Windows Analysis Report M2hsMd9hTq

Overview

General Information

Sample Name:	M2hsMd9hTq (renamed file extension from none to dll)
Analysis ID:	553120
MD5:	707ec8851adeff69bdb3204692c340a8
SHA1:	b51315290d9b490c55663a572bd85999f3267b7a
SHA256:	a6d1ed377e3de0ae885c14ca65c2eafba01207e058ac353289182800a95b5fea
Tags:	32dllexetrojan
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Changes security center settings (notifications, updates, antivirus, firewall)

Machine Learning detection for sample

Sigma detected: Suspicious Call by Ordinal

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

PE file contains strange resources

Tries to load missing DLLs

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Connects to several IPs in different countries

Potential key logger detected (key state polling based)

Registers a DLL

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries disk information (often used to detect virtual machines)

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 8.2.rundll32.exe.5310000.2.raw.unpack

Malware Configuration Extractor: Emotet {"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"]}

Multi AV Scanner detection for submitted file

Source: M2hsMd9hTq.dll	Virustotal: Detection: 25%			Perma Link
Source: M2hsMd9hTq.dll	ReversingLabs: Detection: 34%

Antivirus detection for URL or domain

Source: https://45.138.98.34/1	Avira URL Cloud: Label: malware
Source: https://45.138.98.34/	Avira URL Cloud: Label: malware
Source: https://45.138.98.34:80/qIFNheLVNvvPNSNxkwhjxonGRMtffKSDvVT	Avira URL Cloud: Label: malware

Machine Learning detection for sample

Source: M2hsMd9hTq.dll

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Source: M2hsMd9hTq.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.5:49758 -> 45.138.98.34:80
Source: Traffic	Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.5:49759 -> 69.16.218.101:8080

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 69.16.218.101 144			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 45.138.98.34 80			Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 45.138.98.34:80
Source: Malware configuration extractor	IPs: 69.16.218.101:8080
Source: Malware configuration extractor	IPs: 51.210.242.234:8080
Source: Malware configuration extractor	IPs: 185.148.168.220:8080
Source: Malware configuration extractor	IPs: 142.4.219.173:8080
Source: Malware configuration extractor	IPs: 54.38.242.185:443
Source: Malware configuration extractor	IPs: 191.252.103.16:80
Source: Malware configuration extractor	IPs: 104.131.62.48:8080
Source: Malware configuration extractor	IPs: 62.171.178.147:8080
Source: Malware configuration extractor	IPs: 217.182.143.207:443
Source: Malware configuration extractor	IPs: 168.197.250.14:80
Source: Malware configuration extractor	IPs: 37.44.244.177:8080
Source: Malware configuration extractor	IPs: 66.42.57.149:443
Source: Malware configuration extractor	IPs: 210.57.209.142:8080
Source: Malware configuration extractor	IPs: 159.69.237.188:443
Source: Malware configuration extractor	IPs: 116.124.128.206:8080
Source: Malware configuration extractor	IPs: 128.199.192.135:8080
Source: Malware configuration extractor	IPs: 195.154.146.35:443
Source: Malware configuration extractor	IPs: 185.148.168.15:8080
Source: Malware configuration extractor	IPs: 195.77.239.39:8080
Source: Malware configuration extractor	IPs: 207.148.81.119:8080
Source: Malware configuration extractor	IPs: 85.214.67.203:8080
Source: Malware configuration extractor	IPs: 190.90.233.66:443
Source: Malware configuration extractor	IPs: 78.46.73.125:443
Source: Malware configuration extractor	IPs: 78.47.204.80:443
Source: Malware configuration extractor	IPs: 37.59.209.141:8080
Source: Malware configuration extractor	IPs: 54.37.228.122:443

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View	IP Address: 104.131.62.48 104.131.62.48

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.5:49759 -> 69.16.218.101:8080

