Source: 0.2.PHvqpLRfRl.exe.3f279e.0.raw.unpack |
Malware Configuration Extractor: Emotet {"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB", "C2 list": ["74.219.172.26:80", "134.209.36.254:8080", "104.156.59.7:8080", "120.138.30.150:8080", "194.187.133.160:443", "104.236.246.93:8080", "74.208.45.104:8080", "78.187.156.31:80", "187.161.206.24:80", "94.23.216.33:80", "172.91.208.86:80", "91.211.88.52:7080", "50.91.114.38:80", "200.123.150.89:443", "121.124.124.40:7080", "62.75.141.82:80", "5.196.74.210:8080", "24.137.76.62:80", "85.105.205.77:8080", "139.130.242.43:80", "82.225.49.121:80", "110.145.77.103:80", "195.251.213.56:80", "46.105.131.79:8080", "87.106.136.232:8080", "75.139.38.211:80", "124.41.215.226:80", "203.153.216.189:7080", "162.241.242.173:8080", "219.74.18.66:443", "174.45.13.118:80", "68.188.112.97:80", "200.114.213.233:8080", "213.196.135.145:80", "61.92.17.12:80", "61.19.246.238:443", "219.75.128.166:80", "120.150.60.189:80", "123.176.25.234:80", "1.221.254.82:80", "137.119.36.33:80", "94.23.237.171:443", "74.120.55.163:80", "62.30.7.67:443", "104.131.11.150:443", "139.59.67.118:443", "209.141.54.221:8080", "79.137.83.50:443", "84.39.182.7:80", "97.82.79.83:80", "87.106.139.101:8080", "94.1.108.190:443", "37.187.72.193:8080", "139.162.108.71:8080", "93.147.212.206:80", "74.134.41.124:80", "103.86.49.11:8080", "75.80.124.4:80", "109.74.5.95:8080", "153.232.188.106:80", "168.235.67.138:7080", "50.35.17.13:80", "42.200.107.142:80", "82.80.155.43:80", "78.24.219.147:8080", "24.43.99.75:80", "107.5.122.110:80", "156.155.166.221:80", "83.169.36.251:8080", "47.144.21.12:443", "79.98.24.39:8080", "181.169.34.190:80", "139.59.60.244:8080", "85.152.162.105:80", "185.94.252.104:443", "110.5.16.198:80", "174.102.48.180:443", "140.186.212.146:80", "95.179.229.244:8080", "104.32.141.43:80", "169.239.182.217:8080", "121.7.127.163:80", "94.200.114.161:80", 
"201.173.217.124:443", "104.131.44.150:8080", "137.59.187.107:8080", "5.39.91.110:7080", "203.117.253.142:80", "157.245.99.39:8080", "176.111.60.55:8080", "95.213.236.64:8080", "220.245.198.194:80", "37.139.21.175:8080", "89.216.122.92:80", "139.99.158.11:443", "24.179.13.119:80", "188.219.31.12:80"]} |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: 0_2_01144C40 CryptAcquireContextA,CryptAcquireContextA, |
0_2_01144C40 |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_01144C40 CryptAcquireContextA,CryptAcquireContextA, |
1_2_01144C40 |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_00402210 CryptDestroyHash,CryptExportKey,CryptDuplicateHash,CryptGetHashParam,CryptEncrypt,memcpy,GetProcessHeap,HeapFree, |
1_2_00402210 |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_004025A0 CryptAcquireContextW,CryptImportKey,LocalFree,CryptCreateHash,CryptDecodeObjectEx,CryptDecodeObjectEx,CryptGenKey, |
1_2_004025A0 |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_00401FA0 CryptDuplicateHash,CryptDestroyHash,memcpy, |
1_2_00401FA0 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 74.219.172.26 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 134.209.36.254 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 104.156.59.7 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 120.138.30.150 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 194.187.133.160 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 104.236.246.93 |
Source: ipsmsnap.exe, 00000001.00000002.468016701.0000000000E9A000.00000004.00000020.sdmp |
String found in binary or memory: http://104.156.59.7:8080/3x1oIXeY |
Source: ipsmsnap.exe, 00000001.00000002.468016701.0000000000E9A000.00000004.00000020.sdmp |
String found in binary or memory: http://104.156.59.7:8080/3x1oIXewHYdNlV01/MCzATjJI1I/RPBsOTo7qERajOZz1lh/LN3m/MNxh/ |
Source: ipsmsnap.exe, 00000001.00000002.468016701.0000000000E9A000.00000004.00000020.sdmp |
String found in binary or memory: http://104.156.59.7:8080/3x1oIXewHYdNlV01/MCzATjJI1I/RPBsOTo7qERajOZz1lh/LN3m/MNxh/#? |
Source: ipsmsnap.exe, 00000001.00000002.468016701.0000000000E9A000.00000004.00000020.sdmp |
String found in binary or memory: http://104.156.59.7:8080/3x1oIXewHYdNlV01/MCzATjJI1I/RPBsOTo7qERajOZz1lh/LN3m/MNxh/3 |
Source: ipsmsnap.exe, 00000001.00000002.468016701.0000000000E9A000.00000004.00000020.sdmp |
String found in binary or memory: http://104.156.59.7:8080/3x1oIXewHYdNlV01/MCzATjJI1I/RPBsOTo7qERajOZz1lh/LN3m/MNxh/m |
Source: ipsmsnap.exe, 00000001.00000002.470677696.00000000030B0000.00000004.00000001.sdmp |
String found in binary or memory: http://104.236.246.93:8080/nNKoq5kK/ |
Source: ipsmsnap.exe, 00000001.00000002.470792566.00000000030DE000.00000004.00000001.sdmp |
String found in binary or memory: http://104.236.246.93:8080/nNKoq5kK/= |
Source: ipsmsnap.exe, 00000001.00000002.470677696.00000000030B0000.00000004.00000001.sdmp |
String found in binary or memory: http://104.236.246.93:8080/nNKoq5kK/n |
Source: ipsmsnap.exe, 00000001.00000002.468016701.0000000000E9A000.00000004.00000020.sdmp |
String found in binary or memory: http://120.138.30.150:8080/2aF5ml4oR/WXLdIdZGpJmXIp5/ |
