Windows Analysis Report
PYCkUgesWB.com_15e2f984de986ecb59e38a1c3a4a2300

Overview

General Information

Sample Name:	PYCkUgesWB.com_15e2f984de986ecb59e38a1c3a4a2300 (renamed file extension from com_15e2f984de986ecb59e38a1c3a4a2300 to dll)
Analysis ID:	666431
MD5:	15e2f984de986ecb59e38a1c3a4a2300
SHA1:	795383a71c9030a2c52624795a1e539bfedbf84c
SHA256:	1e9a7692e74e98ac5d21a4d3bfb3696d69d8306e4e42d53bcb4604b3dff420bb
Tags:	droppedexe
Infos:

Detection

Emotet

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Snort IDS alert for network traffic

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Found inlined nop instructions (likely shell or obfuscated code)

PE file contains an invalid checksum

PE file contains strange resources

Tries to load missing DLLs

Drops PE files to the windows directory (C:\Windows)

Detected TCP or UDP traffic on non-standard ports

Connects to several IPs in different countries

Registers a DLL

Queries disk information (often used to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: PYCkUgesWB.dll	Virustotal: Detection: 66%	Perma Link
Source: PYCkUgesWB.dll	Metadefender: Detection: 42%	Perma Link
Source: PYCkUgesWB.dll	ReversingLabs: Detection: 80%

Antivirus detection for URL or domain

Source: https://174.138.33.49:7080/a	Avira URL Cloud: Label: malware
Source: https://174.138.33.49:7080/s64	Avira URL Cloud: Label: malware
Source: https://174.138.33.49:7080/Num	Avira URL Cloud: Label: malware
Source: https://174.138.33.49:7080/u	Avira URL Cloud: Label: malware

Source: 0000000B.00000002.885655028.0000000000898000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Emotet {"C2 list": ["87.106.97.83:7080", "118.98.72.86:443", "93.104.209.107:8080", "157.230.99.206:8080", "104.244.79.94:443", "88.217.172.165:8080", "103.41.204.169:8080", "85.214.67.203:8080", "196.44.98.190:8080", "198.199.70.22:8080", "62.171.178.147:8080", "210.57.209.142:8080", "178.238.225.252:8080", "139.59.80.108:8080", "103.224.241.74:8080", "103.71.99.57:8080", "157.245.111.0:8080", "128.199.242.164:8080", "103.56.149.105:8080", "128.199.217.206:443", "85.25.120.45:8080", "190.145.8.4:443", "165.232.185.110:8080", "178.62.112.199:8080", "103.85.95.4:8080", "188.225.32.231:4143", "103.126.216.86:443", "37.44.244.177:8080", "64.227.55.231:8080", "190.107.19.179:443", "83.229.80.93:8080", "103.254.12.236:7080", "104.248.225.227:8080", "36.67.23.59:443", "43.129.209.178:443", "165.22.254.236:8080", "175.126.176.79:8080", "202.134.4.210:7080", "202.29.239.162:443", "46.101.98.60:8080", "54.37.228.122:443", "5.253.30.17:7080"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0yb8XUwABAI4=", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW6785UwAHAJM="]}

Source: C:\Windows\System32\regsvr32.exe

Code function: 11_2_000000018001C9F0 FindFirstFileW,FindNextFileW,

11_2_000000018001C9F0

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\System32\loaddll64.exe

Code function: 4x nop then movzx eax, byte ptr [rcx+rdx]