Connects to several IPs in different countries

Source: unknown

Network traffic detected: IP country count 12

Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101

Source: svchost.exe, 00000021.00000003.571824588.000002A23118D000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.facebook.com (Facebook)
Source: svchost.exe, 00000021.00000003.571824588.000002A23118D000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.twitter.com (Twitter)
Source: svchost.exe, 00000021.00000003.571841091.000002A23119E000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.571824588.000002A23118D000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z\|\|.\|\|d5cdcec3-04df-404e-ba07-3240047c89f9\|\|1152921505694348672\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 00000021.00000003.571841091.000002A23119E000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.571824588.000002A23118D000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z\|\|.\|\|d5cdcec3-04df-404e-ba07-3240047c89f9\|\|1152921505694348672\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab

Source: rundll32.exe, 0000000A.00000003.287573549.000000000355C000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000002.762587120.000000000355C000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.603169778.0000023DBF886000.00000004.00000001.sdmp, svchost.exe, 00000021.00000002.587498496.000002A231119000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000000C.00000002.603169778.0000023DBF886000.00000004.00000001.sdmp, svchost.exe, 00000021.00000002.587230521.000002A2308E8000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ver)
Source: rundll32.exe, 0000000A.00000003.287573549.000000000355C000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000002.762587120.000000000355C000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.10.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 0000000A.00000003.287598003.0000000003514000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000003.284605285.0000000005B24000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000002.762430065.0000000003514000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?4bff1f73ae559
Source: rundll32.exe, 0000000A.00000003.287573549.000000000355C000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000002.762587120.000000000355C000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabe
Source: rundll32.exe, 0000000A.00000003.287598003.0000000003514000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000002.762430065.0000000003514000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enn
Source: svchost.exe, 00000021.00000003.568374017.000002A23116C000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567636049.000002A231196000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567551923.000002A231602000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567736212.000002A231621000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567519693.000002A231186000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567531380.000002A231196000.00000004.00000001.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000010.00000002.307173784.000001B50CE13000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000E.00000002.761004522.000002866503E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000E.00000002.761004522.000002866503E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: rundll32.exe, 0000000A.00000003.287598003.0000000003514000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000002.762430065.0000000003514000.00000004.00000001.sdmp	String found in binary or memory: https://45.138.98.34/
Source: rundll32.exe, 0000000A.00000003.287598003.0000000003514000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000002.762430065.0000000003514000.00000004.00000001.sdmp	String found in binary or memory: https://45.138.98.34/1
Source: rundll32.exe, 0000000A.00000003.287598003.0000000003514000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000002.762430065.0000000003514000.00000004.00000001.sdmp	String found in binary or memory: https://45.138.98.34:80/qIFNheLVNvvPNSNxkwhjxonGRMtffKSDvVT
Source: rundll32.exe, 0000000A.00000003.287598003.0000000003514000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000002.762430065.0000000003514000.00000004.00000001.sdmp	String found in binary or memory: https://69.16.218.101/
Source: rundll32.exe, 0000000A.00000003.287598003.0000000003514000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000002.762430065.0000000003514000.00000004.00000001.sdmp	String found in binary or memory: https://69.16.218.101/T
Source: rundll32.exe, 0000000A.00000002.762430065.0000000003514000.00000004.00000001.sdmp	String found in binary or memory: https://69.16.218.101:8080/NkSVeNqehcFPnIYSRqyWkDgFYPfQVpAkO
Source: rundll32.exe, 0000000A.00000003.287598003.0000000003514000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000002.762430065.0000000003514000.00000004.00000001.sdmp	String found in binary or memory: https://69.16.218.101:8080/NkSVeNqehcFPnIYSRqyWkDgFYPfQVpAkON
