Windows Analysis Report
f_00321b.dll

Overview

General Information

Sample Name:f_00321b.dll
(renamed file extension from none to dll, renamed because original name is a hash value)
Original Sample Name:f_00321b
Analysis ID:829558
MD5:bfc060937dc90b273eccb6825145f298
SHA1:c156c00c7e918f0cb7363614fb1f177c90d8108a
SHA256:2f39c2879989ddd7f9ecf52b6232598e5595f8bf367846ff188c9dfbf1251253
Detection

Emotet
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Early bird code injection technique detected
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Queues an APC in another process (thread injection)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Registers a DLL
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • loaddll64.exe (PID: 4684 cmdline: loaddll64.exe "C:\Users\user\Desktop\f_00321b.dll" MD5: C676FC0263EDD17D4CE7D644B8F3FCD6)
    • conhost.exe (PID: 4128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 5884 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\f_00321b.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 5300 cmdline: rundll32.exe "C:\Users\user\Desktop\f_00321b.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
        • regsvr32.exe (PID: 5024 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\LwMWPX\mOtL.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
    • regsvr32.exe (PID: 2904 cmdline: regsvr32.exe /s C:\Users\user\Desktop\f_00321b.dll MD5: D78B75FC68247E8A63ACBA846182740E)
      • regsvr32.exe (PID: 1920 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ChVCsX\ramMHRyb.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
    • rundll32.exe (PID: 2952 cmdline: rundll32.exe C:\Users\user\Desktop\f_00321b.dll,DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A)
      • regsvr32.exe (PID: 4744 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\WiCuwn\qvjh.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
  • cleanup
Name: Emotet
Description: While Emotet historically was a banking malware organized in a botnet, nowadays Emotet is mostly seen as infrastructure as a service for content delivery. For example, since mid 2018 it is used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets. It is always stealing information from victims, but what the criminal gang behind it did was to open up another business channel by selling their infrastructure delivering additional malicious software. From malware analysts it has been classified into epochs depending on command and control, payloads, and delivery solutions which change over time. Emotet had been taken down by authorities in January 2021, though it appears to have sprung back to life in November 2021.
Attribution:
  • GOLD CABIN
  • MUMMY SPIDER
  • Mealybug
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet
{"C2 list": ["91.121.146.47:8080", "66.228.32.31:7080", "182.162.143.56:443", "187.63.160.88:80", "167.172.199.165:8080", "164.90.222.65:443", "104.168.155.143:8080", "163.44.196.120:8080", "160.16.142.56:8080", "159.89.202.34:443", "159.65.88.10:8080", "186.194.240.217:443", "149.56.131.28:8080", "72.15.201.15:8080", "1.234.2.232:8080", "82.223.21.224:8080", "206.189.28.199:8080", "169.57.156.166:8080", "107.170.39.149:8080", "103.43.75.120:443", "91.207.28.33:8080", "213.239.212.5:443", "45.235.8.30:8080", "119.59.103.152:8080", "164.68.99.3:8080", "95.217.221.146:8080", "153.126.146.25:7080", "197.242.150.244:8080", "202.129.205.3:8080", "103.132.242.26:8080", "139.59.126.41:443", "110.232.117.186:8080", "183.111.227.137:8080", "5.135.159.50:443", "201.94.166.162:443", "103.75.201.2:443", "79.137.35.198:8080", "172.105.226.75:8080", "94.23.45.86:4143", "115.68.227.76:8080", "153.92.5.27:8080", "167.172.253.162:8080", "188.44.20.25:443", "147.139.166.154:8080", "129.232.188.93:443", "173.212.193.249:8080", "185.4.135.165:8080", "45.176.232.124:443"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj51CrH1gASAIg=", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx23yr61gATAIo="]}
Memory dumps:
Source | Rule | Description | Author | Strings
00000004.00000002.321671737.00000263A5E10000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000005.00000002.322224352.00000264E3C10000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000006.00000002.837764087.000000000095B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Emotet_3 | Yara detected Emotet | Joe Security |
00000005.00000002.322307535.00000264E3C41000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000003.00000002.322806911.0000000000C60000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(4 further entries not shown)

Unpacked PEs:
Source | Rule | Description | Author | Strings
4.2.rundll32.exe.263a5e10000.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
6.2.regsvr32.exe.b20000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
4.2.rundll32.exe.263a5e10000.1.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
3.2.regsvr32.exe.c60000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
3.2.regsvr32.exe.c60000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(3 further entries not shown)

No Sigma rule has matched
Snort IDS alerts

Timestamp: 03/18/23-16:07:22.189659
Source IP: 192.168.2.4
Destination IP: 213.239.212.5
SID: 2404320
Source Port: 49729
Destination Port: 443
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/18/23-16:04:53.665641
Source IP: 192.168.2.4
Destination IP: 104.168.155.143
SID: 2404302
Source Port: 49705
Destination Port: 8080
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/18/23-16:07:27.677242
Source IP: 192.168.2.4
Destination IP: 45.235.8.30
SID: 2404324
Source Port: 49733
Destination Port: 8080
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/18/23-16:04:43.917583
Source IP: 192.168.2.4
Destination IP: 167.172.199.165
SID: 2404310
Source Port: 49703
Destination Port: 8080
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/18/23-16:04:49.168177
Source IP: 192.168.2.4
Destination IP: 164.90.222.65
SID: 2404308
Source Port: 49704
Destination Port: 443
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/18/23-16:04:35.414930
Source IP: 192.168.2.4
Destination IP: 187.63.160.88
SID: 2404314
Source Port: 49702
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/18/23-16:06:08.918973
Source IP: 192.168.2.4
Destination IP: 1.234.2.232
SID: 2404304
Source Port: 49719
Destination Port: 8080
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/18/23-16:04:07.538031
Source IP: 192.168.2.4
Destination IP: 91.121.146.47
SID: 2404344
Source Port: 49695
Destination Port: 8080
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/18/23-16:06:24.170219
Source IP: 192.168.2.4
Destination IP: 206.189.28.199
SID: 2404318
Source Port: 49721
Destination Port: 8080
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/18/23-16:04:13.165467
Source IP: 192.168.2.4
Destination IP: 66.228.32.31
SID: 2404330
Source Port: 49697
Destination Port: 7080
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/18/23-16:04:28.915858
Source IP: 192.168.2.4
Destination IP: 182.162.143.56
SID: 2404312
Source Port: 49698
Destination Port: 443
Protocol: TCP
Classtype: A Network Trojan was detected


AV Detection

Source: f_00321b.dll | ReversingLabs: Detection: 79%
Source: f_00321b.dll | Virustotal: Detection: 60%
Source: https://164.90.222.65:443/igqovuqspgdf/wfealienuk/lkpf/f/ | Avira URL Cloud: Label: malware
Source: https://107.170.39.149:8080/hHm | Avira URL Cloud: Label: malware
Source: https://103.43.75.120/igqovuqspgdf/wfealienuk/lkpf/ | Avira URL Cloud: Label: malware
Source: https://103.43.75.120:443/igqovuqspgdf/wfealienuk/lkpf/ | Avira URL Cloud: Label: malware
Source: https://213.239.212.5/0/ | Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/igqovuqspgdf/wfealienuk/lkpf/T | Avira URL Cloud: Label: malware
Source: https://164.90.222.65/igqovuqspgdf/wfealienuk/lkpf/ | Avira URL Cloud: Label: malware
Source: https://104.168.155.143:8080/Y | Avira URL Cloud: Label: malware
Source: https://213.239.212.5/ | Avira URL Cloud: Label: malware
Source: https://82.223.21.224:8080/ | Avira URL Cloud: Label: malware
Source: https://159.89.202.34:443/igqovuqspgdf/wfealienuk/lkpf/ | Avira URL Cloud: Label: malware
Source: https://45.235.8.30:8080/igqovuqspgdf/wfealienuk/lkpf/PO | Avira URL Cloud: Label: malware
Source: https://159.65.88.10:8080/igqovuqspgdf/wfealienuk/lkpf/ | Avira URL Cloud: Label: malware
Source: https://213.239.212.5/igqovuqspgdf/wfealienuk/lkpf/ | Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/igqovuqspgdf/wfealienuk/lkpf/ | Avira URL Cloud: Label: malware
Source: https://45.235.8.30:8080/f/ | Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/ | Avira URL Cloud: Label: malware
Source: https://206.189.28.199:8080/igqovuqspgdf/wfealienuk/lkpf/ | Avira URL Cloud: Label: malware
Source: https://107.170.39.149:8080/igqovuqspgdf/wfealienuk/lkpf/ | Avira URL Cloud: Label: malware
Source: https://45.235.8.30:8080/ | Avira URL Cloud: Label: malware
Source: https://107.170.39.149:8080/rue4m | Avira URL Cloud: Label: malware
Source: https://164.90.222.65/wn | Avira URL Cloud: Label: malware
Source: https://72.15.201.15:8080/igqovuqspgdf/wfealienuk/lkpf/ | Avira URL Cloud: Label: malware
Source: https://45.235.8.30:8080/igqovuqspgdf/wfealienuk/lkpf/ | Avira URL Cloud: Label: malware
Source: https://45.235.8.30:8080/igqovuqspgdf/wfealienuk/lkpf/s | Avira URL Cloud: Label: malware
Source: https://104.168.155.143:8080/igqovuqspgdf/wfealienuk/lkpf/ | Avira URL Cloud: Label: malware
Source: https://169.57.156.166:8080/igqovuqspgdf/wfealienuk/lkpf/ | Avira URL Cloud: Label: malware
Source: https://82.223.21.224:8080/ | Virustotal: Detection: 8%
Source: 00000006.00000002.837764087.000000000095B000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Emotet {"C2 list": ["91.121.146.47:8080", "66.228.32.31:7080", "182.162.143.56:443", "187.63.160.88:80", "167.172.199.165:8080", "164.90.222.65:443", "104.168.155.143:8080", "163.44.196.120:8080", "160.16.142.56:8080", "159.89.202.34:443", "159.65.88.10:8080", "186.194.240.217:443", "149.56.131.28:8080", "72.15.201.15:8080", "1.234.2.232:8080", "82.223.21.224:8080", "206.189.28.199:8080", "169.57.156.166:8080", "107.170.39.149:8080", "103.43.75.120:443", "91.207.28.33:8080", "213.239.212.5:443", "45.235.8.30:8080", "119.59.103.152:8080", "164.68.99.3:8080", "95.217.221.146:8080", "153.126.146.25:7080", "197.242.150.244:8080", "202.129.205.3:8080", "103.132.242.26:8080", "139.59.126.41:443", "110.232.117.186:8080", "183.111.227.137:8080", "5.135.159.50:443", "201.94.166.162:443", "103.75.201.2:443", "79.137.35.198:8080", "172.105.226.75:8080", "94.23.45.86:4143", "115.68.227.76:8080", "153.92.5.27:8080", "167.172.253.162:8080", "188.44.20.25:443", "147.139.166.154:8080", "129.232.188.93:443", "173.212.193.249:8080", "185.4.135.165:8080", "45.176.232.124:443"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj51CrH1gASAIg=", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx23yr61gATAIo="]}
Source: unknown | HTTPS traffic detected: 164.90.222.65:443 -> 192.168.2.4:49704 version: TLS 1.2
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180008D28 FindFirstFileExW,
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000000180008D28 FindFirstFileExW,

