.0000000001FE0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000003.00000002.319594851.0000000002301000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security

Source | Rule | Description | Author
5.2.rundll32.exe.1caef360000.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
4.2.rundll32.exe.24067ea0000.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
4.2.rundll32.exe.24067ea0000.1.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
3.2.regsvr32.exe.22d0000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
3.2.regsvr32.exe.22d0000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
No Sigma rule has matched

Timestamp: 03/18/23-16:00:53.457464
Source IP: 192.168.2.4
Destination IP: 213.239.212.5
SID: 2404320
Source Port: 49729
Destination Port: 443
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/18/23-15:58:29.445426
Source IP: 192.168.2.4
Destination IP: 104.168.155.143
SID: 2404302
Source Port: 49705
Destination Port: 8080
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/18/23-16:00:58.958124
Source IP: 192.168.2.4
Destination IP: 45.235.8.30
SID: 2404324
Source Port: 49733
Destination Port: 8080
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/18/23-15:58:19.699415
Source IP: 192.168.2.4
Destination IP: 167.172.199.165
SID: 2404310
Source Port: 49703
Destination Port: 8080
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/18/23-15:58:24.948314
Source IP: 192.168.2.4
Destination IP: 164.90.222.65
SID: 2404308
Source Port: 49704
Destination Port: 443
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/18/23-15:58:11.945439
Source IP: 192.168.2.4
Destination IP: 187.63.160.88
SID: 2404314
Source Port: 49702
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/18/23-15:59:46.453351
Source IP: 192.168.2.4
Destination IP: 1.234.2.232
SID: 2404304
Source Port: 49719
Destination Port: 8080
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/18/23-15:57:43.982133
Source IP: 192.168.2.4
Destination IP: 91.121.146.47
SID: 2404344
Source Port: 49695
Destination Port: 8080
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/18/23-16:00:02.963968
Source IP: 192.168.2.4
Destination IP: 206.189.28.199
SID: 2404318
Source Port: 49721
Destination Port: 8080
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/18/23-15:57:49.653644
Source IP: 192.168.2.4
Destination IP: 66.228.32.31
SID: 2404330
Source Port: 49697
Destination Port: 7080
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/18/23-15:58:05.445458
Source IP: 192.168.2.4
Destination IP: 182.162.143.56
SID: 2404312
Source Port: 49698
Destination Port: 443
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: f_00321b.dll | Virustotal: Detection: 60%
Source: f_00321b.dll | ReversingLabs: Detection: 79%
Source: https://45.235.8.30:8080/nnukk/upfurpftd/ltwomnfleb/0u | Avira URL Cloud: Label: malware
Source: https://45.235.8.30:8080/nnukk/upfurpftd/ltwomnfleb// | Avira URL Cloud: Label: malware
Source: https://213.239.212.5/~ | Avira URL Cloud: Label: malware
Source: https://45.235.8.30:8080/nnukk/upfurpftd/ltwomnfleb/ | Avira URL Cloud: Label: malware
Source: https://213.239.212.5/nnukk/upfurpftd/ltwomnfleb/ | Avira URL Cloud: Label: malware
Source: https://119.59.103.152:8080/nnukk/upfurpftd/ltwomnfleb/ | Avira URL Cloud: Label: malware
Source: https://82.223.21.224:8080/nnukk/upfurpftd/ltwomnfleb/ | Avira URL Cloud: Label: malware
Source: https://107.170.39.149:8080/ | Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/Y | Avira URL Cloud: Label: malware
Source: https://82.223.21.224:8080/ | Avira URL Cloud: Label: malware
Source: https://91.207.28.33:8080/- | Avira URL Cloud: Label: malware
Source: https://159.65.88.10:8080/nnukk/upfurpftd/ltwomnfleb/ | Avira URL Cloud: Label: malware
Source: https://104.168.155.143:8080/nnukk/upfurpftd/ltwomnfleb/ | Avira URL Cloud: Label: malware
Source: https://119.59.103.152:8080/nnukk/upfurpftd/ltwomnfleb/? | Avira URL Cloud: Label: malware
Source: https://164.90.222.65/nnukk/upfurpftd/ltwomnfleb//K | Avira URL Cloud: Label: malware
Source: https://164.90.222.65:443/nnukk/upfurpftd/ltwomnfleb/b/X | Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/nnukk/upfurpftd/ltwomnfleb/ | Avira URL Cloud: Label: malware
Source: https://107.170.39.149:8080/nnukk/upfurpftd/ltwomnfleb/ | Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/ | Avira URL Cloud: Label: malware
Source: https://119.59.103.152:8080/ | Avira URL Cloud: Label: malware
Source: https://119.59.103.152:8080/l/z | Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/nnukk/upfurpftd/ltwomnfleb/ | Avira URL Cloud: Label: malware
Source: https://187.63.160.88:80/nnukk/upfurpftd/ltwomnfleb/ | Avira URL Cloud: Label: malware
Source: https://45.235.8.30:8080/ | Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/o | Avira URL Cloud: Label: malware
Source: https://66.228.32.31:7080/ | Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/ | Avira URL Cloud: Label: malware
Source: https://164.90.222.65/nnukk/upfurpftd/ltwomnfleb/w | Avira URL Cloud: Label: malware
Source: https://164.90.222.65/nnukk/upfurpftd/ltwomnfleb/ | Avira URL Cloud: Label: malware
Source: https://119.59.103.152:8080/nnukk/upfurpftd/ltwomnfleb/% | Avira URL Cloud: Label: malware
Source: https://164.90.222.65/wn | Avira URL Cloud: Label: malware
Source: https://45.235.8.30:8080/nnukk/upfurpftd/ltwomnfleb/Y | Avira URL Cloud: Label: malware
Source: https://213.239.212.5:443/nnukk/upfurpftd/ltwomnfleb/N | Avira URL Cloud: Label: malware
Source: 00000006.00000002.839010466.000000000072B000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Emotet {"C2 list": ["91.121.146.47:8080", "66.228.32.31:7080", "182.162.143.56:443", "187.63.160.88:80", "167.172.199.165:8080", "164.90.222.65:443", "104.168.155.143:8080", "163.44.196.120:8080", "160.16.142.56:8080", "159.89.202.34:443", "159.65.88.10:8080", "186.194.240.217:443", "149.56.131.28:8080", "72.15.201.15:8080", "1.234.2.232:8080", "82.223.21.224:8080", "206.189.28.199:8080", "169.57.156.166:8080", "107.170.39.149:8080", "103.43.75.120:443", "91.207.28.33:8080", "213.239.212.5:443", "45.235.8.30:8080", "119.59.103.152:8080", "164.68.99.3:8080", "95.217.221.146:8080", "153.126.146.25:7080", "197.242.150.244:8080", "202.129.205.3:8080", "103.132.242.26:8080", "139.59.126.41:443", "110.232.117.186:8080", "183.111.227.137:8080", "5.135.159.50:443", "201.94.166.162:443", "103.75.201.2:443", "79.137.35.198:8080", "172.105.226.75:8080", "94.23.45.86:4143", "115.68.227.76:8080", "153.92.5.27:8080", "167.172.253.162:8080", "188.44.20.25:443", "147.139.166.154:8080", "129.232.188.93:443", "173.212.193.249:8080", "185.4.135.165:8080", "45.176.232.124:443"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj50W/ClAAOAIo=", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2xW++lAAKAJA="]}
Source: unknown | HTTPS traffic detected: 164.90.222.65:443 -> 192.168.2.4:49704 version: TLS 1.2
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180008D28 FindFirstFileExW,
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000000180008D28 FindFirstFileExW,