Source: ipsmsnap.exe, 00000001.00000002.468016701.0000000000E9A000.00000004.00000020.sdmp |
String found in binary or memory: http://120.138.30.150:8080/2aF5ml4oR/WXLdIdZGpJmXIp5/PBsOTo7qERajOZz1lh/LN3m/MNxh/5? |
Source: ipsmsnap.exe, 00000001.00000002.468016701.0000000000E9A000.00000004.00000020.sdmp |
String found in binary or memory: http://120.138.30.150:8080/2aF5ml4oR/WXLdIdZGpJmXIp5/c8 |
Source: ipsmsnap.exe, 00000001.00000002.468016701.0000000000E9A000.00000004.00000020.sdmp |
String found in binary or memory: http://134.209.36.254:8080/tWwU/w3xB1Bhz7yaslBgJS/q49F3NAtj1IqnXaW2A/GIQOEsdbSxikR6wT/lMJv8yE/ |
Source: ipsmsnap.exe, 00000001.00000002.468016701.0000000000E9A000.00000004.00000020.sdmp |
String found in binary or memory: http://194.187.133.160:443/rRPAuzYPI/PCfjdWIpUQcAD/TNhKcjKj/nadJLloIjR2s5GA9b/NUnsi05bbdpoKVYXGgn/R8 |
Source: ipsmsnap.exe, 00000001.00000003.276535300.00000000030C4000.00000004.00000001.sdmp |
String found in binary or memory: http://74.219.172.26/3vre0AbvHoC/72zolH2gtmnbq3QOxa/GmI2ntvI/3wNRQ8Motcr5/ |
Source: svchost.exe, 00000004.00000002.470968831.0000025BE688D000.00000004.00000001.sdmp |
String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0 |
Source: svchost.exe, 00000004.00000002.470968831.0000025BE688D000.00000004.00000001.sdmp |
String found in binary or memory: http://ocsp.digicert.com0: |
Source: svchost.exe, 00000004.00000002.470968831.0000025BE688D000.00000004.00000001.sdmp |
String found in binary or memory: http://ocsp.msocsp.com0 |
Source: svchost.exe, 00000004.00000002.470303423.0000025BE66A0000.00000002.00000001.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. |
Source: svchost.exe, 00000009.00000002.309127915.00000184DC213000.00000004.00000001.sdmp |
String found in binary or memory: http://www.bingmapsportal.com |
Source: svchost.exe, 00000006.00000002.467720725.0000025C8183D000.00000004.00000001.sdmp |
String found in binary or memory: https://%s.dnet.xboxlive.com |
Source: svchost.exe, 00000006.00000002.467720725.0000025C8183D000.00000004.00000001.sdmp |
String found in binary or memory: https://%s.xboxlive.com |
Source: svchost.exe, 00000006.00000002.467720725.0000025C8183D000.00000004.00000001.sdmp |
String found in binary or memory: https://activity.windows.com |
Source: svchost.exe, 00000009.00000003.308854579.00000184DC261000.00000004.00000001.sdmp |
String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net |
Source: svchost.exe, 00000006.00000002.467720725.0000025C8183D000.00000004.00000001.sdmp |
String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device |
Source: svchost.exe, 00000006.00000002.467720725.0000025C8183D000.00000004.00000001.sdmp |
String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device |
Source: svchost.exe, 00000009.00000003.308869309.00000184DC249000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ |
Source: svchost.exe, 00000009.00000003.308869309.00000184DC249000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/ |
Source: svchost.exe, 00000009.00000003.308854579.00000184DC261000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations |
Source: svchost.exe, 00000009.00000002.309161825.00000184DC23D000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/ |
Source: svchost.exe, 00000009.00000003.308869309.00000184DC249000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/ |
Source: svchost.exe, 00000009.00000003.308854579.00000184DC261000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx |
Source: svchost.exe, 00000009.00000003.308835499.00000184DC250000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v= |
Source: svchost.exe, 00000009.00000003.308869309.00000184DC249000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/ |
Source: svchost.exe, 00000009.00000003.308854579.00000184DC261000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations |
Source: svchost.exe, 00000009.00000002.309161825.00000184DC23D000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/ |
Source: svchost.exe, 00000009.00000003.308854579.00000184DC261000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving |
Source: svchost.exe, 00000009.00000003.308854579.00000184DC261000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit |
Source: svchost.exe, 00000009.00000003.308854579.00000184DC261000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking |
Source: svchost.exe, 00000009.00000003.287207473.00000184DC230000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/ |
Source: svchost.exe, 00000009.00000002.309167893.00000184DC242000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/ |
Source: svchost.exe, 00000009.00000002.309167893.00000184DC242000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n= |
Source: svchost.exe, 00000009.00000003.308854579.00000184DC261000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx |
Source: svchost.exe, 00000009.00000003.308864231.00000184DC24C000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? |
Source: svchost.exe, 00000009.00000003.287207473.00000184DC230000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry= |