Networking

Source: C:\Windows\System32\regsvr32.exe | Network Connect: 159.65.88.10 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 164.90.222.65 443
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 213.239.212.5 443
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 186.194.240.217 443
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 104.168.155.143 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 159.89.202.34 443
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 160.16.142.56 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 91.121.146.47 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 91.207.28.33 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 103.43.75.120 443
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 45.235.8.30 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 72.15.201.15 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 163.44.196.120 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 206.189.28.199 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 107.170.39.149 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 187.63.160.88 80
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 66.228.32.31 7080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 82.223.21.224 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 149.56.131.28 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 169.57.156.166 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 182.162.143.56 443
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 1.234.2.232 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 167.172.199.165 8080
Source: Traffic | Snort IDS: 2404308 ET CNC Feodo Tracker Reported CnC Server TCP group 5 192.168.2.4:49704 -> 164.90.222.65:443
Source: Traffic | Snort IDS: 2404344 ET CNC Feodo Tracker Reported CnC Server TCP group 23 192.168.2.4:49695 -> 91.121.146.47:8080
Source: Traffic | Snort IDS: 2404330 ET CNC Feodo Tracker Reported CnC Server TCP group 16 192.168.2.4:49697 -> 66.228.32.31:7080
Source: Traffic | Snort IDS: 2404312 ET CNC Feodo Tracker Reported CnC Server TCP group 7 192.168.2.4:49698 -> 182.162.143.56:443
Source: Traffic | Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.4:49702 -> 187.63.160.88:80
Source: Traffic | Snort IDS: 2404310 ET CNC Feodo Tracker Reported CnC Server TCP group 6 192.168.2.4:49703 -> 167.172.199.165:8080
Source: Traffic | Snort IDS: 2404302 ET CNC Feodo Tracker Reported CnC Server TCP group 2 192.168.2.4:49705 -> 104.168.155.143:8080
Source: Traffic | Snort IDS: 2404304 ET CNC Feodo Tracker Reported CnC Server TCP group 3 192.168.2.4:49719 -> 1.234.2.232:8080
Source: Traffic | Snort IDS: 2404318 ET CNC Feodo Tracker Reported CnC Server TCP group 10 192.168.2.4:49721 -> 206.189.28.199:8080
Source: Traffic | Snort IDS: 2404320 ET CNC Feodo Tracker Reported CnC Server TCP group 11 192.168.2.4:49729 -> 213.239.212.5:443
Source: Traffic | Snort IDS: 2404324 ET CNC Feodo Tracker Reported CnC Server TCP group 13 192.168.2.4:49733 -> 45.235.8.30:8080
Source: Malware configuration extractor | IPs: 91.121.146.47:8080
Source: Malware configuration extractor | IPs: 66.228.32.31:7080
Source: Malware configuration extractor | IPs: 182.162.143.56:443
Source: Malware configuration extractor | IPs: 187.63.160.88:80
Source: Malware configuration extractor | IPs: 167.172.199.165:8080
Source: Malware configuration extractor | IPs: 164.90.222.65:443
Source: Malware configuration extractor | IPs: 104.168.155.143:8080
Source: Malware configuration extractor | IPs: 163.44.196.120:8080
Source: Malware configuration extractor | IPs: 160.16.142.56:8080
Source: Malware configuration extractor | IPs: 159.89.202.34:443
Source: Malware configuration extractor | IPs: 159.65.88.10:8080
Source: Malware configuration extractor | IPs: 186.194.240.217:443
Source: Malware configuration extractor | IPs: 149.56.131.28:8080
Source: Malware configuration extractor | IPs: 72.15.201.15:8080
Source: Malware configuration extractor | IPs: 1.234.2.232:8080
Source: Malware configuration extractor | IPs: 82.223.21.224:8080
Source: Malware configuration extractor | IPs: 206.189.28.199:8080
Source: Malware configuration extractor | IPs: 169.57.156.166:8080
Source: Malware configuration extractor | IPs: 107.170.39.149:8080
Source: Malware configuration extractor | IPs: 103.43.75.120:443
Source: Malware configuration extractor | IPs: 91.207.28.33:8080
Source: Malware configuration extractor | IPs: 213.239.212.5:443
Source: Malware configuration extractor | IPs: 45.235.8.30:8080
Source: Malware configuration extractor | IPs: 119.59.103.152:8080
Source: Malware configuration extractor | IPs: 164.68.99.3:8080
Source: Malware configuration extractor | IPs: 95.217.221.146:8080
Source: Malware configuration extractor | IPs: 153.126.146.25:7080
Source: Malware configuration extractor | IPs: 197.242.150.244:8080
Source: Malware configuration extractor | IPs: 202.129.205.3:8080
Source: Malware configuration extractor | IPs: 103.132.242.26:8080
Source: Malware configuration extractor | IPs: 139.59.126.41:443
Source: Malware configuration extractor | IPs: 110.232.117.186:8080
Source: Malware configuration extractor | IPs: 183.111.227.137:8080
Source: Malware configuration extractor | IPs: 5.135.159.50:443
Source: Malware configuration extractor | IPs: 201.94.166.162:443
Source: Malware configuration extractor | IPs: 103.75.201.2:443
Source: Malware configuration extractor | IPs: 79.137.35.198:8080
Source: Malware configuration extractor | IPs: 172.105.226.75:8080
Source: Malware configuration extractor | IPs: 94.23.45.86:4143
Source: Malware configuration extractor | IPs: 115.68.227.76:8080
Source: Malware configuration extractor | IPs: 153.92.5.27:8080
Source: Malware configuration extractor | IPs: 167.172.253.162:8080
Source: Malware configuration extractor | IPs: 188.44.20.25:443
Source: Malware configuration extractor | IPs: 147.139.166.154:8080
Source: Malware configuration extractor | IPs: 129.232.188.93:443
Source: Malware configuration extractor | IPs: 173.212.193.249:8080
Source: Malware configuration extractor | IPs: 185.4.135.165:8080
Source: Malware configuration extractor | IPs: 45.176.232.124:443
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View | ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS
Source: Joe Sandbox View | JA3 fingerprint: 8916410db85077a5460817142dcbc8de
Source: global traffic | HTTP traffic detected:
  POST /igqovuqspgdf/wfealienuk/lkpf/ HTTP/1.1
  Connection: Keep-Alive
  Content-Length: 0
  Host: 164.90.222.65
Source: Joe Sandbox View | IP Address: 159.65.88.10 159.65.88.10
Source: global traffic | TCP traffic: 192.168.2.4:49695 -> 91.121.146.47:8080
Source: global traffic | TCP traffic: 192.168.2.4:49697 -> 66.228.32.31:7080
Source: global traffic | TCP traffic: 192.168.2.4:49703 -> 167.172.199.165:8080
Source: global traffic | TCP traffic: 192.168.2.4:49705 -> 104.168.155.143:8080
Source: global traffic | TCP traffic: 192.168.2.4:49706 -> 163.44.196.120:8080
Source: global traffic | TCP traffic: 192.168.2.4:49707 -> 160.16.142.56:8080
Source: global traffic | TCP traffic: 192.168.2.4:49712 -> 159.65.88.10:8080
Source: global traffic | TCP traffic: 192.168.2.4:49717 -> 149.56.131.28:8080
Source: global traffic | TCP traffic: 192.168.2.4:49718 -> 72.15.201.15:8080
Source: global traffic | TCP traffic: 192.168.2.4:49719 -> 1.234.2.232:8080
Source: global traffic | TCP traffic: 192.168.2.4:49720 -> 82.223.21.224:8080
Source: global traffic | TCP traffic: 192.168.2.4:49721 -> 206.189.28.199:8080
Source: global traffic | TCP traffic: 192.168.2.4:49722 -> 169.57.156.166:8080
Source: global traffic | TCP traffic: 192.168.2.4:49723 -> 107.170.39.149:8080
Source: global traffic | TCP traffic: 192.168.2.4:49728 -> 91.207.28.33:8080
Source: global traffic | TCP traffic: 192.168.2.4:49733 -> 45.235.8.30:8080
Source: unknown | Network traffic detected: IP country count 17
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown | Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown | TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown | TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown | TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown | TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown | TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown | TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown | TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown | TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown | TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown | TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown | TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown | TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown | TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown | TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown | TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown | TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown | TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown | TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown | TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown | TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown | TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown | TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown | TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown | TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown | TCP traffic detected without corresponding DNS query: 167.172.199.165
                      Source: unknownTCP traffic detected without corresponding DNS query: 167.172.199.165
                      Source: unknownTCP traffic detected without corresponding DNS query: 167.172.199.165
                      Source: unknownTCP traffic detected without corresponding DNS query: 167.172.199.165
                      Source: unknownTCP traffic detected without corresponding DNS query: 164.90.222.65
                      Source: unknownTCP traffic detected without corresponding DNS query: 164.90.222.65
                      Source: unknownTCP traffic detected without corresponding DNS query: 164.90.222.65
                      Source: unknownTCP traffic detected without corresponding DNS query: 164.90.222.65
                      Source: unknownTCP traffic detected without corresponding DNS query: 164.90.222.65
                      Source: unknownTCP traffic detected without corresponding DNS query: 164.90.222.65
                      Source: unknownTCP traffic detected without corresponding DNS query: 164.90.222.65
                      Source: unknownTCP traffic detected without corresponding DNS query: 164.90.222.65
                      Source: unknownTCP traffic detected without corresponding DNS query: 164.90.222.65
                      Source: unknownTCP traffic detected without corresponding DNS query: 104.168.155.143
                      Source: regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.494319079.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.494204988.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.407309155.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.494106768.00000000009E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: regsvr32.exe, 00000006.00000003.494319079.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.494204988.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.407309155.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.494106768.00000000009E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/
                      Source: regsvr32.exe, 00000006.00000003.494319079.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.494204988.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.407309155.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.494106768.00000000009E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/OID
                      Source: regsvr32.exe, 00000006.00000003.405755577.0000000000A47000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/c
                      Source: regsvr32.exe, 00000006.00000003.407309155.00000000009B4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.494297194.00000000009B6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.837838850.00000000009B7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.494261913.00000000009B4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
                      Source: regsvr32.exe, 00000006.00000003.494106768.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.6.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                      Source: regsvr32.exe, 00000006.00000003.407309155.00000000009E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?3ae1e74b5e41b
                      Source: regsvr32.exe, 00000006.00000002.838188183.0000000002B83000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://10.235.8.30:8080/
                      Source: regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://103.43.75.120/igqovuqspgdf/wfealienuk/lkpf/
                      Source: regsvr32.exe, 00000006.00000002.838188183.0000000002B6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://103.43.75.120:443/igqovuqspgdf/wfealienuk/lkpf/
                      Source: regsvr32.exe, 00000006.00000002.837838850.00000000009E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://103.44.196.120:8080/
                      Source: regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://104.168.155.143:8080/
                      Source: regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://104.168.155.143:8080/Y
                      Source: regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://104.168.155.143:8080/igqovuqspgdf/wfealienuk/lkpf/
                      Source: regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://107.170.39.149:8080/hHm
                      Source: regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.837838850.00000000009E2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://107.170.39.149:8080/igqovuqspgdf/wfealienuk/lkpf/
                      Source: regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://107.170.39.149:8080/rue4m
                      Source: regsvr32.exe, 00000006.00000002.838188183.0000000002B6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://159.65.88.10:8080/igqovuqspgdf/wfealienuk/lkpf/
                      Source: regsvr32.exe, 00000006.00000002.838188183.0000000002B6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://159.89.202.34:443/igqovuqspgdf/wfealienuk/lkpf/
                      Source: regsvr32.exe, 00000006.00000003.494106768.00000000009E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://164.90.222.65/igqovuqspgdf/wfealienuk/lkpf/
                      Source: regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.494319079.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.494204988.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.494106768.00000000009E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://164.90.222.65/wn
                      Source: regsvr32.exe, 00000006.00000003.493259582.0000000002B6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://164.90.222.65:443/igqovuqspgdf/wfealienuk/lkpf/f/
                      Source: regsvr32.exe, 00000006.00000002.838188183.0000000002B6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://169.57.156.166:8080/igqovuqspgdf/wfealienuk/lkpf/
                      Source: regsvr32.exe, 00000006.00000002.838188183.0000000002B6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://206.189.28.199:8080/igqovuqspgdf/wfealienuk/lkpf/
                      Source: regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://213.239.212.5/
                      Source: regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://213.239.212.5/0/
                      Source: regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://213.239.212.5/igqovuqspgdf/wfealienuk/lkpf/
                      Source: regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://45.235.8.30:8080/
                      Source: regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://45.235.8.30:8080/f/
                      Source: regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.838188183.0000000002B6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://45.235.8.30:8080/igqovuqspgdf/wfealienuk/lkpf/
                      Source: regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://45.235.8.30:8080/igqovuqspgdf/wfealienuk/lkpf/PO
                      Source: regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://45.235.8.30:8080/igqovuqspgdf/wfealienuk/lkpf/s
                      Source: regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://72.15.201.15:8080/igqovuqspgdf/wfealienuk/lkpf/
                      Source: regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://82.223.21.224:8080/
                      Source: regsvr32.exe, 00000006.00000002.837764087.000000000095B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.121.146.47:8080/
                      Source: regsvr32.exe, 00000006.00000002.837764087.000000000095B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.121.146.47:8080/igqovuqspgdf/wfealienuk/lkpf/
                      Source: regsvr32.exe, 00000006.00000003.407505388.00000000009D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.121.146.47:8080/igqovuqspgdf/wfealienuk/lkpf/T
                      Source: unknown HTTP traffic detected: POST /igqovuqspgdf/wfealienuk/lkpf/ HTTP/1.1 Connection: Keep-Alive Content-Length: 0 Host: 164.90.222.65
                      Source: unknown HTTPS traffic detected: 164.90.222.65:443 -> 192.168.2.4:49704 version: TLS 1.2