Source: svchost.exe, 0000000E.00000002.761004522.000002866503E000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000010.00000003.306784912.000001B50CE61000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000E.00000002.761004522.000002866503E000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000E.00000002.761004522.000002866503E000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000010.00000003.306825607.000001B50CE49000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000010.00000003.306784912.000001B50CE61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000010.00000002.307226516.000001B50CE3D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000010.00000003.306756140.000001B50CE67000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.307290539.000001B50CE69000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000010.00000003.306784912.000001B50CE61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000010.00000003.306805584.000001B50CE4D000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.307252680.000001B50CE4E000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000010.00000003.284823827.000001B50CE30000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000010.00000002.307226516.000001B50CE3D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000010.00000003.306784912.000001B50CE61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000010.00000003.306784912.000001B50CE61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000010.00000003.306784912.000001B50CE61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000010.00000003.284823827.000001B50CE30000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000010.00000003.306889893.000001B50CE41000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.307239059.000001B50CE42000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.306854743.000001B50CE40000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000010.00000003.306889893.000001B50CE41000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.307239059.000001B50CE42000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.306854743.000001B50CE40000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000010.00000003.306784912.000001B50CE61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000010.00000003.306854743.000001B50CE40000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.307245662.000001B50CE4B000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.306825607.000001B50CE49000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000010.00000003.284823827.000001B50CE30000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=
Source: svchost.exe, 00000021.00000003.568374017.000002A23116C000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567636049.000002A231196000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567551923.000002A231602000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567736212.000002A231621000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567519693.000002A231186000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567531380.000002A231196000.00000004.00000001.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000010.00000003.306825607.000001B50CE49000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000010.00000002.307245662.000001B50CE4B000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.306825607.000001B50CE49000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000010.00000002.307245662.000001B50CE4B000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.306825607.000001B50CE49000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000010.00000002.307252680.000001B50CE4E000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000010.00000003.306784912.000001B50CE61000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000010.00000002.307226516.000001B50CE3D000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.284823827.000001B50CE30000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000010.00000003.284823827.000001B50CE30000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000010.00000002.307226516.000001B50CE3D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000010.00000002.307173784.000001B50CE13000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.307226516.000001B50CE3D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000010.00000003.306854743.000001B50CE40000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.306884229.000001B50CE45000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000010.00000003.306854743.000001B50CE40000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.306884229.000001B50CE45000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000010.00000003.284823827.000001B50CE30000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000010.00000002.307214272.000001B50CE39000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.284823827.000001B50CE30000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000010.00000002.307173784.000001B50CE13000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 00000021.00000003.568374017.000002A23116C000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567636049.000002A231196000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567551923.000002A231602000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567736212.000002A231621000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567519693.000002A231186000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567531380.000002A231196000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000021.00000003.568374017.000002A23116C000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567636049.000002A231196000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567551923.000002A231602000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567736212.000002A231621000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567519693.000002A231186000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.567531380.000002A231196000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000021.00000003.568771357.000002A2311AD000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.568746551.000002A2311AD000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.568828899.000002A231602000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.568808654.000002A231196000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.568796159.000002A231185000.00000004.00000001.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_100012D0 recvfrom,