Source: svchost.exe, 00000009.00000003.308869309.00000184DC249000.00000004.00000001.sdmp |
String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= |
Source: svchost.exe, 00000009.00000003.308864231.00000184DC24C000.00000004.00000001.sdmp |
String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= |
Source: svchost.exe, 00000009.00000003.308864231.00000184DC24C000.00000004.00000001.sdmp |
String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= |
Source: svchost.exe, 00000009.00000002.309195425.00000184DC265000.00000004.00000001.sdmp |
String found in binary or memory: https://dynamic.t |
Source: svchost.exe, 00000009.00000003.308854579.00000184DC261000.00000004.00000001.sdmp |
String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx |
Source: svchost.exe, 00000009.00000002.309161825.00000184DC23D000.00000004.00000001.sdmp |
String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ |
Source: svchost.exe, 00000009.00000003.287207473.00000184DC230000.00000004.00000001.sdmp |
String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v= |
Source: svchost.exe, 00000009.00000002.309161825.00000184DC23D000.00000004.00000001.sdmp |
String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx |
Source: svchost.exe, 00000009.00000002.309161825.00000184DC23D000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.309127915.00000184DC213000.00000004.00000001.sdmp |
String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= |
Source: svchost.exe, 00000009.00000003.287207473.00000184DC230000.00000004.00000001.sdmp |
String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= |
Source: svchost.exe, 00000009.00000003.308892949.00000184DC245000.00000004.00000001.sdmp |
String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= |
Source: svchost.exe, 00000009.00000003.287207473.00000184DC230000.00000004.00000001.sdmp |
String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= |
Source: svchost.exe, 00000009.00000002.309155756.00000184DC239000.00000004.00000001.sdmp |
String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen |
Source: svchost.exe, 00000009.00000003.308835499.00000184DC250000.00000004.00000001.sdmp |
String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen |
Source: Yara match |
File source: 1.2.ipsmsnap.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.2.ipsmsnap.exe.e5279e.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.2.ipsmsnap.exe.e5052e.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.PHvqpLRfRl.exe.3f279e.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.PHvqpLRfRl.exe.3f052e.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.PHvqpLRfRl.exe.980000.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.2.ipsmsnap.exe.e5052e.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.PHvqpLRfRl.exe.3f279e.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.2.ipsmsnap.exe.e5279e.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.PHvqpLRfRl.exe.3f052e.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000001.00000002.467934925.0000000000E50000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000002.467384235.0000000000401000.00000020.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.202006890.00000000003F0000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.202145856.0000000000814000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.202173410.0000000000981000.00000020.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000002.467972344.0000000000E64000.00000004.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: 0_2_01159723 |
0_2_01159723 |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: 0_2_0114AFA8 |
0_2_0114AFA8 |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: 0_2_0115A181 |
0_2_0115A181 |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: 0_2_01154057 |
0_2_01154057 |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: 0_2_0115D060 |
0_2_0115D060 |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: 0_2_011533D5 |
0_2_011533D5 |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: 0_2_0114DBCA |
0_2_0114DBCA |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: 0_2_011572CB |
0_2_011572CB |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: 0_2_01153C22 |
0_2_01153C22 |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: 0_2_011537ED |
0_2_011537ED |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: 0_2_01158660 |
0_2_01158660 |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: 0_2_01152EE1 |
0_2_01152EE1 |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: 0_2_003F380E |
0_2_003F380E |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: 0_2_003F98FE |
0_2_003F98FE |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: 0_2_003F90CE |
0_2_003F90CE |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: 0_2_003F9C6E |
0_2_003F9C6E |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: 0_2_003F7F8E |
0_2_003F7F8E |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_01159723 |
1_2_01159723 |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_0114AFA8 |
1_2_0114AFA8 |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_0115A181 |