                      E-Banking Fraud

                      Source: C:\Windows\System32\regsvr32.exe File deleted: C:\Windows\System32\ChVCsX\ramMHRyb.dll:Zone.Identifier
                      Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\system32\ChVCsX\
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000263A7712FD4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000263A77133D4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000263A77297CC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000263A7723FD0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000263A771FFB8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000263A7728BB8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000263A7718FB0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000263A7711B94
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000263A771DBA0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000263A7725384
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000263A7713274
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000263A7720A70
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000263A771B258
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000263A771F65C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000263A771A660
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000263A772A244
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000263A7728A2C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000263A771BA2C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000263A7720E2C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000263A772662C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000263A7714214
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000263A771461C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000263A7728E08
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000263A7713E0C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000263A772020C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000263A77192F0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000263A77296D4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000263A771D6CC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000263A771AAB8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000263A7714EB8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000263A7713ABC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000263A772A6BC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000263A772EAC0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000263A7718A8C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000263A7734E8C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000263A771BE90
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000263A7724A90
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C00000
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C47D6C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C5709C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C5A000
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C4CC14
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C48BC8
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C58FC8
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C4263C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C495BC
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C515C8
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C5BDA0
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C5AD28
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C51924
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C47530
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C5B130
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C46138
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C490F8
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C43CF4
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C68500
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C448FC
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C69910
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C5610C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C57518
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C54D20
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C5A8B0
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C498AC
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C4DCB8
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C694BC
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C55CC4
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C4F8C4
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C480CC
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C508CC
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C414D4
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C53CD4
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C520E0
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C418DC
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C56C70
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C42C78
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C4C078
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C4D474
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C55880
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C4B07C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C44C84
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C5CC84
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C4AC94
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C51030
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C5EC30
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C47840
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C4B83C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C65450
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C5C44C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C5C058
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C5B460
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C4A7F0
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C627EC
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C41000
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C49408
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C47C08
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C6181C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C48FB0
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C4FFB8
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C58BB8
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C53FD0
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C597CC
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C42FD4
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C433D4
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C5D770
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C5CF70
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C48378
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C4F77C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C55384
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C41B94
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C4DBA0
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C4D33C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C5E750
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C44758
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C4975C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C492F0
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C5E310
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C54F18
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C4EF14
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C53B14
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C4AAB8
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C44EB8
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C5EAC0
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C43ABC
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C5A6BC
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C4D6CC
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C596D4
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C50A70
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C43274
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C4BE90
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C54A90
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C48A8C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C64E8C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C58A2C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C4BA2C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C50E2C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C5662C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C5A244
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C4B258
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C4A660
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C4F65C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C5D5F0
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C55A00
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C68A00
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C58E08
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C43E0C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C5020C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C44214
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000264E3C4461C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00940000
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B608CC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B5CC14
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B6A000
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B5640A
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B57D6C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B676A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B70618
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B56E42
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B773A4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B563F4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B63FD0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B58BC8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B68FC8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B59B79
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B6A8B0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B794BC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B5DCB8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B598AC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B744A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B5AC94
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B71494
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B6709C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B54C84
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B6CC84
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B65880
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B7488C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B53CF4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B548FC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B590F8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B620E0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B514D4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B63CD4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B71CD4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B518DC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B5F8C4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B65CC4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B580CC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B61030
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B6EC30
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B5B83C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B57410
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B7181C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B51000
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B59408
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B57C08
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B5D474
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B66C70
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B5B07C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B52C78
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B5C078
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B6B460
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B75868
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B75450
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B6C058
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B57840
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B6C44C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B595BC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B6BDA0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B6D5F0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B615C8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B6B130
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B56138
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B61924
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B64D20
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B6AD28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B79910
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B67518
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B78500
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B72100
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B6610C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B74D64
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B72AB0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B53ABC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B6A6BC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B5AAB8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B54EB8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B5BE90
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B64A90
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B72E84
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B58A8C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B74E8C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B592F0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B736FC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B696D4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B6EAC0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B5D6CC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B5263C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B5BA2C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B68A2C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B60E2C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B6662C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B54214
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B5461C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B65A00
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B78A00
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B53E0C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B6020C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B68E08
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B53274
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B60A70
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B5A660
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B5F65C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B5B258
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B6A244
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B76E48
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B58FB0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B5FFB8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B68BB8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B5DBA0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B747A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B51B94
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B65384
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B5A7F0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B6FFFC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B727EC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B52FD4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B533D4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B697CC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B5D33C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B5EF14
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B63B14
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B6E310
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B78310
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B75B1C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B64F18
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B6D770
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B6CF70
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B5F77C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B58378
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B78B68
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B6E750
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B5975C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B54758
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory,
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180010AC0 ExitProcess,RtlQueueApcWow64Thread,NtTestAlert,
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180010DB0 ZwOpenSymbolicLinkObject,ZwOpenSymbolicLinkObject,
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory,
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000000180010AC0 ExitProcess,RtlQueueApcWow64Thread,NtTestAlert,
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000000180010DB0 ZwOpenSymbolicLinkObject,ZwOpenSymbolicLinkObject,
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
Source: f_00321b.dll | ReversingLabs: Detection: 79%
Source: f_00321b.dll | Virustotal: Detection: 60%
Source: f_00321b.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\f_00321b.dll"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\f_00321b.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\f_00321b.dll
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\f_00321b.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\f_00321b.dll,DllRegisterServer
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ChVCsX\ramMHRyb.dll"
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\LwMWPX\mOtL.dll"
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\WiCuwn\qvjh.dll"
                      Source: C:\Windows\System32\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                      Source: classification engine | Classification label: mal100.troj.evad.winDLL@16/2@0/48
                      Source: C:\Windows\System32\regsvr32.exe | File read: C:\Users\desktop.ini
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E68BC8 Process32NextW,Process32FirstW,CreateToolhelp32Snapshot,FindCloseChangeNotification,
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\f_00321b.dll",#1
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4128:120:WilError_01
                      Source: C:\Windows\System32\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\regsvr32.exe | Automated click: OK
                      Source: C:\Windows\System32\regsvr32.exe | Automated click: OK
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: f_00321b.dll | Static PE information: Image base 0x180000000 > 0x60000000
                      Source: f_00321b.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                      Source: f_00321b.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                      Source: f_00321b.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                      Source: f_00321b.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: f_00321b.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                      Source: f_00321b.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                      Source: f_00321b.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: f_00321b.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                      Source: f_00321b.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                      Source: f_00321b.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                      Source: f_00321b.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                      Source: f_00321b.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180005C69 push rdi; ret
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00000001800056DD push rdi; ret
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E6A0FC push ebp; iretd
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E780D7 push ebp; retf
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E66CDE push esi; iretd
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E66C9F pushad ; ret
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E6A1D2 push ebp; iretd
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E77987 push ebp; iretd
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E77D4E push ebp; iretd
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E78157 push ebp; retf
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E69D51 push ebp; retf
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E77D25 push 4D8BFFFFh; retf
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E77D3C push ebp; retf
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E77EAF push 458BCC5Ah; retf
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E69E8B push eax; retf
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E6A26E push ebp; ret
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E7C731 push esi; iretd
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000000180005C69 push rdi; ret
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00000001800056DD push rdi; ret
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00000263A7728157 push ebp; retf
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00000263A7727D4E push ebp; iretd
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00000263A7719D51 push ebp; retf
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00000263A7727D3C push ebp; retf
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00000263A7727D25 push 4D8BFFFFh; retf
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00000263A771A1D2 push ebp; iretd
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00000263A7727987 push ebp; iretd
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00000263A771A0FC push ebp; iretd
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00000263A77280D7 push ebp; retf
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00000263A7716CDE push esi; iretd
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00000263A7716C9F pushad ; ret
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00000263A772C731 push esi; iretd
                      Source: f_00321b.dll | Static PE information: section name: _RDATA
                      Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\f_00321b.dll
                      Source: C:\Windows\System32\regsvr32.exe | PE file moved: C:\Windows\System32\ChVCsX\ramMHRyb.dll

                      Hooking and other Techniques for Hiding and Protection

                      barindex
                      Source: C:\Windows\System32\regsvr32.exe | File opened: C:\Windows\system32\ChVCsX\ramMHRyb.dll:Zone.Identifier read attributes | delete
                      Source: C:\Windows\System32\rundll32.exe | File opened: C:\Windows\system32\LwMWPX\mOtL.dll:Zone.Identifier read attributes | delete
                      Source: C:\Windows\System32\rundll32.exe | File opened: C:\Windows\system32\WiCuwn\qvjh.dll:Zone.Identifier read attributes | delete
                      Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\regsvr32.exe TID: 4440 | Thread sleep time: -660000s >= -30000s
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\regsvr32.exe | API coverage: 7.9 %
                      Source: C:\Windows\System32\regsvr32.exe | Process information queried: ProcessInformation
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180008D28 FindFirstFileExW,
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000000180008D28 FindFirstFileExW,
                      Source: C:\Windows\System32\regsvr32.exe | File Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\System32\rundll32.exe | File Volume queried: C:\ FullSizeInformation
                      Source: regsvr32.exe, 00000003.00000002.323042922.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: hGFsjg
                      Source: rundll32.exe, 00000005.00000002.321631471.00000264E3AB8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\H
                      Source: regsvr32.exe, 00000006.00000003.494204988.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.494204988.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.407309155.000000000099C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.407309155.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.407505388.00000000009D2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.494106768.000000000099C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.837838850.000000000099C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.837838850.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.494106768.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.837838850.00000000009E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                      Source: rundll32.exe, 00000005.00000002.321631471.00000264E3AB8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018000A878 GetProcessHeap,
                      Source: C:\Windows\System32\loaddll64.exe | Process queried: DebugPort
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory,
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00000001800082EC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00000001800017DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00000001800082EC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00000001800017DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

                      HIPS / PFW / Operating System Protection Evasion

                      barindex
                      Source: C:\Windows\System32\cmd.exe | Process created / APC Queued / Resumed: C:\Windows\System32\rundll32.exe
                      Source: C:\Windows\System32\regsvr32.exe | Thread APC queued: target process: C:\Windows\System32\rundll32.exe
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\f_00321b.dll",#1
                      Source: C:\Windows\System32\regsvr32.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00000001800070A0 cpuid
                      Source: C:\Windows\System32\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180001D98 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

                      Stealing of Sensitive Information

                      barindex
                      Source: Yara match | File source: 00000006.00000002.837764087.000000000095B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 4.2.rundll32.exe.263a5e10000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.regsvr32.exe.b20000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.rundll32.exe.263a5e10000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.regsvr32.exe.c60000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.regsvr32.exe.c60000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.rundll32.exe.264e3c10000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.rundll32.exe.264e3c10000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.regsvr32.exe.b20000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000004.00000002.321671737.00000263A5E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.322224352.00000264E3C10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.322307535.00000264E3C41000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.322806911.0000000000C60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.323368547.0000000000E61000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.322501137.00000263A7711000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000002.837994080.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000002.838029759.0000000000B51000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                      Valid AccountsWindows Management Instrumentation1
                      DLL Side-Loading
                      311
                      Process Injection
                      2
                      Masquerading
                      OS Credential Dumping1
                      System Time Discovery
                      Remote Services1
                      Archive Collected Data
                      Exfiltration Over Other Network Medium11
                      Encrypted Channel
                      Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                      Default AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
                      DLL Side-Loading
                      2
                      Virtualization/Sandbox Evasion
                      LSASS Memory31
                      Security Software Discovery
                      Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth1
                      Non-Standard Port
                      Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)311
                      Process Injection
                      Security Account Manager2
                      Virtualization/Sandbox Evasion
                      SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
                      Non-Application Layer Protocol
                      Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
                      Hidden Files and Directories
                      NTDS2
                      Process Discovery
                      Distributed Component Object ModelInput CaptureScheduled Transfer12
                      Application Layer Protocol
                      SIM Card SwapCarrier Billing Fraud
                      Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
                      Obfuscated Files or Information
                      LSA Secrets1
                      Remote System Discovery
                      SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonRc.common1
                      Regsvr32
                      Cached Domain Credentials2
                      File and Directory Discovery
                      VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup Items1
                      Rundll32
                      DCSync24
                      System Information Discovery
                      Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
                      DLL Side-Loading
                      Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                      Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)1
                      File Deletion
                      /etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
                      [Behavior graph (ID 829558): sample f_00321b, start date 18/03/2023, architecture WINDOWS, score 100. Process tree: loaddll64.exe starts regsvr32.exe, cmd.exe, rundll32.exe and conhost.exe; regsvr32.exe starts a second regsvr32.exe; cmd.exe starts rundll32.exe, which starts regsvr32.exe; rundll32.exe starts regsvr32.exe. Network endpoints: 129.232.188.93 (xneeloZA, South Africa), 185.4.135.165 (TOPHOSTGR, Greece), 45.235.8.30:8080 (WIKINETTELECOMUNICACOESBR, Brazil), 169.57.156.166:8080 (SOFTLAYERUS, United States), plus 21 other IPs or domains. Signatures shown on the graph: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Hides that the sample has been downloaded from the Internet (zone.identifier); Queues an APC in another process (thread injection); Early bird code injection technique detected; System process connects to network (likely due to code injection or exploit).]