Networking

Source: C:\Windows\System32\regsvr32.exe | Network Connect: 159.65.88.10 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 164.90.222.65 443
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 213.239.212.5 443
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 186.194.240.217 443
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 104.168.155.143 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 119.59.103.152 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 159.89.202.34 443
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 160.16.142.56 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 91.121.146.47 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 91.207.28.33 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 103.43.75.120 443
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 45.235.8.30 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 72.15.201.15 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 163.44.196.120 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 206.189.28.199 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 107.170.39.149 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 187.63.160.88 80
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 66.228.32.31 7080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 82.223.21.224 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 149.56.131.28 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 169.57.156.166 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 182.162.143.56 443
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 1.234.2.232 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 167.172.199.165 8080
Source: Traffic | Snort IDS: 2404308 ET CNC Feodo Tracker Reported CnC Server TCP group 5 192.168.2.4:49704 -> 164.90.222.65:443
Source: Traffic | Snort IDS: 2404344 ET CNC Feodo Tracker Reported CnC Server TCP group 23 192.168.2.4:49695 -> 91.121.146.47:8080
Source: Traffic | Snort IDS: 2404330 ET CNC Feodo Tracker Reported CnC Server TCP group 16 192.168.2.4:49697 -> 66.228.32.31:7080
Source: Traffic | Snort IDS: 2404312 ET CNC Feodo Tracker Reported CnC Server TCP group 7 192.168.2.4:49698 -> 182.162.143.56:443
Source: Traffic | Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.4:49702 -> 187.63.160.88:80
Source: Traffic | Snort IDS: 2404310 ET CNC Feodo Tracker Reported CnC Server TCP group 6 192.168.2.4:49703 -> 167.172.199.165:8080
Source: Traffic | Snort IDS: 2404302 ET CNC Feodo Tracker Reported CnC Server TCP group 2 192.168.2.4:49705 -> 104.168.155.143:8080
Source: Traffic | Snort IDS: 2404304 ET CNC Feodo Tracker Reported CnC Server TCP group 3 192.168.2.4:49719 -> 1.234.2.232:8080
Source: Traffic | Snort IDS: 2404318 ET CNC Feodo Tracker Reported CnC Server TCP group 10 192.168.2.4:49721 -> 206.189.28.199:8080
Source: Traffic | Snort IDS: 2404320 ET CNC Feodo Tracker Reported CnC Server TCP group 11 192.168.2.4:49729 -> 213.239.212.5:443
Source: Traffic | Snort IDS: 2404324 ET CNC Feodo Tracker Reported CnC Server TCP group 13 192.168.2.4:49733 -> 45.235.8.30:8080
Source: Malware configuration extractor | IPs: 91.121.146.47:8080
Source: Malware configuration extractor | IPs: 66.228.32.31:7080
Source: Malware configuration extractor | IPs: 182.162.143.56:443
Source: Malware configuration extractor | IPs: 187.63.160.88:80
Source: Malware configuration extractor | IPs: 167.172.199.165:8080
Source: Malware configuration extractor | IPs: 164.90.222.65:443
Source: Malware configuration extractor | IPs: 104.168.155.143:8080
Source: Malware configuration extractor | IPs: 163.44.196.120:8080
Source: Malware configuration extractor | IPs: 160.16.142.56:8080
Source: Malware configuration extractor | IPs: 159.89.202.34:443
Source: Malware configuration extractor | IPs: 159.65.88.10:8080
Source: Malware configuration extractor | IPs: 186.194.240.217:443
Source: Malware configuration extractor | IPs: 149.56.131.28:8080
Source: Malware configuration extractor | IPs: 72.15.201.15:8080
Source: Malware configuration extractor | IPs: 1.234.2.232:8080
Source: Malware configuration extractor | IPs: 82.223.21.224:8080
Source: Malware configuration extractor | IPs: 206.189.28.199:8080
Source: Malware configuration extractor | IPs: 169.57.156.166:8080
Source: Malware configuration extractor | IPs: 107.170.39.149:8080
Source: Malware configuration extractor | IPs: 103.43.75.120:443
Source: Malware configuration extractor | IPs: 91.207.28.33:8080
Source: Malware configuration extractor | IPs: 213.239.212.5:443
Source: Malware configuration extractor | IPs: 45.235.8.30:8080
Source: Malware configuration extractor | IPs: 119.59.103.152:8080
Source: Malware configuration extractor | IPs: 164.68.99.3:8080
Source: Malware configuration extractor | IPs: 95.217.221.146:8080
Source: Malware configuration extractor | IPs: 153.126.146.25:7080
Source: Malware configuration extractor | IPs: 197.242.150.244:8080
Source: Malware configuration extractor | IPs: 202.129.205.3:8080
Source: Malware configuration extractor | IPs: 103.132.242.26:8080
Source: Malware configuration extractor | IPs: 139.59.126.41:443
Source: Malware configuration extractor | IPs: 110.232.117.186:8080
Source: Malware configuration extractor | IPs: 183.111.227.137:8080
Source: Malware configuration extractor | IPs: 5.135.159.50:443
Source: Malware configuration extractor | IPs: 201.94.166.162:443
Source: Malware configuration extractor | IPs: 103.75.201.2:443
Source: Malware configuration extractor | IPs: 79.137.35.198:8080
Source: Malware configuration extractor | IPs: 172.105.226.75:8080
Source: Malware configuration extractor | IPs: 94.23.45.86:4143
Source: Malware configuration extractor | IPs: 115.68.227.76:8080
Source: Malware configuration extractor | IPs: 153.92.5.27:8080
Source: Malware configuration extractor | IPs: 167.172.253.162:8080
Source: Malware configuration extractor | IPs: 188.44.20.25:443
Source: Malware configuration extractor | IPs: 147.139.166.154:8080
Source: Malware configuration extractor | IPs: 129.232.188.93:443
Source: Malware configuration extractor | IPs: 173.212.193.249:8080
Source: Malware configuration extractor | IPs: 185.4.135.165:8080
Source: Malware configuration extractor | IPs: 45.176.232.124:443
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View | JA3 fingerprint: 8916410db85077a5460817142dcbc8de
Source: global traffic | HTTP traffic detected:
    POST /nnukk/upfurpftd/ltwomnfleb/ HTTP/1.1
    Connection: Keep-Alive
    Content-Length: 0
    Host: 164.90.222.65
Source: Joe Sandbox View | IP Address: 159.65.88.10 159.65.88.10
                      Source: global trafficTCP traffic: 192.168.2.4:49695 -> 91.121.146.47:8080
                      Source: global trafficTCP traffic: 192.168.2.4:49697 -> 66.228.32.31:7080
                      Source: global trafficTCP traffic: 192.168.2.4:49703 -> 167.172.199.165:8080
                      Source: global trafficTCP traffic: 192.168.2.4:49705 -> 104.168.155.143:8080
                      Source: global trafficTCP traffic: 192.168.2.4:49706 -> 163.44.196.120:8080
                      Source: global trafficTCP traffic: 192.168.2.4:49707 -> 160.16.142.56:8080
                      Source: global trafficTCP traffic: 192.168.2.4:49712 -> 159.65.88.10:8080
                      Source: global trafficTCP traffic: 192.168.2.4:49717 -> 149.56.131.28:8080
                      Source: global trafficTCP traffic: 192.168.2.4:49718 -> 72.15.201.15:8080
                      Source: global trafficTCP traffic: 192.168.2.4:49719 -> 1.234.2.232:8080
                      Source: global trafficTCP traffic: 192.168.2.4:49720 -> 82.223.21.224:8080
                      Source: global trafficTCP traffic: 192.168.2.4:49721 -> 206.189.28.199:8080
                      Source: global trafficTCP traffic: 192.168.2.4:49722 -> 169.57.156.166:8080
                      Source: global trafficTCP traffic: 192.168.2.4:49723 -> 107.170.39.149:8080
                      Source: global trafficTCP traffic: 192.168.2.4:49728 -> 91.207.28.33:8080
                      Source: global trafficTCP traffic: 192.168.2.4:49733 -> 45.235.8.30:8080
                      Source: global trafficTCP traffic: 192.168.2.4:49734 -> 119.59.103.152:8080
                      Source: unknownNetwork traffic detected: IP country count 17
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49700
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49699 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49701 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49698 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49699
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49698
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49726 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49724 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49700 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49729
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49727
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49726
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49724
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown | TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown | TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown | TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown | TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown | TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown | TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown | TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown | TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown | TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown | TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown | TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown | TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown | TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown | TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown | TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown | TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown | TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown | TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown | TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown | TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown | TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown | TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown | TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown | TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown | TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown | TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown | TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown | TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown | TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown | TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown | TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown | TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown | TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown | TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown | TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown | TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown | TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown | TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: regsvr32.exe, 00000006.00000003.405236343.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490273767.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.839161422.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490454644.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490651926.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.489636970.0000000000797000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000006.00000003.403176312.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.403664983.00000000007F4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/
Source: regsvr32.exe, 00000006.00000003.403176312.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.403664983.00000000007F4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com//
Source: regsvr32.exe, 00000006.00000003.489636970.0000000000797000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.6.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000006.00000003.403176312.00000000007F4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1bee005e237d0
Source: regsvr32.exe, 00000006.00000003.405118809.000000000075A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490542704.000000000075A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.404596026.000000000075A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.839083307.000000000075A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/end
Source: regsvr32.exe, 00000006.00000002.839305348.00000000007F4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://103.44.196.120:8080/
Source: regsvr32.exe, 00000006.00000002.839483293.000000000285E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://104.168.155.143:8080/nnukk/upfurpftd/ltwomnfleb/
Source: regsvr32.exe, 00000006.00000002.839305348.00000000007F4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://107.170.39.149:8080/
Source: regsvr32.exe, 00000006.00000002.839483293.000000000285E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://107.170.39.149:8080/nnukk/upfurpftd/ltwomnfleb/
Source: regsvr32.exe, 00000006.00000002.839305348.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.839483293.00000000027F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://119.59.103.152:8080/
Source: regsvr32.exe, 00000006.00000002.839305348.00000000007F4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://119.59.103.152:8080/l/z
Source: regsvr32.exe, 00000006.00000002.839161422.00000000007DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://119.59.103.152:8080/nnukk/upfurpftd/ltwomnfleb/
Source: regsvr32.exe, 00000006.00000002.839305348.00000000007F4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://119.59.103.152:8080/nnukk/upfurpftd/ltwomnfleb/%
Source: regsvr32.exe, 00000006.00000002.839161422.0000000000797000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://119.59.103.152:8080/nnukk/upfurpftd/ltwomnfleb/?
Source: regsvr32.exe, 00000006.00000002.839483293.000000000285E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://159.65.88.10:8080/nnukk/upfurpftd/ltwomnfleb/
Source: regsvr32.exe, 00000006.00000003.490273767.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490542704.0000000000755000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.839161422.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490454644.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490651926.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.489636970.0000000000797000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://164.90.222.65/
Source: regsvr32.exe, 00000006.00000003.490273767.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.839161422.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490454644.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490651926.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.489636970.0000000000797000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://164.90.222.65/nnukk/upfurpftd/ltwomnfleb/
Source: regsvr32.exe, 00000006.00000003.490273767.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490454644.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490651926.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.489636970.0000000000797000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://164.90.222.65/nnukk/upfurpftd/ltwomnfleb//K
Source: regsvr32.exe, 00000006.00000003.490273767.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.839161422.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490454644.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490651926.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.489636970.0000000000797000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://164.90.222.65/nnukk/upfurpftd/ltwomnfleb/w
Source: regsvr32.exe, 00000006.00000003.489636970.0000000000797000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://164.90.222.65/wn
Source: regsvr32.exe, 00000006.00000003.489477256.000000000285E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://164.90.222.65:443/nnukk/upfurpftd/ltwomnfleb/b/X
Source: regsvr32.exe, 00000006.00000003.489636970.00000000007F4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://167.172.199.165:8080/
Source: regsvr32.exe, 00000006.00000003.489636970.00000000007F4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://167.172.199.165:8080/Y
Source: regsvr32.exe, 00000006.00000003.489636970.00000000007F4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://167.172.199.165:8080/nnukk/upfurpftd/ltwomnfleb/
Source: regsvr32.exe, 00000006.00000003.489636970.00000000007F4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://167.172.199.165:8080/o
Source: regsvr32.exe, 00000006.00000003.490542704.000000000075A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://187.172.199.165:8080/
Source: regsvr32.exe, 00000006.00000003.489636970.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.489477256.000000000285E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://187.63.160.88:80/nnukk/upfurpftd/ltwomnfleb/
Source: regsvr32.exe, 00000006.00000002.839483293.00000000027F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://189.56.131.28:8080/
Source: regsvr32.exe, 00000006.00000002.839483293.00000000027F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://21.235.8.30:8080/
Source: regsvr32.exe, 00000006.00000002.839305348.00000000007F4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://213.239.212.5/nnukk/upfurpftd/ltwomnfleb/
Source: regsvr32.exe, 00000006.00000002.839305348.00000000007F4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://213.239.212.5/~
Source: regsvr32.exe, 00000006.00000002.839483293.000000000285E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://213.239.212.5:443/nnukk/upfurpftd/ltwomnfleb/N
Source: regsvr32.exe, 00000006.00000002.839305348.00000000007F4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://45.235.8.30:8080/
Source: regsvr32.exe, 00000006.00000002.839161422.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.839305348.00000000007F4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://45.235.8.30:8080/nnukk/upfurpftd/ltwomnfleb/
Source: regsvr32.exe, 00000006.00000002.839483293.000000000285E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://45.235.8.30:8080/nnukk/upfurpftd/ltwomnfleb//
Source: regsvr32.exe, 00000006.00000002.839161422.00000000007DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://45.235.8.30:8080/nnukk/upfurpftd/ltwomnfleb/0u
Source: regsvr32.exe, 00000006.00000002.839305348.00000000007F4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://45.235.8.30:8080/nnukk/upfurpftd/ltwomnfleb/Y
Source: regsvr32.exe, 00000006.00000003.489636970.0000000000797000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://66.228.32.31:7080/
Source: regsvr32.exe, 00000006.00000002.839305348.00000000007F4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://82.223.21.224:8080/
Source: regsvr32.exe, 00000006.00000002.839161422.00000000007DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://82.223.21.224:8080/nnukk/upfurpftd/ltwomnfleb/
Source: regsvr32.exe, 00000006.00000002.839010466.000000000072B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://91.121.146.47:8080/
Source: regsvr32.exe, 00000006.00000002.839010466.000000000072B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.839083307.0000000000783000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490273767.0000000000783000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.404883022.0000000000783000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://91.121.146.47:8080/nnukk/upfurpftd/ltwomnfleb/
Source: regsvr32.exe, 00000006.00000002.839305348.00000000007F4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://91.207.28.33:8080/-
Source: unknown | HTTP traffic detected:
    POST /nnukk/upfurpftd/ltwomnfleb/ HTTP/1.1
    Connection: Keep-Alive
    Content-Length: 0
    Host: 164.90.222.65
Source: unknown | HTTPS traffic detected: 164.90.222.65:443 -> 192.168.2.4:49704 version: TLS 1.2