3_2_100012D0

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Potential key logger detected (key state polling based)

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1000FF59 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,		3_2_1000FF59
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000FF59 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,		4_2_1000FF59

E-Banking Fraud:

Yara detected Emotet

Source: Yara match	File source: 10.2.rundll32.exe.5d70000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.23d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5790000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4ed0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5480000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4e90000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5310000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5fd0000.22.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.53f0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.51a0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.3360000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.40d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5aa0000.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.51d0000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.54f0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.36e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.5020000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5340000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4ff0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4850000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5600000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.54f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.5050000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.55d0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5730000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.2790000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4db0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5310000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5450000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4df0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.57c0000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5c70000.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4d60000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4cc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5870000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4fc0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5a70000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.3070000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5520000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.59c0000.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5730000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.6000000.23.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.3330000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5da0000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5d70000.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.26d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5990000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5870000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.53f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.3330000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5790000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4e60000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.58a0000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5a70000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5990000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5450000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.5020000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.51a0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.23d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4d60000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.26d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5760000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5c70000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.3480000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5ca0000.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.3480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5420000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.3070000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4ed0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.5fd0000.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4cc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.55d0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4e60000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4fc0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.247708165.0000000004ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.764384798.0000000005D70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.251269260.0000000004DB1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.764593172.0000000005FD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.250801502.0000000004CC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.251317536.0000000004E60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.763160491.00000000054F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.251543763.0000000005450000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.251018853.0000000004851000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.254580749.0000000002791000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.763467558.0000000005790000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.764153228.0000000005C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.763888533.0000000005AA1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.763578627.0000000005870000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.763623141.00000000058A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.761812038.0000000003361000.00000020.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.251440561.0000000004FC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.250842742.0000000003070000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.763204211.0000000005521000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.247153008.00000000026D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.251348106.0000000005341000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.763293110.0000000005601000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.762842466.00000000036E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.251435374.00000000053F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.251474105.0000000004FF1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.254179155.00000000023D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.764675936.0000000006001000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.251540171.0000000005051000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.251287174.0000000005310000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.251612529.00000000051D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.764435934.0000000005DA1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.763511347.00000000057C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.251607526.0000000005481000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.763831341.0000000005A70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.764277951.0000000005CA1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.761623893.0000000003330000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.251214045.0000000004D60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.763416711.0000000005761000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.251508844.0000000005020000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.762037427.0000000003480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.250952211.0000000004DF1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.763764045.00000000059C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.251355041.0000000004E91000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.251487303.0000000005421000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.763708229.0000000005990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.251578591.00000000051A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.247650152.00000000040D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.763252082.00000000055D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.247759843.0000000005001000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.763375282.0000000005730000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files

Source: M2hsMd9hTq.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Deletes files inside the Windows folder

Source: C:\Windows\SysWOW64\rundll32.exe

File deleted: C:\Windows\SysWOW64\Zxfif\dcctxlgarqbqh.hrz:Zone.Identifier

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 10017BC1 appears 68 times
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 1001984C appears 48 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10017BC1 appears 68 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 1001984C appears 48 times

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll	Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\M2hsMd9hTq.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\M2hsMd9hTq.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\M2hsMd9hTq.dll
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\M2hsMd9hTq.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\M2hsMd9hTq.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\M2hsMd9hTq.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\M2hsMd9hTq.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Zxfif\dcctxlgarqbqh.hrz",JFJwcZZNDUCWxQ
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Zxfif\dcctxlgarqbqh.hrz",DllRegisterServer
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\M2hsMd9hTq.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\M2hsMd9hTq.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\M2hsMd9hTq.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\M2hsMd9hTq.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\M2hsMd9hTq.dll",DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\M2hsMd9hTq.dll",DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Zxfif\dcctxlgarqbqh.hrz",JFJwcZZNDUCWxQ	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Zxfif\dcctxlgarqbqh.hrz",DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: M2hsMd9hTq.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: M2hsMd9hTq.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: M2hsMd9hTq.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: M2hsMd9hTq.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: M2hsMd9hTq.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10019891 push ecx; ret	3_2_100198A4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10017C60 push ecx; ret	3_2_10017C73
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040D1195 push cs; iretd	3_2_040D1197
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10019891 push ecx; ret	4_2_100198A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10017C60 push ecx; ret	4_2_10017C73
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05001195 push cs; iretd	4_2_05001197
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04851195 push cs; iretd	5_2_04851197
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04DF1195 push cs; iretd	8_2_04DF1197

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Zxfif\dcctxlgarqbqh.hrz:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Jfqipigpage\lfkhkwabjlp.gvp:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1000D804 IsIconic,GetWindowPlacement,GetWindowRect,	3_2_1000D804
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10008B90 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,	3_2_10008B90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000D804 IsIconic,GetWindowPlacement,GetWindowRect,	4_2_1000D804
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10008B90 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,	4_2_10008B90

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\svchost.exe TID: 2272	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2880	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5916	Thread sleep time: -210000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\regsvr32.exe	API coverage: 4.9 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 4.9 %