                      Source | Detection | Scanner | Label
                      f_00321b.dll | 79% | ReversingLabs | Win64.Trojan.Emotet
                      f_00321b.dll | 60% | Virustotal
                      No Antivirus matches
                      Source | Detection | Scanner | Label
                      3.2.regsvr32.exe.c60000.0.unpack | 100% | Avira | HEUR/AGEN.1215476
                      4.2.rundll32.exe.263a5e10000.1.unpack | 100% | Avira | HEUR/AGEN.1215476
                      5.2.rundll32.exe.264e3c10000.1.unpack | 100% | Avira | HEUR/AGEN.1215476
                      6.2.regsvr32.exe.b20000.0.unpack | 100% | Avira | HEUR/AGEN.1215476
                      No Antivirus matches
                      No contacted domains info
                      NameMaliciousAntivirus DetectionReputation
                      https://164.90.222.65/igqovuqspgdf/wfealienuk/lkpf/true
                      • Avira URL Cloud: malware
                      unknown
                      NameSourceMaliciousAntivirus DetectionReputation
                      https://164.90.222.65:443/igqovuqspgdf/wfealienuk/lkpf/f/regsvr32.exe, 00000006.00000003.493259582.0000000002B6A000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: malware
                      unknown
                      https://213.239.212.5/regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: malware
                      unknown
                      https://107.170.39.149:8080/hHmregsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: malware
                      unknown
                      https://82.223.21.224:8080/ | regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | 9%, Virustotal; Avira URL Cloud: malware | Reputation: unknown
                      https://103.43.75.120/igqovuqspgdf/wfealienuk/lkpf/ | regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: malware | Reputation: unknown
                      https://103.43.75.120:443/igqovuqspgdf/wfealienuk/lkpf/ | regsvr32.exe, 00000006.00000002.838188183.0000000002B6A000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: malware | Reputation: unknown
                      https://104.168.155.143:8080/Y | regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: malware | Reputation: unknown
                      https://213.239.212.5/0/ | regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: malware | Reputation: unknown
                      https://91.121.146.47:8080/igqovuqspgdf/wfealienuk/lkpf/T | regsvr32.exe, 00000006.00000003.407505388.00000000009D2000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: malware | Reputation: unknown
                      https://159.89.202.34:443/igqovuqspgdf/wfealienuk/lkpf/ | regsvr32.exe, 00000006.00000002.838188183.0000000002B6A000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: malware | Reputation: unknown
                      https://45.235.8.30:8080/igqovuqspgdf/wfealienuk/lkpf/PO | regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: malware | Reputation: unknown
                      https://159.65.88.10:8080/igqovuqspgdf/wfealienuk/lkpf/ | regsvr32.exe, 00000006.00000002.838188183.0000000002B6A000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: malware | Reputation: unknown
                      https://213.239.212.5/igqovuqspgdf/wfealienuk/lkpf/ | regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: malware | Reputation: unknown
                      https://91.121.146.47:8080/igqovuqspgdf/wfealienuk/lkpf/ | regsvr32.exe, 00000006.00000002.837764087.000000000095B000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: malware | Reputation: unknown
                      https://91.121.146.47:8080/ | regsvr32.exe, 00000006.00000002.837764087.000000000095B000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: malware | Reputation: unknown
                      https://45.235.8.30:8080/f/ | regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: malware | Reputation: unknown
                      https://206.189.28.199:8080/igqovuqspgdf/wfealienuk/lkpf/ | regsvr32.exe, 00000006.00000002.838188183.0000000002B6A000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: malware | Reputation: unknown
                      https://107.170.39.149:8080/igqovuqspgdf/wfealienuk/lkpf/ | regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmp; regsvr32.exe, 00000006.00000002.837838850.00000000009E2000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: malware | Reputation: unknown
                      https://45.235.8.30:8080/ | regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: malware | Reputation: unknown
                      https://10.235.8.30:8080/ | regsvr32.exe, 00000006.00000002.838188183.0000000002B83000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
                      https://104.168.155.143:8080/ | regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
                      https://107.170.39.149:8080/rue4m | regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: malware | Reputation: unknown
                      https://164.90.222.65/wn | regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmp; regsvr32.exe, 00000006.00000003.494319079.00000000009F4000.00000004.00000020.00020000.00000000.sdmp; regsvr32.exe, 00000006.00000003.494204988.00000000009E8000.00000004.00000020.00020000.00000000.sdmp; regsvr32.exe, 00000006.00000003.494106768.00000000009E8000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: malware | Reputation: unknown
                      https://45.235.8.30:8080/igqovuqspgdf/wfealienuk/lkpf/ | regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmp; regsvr32.exe, 00000006.00000002.838188183.0000000002B6A000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: malware | Reputation: unknown
                      https://72.15.201.15:8080/igqovuqspgdf/wfealienuk/lkpf/ | regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: malware | Reputation: unknown
                      https://103.44.196.120:8080/ | regsvr32.exe, 00000006.00000002.837838850.00000000009E8000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
                      https://45.235.8.30:8080/igqovuqspgdf/wfealienuk/lkpf/s | regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: malware | Reputation: unknown
                      https://169.57.156.166:8080/igqovuqspgdf/wfealienuk/lkpf/ | regsvr32.exe, 00000006.00000002.838188183.0000000002B6A000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: malware | Reputation: unknown
                      https://104.168.155.143:8080/igqovuqspgdf/wfealienuk/lkpf/ | regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: malware | Reputation: unknown
                      IP | Domain | Country | ASN | ASN Name | Malicious
                      159.65.88.10 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
                      172.105.226.75 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true
                      164.90.222.65 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
                      110.232.117.186 | unknown | Australia | 56038 | RACKCORP-APRackCorpAU | true
                      213.239.212.5 | unknown | Germany | 24940 | HETZNER-ASDE | true
                      5.135.159.50 | unknown | France | 16276 | OVHFR | true
                      186.194.240.217 | unknown | Brazil | 262733 | NetceteraTelecomunicacoesLtdaBR | true
                      103.132.242.26 | unknown | India | 45117 | INPL-IN-APIshansNetworkIN | true
                      104.168.155.143 | unknown | United States | 54290 | HOSTWINDSUS | true
                      119.59.103.152 | unknown | Thailand | 56067 | METRABYTE-TH453LadplacoutJorakhaebuaTH | true
                      79.137.35.198 | unknown | France | 16276 | OVHFR | true
                      159.89.202.34 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
                      91.121.146.47 | unknown | France | 16276 | OVHFR | true
                      160.16.142.56 | unknown | Japan | 9370 | SAKURA-BSAKURAInternetIncJP | true
                      201.94.166.162 | unknown | Brazil | 28573 | CLAROSABR | true
                      91.207.28.33 | unknown | Kyrgyzstan | 39819 | PROHOSTKG | true
                      103.75.201.2 | unknown | Thailand | 133496 | CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH | true
                      103.43.75.120 | unknown | Japan | 20473 | AS-CHOOPAUS | true
                      115.68.227.76 | unknown | Korea Republic of | 38700 | SMILESERV-AS-KRSMILESERVKR | true
                      188.44.20.25 | unknown | Macedonia | 57374 | GIV-ASMK | true
                      45.235.8.30 | unknown | Brazil | 267405 | WIKINETTELECOMUNICACOESBR | true
                      153.126.146.25 | unknown | Japan | 7684 | SAKURA-ASAKURAInternetIncJP | true