                      E-Banking Fraud

Source: Yara match | File source: 00000006.00000002.839010466.000000000072B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 5.2.rundll32.exe.1caef360000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.24067ea0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.24067ea0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.22d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.22d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.1caef360000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.regsvr32.exe.1fe0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.regsvr32.exe.1fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.320583141.0000024067ED1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.839406801.0000000002031000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.839356776.0000000001FE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.319594851.0000000002301000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.319426857.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.320938696.000001CAEF360000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.320487184.0000024067EA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.320983303.000001CAEF391000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\regsvr32.exe | File deleted: C:\Windows\System32\ZbmMPnDvLqwXll\QyzgcRWJYZS.dll:Zone.Identifier
Source: C:\Windows\System32\regsvr32.exe | File created: C:\Windows\system32\ZbmMPnDvLqwXll\
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180006818
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018000B878
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180007110
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180008D28
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180014555
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_022A0000
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0230263C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02308BC8
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02318FC8
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0230CC14
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0231A000
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0231709C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02307D6C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0230BA2C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02318A2C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02310E2C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0231662C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02304214
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0230461C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02315A00
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02328A00
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02318E08
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02303E0C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0231020C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02310A70
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02303274
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0230A660
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0230B258
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0230F65C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0231A244
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0230AAB8
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02304EB8
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02303ABC
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0231A6BC
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0230BE90
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02314A90
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02308A8C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02324E8C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_023092F0
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_023196D4
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0231EAC0
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0230D6CC
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0230D33C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0231E310
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0230EF14
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02313B14
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02314F18
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0231D770
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0231CF70
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02308378
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0230F77C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0231E750
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02304758
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0230975C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02308FB0
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0230FFB8
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02318BB8
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0230DBA0
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02301B94
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02315384
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0230A7F0
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_023227EC
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02313FD0
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02302FD4
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_023033D4
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_023197CC
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02311030
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0231EC30
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0230B83C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0232181C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02301000
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02309408
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02307C08
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02316C70
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0230D474
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02302C78
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0230C078
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0230B07C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0231B460
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02325450
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0231C058
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02307840
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0231C44C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0231A8B0
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0230DCB8
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_023294BC
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_023098AC
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0230AC94
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02315880
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02304C84
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0231CC84
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02303CF4
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_023090F8
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_023048FC
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_023120E0
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_023014D4
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02313CD4
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_023018DC
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0230F8C4
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02315CC4
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_023080CC
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_023108CC
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02307530
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0231B130
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02306138
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02314D20
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02311924
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0231AD28
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02329910
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02317518
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02328500
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0231610C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_023095BC
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0231BDA0
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0231D5F0
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_023115C8
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000000180006818
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000000018000B878
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000000180007110
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000000180008D28
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000000180014555
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067E90000
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067ED263C
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067ED7D6C
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067EE709C
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067EEA000
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067EDCC14
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067ED8BC8
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067EE8FC8
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067EDBA2C
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067EE8A2C
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067EE0E2C
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067EE662C
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067ED3E0C
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067EE020C
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067EE8E08
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067EE5A00
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067EF8A00
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067ED461C
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067ED4214
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067EED5F0
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067EE15C8
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067EEBDA0
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067ED95BC
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067EEAD28
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067EE1924
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067EE4D20
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067ED6138
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067ED7530
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067EEB130
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067EE610C
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067EF8500
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067EE7518
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067EF9910
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067EE20E0
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067ED48FC
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067ED90F8
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067ED3CF4
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067ED80CC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EE08CC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EE5CC4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EDF8C4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067ED18DC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067ED14D4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EE3CD4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067ED98AC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EF94BC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EDDCB8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EEA8B0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067ED4C84
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EECC84
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EE5880
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EDAC94
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EEB460
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EDB07C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067ED2C78
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EDC078
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EDD474
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EE6C70
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EEC44C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067ED7840
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EEC058
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EF5450
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EDB83C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EE1030
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EEEC30
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067ED9408
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067ED7C08
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067ED1000
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EF181C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EF27EC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EDA7F0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EE97CC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067ED2FD4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067ED33D4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EE3FD0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EDDBA0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EDFFB8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EE8BB8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067ED8FB0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EE5384
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067ED1B94
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EDF77C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067ED8378
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EED770
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EECF70
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067ED975C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067ED4758
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EEE750
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EDD33C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EE4F18
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EDEF14
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EE3B14
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EEE310
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067ED92F0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EDD6CC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EEEAC0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EE96D4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067ED3ABC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EEA6BC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EDAAB8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067ED4EB8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067ED8A8C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EF4E8C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EDBE90
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EE4A90
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EDA660
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067ED3274
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EE0A70
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EEA244
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EDF65C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000024067EDB258
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF350000
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3A8FC8
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF398BC8
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3AA000
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF39CC14
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF39263C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3A709C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF397D6C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF39FFB8
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3A8BB8
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF398FB0
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF39DBA0
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF391B94
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF399408
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF397C08
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF391000
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3B27EC
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF39A7F0
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF392FD4
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3933D4
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3A97CC
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3A3FD0
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF39B83C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF397840
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3A1030
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3AEC30
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3B181C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3ACC84
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF394C84
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF39B07C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3A5880
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF39D474
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF392C78
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF39C078
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3A6C70
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3AB460
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3AC058
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3AC44C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3B5450
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3AA6BC
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF393ABC
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3AEAC0
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF39AAB8
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF394EB8
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3B4E8C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF398A8C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3A4A90
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF39BE90
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3992F0
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3A96D4
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF39D6CC
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF39D33C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF39EF14
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3A3B14
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3A4F18
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3AE310
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3A5384
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF39F77C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF398378
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3AD770
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3ACF70
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF39975C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF394758
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3AE750
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3A15C8
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3995BC
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3ABDA0
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3A8E08
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3A5A00
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3B8A00
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3AD5F0
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3AA244
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3A8A2C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3A0E2C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3A662C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF39BA2C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF39461C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF394214
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3A020C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF393E0C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF393274
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3A0A70
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF39F65C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF39A660
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF39B258
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3A5CC4
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF39F8C4
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3B94BC
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF39DCB8
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3998AC
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3AA8B0
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF39AC94
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3948FC
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3B8500
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF393CF4
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3990F8
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3918DC
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3A20E0
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3A3CD4
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3914D4
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3A08CC
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3980CC
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF396138
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3AB130
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF397530
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3A1924
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3AAD28
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3A4D20
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3A7518
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3A610C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001CAEF3B9910
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_01FD0000
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02050618
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02036E42
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02039B79
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_020573A4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02038BC8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02048FC8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02043FD0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_020363F4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0203640A
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0203CC14
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_020408CC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02037D6C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02045A00
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02058A00
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0204020C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02048E08
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02033E0C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02034214
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0203461C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02048A2C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02040E2C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0204662C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0203BA2C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0203263C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0204A244
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02056E48
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0203B258
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0203F65C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0203A660
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02040A70
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02033274
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02052E84
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02054E8C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02038A8C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0203BE90
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02044A90
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02052AB0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0204A6BC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02047EBE
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0203AAB8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02034EB8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02033ABC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0204EAC0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0203D6CC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_020496D4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_020392F0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_020536FC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02043B14
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0204E310
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02058310
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0203EF14
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02055B1C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02044F18
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0203D33C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0204E750
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02034758
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0203975C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02058B68
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0204D770
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0204CF70
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02038378
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0203F77C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02045384
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02031B94
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0204779A
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0203DBA0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_020547A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02038FB0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0203FFB8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02048BB8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_020497CC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02032FD4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_020333D4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_020527EC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0203A7F0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0204FFFC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02031000
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0204A000
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02039408
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02037C08
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02037410
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0205181C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02041030
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0204EC30
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0203B83C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02037840
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0204C44C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02055450
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0204C058
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0204B460
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02055868
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02046C70
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0203D474
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02032C78
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0203C078
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0203B07C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0204CC84
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02045880
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02034C84
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0205488C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02051494
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0203AC94
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0204709C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_020544A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_020398AC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0204A8B0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_020594BC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0203DCB8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_02045CC4
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0203F8C4
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_020380CC
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_02043CD4
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_02051CD4
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_020314D4
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_020318DC
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_020420E0
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_02033CF4
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_020390F8
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_020348FC
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_02058500
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_02052100
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0204610C
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_02059910
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_02047518
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_02041924
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_02044D20
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0204AD28
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0204B130
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_02036138
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_02054D64
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0204BDA0
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_020395BC
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_020415C8
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0204D5F0
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory,
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180010AC0 ExitProcess,RtlQueueApcWow64Thread,NtTestAlert,
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180010DB0 ZwOpenSymbolicLinkObject,ZwOpenSymbolicLinkObject,
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory,
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000000180010AC0 ExitProcess,RtlQueueApcWow64Thread,NtTestAlert,
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000000180010DB0 ZwOpenSymbolicLinkObject,ZwOpenSymbolicLinkObject,
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
Source: f_00321b.dll | Virustotal: Detection: 60%
Source: f_00321b.dll | ReversingLabs: Detection: 79%
Source: f_00321b.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\f_00321b.dll"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\f_00321b.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\f_00321b.dll
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\f_00321b.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\f_00321b.dll,DllRegisterServer
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZbmMPnDvLqwXll\QyzgcRWJYZS.dll"
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RymKYMmySRfU\EAqrfXJOpHznppsf.dll"
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\IzuSuDitBV\QmEREbzuu.dll"
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\f_00321b.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\f_00321b.dll
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\f_00321b.dll,DllRegisterServer
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\f_00321b.dll",#1
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZbmMPnDvLqwXll\QyzgcRWJYZS.dll"
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RymKYMmySRfU\EAqrfXJOpHznppsf.dll"
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\IzuSuDitBV\QmEREbzuu.dll"
Source: C:\Windows\System32\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: classification engine | Classification label: mal100.troj.evad.winDLL@17/2@0/48
Source: C:\Windows\System32\regsvr32.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02308BC8 Process32NextW,Process32FirstW,CreateToolhelp32Snapshot,FindCloseChangeNotification,
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\f_00321b.dll",#1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2516:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5432:120:WilError_01
Source: C:\Windows\System32\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\regsvr32.exe | Automated click: OK
Source: C:\Windows\System32\regsvr32.exe | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: f_00321b.dll | Static PE information: Image base 0x180000000 > 0x60000000
Source: f_00321b.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: f_00321b.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: f_00321b.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: f_00321b.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: f_00321b.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: f_00321b.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: f_00321b.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: f_00321b.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: f_00321b.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: f_00321b.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: f_00321b.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: f_00321b.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180005C69 push rdi; ret
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00000001800056DD push rdi; ret
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0230A26E push ebp; ret
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02317EAF push 458BCC5Ah; retf
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02309E8B push eax; retf
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0231C731 push esi; iretd
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02306C9F pushad ; ret
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0230A0FC push ebp; iretd
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_023180D7 push ebp; retf
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02306CDE push esi; iretd
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02317D3C push ebp; retf
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02317D25 push 4D8BFFFFh; retf
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02309D51 push ebp; retf
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02318157 push ebp; retf
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02317D4E push ebp; iretd
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_02317987 push ebp; iretd
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0230A1D2 push ebp; iretd
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000000180005C69 push rdi; ret
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00000001800056DD push rdi; ret
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067EDA1D2 push ebp; iretd
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067EE7987 push ebp; iretd
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067EE7D4E push ebp; iretd
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067EE8157 push ebp; retf
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067ED9D51 push ebp; retf
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067EE7D25 push 4D8BFFFFh; retf
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067EE7D3C push ebp; retf
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067EDA0FC push ebp; iretd
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067ED6CDE push esi; iretd
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067EE80D7 push ebp; retf
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067ED6C9F pushad ; ret
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000024067EEC731 push esi; iretd
Source: f_00321b.dll | Static PE information: section name: _RDATA
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\f_00321b.dll
Source: C:\Windows\System32\regsvr32.exe | PE file moved: C:\Windows\System32\ZbmMPnDvLqwXll\QyzgcRWJYZS.dll