Source: C:\Windows\SysWOW64\regsvr32.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node

Source: rundll32.exe, 0000000A.00000003.287598003.0000000003514000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000002.762430065.0000000003514000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWX
Source: svchost.exe, 0000000C.00000002.603148618.0000023DBF862000.00000004.00000001.sdmp	Binary or memory string: "@Hyper-V RAWGlobal\BFE_Notify_Event_{165f929e-c666-46f4-ace4-b77cc56f1e7e}LMEM
Source: rundll32.exe, 0000000A.00000003.287598003.0000000003514000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000002.762430065.0000000003514000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.603130519.0000023DBF84C000.00000004.00000001.sdmp, svchost.exe, 00000021.00000002.587037532.000002A23086B000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.586277347.000002A23086A000.00000004.00000001.sdmp, svchost.exe, 00000021.00000002.587230521.000002A2308E8000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000C.00000002.602838176.0000023DBA029000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW@Q
Source: svchost.exe, 0000000E.00000002.761004522.000002866503E000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000002.761009269.000001F052629000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_040DF7F7 mov eax, dword ptr fs:[00000030h]	3_2_040DF7F7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0500F7F7 mov eax, dword ptr fs:[00000030h]	4_2_0500F7F7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0485F7F7 mov eax, dword ptr fs:[00000030h]	5_2_0485F7F7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04DFF7F7 mov eax, dword ptr fs:[00000030h]	8_2_04DFF7F7

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1001C49A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_1001C49A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10021743 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_10021743
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_100167D5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_100167D5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1001FC21 SetUnhandledExceptionFilter,__encode_pointer,	3_2_1001FC21
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1001FC43 __decode_pointer,SetUnhandledExceptionFilter,	3_2_1001FC43
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001C49A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_1001C49A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10021743 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_10021743
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100167D5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_100167D5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001FC21 SetUnhandledExceptionFilter,__encode_pointer,	4_2_1001FC21
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001FC43 __decode_pointer,SetUnhandledExceptionFilter,	4_2_1001FC43

Source: rundll32.exe, 0000000A.00000002.762963759.0000000003AC0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 0000000A.00000002.762963759.0000000003AC0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 0000000A.00000002.762963759.0000000003AC0000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: rundll32.exe, 0000000A.00000002.762963759.0000000003AC0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: rundll32.exe, 0000000A.00000002.762963759.0000000003AC0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,	3_2_10027704
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,	3_2_1000A803
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoA,	3_2_10023880
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,	4_2_10027704
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,	4_2_1000A803
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,	4_2_10023880

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Windows Analysis Report M2hsMd9hTq

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Source: svchost.exe, 00000012.00000002.760931158.0000017D1C83D000.00000004.00000001.sdmp	Binary or memory string: &@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000012.00000002.760788276.0000017D1C813000.00000004.00000001.sdmp, svchost.exe, 00000012.00000002.761024824.0000017D1C902000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_100011C0 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt,		3_2_100011C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100011C0 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt,		4_2_100011C0