                      72.15.201.15 | unknown | United States | 13649 | ASN-VINSUS | true
                      163.44.196.120 | unknown | Singapore | 135161 | GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG | true
                      206.189.28.199 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
                      107.170.39.149 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
                      66.228.32.31 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true
                      187.63.160.88 | unknown | Brazil | 28169 | BITCOMPROVEDORDESERVICOSDEINTERNETLTDABR | true
                      82.223.21.224 | unknown | Spain | 8560 | ONEANDONE-ASBrauerstrasse48DE | true
                      197.242.150.244 | unknown | South Africa | 37611 | AfrihostZA | true
                      173.212.193.249 | unknown | Germany | 51167 | CONTABODE | true
                      185.4.135.165 | unknown | Greece | 199246 | TOPHOSTGR | true
                      183.111.227.137 | unknown | Korea Republic of | 4766 | KIXS-AS-KRKoreaTelecomKR | true
                      45.176.232.124 | unknown | Colombia | 267869 | CABLEYTELECOMUNICACIONESDECOLOMBIASASCABLETELCOC | true
                      95.217.221.146 | unknown | Germany | 24940 | HETZNER-ASDE | true
                      149.56.131.28 | unknown | Canada | 16276 | OVHFR | true
                      169.57.156.166 | unknown | United States | 36351 | SOFTLAYERUS | true
                      164.68.99.3 | unknown | Germany | 51167 | CONTABODE | true
                      182.162.143.56 | unknown | Korea Republic of | 3786 | LGDACOMLGDACOMCorporationKR | true
                      139.59.126.41 | unknown | Singapore | 14061 | DIGITALOCEAN-ASNUS | true
                      1.234.2.232 | unknown | Korea Republic of | 9318 | SKB-ASSKBroadbandCoLtdKR | true
                      167.172.253.162 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
                      129.232.188.93 | unknown | South Africa | 37153 | xneeloZA | true
                      167.172.199.165 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
                      202.129.205.3 | unknown | Thailand | 45328 | NIPA-AS-THNIPATECHNOLOGYCOLTDTH | true
                      147.139.166.154 | unknown | United States | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | true
                      153.92.5.27 | unknown | Germany | 47583 | AS-HOSTINGERLT | true
                      94.23.45.86 | unknown | France | 16276 | OVHFR | true
                      Joe Sandbox Version:37.0.0 Beryl
                      Analysis ID:829558
                      Start date and time:2023-03-18 16:02:26 +01:00
                      Joe Sandbox Product:CloudBasic
                      Overall analysis duration:0h 9m 23s
                      Hypervisor based Inspection enabled:false
                      Report type:light
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                      Number of analysed new started processes:14
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample file name:f_00321b.dll
                      (renamed file extension from none to dll, renamed because original name is a hash value)
                      Original Sample Name:f_00321b
                      Detection:MAL
                      Classification:mal100.troj.evad.winDLL@16/2@0/48
                      EGA Information:
                      • Successful, ratio: 100%
                      HDC Information:
                      • Successful, ratio: 50.2% (good quality ratio 42.4%)
                      • Quality average: 60.5%
                      • Quality standard deviation: 35.6%
                      HCA Information:
                      • Successful, ratio: 83%
                      • Number of executed functions: 0
                      • Number of non-executed functions: 0
                      Cookbook Comments:
                      • Override analysis time to 240s for rundll32
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
                      • TCP Packets have been reduced to 100
                      • Excluded IPs from analysis (whitelisted): 8.238.85.126, 8.241.126.121, 8.248.113.254, 67.26.73.254, 8.241.126.249
                      • Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net
                      • Not all processes were analyzed, report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      Time | Type | Description
                      16:04:08 | API Interceptor | 23x Sleep call for process: regsvr32.exe modified
                      Process:C:\Windows\System32\regsvr32.exe
                      File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 62582 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                      Category:dropped
                      Size (bytes):62582
                      Entropy (8bit):7.996063107774368
                      Encrypted:true
                      SSDEEP:1536:Jk3XPi43VgGp0gB2itudTSRAn/TWTdWftu:CHa43V5p022iZ4CgA
                      MD5:E71C8443AE0BC2E282C73FAEAD0A6DD3
                      SHA1:0C110C1B01E68EDFACAEAE64781A37B1995FA94B
                      SHA-256:95B0A5ACC5BF70D3ABDFD091D0C9F9063AA4FDE65BD34DBF16786082E1992E72
                      SHA-512:B38458C7FA2825AFB72794F374827403D5946B1132E136A0CE075DFD351277CF7D957C88DC8A1E4ADC3BCAE1FA8010DAE3831E268E910D517691DE24326391A6
                      Malicious:false
                      Preview:MSCF....v.......,...................I.................BVrl .authroot.stl....oJ5..CK..8U....a..3.1.P. J.".t..2F2e.dHH......$E.KB.2D..-SJE....^..'..y.}..,{m.....\...]4.G.......h....148...e.gr.....48:.L...g.....Xef.x:..t...J...6-....kW6Z>....&......ye.U.Q&z:.vZ..._....a...]..T.E.....B.h.,...[....V.O.3..EW.x.?.Q..$.@.W..=.B.f..8a.Y.JK..g./%p..C.4CD.s..Jd.u..@.g=...a.. .h%..'.xjy7.E..\.....A..':.4TdW?Ko3$.Hg.z.d~....../q..C.....`...A[ W(.........9...GZ.;....l&?........F...p?... .p.....{S.L4..v.+...7.T?.....p..`..&..9.......f...0+.L.....1.2b)..vX5L'.~....2vz.,E.Ni.{#...o..w.?.#.3..h.v<.S%.].tD@!Le.w.q.7.8....QW.FT.....hE.........Y............./.%Q...k...*.Y.n..v.A..../...>B..5\..-Ko.......O<.b.K.{.O.b...._.7...4.;%9N..K.X>......kg-9..r.c.g.G|.*[.-...HT...",?.q...ad....7RE.......!f..#../....?.-.^.K.c^...+{.g......]<..$.=.O....ii7.wJ+S..Z..d.....>..J*...T..Q7..`.r,<$....\d:K`..T.n....N.....C..j.;.1SX..j....1...R....+....Yg....]....3..9..S..D..`.
                      Process:C:\Windows\System32\regsvr32.exe
                      File Type:data
                      Category:modified
                      Size (bytes):328
                      Entropy (8bit):3.1274376123142225
                      Encrypted:false
                      SSDEEP:6:kKoLry/7UN+SkQlPlEGYRMY9z+4KlDA3RUecZUt:gnCvkPlE99SNxAhUext
                      MD5:92A5046B3EABBD6B4A2EBF06E1D95894
                      SHA1:9C1965C6F53CFBA0B9554569274DE1133FC72B59
                      SHA-256:8A39A8B9EF95B8F67F54A49142CD8716E8BA8D5D3363DFE7425E0EE5A18036FD
                      SHA-512:8FC6A1FB78F8BF46F6B259E4224F2E174188CEB43128D690C8280E4E19AA1C22B3DE892DB6B947BB38AC990033A7E0B95EACD51B0EE1785FF94F3C230E711C93
                      Malicious:false
                      Preview:p...... ............Y..(....................................................... ..........).K......&...........v...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.d.2.f.9.2.9.a.7.4.b.d.9.1.:.0."...
                      File type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Entropy (8bit):7.337848702590508
                      TrID:
                      • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
                      • Win64 Executable (generic) (12005/4) 10.17%
                      • Generic Win/DOS Executable (2004/3) 1.70%
                      • DOS Executable Generic (2002/1) 1.70%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
                      File name:f_00321b.dll
                      File size:316928
                      MD5:bfc060937dc90b273eccb6825145f298
                      SHA1:c156c00c7e918f0cb7363614fb1f177c90d8108a
                      SHA256:2f39c2879989ddd7f9ecf52b6232598e5595f8bf367846ff188c9dfbf1251253
                      SHA512:cc1fee19314b0a0f9e292fa84f6e98f087033d77db937848dda1da0c88f49997866cba5465df04bf929b810b42fdb81481341064c4565c9b6272fa7f3b473ac5
                      SSDEEP:6144:cwNQMQTlfdUPABVy559hhR3iP7TfPYbrF1EFVw0todxKROsCt:rNbadDBkZ6rPeEFizdxxsCt
                      TLSH:2C649D47E2A601E7FC62763DA0734708A766B0524314EB5F02B04F5B2F637A3FD5AA25
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L`.=...n...n...nCy.o...nCy.o...nCy.o...n.z.o(..n.z.o...n.z.o...nCy.o...n...nq..n.z.o...n.z.o...n.zsn...n...n...n.z.o...nRich...
                      Icon Hash:74f0e4ecccdce0e4