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\regsvr32.exe | File opened: C:\Windows\system32\ZbmMPnDvLqwXll\QyzgcRWJYZS.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Windows\system32\RymKYMmySRfU\EAqrfXJOpHznppsf.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Windows\system32\IzuSuDitBV\QmEREbzuu.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe TID: 5164 | Thread sleep time: -660000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\regsvr32.exe | API coverage: 9.3 %
Source: C:\Windows\System32\regsvr32.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180008D28 FindFirstFileExW,
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000000180008D28 FindFirstFileExW,
Source: C:\Windows\System32\regsvr32.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\rundll32.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\rundll32.exe | File Volume queried: C:\ FullSizeInformation
Source: regsvr32.exe, 00000006.00000003.405236343.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490273767.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.839161422.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490454644.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.489636970.0000000000797000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWN
Source: regsvr32.exe, 00000006.00000003.405236343.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490273767.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490273767.000000000074B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.839161422.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490454644.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.489636970.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.404596026.000000000074B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.839083307.000000000074B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000004.00000003.318175405.0000024067CAE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018000A878 GetProcessHeap,
Source: C:\Windows\System32\loaddll64.exe | Process queried: DebugPort
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory,
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00000001800082EC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00000001800017DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00000001800082EC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00000001800017DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\cmd.exe | Process created / APC Queued / Resumed: C:\Windows\System32\rundll32.exe
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 159.65.88.10 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 164.90.222.65 443
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 213.239.212.5 443
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 186.194.240.217 443
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 104.168.155.143 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 119.59.103.152 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 159.89.202.34 443
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 160.16.142.56 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 91.121.146.47 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 91.207.28.33 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 103.43.75.120 443
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 45.235.8.30 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 72.15.201.15 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 163.44.196.120 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 206.189.28.199 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 107.170.39.149 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 187.63.160.88 80
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 66.228.32.31 7080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 82.223.21.224 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 149.56.131.28 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 169.57.156.166 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 182.162.143.56 443
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 1.234.2.232 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 167.172.199.165 8080
Source: C:\Windows\System32\regsvr32.exe | Thread APC queued: target process: C:\Windows\System32\rundll32.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\f_00321b.dll",#1
Source: C:\Windows\System32\regsvr32.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00000001800070A0 cpuid
Source: C:\Windows\System32\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180001D98 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Stealing of Sensitive Information

Source: Yara match | File source: 00000006.00000002.839010466.000000000072B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 5.2.rundll32.exe.1caef360000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.24067ea0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.24067ea0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.22d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.22d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.1caef360000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.regsvr32.exe.1fe0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.regsvr32.exe.1fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.320583141.0000024067ED1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.839406801.0000000002031000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.839356776.0000000001FE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.319594851.0000000002301000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.319426857.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.320938696.000001CAEF360000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.320487184.0000024067EA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.320983303.000001CAEF391000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
ATT&CK matrix, listed per tactic column; a number in parentheses is the count of matching signatures shown next to that technique in the matrix, techniques without a number had no match:

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Privilege Escalation: Process Injection (311); DLL Side-Loading (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Defense Evasion: Masquerading (2); Virtualization/Sandbox Evasion (2); Process Injection (311); Hidden Files and Directories (1); Obfuscated Files or Information (1); Regsvr32 (1); Rundll32 (1); DLL Side-Loading (1); File Deletion (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (1); Security Software Discovery (31); Virtualization/Sandbox Evasion (2); Process Discovery (2); Remote System Discovery (1); File and Directory Discovery (2); System Information Discovery (24); Network Service Scanning; System Network Connections Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel (11); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction
Impact: Modify System Partition; Device Lockout; Delete Device Data
Behavior Graph ID: 829552 | Sample: f_00321b | Startdate: 18/03/2023 | Architecture: WINDOWS | Score: 100

Network nodes attached to the sample: 129.232.188.93 (xneeloZA, South Africa); 185.4.135.165 (TOPHOSTGR, Greece); 22 other IPs or domains
Signatures attached to the sample: Snort IDS alert for network traffic; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 2 other signatures

Process tree (graph node numbers in parentheses):
loaddll64.exe (9)
    regsvr32.exe (11): Hides that the sample has been downloaded from the Internet (zone.identifier); Queues an APC in another process (thread injection)
        regsvr32.exe (20): network nodes 45.235.8.30, 49733, 8080 (WIKINETTELECOMUNICACOESBR, Brazil); 169.57.156.166, 8080 (SOFTLAYERUS, United States); 22 other IPs or domains; signature: System process connects to network (likely due to code injection or exploit)
    cmd.exe (14): Early bird code injection technique detected
        rundll32.exe (24): Hides that the sample has been downloaded from the Internet (zone.identifier)
            regsvr32.exe (30)
    rundll32.exe (16)
        regsvr32.exe (26)
        conhost.exe (28)
    conhost.exe (18)