1_2_0115A181 |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_01154057 |
1_2_01154057 |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_0115D060 |
1_2_0115D060 |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_011533D5 |
1_2_011533D5 |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_0114DBCA |
1_2_0114DBCA |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_011572CB |
1_2_011572CB |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_01153C22 |
1_2_01153C22 |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_011537ED |
1_2_011537ED |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_01158660 |
1_2_01158660 |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_01152EE1 |
1_2_01152EE1 |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_004080D0 |
1_2_004080D0 |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_004063F0 |
1_2_004063F0 |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_00401C70 |
1_2_00401C70 |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_00407D60 |
1_2_00407D60 |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_00407530 |
1_2_00407530 |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_00E598FE |
1_2_00E598FE |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_00E590CE |
1_2_00E590CE |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_00E59C6E |
1_2_00E59C6E |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_00E5380E |
1_2_00E5380E |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_00E57F8E |
1_2_00E57F8E |
Source: unknown |
Process created: C:\Users\user\Desktop\PHvqpLRfRl.exe 'C:\Users\user\Desktop\PHvqpLRfRl.exe' |
|
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Process created: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
|
Source: unknown |
Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS |
|
Source: unknown |
Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService |
|
Source: unknown |
Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc |
|
Source: unknown |
Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup |
|
Source: unknown |
Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc |
|
Source: unknown |
Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p |
|
Source: unknown |
Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe |
|
Source: unknown |
Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc |
|
Source: unknown |
Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p |
|
Source: C:\Windows\System32\svchost.exe |
Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable |
|
Source: C:\Program Files\Windows Defender\MpCmdRun.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: unknown |
Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p |
|
Source: unknown |
Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p |
|
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: 0_2_01156216 push ecx; ret |
0_2_01156229 |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: 0_2_0114B2E5 push ecx; ret |
0_2_0114B2F8 |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: 0_2_003F782E push ecx; mov dword ptr [esp], 00002224h |
0_2_003F782F |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: 0_2_003FE015 push 0000003Bh; ret |
0_2_003FE01A |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: 0_2_003F786E push ecx; mov dword ptr [esp], 0000A465h |
0_2_003F786F |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: 0_2_003F78BE push ecx; mov dword ptr [esp], 0000C239h |
0_2_003F78BF |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: 0_2_003F788E push ecx; mov dword ptr [esp], 00000E88h |
0_2_003F788F |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: 0_2_003F790E push ecx; mov dword ptr [esp], 0000B4A4h |
0_2_003F790F |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: 0_2_003F797E push ecx; mov dword ptr [esp], 0000272Ah |
0_2_003F797F |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: 0_2_003F794E push ecx; mov dword ptr [esp], 00001190h |
0_2_003F794F |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: 0_2_003F79DE push ecx; mov dword ptr [esp], 0000C126h |
0_2_003F79DF |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: 0_2_003F7A3E push ecx; mov dword ptr [esp], 00008285h |
0_2_003F7A3F |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: 0_2_003F7A7E push ecx; mov dword ptr [esp], 00006DE4h |
0_2_003F7A7F |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: 0_2_003FD76E push ecx; retf |
0_2_003FD7A5 |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: 0_2_003F77EE push ecx; mov dword ptr [esp], 00008F8Eh |
0_2_003F77EF |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_01156216 push ecx; ret |
1_2_01156229 |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_0114B2E5 push ecx; ret |
1_2_0114B2F8 |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_00405C50 push ecx; mov dword ptr [esp], 00008F8Eh |
1_2_00405C51 |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_00405CD0 push ecx; mov dword ptr [esp], 0000A465h |
1_2_00405CD1 |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_00405CF0 push ecx; mov dword ptr [esp], 00000E88h |