                      Entrypoint:0x18000179c
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x180000000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
                      DLL Characteristics:HIGH_ENTROPY_VA, NX_COMPAT
                      Time Stamp:0x640B360F [Fri Mar 10 13:52:15 2023 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:6
                      OS Version Minor:0
                      File Version Major:6
                      File Version Minor:0
                      Subsystem Version Major:6
                      Subsystem Version Minor:0
                      Import Hash:abb9300283e542fb453de5c4c87cd55d
                      Instruction
                      dec eax
                      mov dword ptr [esp+08h], ebx
                      dec eax
                      mov dword ptr [esp+10h], esi
                      push edi
                      dec eax
                      sub esp, 20h
                      dec ecx
                      mov edi, eax
                      mov ebx, edx
                      dec eax
                      mov esi, ecx
                      cmp edx, 01h
                      jne 00007FD6BD343647h
                      call 00007FD6BD343C20h
                      dec esp
                      mov eax, edi
                      mov edx, ebx
                      dec eax
                      mov ecx, esi
                      dec eax
                      mov ebx, dword ptr [esp+30h]
                      dec eax
                      mov esi, dword ptr [esp+38h]
                      dec eax
                      add esp, 20h
                      pop edi
                      jmp 00007FD6BD3434D4h
                      int3
                      int3
                      int3
                      inc eax
                      push ebx
                      dec eax
                      sub esp, 20h
                      dec eax
                      mov ebx, ecx
                      xor ecx, ecx
                      call dword ptr [00014903h]
                      dec eax
                      mov ecx, ebx
                      call dword ptr [000148F2h]
                      call dword ptr [000148FCh]
                      dec eax
                      mov ecx, eax
                      mov edx, C0000409h
                      dec eax
                      add esp, 20h
                      pop ebx
                      dec eax
                      jmp dword ptr [000148F0h]
                      dec eax
                      mov dword ptr [esp+08h], ecx
                      dec eax
                      sub esp, 38h
                      mov ecx, 00000017h
                      call dword ptr [000148E4h]
                      test eax, eax
                      je 00007FD6BD343649h
                      mov ecx, 00000002h
                      int 29h
                      dec eax
                      lea ecx, dword ptr [0002038Ah]
                      call 00007FD6BD34380Eh
                      dec eax
                      mov eax, dword ptr [esp+38h]
                      dec eax
                      mov dword ptr [00020471h], eax
                      dec eax
                      lea eax, dword ptr [esp+38h]
                      dec eax
                      add eax, 08h
                      dec eax
                      mov dword ptr [00020401h], eax
                      dec eax
                      mov eax, dword ptr [0002045Ah]
                      dec eax
                      mov dword ptr [000202CBh], eax
                      Name | Virtual Address | Virtual Size | Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x1f910 | 0x54 | .rdata
                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1f964 | 0x64 | .rdata
                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x26000 | 0x2bd28 | .rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x23000 | 0x11a0 | .pdata
                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x52000 | 0x684 | .reloc
                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1e1b0 | 0x38 | .rdata
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1e070 | 0x140 | .rdata
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IAT | 0x16000 | 0x360 | .rdata
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                      Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                      .text | 0x1000 | 0x14415 | 0x14600 | False | 0.5082438650306749 | data | 6.388870950832575 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      .rdata | 0x16000 | 0xa4b4 | 0xa600 | False | 0.4210749246987952 | data | 4.746360898517369 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .data | 0x21000 | 0x1ea4 | 0xc00 | False | 0.1513671875 | DOS executable (block device driver \322f\324\377\3772) | 2.0951973339816368 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .pdata | 0x23000 | 0x11a0 | 0x1200 | False | 0.4715711805555556 | data | 4.892908366942992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      _RDATA | 0x25000 | 0x15c | 0x200 | False | 0.408203125 | data | 2.8023223995708944 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .rsrc | 0x26000 | 0x2bd28 | 0x2be00 | False | 0.8690349002849003 | data | 7.841437382818367 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .reloc | 0x52000 | 0x684 | 0x800 | False | 0.51708984375 | data | 4.920748452777265 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                      Name | RVA | Size | Type | Language | Country
                      LXGUM | 0x26130 | 0xa2c | data | English | United States
                      LXGUM | 0x26b60 | 0x2b000 | data | English | United States
                      RT_STRING | 0x51b60 | 0x48 | data | English | United States
                      RT_MANIFEST | 0x51ba8 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States
                      DLL | Import
                      KERNEL32.dll | SetFilePointerEx, GetConsoleMode, GetConsoleOutputCP, WriteFile, FlushFileBuffers, SetStdHandle, HeapSize, GetStringTypeW, GetFileType, GetStdHandle, GetProcessHeap, CreateFileW, CloseHandle, WriteConsoleW, ExitProcess, HeapReAlloc, GetLastError, LCMapStringW, FlsFree, FlsSetValue, FlsGetValue, FlsAlloc, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwindEx, InterlockedFlushSList, SetLastError, EncodePointer, RaiseException, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, RtlPcToFileHeader, GetModuleHandleExW, GetModuleFileNameW, HeapAlloc, HeapFree, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW
                      USER32.dll | GetGestureInfo, InvalidateRect, ScreenToClient, CloseGestureInfoHandle, EndPaint, BeginPaint, UpdateWindow, PostQuitMessage, LoadCursorW, GetMessageW, DefWindowProcW, DestroyWindow, CreateWindowExW, RegisterClassExW, LoadStringW, ShowWindow, DispatchMessageW, SetGestureConfig, TranslateAcceleratorW, TranslateMessage
                      GDI32.dll | Polyline, LineTo, CreatePen, MoveToEx, DeleteObject, SelectObject
                      ntdll.dll | NtQueueApcThread, ZwOpenSymbolicLinkObject, LdrFindResource_U, NtAllocateVirtualMemory, NtTestAlert, LdrAccessResource, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind
                      Name | Ordinal | Address
                      DllRegisterServer | 1 | 0x180010a70
                      Language of compilation system | Country where language is spoken
                      English | United States
                      Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                      03/18/23-16:07:22.189659 | TCP | 2404320 | ET CNC Feodo Tracker Reported CnC Server TCP group 11 | 49729 | 443 | 192.168.2.4 | 213.239.212.5
                      03/18/23-16:04:53.665641 | TCP | 2404302 | ET CNC Feodo Tracker Reported CnC Server TCP group 2 | 49705 | 8080 | 192.168.2.4 | 104.168.155.143
                      03/18/23-16:07:27.677242 | TCP | 2404324 | ET CNC Feodo Tracker Reported CnC Server TCP group 13 | 49733 | 8080 | 192.168.2.4 | 45.235.8.30
                      03/18/23-16:04:43.917583 | TCP | 2404310 | ET CNC Feodo Tracker Reported CnC Server TCP group 6 | 49703 | 8080 | 192.168.2.4 | 167.172.199.165
                      03/18/23-16:04:49.168177 | TCP | 2404308 | ET CNC Feodo Tracker Reported CnC Server TCP group 5 | 49704 | 443 | 192.168.2.4 | 164.90.222.65
                      03/18/23-16:04:35.414930 | TCP | 2404314 | ET CNC Feodo Tracker Reported CnC Server TCP group 8 | 49702 | 80 | 192.168.2.4 | 187.63.160.88
                      03/18/23-16:06:08.918973 | TCP | 2404304 | ET CNC Feodo Tracker Reported CnC Server TCP group 3 | 49719 | 8080 | 192.168.2.4 | 1.234.2.232