Source | Detection | Scanner | Label
f_00321b.dll | 60% | Virustotal |
f_00321b.dll | 79% | ReversingLabs | Win64.Trojan.Emotet
No Antivirus matches
Source | Detection | Scanner | Label
5.2.rundll32.exe.1caef360000.1.unpack | 100% | Avira | HEUR/AGEN.1215476
4.2.rundll32.exe.24067ea0000.1.unpack | 100% | Avira | HEUR/AGEN.1215476
3.2.regsvr32.exe.22d0000.0.unpack | 100% | Avira | HEUR/AGEN.1215476
6.2.regsvr32.exe.1fe0000.0.unpack | 100% | Avira | HEUR/AGEN.1215476
Source | Detection | Scanner | Label
c-0001.c-msedge.net | 0% | Virustotal |
Source | Detection | Scanner | Label
https://164.90.222.65/ | 0% | URL Reputation | safe
https://45.235.8.30:8080/nnukk/upfurpftd/ltwomnfleb/0u | 100% | Avira URL Cloud | malware
https://45.235.8.30:8080/nnukk/upfurpftd/ltwomnfleb// | 100% | Avira URL Cloud | malware
https://213.239.212.5/~ | 100% | Avira URL Cloud | malware
https://45.235.8.30:8080/nnukk/upfurpftd/ltwomnfleb/ | 100% | Avira URL Cloud | malware
https://21.235.8.30:8080/ | 0% | Avira URL Cloud | safe
https://213.239.212.5/nnukk/upfurpftd/ltwomnfleb/ | 100% | Avira URL Cloud | malware
https://119.59.103.152:8080/nnukk/upfurpftd/ltwomnfleb/ | 100% | Avira URL Cloud | malware
https://82.223.21.224:8080/nnukk/upfurpftd/ltwomnfleb/ | 100% | Avira URL Cloud | malware
https://107.170.39.149:8080/ | 100% | Avira URL Cloud | malware
https://167.172.199.165:8080/Y | 100% | Avira URL Cloud | malware
https://82.223.21.224:8080/ | 100% | Avira URL Cloud | malware
https://91.207.28.33:8080/- | 100% | Avira URL Cloud | malware
https://159.65.88.10:8080/nnukk/upfurpftd/ltwomnfleb/ | 100% | Avira URL Cloud | malware
https://104.168.155.143:8080/nnukk/upfurpftd/ltwomnfleb/ | 100% | Avira URL Cloud | malware
https://119.59.103.152:8080/nnukk/upfurpftd/ltwomnfleb/? | 100% | Avira URL Cloud | malware
https://164.90.222.65/nnukk/upfurpftd/ltwomnfleb//K | 100% | Avira URL Cloud | malware
https://164.90.222.65:443/nnukk/upfurpftd/ltwomnfleb/b/X | 100% | Avira URL Cloud | malware
https://91.121.146.47:8080/nnukk/upfurpftd/ltwomnfleb/ | 100% | Avira URL Cloud | malware
https://189.56.131.28:8080/ | 0% | Avira URL Cloud | safe
https://107.170.39.149:8080/nnukk/upfurpftd/ltwomnfleb/ | 100% | Avira URL Cloud | malware
https://91.121.146.47:8080/ | 100% | Avira URL Cloud | malware
https://119.59.103.152:8080/ | 100% | Avira URL Cloud | malware
https://119.59.103.152:8080/l/z | 100% | Avira URL Cloud | malware
https://187.172.199.165:8080/ | 0% | Avira URL Cloud | safe
https://167.172.199.165:8080/nnukk/upfurpftd/ltwomnfleb/ | 100% | Avira URL Cloud | malware
https://187.63.160.88:80/nnukk/upfurpftd/ltwomnfleb/ | 100% | Avira URL Cloud | malware
https://45.235.8.30:8080/ | 100% | Avira URL Cloud | malware
https://167.172.199.165:8080/o | 100% | Avira URL Cloud | malware
https://66.228.32.31:7080/ | 100% | Avira URL Cloud | malware
https://167.172.199.165:8080/ | 100% | Avira URL Cloud | malware
https://164.90.222.65/nnukk/upfurpftd/ltwomnfleb/w | 100% | Avira URL Cloud | malware
https://164.90.222.65/nnukk/upfurpftd/ltwomnfleb/ | 100% | Avira URL Cloud | malware
https://103.44.196.120:8080/ | 0% | Avira URL Cloud | safe
https://119.59.103.152:8080/nnukk/upfurpftd/ltwomnfleb/% | 100% | Avira URL Cloud | malware
https://164.90.222.65/wn | 100% | Avira URL Cloud | malware
https://45.235.8.30:8080/nnukk/upfurpftd/ltwomnfleb/Y | 100% | Avira URL Cloud | malware
https://213.239.212.5:443/nnukk/upfurpftd/ltwomnfleb/N | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
c-0001.c-msedge.net | 13.107.4.50 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://164.90.222.65/nnukk/upfurpftd/ltwomnfleb/ | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://45.235.8.30:8080/nnukk/upfurpftd/ltwomnfleb// | regsvr32.exe, 00000006.00000002.839483293.000000000285E000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://45.235.8.30:8080/nnukk/upfurpftd/ltwomnfleb/0u | regsvr32.exe, 00000006.00000002.839161422.00000000007DE000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://167.172.199.165:8080/Y | regsvr32.exe, 00000006.00000003.489636970.00000000007F4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://213.239.212.5/~ | regsvr32.exe, 00000006.00000002.839305348.00000000007F4000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://45.235.8.30:8080/nnukk/upfurpftd/ltwomnfleb/ | regsvr32.exe, 00000006.00000002.839161422.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.839305348.00000000007F4000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://119.59.103.152:8080/nnukk/upfurpftd/ltwomnfleb/ | regsvr32.exe, 00000006.00000002.839161422.00000000007DE000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://21.235.8.30:8080/ | regsvr32.exe, 00000006.00000002.839483293.00000000027F0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://164.90.222.65/ | regsvr32.exe, 00000006.00000003.490273767.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490542704.0000000000755000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.839161422.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490454644.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490651926.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.489636970.0000000000797000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://213.239.212.5/nnukk/upfurpftd/ltwomnfleb/ | regsvr32.exe, 00000006.00000002.839305348.00000000007F4000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://82.223.21.224:8080/ | regsvr32.exe, 00000006.00000002.839305348.00000000007F4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://107.170.39.149:8080/ | regsvr32.exe, 00000006.00000002.839305348.00000000007F4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://82.223.21.224:8080/nnukk/upfurpftd/ltwomnfleb/ | regsvr32.exe, 00000006.00000002.839161422.00000000007DE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://91.207.28.33:8080/- | regsvr32.exe, 00000006.00000002.839305348.00000000007F4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://159.65.88.10:8080/nnukk/upfurpftd/ltwomnfleb/ | regsvr32.exe, 00000006.00000002.839483293.000000000285E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://164.90.222.65/nnukk/upfurpftd/ltwomnfleb//K | regsvr32.exe, 00000006.00000003.490273767.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490454644.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490651926.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.489636970.0000000000797000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://104.168.155.143:8080/nnukk/upfurpftd/ltwomnfleb/ | regsvr32.exe, 00000006.00000002.839483293.000000000285E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://119.59.103.152:8080/nnukk/upfurpftd/ltwomnfleb/? | regsvr32.exe, 00000006.00000002.839161422.0000000000797000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://164.90.222.65:443/nnukk/upfurpftd/ltwomnfleb/b/X | regsvr32.exe, 00000006.00000003.489477256.000000000285E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://91.121.146.47:8080/nnukk/upfurpftd/ltwomnfleb/ | regsvr32.exe, 00000006.00000002.839010466.000000000072B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.839083307.0000000000783000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490273767.0000000000783000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.404883022.0000000000783000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://189.56.131.28:8080/ | regsvr32.exe, 00000006.00000002.839483293.00000000027F0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://107.170.39.149:8080/nnukk/upfurpftd/ltwomnfleb/ | regsvr32.exe, 00000006.00000002.839483293.000000000285E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://119.59.103.152:8080/ | regsvr32.exe, 00000006.00000002.839305348.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.839483293.00000000027F0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://119.59.103.152:8080/l/z | regsvr32.exe, 00000006.00000002.839305348.00000000007F4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://91.121.146.47:8080/ | regsvr32.exe, 00000006.00000002.839010466.000000000072B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://187.172.199.165:8080/ | regsvr32.exe, 00000006.00000003.490542704.000000000075A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://167.172.199.165:8080/nnukk/upfurpftd/ltwomnfleb/ | regsvr32.exe, 00000006.00000003.489636970.00000000007F4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://187.63.160.88:80/nnukk/upfurpftd/ltwomnfleb/ | regsvr32.exe, 00000006.00000003.489636970.