{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB", "C2 list": ["58.171.153.81:80", "104.131.103.128:443", "66.228.49.173:8080", "104.131.103.37:8080", "149.62.173.247:8080", "72.47.248.48:7080", "68.183.170.114:8080", "81.198.69.61:80", "217.13.106.14:8080", "77.90.136.129:8080", "217.199.160.224:7080", "178.79.163.131:8080", "2.47.112.152:80", "83.169.21.32:7080", "190.163.31.26:80", "185.94.252.27:443", "12.162.84.2:8080", "73.116.193.136:80", "177.72.13.80:80", "116.125.120.88:443", "213.181.91.224:80", "104.131.41.185:8080", "46.28.111.142:7080", "181.129.96.162:8080", "189.2.177.210:443", "111.67.12.221:8080", "189.194.58.119:80", "51.255.165.160:8080", "170.81.48.2:80", "177.74.228.34:80", "70.32.84.74:8080", "213.60.96.117:80", "186.250.52.226:8080", "70.32.115.157:8080", "190.190.148.27:8080", "204.225.249.100:7080", "192.241.143.52:8080", "202.62.39.111:80", "82.76.111.249:443", "190.147.137.153:443", "80.249.176.206:80", "91.219.169.180:80", "212.71.237.140:8080", "114.109.179.60:80", "5.196.35.138:7080", "87.106.46.107:8080", "190.6.193.152:8080", "172.104.169.32:8080", "186.103.141.250:443", "212.231.60.98:80", "147.91.184.91:80", "50.28.51.143:8080", "61.92.159.208:8080", "187.162.248.237:80", "191.182.6.118:80", "94.206.45.18:80", "219.92.13.25:80", "145.236.8.174:80", "89.32.150.160:8080", "93.151.186.85:80", "190.17.195.202:80", "181.120.79.227:80", "177.73.0.98:443", "192.241.146.84:8080", "217.160.182.191:8080", "68.183.190.199:8080", "137.74.106.111:7080", "177.144.135.2:80", "201.213.156.176:80", "82.196.15.205:8080", "104.236.161.64:8080", "209.236.123.42:8080", "77.55.211.77:8080", "177.66.190.130:80", "143.0.87.101:80", "94.176.234.118:443", "191.99.160.58:80", "185.94.252.12:80", "45.161.242.102:80", "181.36.42.205:443"]}
Source: 0.2.mormanti.exe.2db053f.1.raw.unpack | Malware Configuration Extractor: Emotet {"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB", "C2 list": ["58.171.153.81:80", "104.131.103.128:443", "66.228.49.173:8080", "104.131.103.37:8080", "149.62.173.247:8080", "72.47.248.48:7080", "68.183.170.114:8080", "81.198.69.61:80", "217.13.106.14:8080", "77.90.136.129:8080", "217.199.160.224:7080", "178.79.163.131:8080", "2.47.112.152:80", "83.169.21.32:7080", "190.163.31.26:80", "185.94.252.27:443", "12.162.84.2:8080", "73.116.193.136:80", "177.72.13.80:80", "116.125.120.88:443", "213.181.91.224:80", "104.131.41.185:8080", "46.28.111.142:7080", "181.129.96.162:8080", "189.2.177.210:443", "111.67.12.221:8080", "189.194.58.119:80", "51.255.165.160:8080", "170.81.48.2:80", "177.74.228.34:80", "70.32.84.74:8080", "213.60.96.117:80", "186.250.52.226:8080", "70.32.115.157:8080", "190.190.148.27:8080", "204.225.249.100:7080", "192.241.143.52:8080", "202.62.39.111:80", "82.76.111.249:443", "190.147.137.153:443", "80.249.176.206:80", "91.219.169.180:80", "212.71.237.140:8080", "114.109.179.60:80", "5.196.35.138:7080", "87.106.46.107:8080", "190.6.193.152:8080", "172.104.169.32:8080", "186.103.141.250:443", "212.231.60.98:80", "147.91.184.91:80", "50.28.51.143:8080", "61.92.159.208:8080", "187.162.248.237:80", "191.182.6.118:80", "94.206.45.18:80", "219.92.13.25:80", "145.236.8.174:80", "89.32.150.160:8080", "93.151.186.85:80", "190.17.195.202:80", "181.120.79.227:80", "177.73.0.98:443", "192.241.146.84:8080", "217.160.182.191:8080", "68.183.190.199:8080", "137.74.106.111:7080", "177.144.135.2:80", "201.213.156.176:80", "82.196.15.205:8080", "104.236.161.64:8080", "209.236.123.42:8080", "77.55.211.77:8080", "177.66.190.130:80", "143.0.87.101:80", "94.176.234.118:443", "191.99.160.58:80", "185.94.252.12:80", "45.161.242.102:80", "181.36.42.205:443"]} |
Source: Malware configuration extractor | IPs: 58.171.153.81:80 |
Source: Malware configuration extractor | IPs: 104.131.103.128:443 |
Source: Malware configuration extractor | IPs: 66.228.49.173:8080 |
Source: Malware configuration extractor | IPs: 104.131.103.37:8080 |
Source: Malware configuration extractor | IPs: 149.62.173.247:8080 |
Source: Malware configuration extractor | IPs: 72.47.248.48:7080 |
Source: Malware configuration extractor | IPs: 68.183.170.114:8080 |
Source: Malware configuration extractor | IPs: 81.198.69.61:80 |
Source: Malware configuration extractor | IPs: 217.13.106.14:8080 |
Source: Malware configuration extractor | IPs: 77.90.136.129:8080 |
Source: Malware configuration extractor | IPs: 217.199.160.224:7080 |
Source: Malware configuration extractor | IPs: 178.79.163.131:8080 |
Source: Malware configuration extractor | IPs: 2.47.112.152:80 |
Source: Malware configuration extractor | IPs: 83.169.21.32:7080 |
Source: Malware configuration extractor | IPs: 190.163.31.26:80 |
Source: Malware configuration extractor | IPs: 185.94.252.27:443 |
Source: Malware configuration extractor | IPs: 12.162.84.2:8080 |