                      03/18/23-16:04:07.538031 | TCP | 2404344 | ET CNC Feodo Tracker Reported CnC Server TCP group 23 | 49695 | 8080 | 192.168.2.4 | 91.121.146.47
                      03/18/23-16:06:24.170219 | TCP | 2404318 | ET CNC Feodo Tracker Reported CnC Server TCP group 10 | 49721 | 8080 | 192.168.2.4 | 206.189.28.199
                      03/18/23-16:04:13.165467 | TCP | 2404330 | ET CNC Feodo Tracker Reported CnC Server TCP group 16 | 49697 | 7080 | 192.168.2.4 | 66.228.32.31
                      03/18/23-16:04:28.915858 | TCP | 2404312 | ET CNC Feodo Tracker Reported CnC Server TCP group 7 | 49698 | 443 | 192.168.2.4 | 182.162.143.56
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 18, 2023 16:04:07.538031101 CET | 49695 | 8080 | 192.168.2.4 | 91.121.146.47
Mar 18, 2023 16:04:07.566123962 CET | 8080 | 49695 | 91.121.146.47 | 192.168.2.4
Mar 18, 2023 16:04:07.566241980 CET | 49695 | 8080 | 192.168.2.4 | 91.121.146.47
Mar 18, 2023 16:04:07.569513083 CET | 49695 | 8080 | 192.168.2.4 | 91.121.146.47
Mar 18, 2023 16:04:07.598629951 CET | 8080 | 49695 | 91.121.146.47 | 192.168.2.4
Mar 18, 2023 16:04:07.620004892 CET | 8080 | 49695 | 91.121.146.47 | 192.168.2.4
Mar 18, 2023 16:04:07.620024920 CET | 8080 | 49695 | 91.121.146.47 | 192.168.2.4
Mar 18, 2023 16:04:07.620105028 CET | 49695 | 8080 | 192.168.2.4 | 91.121.146.47
Mar 18, 2023 16:04:07.626739025 CET | 49695 | 8080 | 192.168.2.4 | 91.121.146.47
Mar 18, 2023 16:04:07.656168938 CET | 8080 | 49695 | 91.121.146.47 | 192.168.2.4
Mar 18, 2023 16:04:07.703690052 CET | 49695 | 8080 | 192.168.2.4 | 91.121.146.47
Mar 18, 2023 16:04:09.123631001 CET | 49695 | 8080 | 192.168.2.4 | 91.121.146.47
Mar 18, 2023 16:04:09.123706102 CET | 49695 | 8080 | 192.168.2.4 | 91.121.146.47
Mar 18, 2023 16:04:09.151858091 CET | 8080 | 49695 | 91.121.146.47 | 192.168.2.4
Mar 18, 2023 16:04:09.161629915 CET | 8080 | 49695 | 91.121.146.47 | 192.168.2.4
Mar 18, 2023 16:04:09.219538927 CET | 49695 | 8080 | 192.168.2.4 | 91.121.146.47
Mar 18, 2023 16:04:12.163172007 CET | 8080 | 49695 | 91.121.146.47 | 192.168.2.4
Mar 18, 2023 16:04:12.163310051 CET | 8080 | 49695 | 91.121.146.47 | 192.168.2.4
Mar 18, 2023 16:04:12.163469076 CET | 49695 | 8080 | 192.168.2.4 | 91.121.146.47
Mar 18, 2023 16:04:12.163644075 CET | 49695 | 8080 | 192.168.2.4 | 91.121.146.47
Mar 18, 2023 16:04:12.163717985 CET | 49695 | 8080 | 192.168.2.4 | 91.121.146.47
Mar 18, 2023 16:04:12.191780090 CET | 8080 | 49695 | 91.121.146.47 | 192.168.2.4
Mar 18, 2023 16:04:12.191864967 CET | 8080 | 49695 | 91.121.146.47 | 192.168.2.4
Mar 18, 2023 16:04:13.165467024 CET | 49697 | 7080 | 192.168.2.4 | 66.228.32.31
Mar 18, 2023 16:04:16.173233032 CET | 49697 | 7080 | 192.168.2.4 | 66.228.32.31
Mar 18, 2023 16:04:22.173724890 CET | 49697 | 7080 | 192.168.2.4 | 66.228.32.31
Mar 18, 2023 16:04:28.915858030 CET | 49698 | 443 | 192.168.2.4 | 182.162.143.56
Mar 18, 2023 16:04:28.915951014 CET | 443 | 49698 | 182.162.143.56 | 192.168.2.4
Mar 18, 2023 16:04:28.916100025 CET | 49698 | 443 | 192.168.2.4 | 182.162.143.56
Mar 18, 2023 16:04:28.917953014 CET | 49698 | 443 | 192.168.2.4 | 182.162.143.56
Mar 18, 2023 16:04:28.917999983 CET | 443 | 49698 | 182.162.143.56 | 192.168.2.4
Mar 18, 2023 16:04:29.168721914 CET | 443 | 49698 | 182.162.143.56 | 192.168.2.4
Mar 18, 2023 16:04:29.171901941 CET | 49699 | 443 | 192.168.2.4 | 182.162.143.56
Mar 18, 2023 16:04:29.171993017 CET | 443 | 49699 | 182.162.143.56 | 192.168.2.4
Mar 18, 2023 16:04:29.172085047 CET | 49699 | 443 | 192.168.2.4 | 182.162.143.56
Mar 18, 2023 16:04:29.173659086 CET | 49699 | 443 | 192.168.2.4 | 182.162.143.56
Mar 18, 2023 16:04:29.173687935 CET | 443 | 49699 | 182.162.143.56 | 192.168.2.4
Mar 18, 2023 16:04:29.429583073 CET | 443 | 49699 | 182.162.143.56 | 192.168.2.4
Mar 18, 2023 16:04:29.430413008 CET | 49700 | 443 | 192.168.2.4 | 182.162.143.56
Mar 18, 2023 16:04:29.430479050 CET | 443 | 49700 | 182.162.143.56 | 192.168.2.4
Mar 18, 2023 16:04:29.430608988 CET | 49700 | 443 | 192.168.2.4 | 182.162.143.56
Mar 18, 2023 16:04:29.430986881 CET | 49700 | 443 | 192.168.2.4 | 182.162.143.56
Mar 18, 2023 16:04:29.431008101 CET | 443 | 49700 | 182.162.143.56 | 192.168.2.4
Mar 18, 2023 16:04:29.681132078 CET | 443 | 49700 | 182.162.143.56 | 192.168.2.4
Mar 18, 2023 16:04:29.682370901 CET | 49701 | 443 | 192.168.2.4 | 182.162.143.56
Mar 18, 2023 16:04:29.682427883 CET | 443 | 49701 | 182.162.143.56 | 192.168.2.4
Mar 18, 2023 16:04:29.682502985 CET | 49701 | 443 | 192.168.2.4 | 182.162.143.56
Mar 18, 2023 16:04:29.683222055 CET | 49701 | 443 | 192.168.2.4 | 182.162.143.56
Mar 18, 2023 16:04:29.683243990 CET | 443 | 49701 | 182.162.143.56 | 192.168.2.4
Mar 18, 2023 16:04:29.933031082 CET | 443 | 49701 | 182.162.143.56 | 192.168.2.4
Mar 18, 2023 16:04:35.414930105 CET | 49702 | 80 | 192.168.2.4 | 187.63.160.88
Mar 18, 2023 16:04:35.649703026 CET | 80 | 49702 | 187.63.160.88 | 192.168.2.4
Mar 18, 2023 16:04:36.159209967 CET | 49702 | 80 | 192.168.2.4 | 187.63.160.88
Mar 18, 2023 16:04:36.392321110 CET | 80 | 49702 | 187.63.160.88 | 192.168.2.4
Mar 18, 2023 16:04:36.893764019 CET | 49702 | 80 | 192.168.2.4 | 187.63.160.88
Mar 18, 2023 16:04:37.127011061 CET | 80 | 49702 | 187.63.160.88 | 192.168.2.4
Mar 18, 2023 16:04:43.917582989 CET | 49703 | 8080 | 192.168.2.4 | 167.172.199.165
Mar 18, 2023 16:04:44.085635900 CET | 8080 | 49703 | 167.172.199.165 | 192.168.2.4
Mar 18, 2023 16:04:44.085844040 CET | 49703 | 8080 | 192.168.2.4 | 167.172.199.165
Mar 18, 2023 16:04:44.086786032 CET | 49703 | 8080 | 192.168.2.4 | 167.172.199.165
Mar 18, 2023 16:04:44.253998041 CET | 8080 | 49703 | 167.172.199.165 | 192.168.2.4
Mar 18, 2023 16:04:44.263807058 CET | 8080 | 49703 | 167.172.199.165 | 192.168.2.4
Mar 18, 2023 16:04:44.263864040 CET | 8080 | 49703 | 167.172.199.165 | 192.168.2.4
Mar 18, 2023 16:04:44.264022112 CET | 49703 | 8080 | 192.168.2.4 | 167.172.199.165
Mar 18, 2023 16:04:44.274636030 CET | 49703 | 8080 | 192.168.2.4 | 167.172.199.165
Mar 18, 2023 16:04:44.442653894 CET | 8080 | 49703 | 167.172.199.165 | 192.168.2.4
Mar 18, 2023 16:04:44.443876982 CET | 49703 | 8080 | 192.168.2.4 | 167.172.199.165
Mar 18, 2023 16:04:44.652205944 CET | 8080 | 49703 | 167.172.199.165 | 192.168.2.4
Mar 18, 2023 16:04:45.266201973 CET | 8080 | 49703 | 167.172.199.165 | 192.168.2.4
Mar 18, 2023 16:04:45.316627979 CET | 49703 | 8080 | 192.168.2.4 | 167.172.199.165
Mar 18, 2023 16:04:48.266819954 CET | 8080 | 49703 | 167.172.199.165 | 192.168.2.4
Mar 18, 2023 16:04:48.266854048 CET | 8080 | 49703 | 167.172.199.165 | 192.168.2.4
Mar 18, 2023 16:04:48.266910076 CET | 49703 | 8080 | 192.168.2.4 | 167.172.199.165
Mar 18, 2023 16:04:48.267302036 CET | 49703 | 8080 | 192.168.2.4 | 167.172.199.165
Mar 18, 2023 16:04:48.267366886 CET | 49703 | 8080 | 192.168.2.4 | 167.172.199.165
Mar 18, 2023 16:04:48.434720993 CET | 8080 | 49703 | 167.172.199.165 | 192.168.2.4
Mar 18, 2023 16:04:48.434746027 CET | 8080 | 49703 | 167.172.199.165 | 192.168.2.4
Mar 18, 2023 16:04:49.168176889 CET | 49704 | 443 | 192.168.2.4 | 164.90.222.65
Mar 18, 2023 16:04:49.168282032 CET | 443 | 49704 | 164.90.222.65 | 192.168.2.4
Mar 18, 2023 16:04:49.168464899 CET | 49704 | 443 | 192.168.2.4 | 164.90.222.65
Mar 18, 2023 16:04:49.169192076 CET | 49704 | 443 | 192.168.2.4 | 164.90.222.65
Mar 18, 2023 16:04:49.169229031 CET | 443 | 49704 | 164.90.222.65 | 192.168.2.4
Mar 18, 2023 16:04:49.307187080 CET | 443 | 49704 | 164.90.222.65 | 192.168.2.4
Mar 18, 2023 16:04:49.307413101 CET | 49704 | 443 | 192.168.2.4 | 164.90.222.65
Mar 18, 2023 16:04:49.310338974 CET | 49704 | 443 | 192.168.2.4 | 164.90.222.65
Mar 18, 2023 16:04:49.310395956 CET | 443 | 49704 | 164.90.222.65 | 192.168.2.4
Mar 18, 2023 16:04:49.311386108 CET | 443 | 49704 | 164.90.222.65 | 192.168.2.4
Mar 18, 2023 16:04:49.363498926 CET | 49704 | 443 | 192.168.2.4 | 164.90.222.65
Mar 18, 2023 16:04:49.650243044 CET | 49704 | 443 | 192.168.2.4 | 164.90.222.65
Mar 18, 2023 16:04:49.650281906 CET | 443 | 49704 | 164.90.222.65 | 192.168.2.4
Mar 18, 2023 16:04:49.858705997 CET | 443 | 49704 | 164.90.222.65 | 192.168.2.4
Mar 18, 2023 16:04:49.858830929 CET | 443 | 49704 | 164.90.222.65 | 192.168.2.4
Mar 18, 2023 16:04:49.858892918 CET | 49704 | 443 | 192.168.2.4 | 164.90.222.65
Mar 18, 2023 16:04:49.859055042 CET | 49704 | 443 | 192.168.2.4 | 164.90.222.65
Mar 18, 2023 16:04:49.859081984 CET | 443 | 49704 | 164.90.222.65 | 192.168.2.4
Mar 18, 2023 16:04:53.665641069 CET | 49705 | 8080 | 192.168.2.4 | 104.168.155.143
Mar 18, 2023 16:04:53.828515053 CET | 8080 | 49705 | 104.168.155.143 | 192.168.2.4
Mar 18, 2023 16:04:54.332683086 CET | 49705 | 8080 | 192.168.2.4 | 104.168.155.143
Mar 18, 2023 16:04:54.495578051 CET | 8080 | 49705 | 104.168.155.143 | 192.168.2.4
Mar 18, 2023 16:04:55.004642963 CET | 49705 | 8080 | 192.168.2.4 | 104.168.155.143
                      • 164.90.222.65