1_2_00405CF1 |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_00405C90 push ecx; mov dword ptr [esp], 00002224h |
1_2_00405C91 |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_00405D70 push ecx; mov dword ptr [esp], 0000B4A4h |
1_2_00405D71 |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_00405D20 push ecx; mov dword ptr [esp], 0000C239h |
1_2_00405D21 |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_00405DE0 push ecx; mov dword ptr [esp], 0000272Ah |
1_2_00405DE1 |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_00405DB0 push ecx; mov dword ptr [esp], 00001190h |
1_2_00405DB1 |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_00405E40 push ecx; mov dword ptr [esp], 0000C126h |
1_2_00405E41 |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_00405EE0 push ecx; mov dword ptr [esp], 00006DE4h |
1_2_00405EE1 |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_00405EA0 push ecx; mov dword ptr [esp], 00008285h |
1_2_00405EA1 |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_00E578BE push ecx; mov dword ptr [esp], 0000C239h |
1_2_00E578BF |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_00E5788E push ecx; mov dword ptr [esp], 00000E88h |
1_2_00E5788F |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_00E5786E push ecx; mov dword ptr [esp], 0000A465h |
1_2_00E5786F |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: 0_2_0114AFA8 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, |
0_2_0114AFA8 |
Source: svchost.exe, 00000004.00000002.468125375.0000025BE102A000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V RAW@` |
Source: svchost.exe, 00000006.00000002.470048622.0000025C82540000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.406272493.000002D9E9EB0000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.442538315.0000020D20460000.00000002.00000001.sdmp |
Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed. |
Source: ipsmsnap.exe, 00000001.00000002.468016701.0000000000E9A000.00000004.00000020.sdmp, svchost.exe, 00000004.00000002.470829364.0000025BE6861000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V RAW |
Source: svchost.exe, 00000005.00000002.467871912.000001431E402000.00000004.00000001.sdmp |
Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService |
Source: svchost.exe, 00000006.00000002.470048622.0000025C82540000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.406272493.000002D9E9EB0000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.442538315.0000020D20460000.00000002.00000001.sdmp |
Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service. |
Source: ipsmsnap.exe, 00000001.00000002.470677696.00000000030B0000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V RAW ' |
Source: svchost.exe, 00000006.00000002.470048622.0000025C82540000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.406272493.000002D9E9EB0000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.442538315.0000020D20460000.00000002.00000001.sdmp |
Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported. |
Source: svchost.exe, 00000005.00000002.467943438.000001431E429000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.467809094.0000025C8186A000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.468178940.00000224C302A000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: svchost.exe, 00000006.00000002.470048622.0000025C82540000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.406272493.000002D9E9EB0000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.442538315.0000020D20460000.00000002.00000001.sdmp |
Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service. |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: 0_2_003F689E mov eax, dword ptr fs:[00000030h] |
0_2_003F689E |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: 0_2_003F095E mov eax, dword ptr fs:[00000030h] |
0_2_003F095E |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: 0_2_003F59DE mov eax, dword ptr fs:[00000030h] |
0_2_003F59DE |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: 0_2_003F0456 mov eax, dword ptr fs:[00000030h] |
0_2_003F0456 |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: 0_2_00811030 mov eax, dword ptr fs:[00000030h] |
0_2_00811030 |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_00404D00 mov eax, dword ptr fs:[00000030h] |
1_2_00404D00 |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_00403E40 mov eax, dword ptr fs:[00000030h] |
1_2_00403E40 |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_00E5689E mov eax, dword ptr fs:[00000030h] |
1_2_00E5689E |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_00E50456 mov eax, dword ptr fs:[00000030h] |
1_2_00E50456 |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_00E559DE mov eax, dword ptr fs:[00000030h] |
1_2_00E559DE |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_00E5095E mov eax, dword ptr fs:[00000030h] |
1_2_00E5095E |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: 1_2_00E61030 mov eax, dword ptr fs:[00000030h] |