Source: Malware configuration extractor | IPs: 73.116.193.136:80 |
Source: Malware configuration extractor | IPs: 177.72.13.80:80 |
Source: Malware configuration extractor | IPs: 116.125.120.88:443 |
Source: Malware configuration extractor | IPs: 213.181.91.224:80 |
Source: Malware configuration extractor | IPs: 104.131.41.185:8080 |
Source: Malware configuration extractor | IPs: 46.28.111.142:7080 |
Source: Malware configuration extractor | IPs: 181.129.96.162:8080 |
Source: Malware configuration extractor | IPs: 189.2.177.210:443 |
Source: Malware configuration extractor | IPs: 111.67.12.221:8080 |
Source: Malware configuration extractor | IPs: 189.194.58.119:80 |
Source: Malware configuration extractor | IPs: 51.255.165.160:8080 |
Source: Malware configuration extractor | IPs: 170.81.48.2:80 |
Source: Malware configuration extractor | IPs: 177.74.228.34:80 |
Source: Malware configuration extractor | IPs: 70.32.84.74:8080 |
Source: Malware configuration extractor | IPs: 213.60.96.117:80 |
Source: Malware configuration extractor | IPs: 186.250.52.226:8080 |
Source: Malware configuration extractor | IPs: 70.32.115.157:8080 |
Source: Malware configuration extractor | IPs: 190.190.148.27:8080 |
Source: Malware configuration extractor | IPs: 204.225.249.100:7080 |
Source: Malware configuration extractor | IPs: 192.241.143.52:8080 |
Source: Malware configuration extractor | IPs: 202.62.39.111:80 |
Source: Malware configuration extractor | IPs: 82.76.111.249:443 |
Source: Malware configuration extractor | IPs: 190.147.137.153:443 |
Source: Malware configuration extractor | IPs: 80.249.176.206:80 |
Source: Malware configuration extractor | IPs: 91.219.169.180:80 |
Source: Malware configuration extractor | IPs: 212.71.237.140:8080 |
Source: Malware configuration extractor | IPs: 114.109.179.60:80 |
Source: Malware configuration extractor | IPs: 5.196.35.138:7080 |
Source: Malware configuration extractor | IPs: 87.106.46.107:8080 |
Source: Malware configuration extractor | IPs: 190.6.193.152:8080 |
Source: Malware configuration extractor | IPs: 172.104.169.32:8080 |
Source: Malware configuration extractor | IPs: 186.103.141.250:443 |
Source: Malware configuration extractor | IPs: 212.231.60.98:80 |
Source: Malware configuration extractor | IPs: 147.91.184.91:80 |
Source: Malware configuration extractor | IPs: 50.28.51.143:8080 |
Source: Malware configuration extractor | IPs: 61.92.159.208:8080 |
Source: Malware configuration extractor | IPs: 187.162.248.237:80 |
Source: Malware configuration extractor | IPs: 191.182.6.118:80 |
Source: Malware configuration extractor | IPs: 94.206.45.18:80 |
Source: Malware configuration extractor | IPs: 219.92.13.25:80 |
Source: Malware configuration extractor | IPs: 145.236.8.174:80 |
Source: Malware configuration extractor | IPs: 89.32.150.160:8080 |
Source: Malware configuration extractor | IPs: 93.151.186.85:80 |
Source: Malware configuration extractor | IPs: 190.17.195.202:80 |
Source: Malware configuration extractor | IPs: 181.120.79.227:80 |
Source: Malware configuration extractor | IPs: 177.73.0.98:443 |
Source: Malware configuration extractor | IPs: 192.241.146.84:8080 |
Source: Malware configuration extractor | IPs: 217.160.182.191:8080 |
Source: Malware configuration extractor | IPs: 68.183.190.199:8080 |
Source: Malware configuration extractor | IPs: 137.74.106.111:7080 |
Source: Malware configuration extractor | IPs: 177.144.135.2:80 |
Source: Malware configuration extractor | IPs: 201.213.156.176:80 |
Source: Malware configuration extractor | IPs: 82.196.15.205:8080 |
Source: Malware configuration extractor | IPs: 104.236.161.64:8080 |
Source: Malware configuration extractor | IPs: 209.236.123.42:8080 |
Source: Malware configuration extractor | IPs: 77.55.211.77:8080 |
Source: Malware configuration extractor | IPs: 177.66.190.130:80 |
Source: Malware configuration extractor | IPs: 143.0.87.101:80 |
Source: Malware configuration extractor | IPs: 94.176.234.118:443 |
Source: Malware configuration extractor | IPs: 191.99.160.58:80 |
Source: Malware configuration extractor | IPs: 185.94.252.12:80 |
Source: Malware configuration extractor | IPs: 45.161.242.102:80 |
Source: Malware configuration extractor | IPs: 181.36.42.205:443 |
Source: unknown | TCP traffic detected without corresponding DNS query: 58.171.153.81 |
Source: unknown | TCP traffic detected without corresponding DNS query: 58.171.153.81 |
Source: unknown | TCP traffic detected without corresponding DNS query: 58.171.153.81 |
Source: unknown | TCP traffic detected without corresponding DNS query: 104.131.103.128 |
Source: unknown | TCP traffic detected without corresponding DNS query: 104.131.103.128 |
Source: unknown | TCP traffic detected without corresponding DNS query: 104.131.103.128 |