Target ID: 0
Start time: 16:03:25
Start date: 18/03/2023
Path: C:\Windows\System32\loaddll64.exe
Wow64 process (32bit): false
Commandline: loaddll64.exe "C:\Users\user\Desktop\f_00321b.dll"
Imagebase: 0x7ff6977d0000
File size: 139776 bytes
MD5 hash: C676FC0263EDD17D4CE7D644B8F3FCD6
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 1
Start time: 16:03:25
Start date: 18/03/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7c72c0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 2
Start time: 16:03:25
Start date: 18/03/2023
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\f_00321b.dll",#1
Imagebase: 0x7ff632260000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 3
Start time: 16:03:25
Start date: 18/03/2023
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: regsvr32.exe /s C:\Users\user\Desktop\f_00321b.dll
Imagebase: 0x7ff72cd70000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.322806911.0000000000C60000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.323368547.0000000000E61000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: high

Target ID: 4
Start time: 16:03:26
Start date: 18/03/2023
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe "C:\Users\user\Desktop\f_00321b.dll",#1
Imagebase: 0x7ff6abd80000
File size: 69632 bytes
MD5 hash: 73C519F050C20580F8A62C849D49215A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.321671737.00000263A5E10000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.322501137.00000263A7711000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: high

Target ID: 5
Start time: 16:03:26
Start date: 18/03/2023
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe C:\Users\user\Desktop\f_00321b.dll,DllRegisterServer
Imagebase: 0x7ff6abd80000
File size: 69632 bytes
MD5 hash: 73C519F050C20580F8A62C849D49215A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.322224352.00000264E3C10000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.322307535.00000264E3C41000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: high

Target ID: 6
Start time: 16:03:28
Start date: 18/03/2023
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ChVCsX\ramMHRyb.dll"
Imagebase: 0x7ff72cd70000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet_3, Description: Yara detected Emotet, Source: 00000006.00000002.837764087.000000000095B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.837994080.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.838029759.0000000000B51000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: high

Target ID: 7
Start time: 16:03:28
Start date: 18/03/2023
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\LwMWPX\mOtL.dll"
Imagebase: 0x7ff72cd70000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 8
Start time: 16:03:28
Start date: 18/03/2023
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\WiCuwn\qvjh.dll"
Imagebase: 0x7ff72cd70000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

                      No disassembly