1_2_00E61030 |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: EnumSystemLocalesW, |
0_2_01155179 |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, |
0_2_011551FC |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: GetLocaleInfoW, |
0_2_0115500C |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: EnumSystemLocalesW, |
0_2_011550BC |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: EnumSystemLocalesW, |
0_2_011550FC |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: GetLocaleInfoW, |
0_2_011553F1 |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, |
0_2_0115551B |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: EnumSystemLocalesW, |
0_2_01150D02 |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: GetLocaleInfoW, |
0_2_01150D3F |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: GetLocaleInfoW, |
0_2_011555C8 |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: _GetLcidFromLangCountry,_GetLcidFromLangCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, |
0_2_01155632 |
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe |
Code function: _GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,IsValidCodePage,GetLocaleInfoW, |
0_2_01154E48 |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: EnumSystemLocalesW, |
1_2_01155179 |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, |
1_2_011551FC |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: GetLocaleInfoW, |
1_2_0115500C |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: EnumSystemLocalesW, |
1_2_011550BC |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: EnumSystemLocalesW, |
1_2_011550FC |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: GetLocaleInfoW, |
1_2_011553F1 |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, |
1_2_0115551B |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: EnumSystemLocalesW, |
1_2_01150D02 |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: GetLocaleInfoW, |
1_2_01150D3F |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: GetLocaleInfoW, |
1_2_011555C8 |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: _GetLcidFromLangCountry,_GetLcidFromLangCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, |
1_2_01155632 |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Code function: _GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,IsValidCodePage,GetLocaleInfoW, |
1_2_01154E48 |
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe |
Queries volume information: C:\ VolumeInformation |
Source: C:\Windows\System32\svchost.exe |
Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation |
Source: C:\Windows\System32\svchost.exe |
Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation |
Source: C:\Windows\System32\svchost.exe |
Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation |
Source: C:\Windows\System32\svchost.exe |
Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation |
Source: C:\Windows\System32\svchost.exe |
Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation |
Source: C:\Windows\System32\svchost.exe |
Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation |
Source: C:\Windows\System32\svchost.exe |
Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation |
Source: C:\Windows\System32\svchost.exe |
Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation |
Source: C:\Windows\System32\svchost.exe |
Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation |
Source: C:\Windows\System32\svchost.exe |
Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation |
Source: C:\Windows\System32\svchost.exe |
Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation |
Source: C:\Windows\System32\svchost.exe |
Queries volume information: C:\ VolumeInformation |
Source: C:\Windows\System32\svchost.exe |
Queries volume information: C:\ VolumeInformation |
Source: Yara match |
File source: 1.2.ipsmsnap.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.2.ipsmsnap.exe.e5279e.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.2.ipsmsnap.exe.e5052e.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.PHvqpLRfRl.exe.3f279e.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.PHvqpLRfRl.exe.3f052e.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.PHvqpLRfRl.exe.980000.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.2.ipsmsnap.exe.e5052e.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.PHvqpLRfRl.exe.3f279e.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.2.ipsmsnap.exe.e5279e.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.PHvqpLRfRl.exe.3f052e.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000001.00000002.467934925.0000000000E50000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000002.467384235.0000000000401000.00000020.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.202006890.00000000003F0000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.202145856.0000000000814000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.202173410.0000000000981000.00000020.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000002.467972344.0000000000E64000.00000004.00000001.sdmp, type: MEMORY |