0_2_10005790

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe

Network Connect: 174.138.33.49 7080

Source: Malware configuration extractor	IPs: 87.106.97.83:7080
Source: Malware configuration extractor	IPs: 118.98.72.86:443
Source: Malware configuration extractor	IPs: 93.104.209.107:8080
Source: Malware configuration extractor	IPs: 157.230.99.206:8080
Source: Malware configuration extractor	IPs: 104.244.79.94:443
Source: Malware configuration extractor	IPs: 88.217.172.165:8080
Source: Malware configuration extractor	IPs: 103.41.204.169:8080
Source: Malware configuration extractor	IPs: 85.214.67.203:8080
Source: Malware configuration extractor	IPs: 196.44.98.190:8080
Source: Malware configuration extractor	IPs: 198.199.70.22:8080
Source: Malware configuration extractor	IPs: 62.171.178.147:8080
Source: Malware configuration extractor	IPs: 210.57.209.142:8080
Source: Malware configuration extractor	IPs: 178.238.225.252:8080
Source: Malware configuration extractor	IPs: 139.59.80.108:8080
Source: Malware configuration extractor	IPs: 103.224.241.74:8080
Source: Malware configuration extractor	IPs: 103.71.99.57:8080
Source: Malware configuration extractor	IPs: 157.245.111.0:8080
Source: Malware configuration extractor	IPs: 128.199.242.164:8080
Source: Malware configuration extractor	IPs: 103.56.149.105:8080
Source: Malware configuration extractor	IPs: 128.199.217.206:443
Source: Malware configuration extractor	IPs: 85.25.120.45:8080
Source: Malware configuration extractor	IPs: 190.145.8.4:443
Source: Malware configuration extractor	IPs: 165.232.185.110:8080
Source: Malware configuration extractor	IPs: 178.62.112.199:8080
Source: Malware configuration extractor	IPs: 103.85.95.4:8080
Source: Malware configuration extractor	IPs: 188.225.32.231:4143
Source: Malware configuration extractor	IPs: 103.126.216.86:443
Source: Malware configuration extractor	IPs: 37.44.244.177:8080
Source: Malware configuration extractor	IPs: 64.227.55.231:8080
Source: Malware configuration extractor	IPs: 190.107.19.179:443
Source: Malware configuration extractor	IPs: 83.229.80.93:8080
Source: Malware configuration extractor	IPs: 103.254.12.236:7080
Source: Malware configuration extractor	IPs: 104.248.225.227:8080
Source: Malware configuration extractor	IPs: 36.67.23.59:443
Source: Malware configuration extractor	IPs: 43.129.209.178:443
Source: Malware configuration extractor	IPs: 165.22.254.236:8080
Source: Malware configuration extractor	IPs: 175.126.176.79:8080
Source: Malware configuration extractor	IPs: 202.134.4.210:7080
Source: Malware configuration extractor	IPs: 202.29.239.162:443
Source: Malware configuration extractor	IPs: 46.101.98.60:8080
Source: Malware configuration extractor	IPs: 54.37.228.122:443
Source: Malware configuration extractor	IPs: 5.253.30.17:7080

Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49

Source: svchost.exe, 0000001B.00000003.752136141.000001705656F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals www.facebook.com (Facebook)
Source: svchost.exe, 0000001B.00000003.752136141.000001705656F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals www.twitter.com (Twitter)
Source: svchost.exe, 0000001B.00000003.752174346.0000017056580000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.752136141.000001705656F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-07-11T16:37:37.4991749Z\|\|.\|\|58dfb4d5-be7e-424e-8739-cac99224843f\|\|1152921505695035586\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 0000001B.00000003.752174346.0000017056580000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.752136141.000001705656F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-07-11T16:37:37.4991749Z\|\|.\|\|58dfb4d5-be7e-424e-8739-cac99224843f\|\|1152921505695035586\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab

Source: regsvr32.exe, 0000000B.00000003.802858560.000000000092E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.886096275.000000000092E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.887267999.000001897A662000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.777530501.000001705650B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.804759431.000001705650C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000001B.00000002.804530802.0000017055AEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: regsvr32.exe, 0000000B.00000002.885967879.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000003.803132902.00000000008F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 0000000B.00000003.802910460.000000000095B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.885863277.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000003.803078720.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.886221388.000000000095B000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.11.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 0000000B.00000003.574519632.000000000097A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?3a38e22c22
Source: svchost.exe, 0000001B.00000003.776121457.00000170565B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000012.00000002.886351225.0000018974CAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/0
Source: svchost.exe, 00000012.00000002.886351225.0000018974CAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addres
Source: regsvr32.exe, 0000000B.00000003.803078720.00000000008CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://174.138.33.49/
Source: regsvr32.exe, 0000000B.00000002.885863277.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000003.803078720.00000000008CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://174.138.33.49:7080/
Source: regsvr32.exe, 0000000B.00000002.885863277.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000003.803078720.00000000008CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://174.138.33.49:7080/Num
Source: regsvr32.exe, 0000000B.00000002.885863277.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000003.803078720.00000000008CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://174.138.33.49:7080/a
Source: regsvr32.exe, 0000000B.00000002.885863277.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000003.803078720.00000000008CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://174.138.33.49:7080/s64
Source: regsvr32.exe, 0000000B.00000002.885863277.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000003.803078720.00000000008CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://174.138.33.49:7080/u
Source: svchost.exe, 0000001B.00000003.776121457.00000170565B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000001B.00000003.772609747.0000017056585000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.772596708.0000017056582000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.771116472.00000170565B0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.771585831.000001705657C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.771543494.000001705657B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.771348384.000001705659E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.771440016.000001705657B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.771293341.0000017056A1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.771489113.000001705657B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.771257487.0000017056A1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.771315826.0000017056A02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.771513285.000001705657C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.771024338.000001705659E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.771224165.00000170565BA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.771633828.0000017056580000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.hotspotshield.com/
Source: svchost.exe, 0000001B.00000003.776121457.00000170565B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000001B.00000003.776121457.00000170565B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000001B.00000003.772609747.0000017056585000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.772596708.0000017056582000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.771116472.00000170565B0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.771585831.000001705657C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.771543494.000001705657B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.771348384.000001705659E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.771440016.000001705657B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.771293341.0000017056A1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.771489113.000001705657B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.771257487.0000017056A1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.771315826.0000017056A02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.771513285.000001705657C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.771024338.000001705659E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.771224165.00000170565BA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.771633828.0000017056580000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.hotspotshield.com/terms/
Source: svchost.exe, 0000001B.00000003.772609747.0000017056585000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.772596708.0000017056582000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.771116472.00000170565B0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.771585831.000001705657C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.771543494.000001705657B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.771348384.000001705659E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.771440016.000001705657B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.771293341.0000017056A1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.771489113.000001705657B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.771257487.0000017056A1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.771315826.0000017056A02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.771513285.000001705657C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.771024338.000001705659E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.771224165.00000170565BA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.771633828.0000017056580000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.pango.co/privacy
Source: svchost.exe, 0000001B.00000003.781191744.000001705659E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Source: Yara match	File source: 3.2.rundll32.exe.20500010000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.1b23e930000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll64.exe.1e200010000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.21dbea20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.regsvr32.exe.2310000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll64.exe.1e200010000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.regsvr32.exe.2310000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.21dbea20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.1580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.1580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.1ec47bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.1ec47bf0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.1b23e930000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.20500010000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.492629360.000001E200010000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.479464350.0000000001580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.492455276.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.477702534.000001EC47BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.887240071.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.477040143.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.466000340.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.886485279.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.466138189.000001B23E930000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.485258322.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.466579273.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.479882020.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.487464916.0000021DBEA20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.466935474.0000020500010000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\PYCkUgesWB.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\PYCkUgesWB.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\PYCkUgesWB.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PYCkUgesWB.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\PYCkUgesWB.dll,AjkRVrFNnyQmqXQdrComyaiwV
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\PYCkUgesWB.dll,AkMhEGvNFpnSswjeCw
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\PYCkUgesWB.dll,BMIWqtk
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XSYhmb\vuKI.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\AfzDfnhsGeYDyd\OsmuofIfhwEGDVL.dll"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\PYCkUgesWB.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\PYCkUgesWB.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\PYCkUgesWB.dll,AjkRVrFNnyQmqXQdrComyaiwV	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\PYCkUgesWB.dll,AkMhEGvNFpnSswjeCw	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\PYCkUgesWB.dll,BMIWqtk	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\AfzDfnhsGeYDyd\OsmuofIfhwEGDVL.dll"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PYCkUgesWB.dll",#1	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XSYhmb\vuKI.dll"	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180008C72 push ebp; ret		0_2_0000000180008C7D
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180008C72 push ebp; ret		2_2_0000000180008C7D