IP	Domain	Country	ASN	ASN Name	Malicious
207.148.81.119	unknown	United States	20473	AS-CHOOPAUS	true
104.131.62.48	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
85.214.67.203	unknown	Germany	6724	STRATOSTRATOAGDE	true
191.252.103.16	unknown	Brazil	27715	LocawebServicosdeInternetSABR	true
168.197.250.14	unknown	Argentina	264776	OmarAnselmoRipollTDCNETAR	true
66.42.57.149	unknown	United States	20473	AS-CHOOPAUS	true
185.148.168.15	unknown	Germany	44780	EVERSCALE-ASDE	true
51.210.242.234	unknown	France	16276	OVHFR	true
217.182.143.207	unknown	France	16276	OVHFR	true
69.16.218.101	unknown	United States	32244	LIQUIDWEBUS	true
159.69.237.188	unknown	Germany	24940	HETZNER-ASDE	true
45.138.98.34	unknown	Germany	9009	M247GB	true
116.124.128.206	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
78.46.73.125	unknown	Germany	24940	HETZNER-ASDE	true
37.59.209.141	unknown	France	16276	OVHFR	true
210.57.209.142	unknown	Indonesia	38142	UNAIR-AS-IDUniversitasAirlanggaID	true
185.148.168.220	unknown	Germany	44780	EVERSCALE-ASDE	true
54.37.228.122	unknown	France	16276	OVHFR	true
190.90.233.66	unknown	Colombia	18678	INTERNEXASAESPCO	true
142.4.219.173	unknown	Canada	16276	OVHFR	true
54.38.242.185	unknown	France	16276	OVHFR	true
195.154.146.35	unknown	France	12876	OnlineSASFR	true
195.77.239.39	unknown	Spain	60493	FICOSA-ASES	true
78.47.204.80	unknown	Germany	24940	HETZNER-ASDE	true
37.44.244.177	unknown	Germany	47583	AS-HOSTINGERLT	true
62.171.178.147	unknown	United Kingdom	51167	CONTABODE	true
128.199.192.135	unknown	United Kingdom	14061	DIGITALOCEAN-ASNUS	true

ID:	553120
Product:	CloudBasic
Start time:	10:50:42
Start date:	14.01.2022
Sample:	M2hsMd9hTq
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	707ec8851adeff69bdb3204692c340a8
SHA1:	b51315290d9b490c55663a572bd85999f3267b7a
SHA256:	a6d1ed377e3de0ae885c14ca65c2eafba01207e058ac353289182800a95b5fea
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 95.65%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Network\Downloader\edb.chk	data	BF1DC7D5D8DAD7478F426DF8B3F8BAA6	C6B0BDE788F553F865D65F773D8F6A3546887E42	BE47C764C38CA7A90A345BE183F5261E89B98743B5E35989E9A8BE0DA498C0F2
C:\ProgramData\Microsoft\Network\Downloader\edb.log	MPEG-4 LOAS	F7181E58DBD46FD6667C111BB57ADB6E	26A557E1C7992A5E5B45ADB790734B09C59E2648	03ED7237861CFBE9DE2AFDC3CC15579F975609AA850F29ECD1D6396761556CA8
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db	Extensible storage engine DataBase, version 0x620, checksum 0x7a4cdab4, page size 16384, Windows version 10.0	0B4230BCE3C5BC298429551F080EC64B	6806B5CEFE5834EAA742874B90DCE6276FA7F9F4	A59293E5432507411A916322A2BBD533BB47057674819361C551EA5C56AA8CA0
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm	data	205D325AC1F46E66A9DE7B8E779F3C9B	F783E1D4FDFF3148D3280EA06540BBC81ABDB4DF	F98AC8E0902251EFE71F7DA500DD9376E468F03A48DD5138D2DF6E7E8374F980
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, 61414 bytes, 1 file	ACAEDA60C79C6BCAC925EEB3653F45E0	2AAAE490BCDACCC6172240FF1697753B37AC5578	6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	92EA2BF893C01FECAF88971729F04467	BA9515C108D2C4B101CD8217CD30E2DBFA557CC6	6804AA30DEFE7C14FE33501BA5A76C27DD0ED9633C6DDBC5B7004B37E43D1BE3
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	ASCII text, with no line terminators	DCA83F08D448911A14C22EBCACC5AD57	91270525521B7FE0D986DB19747F47D34B6318AD	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators	EF4A738F9534F21AD28054EBE4A48DFE	EB61A050285D3D7F0C9D7B12AB89393B79726AF5	6AA3D787A7545C8162781DCB025E23C280B3D37B7FD62438C17B624E5088D1E1
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20220114_185158_945.etl	data	960DC335D5874DEED58AED46351578D7	8A91C73DE78B0277871C742A93F527DE746B248E	129E447D9FD9333FF2177EE47F697A1975898712C51A510FFE901DA5599FAE39