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.489477256.000000000285E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://45.235.8.30:8080/ | regsvr32.exe, 00000006.00000002.839305348.00000000007F4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://167.172.199.165:8080/o | regsvr32.exe, 00000006.00000003.489636970.00000000007F4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://66.228.32.31:7080/ | regsvr32.exe, 00000006.00000003.489636970.0000000000797000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://167.172.199.165:8080/ | regsvr32.exe, 00000006.00000003.489636970.00000000007F4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://119.59.103.152:8080/nnukk/upfurpftd/ltwomnfleb/% | regsvr32.exe, 00000006.00000002.839305348.00000000007F4000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://164.90.222.65/nnukk/upfurpftd/ltwomnfleb/w | regsvr32.exe, 00000006.00000003.490273767.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.839161422.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490454644.0000000000797000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.490651926.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.489636970.0000000000797000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://164.90.222.65/wn | regsvr32.exe, 00000006.00000003.489636970.0000000000797000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://103.44.196.120:8080/ | regsvr32.exe, 00000006.00000002.839305348.00000000007F4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://45.235.8.30:8080/nnukk/upfurpftd/ltwomnfleb/Y | regsvr32.exe, 00000006.00000002.839305348.00000000007F4000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://213.239.212.5:443/nnukk/upfurpftd/ltwomnfleb/N | regsvr32.exe, 00000006.00000002.839483293.000000000285E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
159.65.88.10 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
172.105.226.75 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true
164.90.222.65 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
110.232.117.186 | unknown | Australia | 56038 | RACKCORP-APRackCorpAU | true
213.239.212.5 | unknown | Germany | 24940 | HETZNER-ASDE | true
5.135.159.50 | unknown | France | 16276 | OVHFR | true
186.194.240.217 | unknown | Brazil | 262733 | NetceteraTelecomunicacoesLtdaBR | true
103.132.242.26 | unknown | India | 45117 | INPL-IN-APIshansNetworkIN | true
104.168.155.143 | unknown | United States | 54290 | HOSTWINDSUS | true
119.59.103.152 | unknown | Thailand | 56067 | METRABYTE-TH453LadplacoutJorakhaebuaTH | true
79.137.35.198 | unknown | France | 16276 | OVHFR | true
159.89.202.34 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
91.121.146.47 | unknown | France | 16276 | OVHFR | true
160.16.142.56 | unknown | Japan | 9370 | SAKURA-BSAKURAInternetIncJP | true
201.94.166.162 | unknown | Brazil | 28573 | CLAROSABR | true
91.207.28.33 | unknown | Kyrgyzstan | 39819 | PROHOSTKG | true
103.75.201.2 | unknown | Thailand | 133496 | CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH | true
103.43.75.120 | unknown | Japan | 20473 | AS-CHOOPAUS | true
115.68.227.76 | unknown | Korea Republic of | 38700 | SMILESERV-AS-KRSMILESERVKR | true
188.44.20.25 | unknown | Macedonia | 57374 | GIV-ASMK | true
45.235.8.30 | unknown | Brazil | 267405 | WIKINETTELECOMUNICACOESBR | true
153.126.146.25 | unknown | Japan | 7684 | SAKURA-ASAKURAInternetIncJP | true
72.15.201.15 | unknown | United States | 13649 | ASN-VINSUS | true
163.44.196.120 | unknown | Singapore | 135161 | GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG | true
206.189.28.199 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
107.170.39.149 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
66.228.32.31 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true
187.63.160.88 | unknown | Brazil | 28169 | BITCOMPROVEDORDESERVICOSDEINTERNETLTDABR | true
82.223.21.224 | unknown | Spain | 8560 | ONEANDONE-ASBrauerstrasse48DE | true
197.242.150.244 | unknown | South Africa | 37611 | AfrihostZA | true
173.212.193.249 | unknown | Germany | 51167 | CONTABODE | true
185.4.135.165 | unknown | Greece | 199246 | TOPHOSTGR | true
183.111.227.137 | unknown | Korea Republic of | 4766 | KIXS-AS-KRKoreaTelecomKR | true
45.176.232.124 | unknown | Colombia | 267869 | CABLEYTELECOMUNICACIONESDECOLOMBIASASCABLETELCOC | true
95.217.221.146 | unknown | Germany | 24940 | HETZNER-ASDE | true
149.56.131.28 | unknown | Canada | 16276 | OVHFR | true
169.57.156.166 | unknown | United States | 36351 | SOFTLAYERUS | true
164.68.99.3 | unknown | Germany | 51167 | CONTABODE | true
182.162.143.56 | unknown | Korea Republic of | 3786 | LGDACOMLGDACOMCorporationKR | true
139.59.126.41 | unknown | Singapore | 14061 | DIGITALOCEAN-ASNUS | true
1.234.2.232 | unknown | Korea Republic of | 9318 | SKB-ASSKBroadbandCoLtdKR | true
167.172.253.162 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
129.232.188.93 | unknown | South Africa | 37153 | xneeloZA | true
167.172.199.165 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
202.129.205.3 | unknown | Thailand | 45328 | NIPA-AS-THNIPATECHNOLOGYCOLTDTH | true
147.139.166.154 | unknown | United States | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | true
153.92.5.27 | unknown | Germany | 47583 | AS-HOSTINGERLT | true
94.23.45.86 | unknown | France | 16276 | OVHFR | true
Joe Sandbox Version: 37.0.0 Beryl
Analysis ID: 829552
Start date and time: 2023-03-18 15:56:02 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 56s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: f_00321b.dll
(renamed file extension from none to dll, renamed because original name is a hash value)
Original Sample Name: f_00321b
Detection: MAL
Classification: mal100.troj.evad.winDLL@17/2@0/48
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 50.2% (good quality ratio 42.4%)
• Quality average: 60.5%
• Quality standard deviation: 35.6%
HCA Information:
• Successful, ratio: 84%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Override analysis time to 240s for rundll32
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, backgroundTaskHost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 13.107.4.50
• Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
15:57:44 | API Interceptor | 23x Sleep call for process: regsvr32.exe modified
Process: C:\Windows\System32\regsvr32.exe
File Type: Microsoft Cabinet archive data, Windows 2000/XP setup, 62582 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category: dropped
Size (bytes): 62582
Entropy (8bit): 7.996063107774368
Encrypted: true
SSDEEP: 1536:Jk3XPi43VgGp0gB2itudTSRAn/TWTdWftu:CHa43V5p022iZ4CgA
MD5: E71C8443AE0BC2E282C73FAEAD0A6DD3
SHA1: 0C110C1B01E68EDFACAEAE64781A37B1995FA94B
SHA-256: 95B0A5ACC5BF70D3ABDFD091D0C9F9063AA4FDE65BD34DBF16786082E1992E72
SHA-512: B38458C7FA2825AFB72794F374827403D5946B1132E136A0CE075DFD351277CF7D957C88DC8A1E4ADC3BCAE1FA8010DAE3831E268E910D517691DE24326391A6
Malicious: false
                      Preview:MSCF....v.......,...................I.................BVrl .authroot.stl....oJ5..CK..8U....a..3.1.P. J.".t..2F2e.dHH......$E.KB.2D..-SJE....^..'..y.}..,{m.....\...]4.G.......h....148...e.gr.....48:.L...g.....Xef.x:..t...J...6-....kW6Z>....&......ye.U.Q&z:.vZ..._....a...]..T.E.....B.h.,...[....V.O.3..EW.x.?.Q..$.@.W..=.B.f..8a.Y.JK..g./%p..C.4CD.s..Jd.u..@.g=...a.. .h%..'.xjy7.E..\.....A..':.4TdW?Ko3$.Hg.z.d~....../q..C.....`...A[ W(.........9...GZ.;....l&?........F...p?... .p.....{S.L4..v.+...7.T?.....p..`..&..9.......f...0+.L.....1.2b)..vX5L'.~....2vz.,E.Ni.{#...o..w.?.#.3..h.v<.S%.].tD@!Le.w.q.7.8....QW.FT.....hE.........Y............./.%Q...k...*.Y.n..v.A..../...>B..5\..-Ko.......O<.b.K.{.O.b...._.7...4.;%9N..K.X>......kg-9..r.c.g.G|.*[.-...HT...",?.q...ad....7RE.......!f..#../....?.-.^.K.c^...+{.g......]<..$.=.O....ii7.wJ+S..Z..d.....>..J*...T..Q7..`.r,<$....\d:K`..T.n....N.....C..j.;.1SX..j....1...R....+....Yg....]....3..9..S..D..`.
Process: C:\Windows\System32\regsvr32.exe
File Type: data
Category: modified
Size (bytes): 328
Entropy (8bit): 3.123641537625697
Encrypted: false
SSDEEP: 6:kKOry/7UN+SkQlPlEGYRMY9z+4KlDA3RUecZUt:mCvkPlE99SNxAhUext
MD5: 1D721B64039DC653E2772556CCB02D45
SHA1: 804188A5F346A929ADFE4618FBE24CDF9BB0C38F
SHA-256: 10F85BCAB9F99A4D5BF26EA9A275348685020D302B71C4CAF4ABB46EA66940B4
SHA-512: BAC9FCC93AD14D431147EDBB4C1986839274A47B1E53BF0C9085F445AD6B8B654F51DAC40E21ADD3F44F66FA891C1C6C7471B75159D7BF3A3AAF68866BE25CB8
Malicious: false
                      Preview:p...... ........9....Y..(....................................................... ..........).K......&...........v...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.d.2.f.9.2.9.a.7.4.b.d.9.1.:.0."...
File type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit): 7.337848702590508
TrID:
• Win64 Dynamic Link Library (generic) (102004/3) 86.43%
• Win64 Executable (generic) (12005/4) 10.17%
• Generic Win/DOS Executable (2004/3) 1.70%
• DOS Executable Generic (2002/1) 1.70%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name: f_00321b.dll
File size: 316928
MD5: bfc060937dc90b273eccb6825145f298
SHA1: c156c00c7e918f0cb7363614fb1f177c90d8108a