Source: C:\Windows\System32\loaddll64.exe	File opened: C:\Windows\system32\AfzDfnhsGeYDyd\OsmuofIfhwEGDVL.dll:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: C:\Windows\system32\XSYhmb\vuKI.dll:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\svchost.exe TID: 6920	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2704	Thread sleep time: -150000s >= -30000s			Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\loaddll64.exe	API call chain: ExitProcess graph end node

Source: regsvr32.exe, 0000000B.00000002.885983137.00000000008FD000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000003.803196731.00000000008FA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000003.803132902.00000000008F6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWY
Source: svchost.exe, 00000012.00000002.887267999.000001897A662000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 0000000A.00000002.885676626.000001DB4EC02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: regsvr32.exe, 0000000B.00000002.885983137.00000000008FD000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000003.803196731.00000000008FA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000003.803132902.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.886011420.0000018974C29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.887207397.000001897A64A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.804530802.0000017055AEA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.804366776.0000017055AAA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: regsvr32.exe, 0000000B.00000002.885863277.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000003.803078720.00000000008CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: regsvr32.exe, 00000002.00000003.469429616.0000000001420000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}6
Source: svchost.exe, 0000000A.00000002.885950299.000001DB4EC40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_10001050 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_10001050
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_10006C70 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_10006C70
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_10006580 SetUnhandledExceptionFilter,	0_2_10006580
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_100065B0 SetUnhandledExceptionFilter,	0_2_100065B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_10004660 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_10004660
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_10004700 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_10004700

Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
157.230.99.206	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
157.245.111.0	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
196.44.98.190	unknown	Ghana	327814	EcobandGH	true
202.29.239.162	unknown	Thailand	4621	UNINET-AS-APUNINET-TH	true
174.138.33.49	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
43.129.209.178	unknown	Japan	4249	LILLY-ASUS	true
103.41.204.169	unknown	Indonesia	58397	INFINYS-AS-IDPTInfinysSystemIndonesiaID	true
36.67.23.59	unknown	Indonesia	17974	TELKOMNET-AS2-APPTTelekomunikasiIndonesiaID	true
5.253.30.17	unknown	Latvia	18978	ENZUINC-US	true
85.214.67.203	unknown	Germany	6724	STRATOSTRATOAGDE	true
103.56.149.105	unknown	Indonesia	55688	BEON-AS-IDPTBeonIntermediaID	true
85.25.120.45	unknown	Germany	8972	GD-EMEA-DC-SXB1DE	true
83.229.80.93	unknown	United Kingdom	8513	SKYVISIONGB	true
198.199.70.22	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
93.104.209.107	unknown	Germany	8767	MNET-ASGermanyDE	true
188.225.32.231	unknown	Russian Federation	9123	TIMEWEB-ASRU	true
175.126.176.79	unknown	Korea Republic of	9523	MOKWON-AS-KRMokwonUniversityKR	true
128.199.242.164	unknown	United Kingdom	14061	DIGITALOCEAN-ASNUS	true
165.232.185.110	unknown	United States	22255	ALLEGHENYHEALTHNETWORKUS	true
103.126.216.86	unknown	Bangladesh	138482	SKYVIEW-AS-APSKYVIEWONLINELTDBD	true
104.248.225.227	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
178.238.225.252	unknown	Germany	51167	CONTABODE	true
128.199.217.206	unknown	United Kingdom	14061	DIGITALOCEAN-ASNUS	true
190.145.8.4	unknown	Colombia	14080	TelmexColombiaSACO	true
46.101.98.60	unknown	Netherlands	14061	DIGITALOCEAN-ASNUS	true
103.224.241.74	unknown	India	133296	WEBWERKS-AS-INWebWerksIndiaPvtLtdIN	true
103.71.99.57	unknown	India	135682	AWDHPL-AS-INAdvikaWebDevelopmentsHostingPvtLtdIN	true
210.57.209.142	unknown	Indonesia	38142	UNAIR-AS-IDUniversitasAirlanggaID	true
190.107.19.179	unknown	Colombia	27951	MediaCommercePartnersSACO	true
87.106.97.83	unknown	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
103.254.12.236	unknown	Viet Nam	56151	DIGISTAR-VNDigiStarCompanyLimitedVN	true
103.85.95.4	unknown	Indonesia	136077	IDNIC-UNSRAT-AS-IDUniversitasIslamNegeriMataramID	true
54.37.228.122	unknown	France	16276	OVHFR	true
202.134.4.210	unknown	Indonesia	7713	TELKOMNET-AS-APPTTelekomunikasiIndonesiaID	true
88.217.172.165	unknown	Germany	8767	MNET-ASGermanyDE	true
165.22.254.236	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
118.98.72.86	unknown	Indonesia	7713	TELKOMNET-AS-APPTTelekomunikasiIndonesiaID	true
139.59.80.108	unknown	Singapore	14061	DIGITALOCEAN-ASNUS	true
104.244.79.94	unknown	United States	53667	PONYNETUS	true
178.62.112.199	unknown	European Union	14061	DIGITALOCEAN-ASNUS	true
37.44.244.177	unknown	Germany	47583	AS-HOSTINGERLT	true
62.171.178.147	unknown	United Kingdom	51167	CONTABODE	true
64.227.55.231	unknown	United States	14061	DIGITALOCEAN-ASNUS	true

ID:	666431
Product:	CloudBasic
Start time:	19:09:11
Start date:	16.07.2022
Sample:	PYCkUgesWB.com_15e2f984de986ecb59e38a1c3a4a2300
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	15e2f984de986ecb59e38a1c3a4a2300
SHA1:	795383a71c9030a2c52624795a1e539bfedbf84c
SHA256:	1e9a7692e74e98ac5d21a4d3bfb3696d69d8306e4e42d53bcb4604b3dff420bb
Filetype:	Win64 Dynamic Link Library (generic) (102004/3) 86.43%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db	Extensible storage engine DataBase, version 0x620, checksum 0x4dfe4fb8, page size 16384, DirtyShutdown, Windows version 10.0	EB961E7113E3D08479E5A7A470B28163	97161FC542A63DB96B7287C22D11D1E19C706A19	2E4145142F92749B4EC51BF620D2BE8883371813557B449FE39A9BFE1DD20024
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, 61712 bytes, 1 file	589C442FC7A0C70DCA927115A700D41E	66A07DACE3AFBFD1AA07A47E6875BEAB62C4BB31	2E5CB72E9EB43BAAFB6C6BFCC573AAC92F49A8064C483F9D378A9E8E781A526A
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	CB006CC6314BF3DEB2C82425738A567F	91210AC0A73CDB5A354D2F1346B707377751F76E	5255C7343D802A3FE510DCC6B5E9DCA3DC3FB2BB8F891695F57354FA1812E6EA
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	ASCII text, with no line terminators	DCA83F08D448911A14C22EBCACC5AD57	91270525521B7FE0D986DB19747F47D34B6318AD	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9

Windows Analysis Report PYCkUgesWB.com_15e2f984de986ecb59e38a1c3a4a2300

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Windows Analysis Report
PYCkUgesWB.com_15e2f984de986ecb59e38a1c3a4a2300