Source: unknown | TCP traffic detected without corresponding DNS query: 66.228.49.173 |
Source: unknown | TCP traffic detected without corresponding DNS query: 66.228.49.173 |
Source: unknown | TCP traffic detected without corresponding DNS query: 66.228.49.173 |
Source: unknown | TCP traffic detected without corresponding DNS query: 104.131.103.37 |
Source: unknown | TCP traffic detected without corresponding DNS query: 104.131.103.37 |
Source: unknown | TCP traffic detected without corresponding DNS query: 104.131.103.37 |
Source: unknown | TCP traffic detected without corresponding DNS query: 149.62.173.247 |
Source: unknown | TCP traffic detected without corresponding DNS query: 149.62.173.247 |
Source: unknown | TCP traffic detected without corresponding DNS query: 149.62.173.247 |
Source: unknown | TCP traffic detected without corresponding DNS query: 72.47.248.48 |
Source: unknown | TCP traffic detected without corresponding DNS query: 72.47.248.48 |
Source: unknown | TCP traffic detected without corresponding DNS query: 72.47.248.48 |
Source: unknown | TCP traffic detected without corresponding DNS query: 68.183.170.114 |
Source: unknown | TCP traffic detected without corresponding DNS query: 68.183.170.114 |
Source: unknown | TCP traffic detected without corresponding DNS query: 68.183.170.114 |
Source: eventvwr.exe, 00000002.00000003.394916417.00000000034DC000.00000004.00000001.sdmp | String found in binary or memory: http://104.131.103.128:443/iNVKl1XPWZqml34fy2r/3FDoguFdfDtjz/ |
Source: eventvwr.exe, 00000002.00000003.394916417.00000000034DC000.00000004.00000001.sdmp | String found in binary or memory: http://149.62.173.247/kH8ALNiaGV/5bEuMKuJNKlslD3n/rvXy2RpDwZlslOQBeY7/BCLTdgbwF6J8vsIGfDq/jZ9iV8xFle |
Source: eventvwr.exe, 00000002.00000003.394916417.00000000034DC000.00000004.00000001.sdmp | String found in binary or memory: http://149.62.173.247:8080/kH8ALNiaGV/5bEuMKuJNKlslD3n/rvXy2RpDwZlslOQBeY7/BCLTdgbwF6J8vsIGfDq/jZ9iV |
Source: eventvwr.exe, 00000002.00000003.334412522.00000000034DC000.00000004.00000001.sdmp | String found in binary or memory: http://58.171.153.81/j4XmHhlvX7h4pe/uu11HumRcyQn/3XzJ/ymPM07W/vKmfGodTznrrD/ |
Source: eventvwr.exe, 00000002.00000003.334420749.00000000034E1000.00000004.00000001.sdmp | String found in binary or memory: http://66.228.49.173/TyLIHl4nuj0XCeB/C12IKmccuoQw2U92z/ |
Source: eventvwr.exe, 00000002.00000003.334420749.00000000034E1000.00000004.00000001.sdmp | String found in binary or memory: http://66.228.49.173:8080/TyLIHl4nuj0XCeB/C12IKmccuoQw2U92z/ |
Source: eventvwr.exe, 00000002.00000003.334420749.00000000034E1000.00000004.00000001.sdmp | String found in binary or memory: http://66.228.49.173:8080/TyLIHl4nuj0XCeB/C12IKmccuoQw2U92z/s(KF |
Source: eventvwr.exe, 00000002.00000002.467254710.00000000034DB000.00000004.00000001.sdmp | String found in binary or memory: http://68.183.170.114/nFzrf7w0/EO2pZ/MQ0xve/ |
Source: eventvwr.exe, 00000002.00000002.466095172.0000000002ED6000.00000004.00000001.sdmp, eventvwr.exe, 00000002.00000002.467254710.00000000034DB000.00000004.00000001.sdmp | String found in binary or memory: http://68.183.170.114:8080/nFzrf7w0/EO2pZ/MQ0xve/ |
Source: eventvwr.exe, 00000002.00000002.466095172.0000000002ED6000.00000004.00000001.sdmp | String found in binary or memory: http://68.183.170.114:8080/nFzrf7w0/EO2pZ/MQ0xve/: |
Source: eventvwr.exe, 00000002.00000002.467254710.00000000034DB000.00000004.00000001.sdmp | String found in binary or memory: http://68.183.170.114:8080/nFzrf7w0/EO2pZ/MQ0xve/c |
Source: eventvwr.exe, 00000002.00000002.467254710.00000000034DB000.00000004.00000001.sdmp | String found in binary or memory: http://72.47.248.48:7080/VTzYrEpbArBozqZBhS/ |
Source: eventvwr.exe, 00000002.00000002.467254710.00000000034DB000.00000004.00000001.sdmp | String found in binary or memory: http://72.47.248.48:7080/VTzYrEpbArBozqZBhS/6O |
Source: eventvwr.exe, 00000002.00000002.467254710.00000000034DB000.00000004.00000001.sdmp | String found in binary or memory: http://72.47.248.48:7080/VTzYrEpbArBozqZBhS/CL: |
Source: svchost.exe, 00000006.00000002.466542718.0000022B0E414000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0 |
Source: svchost.exe, 00000006.00000002.466542718.0000022B0E414000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0: |
Source: svchost.exe, 00000006.00000002.466542718.0000022B0E414000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0 |
Source: svchost.exe, 00000006.00000002.465692005.0000022B08EA3000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/ |
Source: svchost.exe, 00000006.00000002.466806888.0000022B0E690000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. |
Source: svchost.exe, 0000000E.00000002.309089370.00000265B8A13000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com |