SHA256: 2f39c2879989ddd7f9ecf52b6232598e5595f8bf367846ff188c9dfbf1251253
SHA512: cc1fee19314b0a0f9e292fa84f6e98f087033d77db937848dda1da0c88f49997866cba5465df04bf929b810b42fdb81481341064c4565c9b6272fa7f3b473ac5
SSDEEP: 6144:cwNQMQTlfdUPABVy559hhR3iP7TfPYbrF1EFVw0todxKROsCt:rNbadDBkZ6rPeEFizdxxsCt
TLSH: 2C649D47E2A601E7FC62763DA0734708A766B0524314EB5F02B04F5B2F637A3FD5AA25
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L`.=...n...n...nCy.o...nCy.o...nCy.o...n.z.o(..n.z.o...n.z.o...nCy.o...n...nq..n.z.o...n.z.o...n.zsn...n...n...n.z.o...nRich...
Icon Hash: 74f0e4ecccdce0e4
Entrypoint: 0x18000179c
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x180000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics: HIGH_ENTROPY_VA, NX_COMPAT
Time Stamp: 0x640B360F [Fri Mar 10 13:52:15 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: abb9300283e542fb453de5c4c87cd55d
                      Instruction
                      dec eax
                      mov dword ptr [esp+08h], ebx
                      dec eax
                      mov dword ptr [esp+10h], esi
                      push edi
                      dec eax
                      sub esp, 20h
                      dec ecx
                      mov edi, eax
                      mov ebx, edx
                      dec eax
                      mov esi, ecx
                      cmp edx, 01h
                      jne 00007FDE20B6DC67h
                      call 00007FDE20B6E240h
                      dec esp
                      mov eax, edi
                      mov edx, ebx
                      dec eax
                      mov ecx, esi
                      dec eax
                      mov ebx, dword ptr [esp+30h]
                      dec eax
                      mov esi, dword ptr [esp+38h]
                      dec eax
                      add esp, 20h
                      pop edi
                      jmp 00007FDE20B6DAF4h
                      int3
                      int3
                      int3
                      inc eax
                      push ebx
                      dec eax
                      sub esp, 20h
                      dec eax
                      mov ebx, ecx
                      xor ecx, ecx
                      call dword ptr [00014903h]
                      dec eax
                      mov ecx, ebx
                      call dword ptr [000148F2h]
                      call dword ptr [000148FCh]
                      dec eax
                      mov ecx, eax
                      mov edx, C0000409h
                      dec eax
                      add esp, 20h
                      pop ebx
                      dec eax
                      jmp dword ptr [000148F0h]
                      dec eax
                      mov dword ptr [esp+08h], ecx
                      dec eax
                      sub esp, 38h
                      mov ecx, 00000017h
                      call dword ptr [000148E4h]
                      test eax, eax
                      je 00007FDE20B6DC69h
                      mov ecx, 00000002h
                      int 29h
                      dec eax
                      lea ecx, dword ptr [0002038Ah]
                      call 00007FDE20B6DE2Eh
                      dec eax
                      mov eax, dword ptr [esp+38h]
                      dec eax
                      mov dword ptr [00020471h], eax
                      dec eax
                      lea eax, dword ptr [esp+38h]
                      dec eax
                      add eax, 08h
                      dec eax
                      mov dword ptr [00020401h], eax
                      dec eax
                      mov eax, dword ptr [0002045Ah]
                      dec eax
                      mov dword ptr [000202CBh], eax
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x1f910 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1f964 | 0x64 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x26000 | 0x2bd28 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x23000 | 0x11a0 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x52000 | 0x684 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1e1b0 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1e070 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x16000 | 0x360 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x14415 | 0x14600 | False | 0.5082438650306749 | data | 6.388870950832575 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x16000 | 0xa4b4 | 0xa600 | False | 0.4210749246987952 | data | 4.746360898517369 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x21000 | 0x1ea4 | 0xc00 | False | 0.1513671875 | DOS executable (block device driver \322f\324\377\3772) | 2.0951973339816368 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x23000 | 0x11a0 | 0x1200 | False | 0.4715711805555556 | data | 4.892908366942992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA | 0x25000 | 0x15c | 0x200 | False | 0.408203125 | data | 2.8023223995708944 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x26000 | 0x2bd28 | 0x2be00 | False | 0.8690349002849003 | data | 7.841437382818367 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x52000 | 0x684 | 0x800 | False | 0.51708984375 | data | 4.920748452777265 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
LXGUM | 0x26130 | 0xa2c | data | English | United States
LXGUM | 0x26b60 | 0x2b000 | data | English | United States
RT_STRING | 0x51b60 | 0x48 | data | English | United States
RT_MANIFEST | 0x51ba8 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States
DLL | Import
KERNEL32.dll | SetFilePointerEx, GetConsoleMode, GetConsoleOutputCP, WriteFile, FlushFileBuffers, SetStdHandle, HeapSize, GetStringTypeW, GetFileType, GetStdHandle, GetProcessHeap, CreateFileW, CloseHandle, WriteConsoleW, ExitProcess, HeapReAlloc, GetLastError, LCMapStringW, FlsFree, FlsSetValue, FlsGetValue, FlsAlloc, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwindEx, InterlockedFlushSList, SetLastError, EncodePointer, RaiseException, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, RtlPcToFileHeader, GetModuleHandleExW, GetModuleFileNameW, HeapAlloc, HeapFree, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW
USER32.dll | GetGestureInfo, InvalidateRect, ScreenToClient, CloseGestureInfoHandle, EndPaint, BeginPaint, UpdateWindow, PostQuitMessage, LoadCursorW, GetMessageW, DefWindowProcW, DestroyWindow, CreateWindowExW, RegisterClassExW, LoadStringW, ShowWindow, DispatchMessageW, SetGestureConfig, TranslateAcceleratorW, TranslateMessage
GDI32.dll | Polyline, LineTo, CreatePen, MoveToEx, DeleteObject, SelectObject
ntdll.dll | NtQueueApcThread, ZwOpenSymbolicLinkObject, LdrFindResource_U, NtAllocateVirtualMemory, NtTestAlert, LdrAccessResource, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind
Name | Ordinal | Address
DllRegisterServer | 1 | 0x180010a70
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
03/18/23-16:00:53.457464 | TCP | 2404320 | ET CNC Feodo Tracker Reported CnC Server TCP group 11 | 49729 | 443 | 192.168.2.4 | 213.239.212.5
03/18/23-15:58:29.445426 | TCP | 2404302 | ET CNC Feodo Tracker Reported CnC Server TCP group 2 | 49705 | 8080 | 192.168.2.4 | 104.168.155.143
03/18/23-16:00:58.958124 | TCP | 2404324 | ET CNC Feodo Tracker Reported CnC Server TCP group 13 | 49733 | 8080 | 192.168.2.4 | 45.235.8.30
03/18/23-15:58:19.699415 | TCP | 2404310 | ET CNC Feodo Tracker Reported CnC Server TCP group 6 | 49703 | 8080 | 192.168.2.4 | 167.172.199.165
03/18/23-15:58:24.948314 | TCP | 2404308 | ET CNC Feodo Tracker Reported CnC Server TCP group 5 | 49704 | 443 | 192.168.2.4 | 164.90.222.65
03/18/23-15:58:11.945439 | TCP | 2404314 | ET CNC Feodo Tracker Reported CnC Server TCP group 8 | 49702 | 80 | 192.168.2.4 | 187.63.160.88
03/18/23-15:59:46.453351 | TCP | 2404304 | ET CNC Feodo Tracker Reported CnC Server TCP group 3 | 49719 | 8080 | 192.168.2.4 | 1.234.2.232
03/18/23-15:57:43.982133 | TCP | 2404344 | ET CNC Feodo Tracker Reported CnC Server TCP group 23 | 49695 | 8080 | 192.168.2.4 | 91.121.146.47
03/18/23-16:00:02.963968 | TCP | 2404318 | ET CNC Feodo Tracker Reported CnC Server TCP group 10 | 49721 | 8080 | 192.168.2.4 | 206.189.28.199
03/18/23-15:57:49.653644 | TCP | 2404330 | ET CNC Feodo Tracker Reported CnC Server TCP group 16 | 49697 | 7080 | 192.168.2.4 | 66.228.32.31
03/18/23-15:58:05.445458 | TCP | 2404312 | ET CNC Feodo Tracker Reported CnC Server TCP group 7 | 49698 | 443 | 192.168.2.4 | 182.162.143.56
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 18, 2023 15:57:44.642750978 CET | 8.8.8.8 | 192.168.2.4 | 0x901a | No error (0) | au.c-0001.c-msedge.net | c-0001.c-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Mar 18, 2023 15:57:44.642750978 CET | 8.8.8.8 | 192.168.2.4 | 0x901a | No error (0) | c-0001.c-msedge.net | | 13.107.4.50 | A (IP address) | IN (0x0001) | false

                      Target ID:0
                      Start time:15:57:02
                      Start date:18/03/2023
                      Path:C:\Windows\System32\loaddll64.exe
                      Wow64 process (32bit):false
                      Commandline:loaddll64.exe "C:\Users\user\Desktop\f_00321b.dll"
                      Imagebase:0x7ff73c1f0000
                      File size:139776 bytes
                      MD5 hash:C676FC0263EDD17D4CE7D644B8F3FCD6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:1
                      Start time:15:57:02
                      Start date:18/03/2023
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7c72c0000
                      File size:625664 bytes
                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:2
                      Start time:15:57:02
                      Start date:18/03/2023
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\f_00321b.dll",#1
                      Imagebase:0x7ff632260000
                      File size:273920 bytes
                      MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:3
                      Start time:15:57:02
                      Start date:18/03/2023
                      Path:C:\Windows\System32\regsvr32.exe
                      Wow64 process (32bit):false
                      Commandline:regsvr32.exe /s C:\Users\user\Desktop\f_00321b.dll
                      Imagebase:0x7ff6746f0000
                      File size:24064 bytes
                      MD5 hash:D78B75FC68247E8A63ACBA846182740E
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.319594851.0000000002301000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.319426857.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:high

                      Target ID:4
                      Start time:15:57:02
                      Start date:18/03/2023
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe "C:\Users\user\Desktop\f_00321b.dll",#1
                      Imagebase:0x7ff669490000
                      File size:69632 bytes
                      MD5 hash:73C519F050C20580F8A62C849D49215A
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.320583141.0000024067ED1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.320487184.0000024067EA0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:high

                      Target ID:5
                      Start time:15:57:02
                      Start date:18/03/2023
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe C:\Users\user\Desktop\f_00321b.dll,DllRegisterServer
                      Imagebase:0x7ff669490000
                      File size:69632 bytes
                      MD5 hash:73C519F050C20580F8A62C849D49215A
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.320938696.000001CAEF360000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.320983303.000001CAEF391000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:high

                      Target ID:6
                      Start time:15:57:04
                      Start date:18/03/2023
                      Path:C:\Windows\System32\regsvr32.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZbmMPnDvLqwXll\QyzgcRWJYZS.dll"
                      Imagebase:0x7ff6746f0000
                      File size:24064 bytes
                      MD5 hash:D78B75FC68247E8A63ACBA846182740E
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.839406801.0000000002031000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Emotet_3, Description: Yara detected Emotet, Source: 00000006.00000002.839010466.000000000072B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.839356776.0000000001FE0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security

                      Target ID:7
                      Start time:15:57:05
                      Start date:18/03/2023
                      Path:C:\Windows\System32\regsvr32.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RymKYMmySRfU\EAqrfXJOpHznppsf.dll"
                      Imagebase:0x7ff6746f0000
                      File size:24064 bytes
                      MD5 hash:D78B75FC68247E8A63ACBA846182740E
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:8
                      Start time:15:57:05
                      Start date:18/03/2023
                      Path:C:\Windows\System32\regsvr32.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\regsvr32.exe "C:\Windows\system32\IzuSuDitBV\QmEREbzuu.dll"
                      Imagebase:0x7ff6746f0000
                      File size:24064 bytes
                      MD5 hash:D78B75FC68247E8A63ACBA846182740E
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:10
                      Start time:15:57:50
                      Start date:18/03/2023
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7c72c0000
                      File size:625664 bytes
                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                      Has elevated privileges:true
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language

                      No disassembly