Source: svchost.exe, 0000000B.00000002.465372736.000001C4AD22A000.00000004.00000001.sdmp | String found in binary or memory: https://%s.dnet.xboxlive.com |
Source: svchost.exe, 0000000B.00000002.465372736.000001C4AD22A000.00000004.00000001.sdmp | String found in binary or memory: https://%s.xboxlive.com |
Source: svchost.exe, 0000000B.00000002.465372736.000001C4AD22A000.00000004.00000001.sdmp | String found in binary or memory: https://activity.windows.com |
Source: svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net |
Source: svchost.exe, 0000000B.00000002.465372736.000001C4AD22A000.00000004.00000001.sdmp | String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device |
Source: svchost.exe, 0000000B.00000002.465372736.000001C4AD22A000.00000004.00000001.sdmp | String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device |
Source: svchost.exe, 0000000E.00000003.308646998.00000265B8A5C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ |
Source: svchost.exe, 0000000E.00000003.308646998.00000265B8A5C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/ |
Source: svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations |
Source: svchost.exe, 0000000E.00000002.309140351.00000265B8A3E000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/ |
Source: svchost.exe, 0000000E.00000003.308646998.00000265B8A5C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/ |
Source: svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx |
Source: svchost.exe, 0000000E.00000003.308695347.00000265B8A45000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v= |
Source: svchost.exe, 0000000E.00000003.308646998.00000265B8A5C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/ |
Source: svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations |
Source: svchost.exe, 0000000E.00000002.309140351.00000265B8A3E000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/ |
Source: svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving |
Source: svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit |
Source: svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking |
Source: svchost.exe, 0000000E.00000002.309153516.00000265B8A42000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/ |
Source: svchost.exe, 0000000E.00000002.309153516.00000265B8A42000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n= |
Source: svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx |
Source: svchost.exe, 0000000E.00000002.309177417.00000265B8A58000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? |
Source: svchost.exe, 0000000E.00000003.308646998.00000265B8A5C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= |
Source: svchost.exe, 0000000E.00000002.309177417.00000265B8A58000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= |
Source: svchost.exe, 0000000E.00000002.309177417.00000265B8A58000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= |
Source: svchost.exe, 0000000E.00000003.308695347.00000265B8A45000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.309153516.00000265B8A42000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t |
Source: svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx |
Source: svchost.exe, 0000000E.00000002.309140351.00000265B8A3E000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ |
Source: svchost.exe, 0000000E.00000003.286870020.00000265B8A31000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v= |
Source: eventvwr.exe, 00000002.00000003.334420749.00000000034E1000.00000004.00000001.sdmp | String found in binary or memory: https://fs.microsoft.c |
Source: svchost.exe, 0000000E.00000002.309140351.00000265B8A3E000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx |
Source: svchost.exe, 0000000E.00000002.309140351.00000265B8A3E000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.309089370.00000265B8A13000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= |
Source: svchost.exe, 0000000E.00000003.286870020.00000265B8A31000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= |
Source: svchost.exe, 0000000E.00000003.308695347.00000265B8A45000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= |
Source: svchost.exe, 0000000E.00000003.286870020.00000265B8A31000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= |
Source: svchost.exe, 0000000E.00000003.308721293.00000265B8A3A000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen |
Source: svchost.exe, 0000000E.00000003.308695347.00000265B8A45000.00000004.00000001.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen |
Source: unknown | Process created: C:\Users\user\Desktop\mormanti.exe 'C:\Users\user\Desktop\mormanti.exe' |
Source: C:\Users\user\Desktop\mormanti.exe | Process created: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe |
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p |
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS |
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p |
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p |
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService |
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc |
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup |
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc |
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p |
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe |
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc |
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable |
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\Desktop\mormanti.exe | Process created: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe |
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable |
Source: svchost.exe, 00000005.00000002.227092288.0000025121F40000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.276841534.000001F85F660000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.291456589.000001F7F1260000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.466345591.000001C4ADF40000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed. |
Source: svchost.exe, 00000006.00000002.466653401.0000022B0E460000.00000004.00000001.sdmp | Binary or memory string: @Hyper-V RAW |
Source: eventvwr.exe, 00000002.00000003.394916417.00000000034DC000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.466637022.0000022B0E453000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW |
Source: svchost.exe, 0000000A.00000002.465149550.000001E006C02000.00000004.00000001.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService |
Source: svchost.exe, 00000005.00000002.227092288.0000025121F40000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.276841534.000001F85F660000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.291456589.000001F7F1260000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.466345591.000001C4ADF40000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service. |
Source: svchost.exe, 00000005.00000002.227092288.0000025121F40000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.276841534.000001F85F660000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.291456589.000001F7F1260000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.466345591.000001C4ADF40000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported. |
Source: svchost.exe, 00000006.00000002.465518449.0000022B08E29000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW@aF |
Source: svchost.exe, 0000000A.00000002.465212488.000001E006C29000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.465407534.000001C4AD251000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000002.465492639.0000016AC822A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: svchost.exe, 00000005.00000002.227092288.0000025121F40000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.276841534.000001F85F660000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.291456589.000001F7F1260000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.466345591.000001C4ADF40000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service. |
Source: C:\Users\user\Desktop\mormanti.exe | Code function: 0_2_00C11FF2 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\mormanti.exe | Code function: 0_2_02DB304D mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\mormanti.exe | Code function: 0_2_02DB0467 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\mormanti.exe | Code function: 0_2_02DB277C mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\mormanti.exe | Code function: 0_2_02DC370E mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\mormanti.exe | Code function: 0_2_02DC2E3D mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe | Code function: 2_2_00C11FF2 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe | Queries volume information: C:\ VolumeInformation |
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation |
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation |
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation |
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation |
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation |
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation |
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation |
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation |
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation |
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation |
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation |
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation |
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation |