Windows Analysis Report
psIFSn7VLi

Overview

General Information

Sample Name: psIFSn7VLi (renamed file extension from none to dll)
Analysis ID: 669356
MD5: 46c0c3d61c9d7de7b0d8e183217a6cc8
SHA1: ce31a65c73c0728e65d5385731d483f7e9f871c2
SHA256: 4533c9dc1c440bf97882358911acf6d3e25ff6b402ca442d752886904f72b786
Tags: 32, dll, exe, trojan

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Changes security center settings (notifications, updates, antivirus, firewall)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
AV process strings found (often used to terminate AV products)
Modifies existing windows services
PE file contains strange resources
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Registers a DLL
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: psIFSn7VLi.dll Virustotal: Detection: 63%
Source: https://51.91.76.89:8080/WUUUrykRKzQgKnGAgOWXwbTPpbZjnbjXYyUgItVQHAlMtltf Avira URL Cloud: Label: malware
Source: https://51.91.7.5/ Avira URL Cloud: Label: malware
Source: https://206.188.212.92:8080/WvwiYegTHwVudezOCrWPjYKhpMeUQep Avira URL Cloud: Label: malware
Source: https://46.55.222.11/TBwKHjQjVeCWIQFS Avira URL Cloud: Label: malware
Source: https://79.172.212.216:8080/VNwOftDFidReElfWGyCwgb Avira URL Cloud: Label: malware
Source: https://192.99.251.50/njigQUBviBvfjJoFmpOFCcuxzCMjisKOYgnAJJuZGrOYExdzIkjfPaaGvSwrlp Avira URL Cloud: Label: malware
Source: https://46.55.222.11/.50.40.183:80/YQXxdxwQWLyBEVjMOlgty Avira URL Cloud: Label: malware
Source: https://120.50.40.183/rosoft Avira URL Cloud: Label: malware
Source: https://51.91.7.5:8080/EEsdElRrfqZScZWLqBhRqLSt Avira URL Cloud: Label: malware
Source: https://103.221.221.247:8080/ Avira URL Cloud: Label: malware
Source: https://131.100.24.231:80/MIMNtRZxLqGHZoTXVDtaMauEeLlGAjcyCUbpgyHmvtdbZTHIDbPoaw Avira URL Cloud: Label: malware
Source: https://192.99.251.50/: Avira URL Cloud: Label: malware
Source: https://192.99.251.50/F Avira URL Cloud: Label: malware
Source: https://192.99.251.50/ Avira URL Cloud: Label: malware
Source: https://131.100.24.231/ Avira URL Cloud: Label: malware
Source: https://103.221.221.247:8080/PosEzINMiHgCPAexqpnbXngfJaZeCEEsiTgLE3062332-1002 Avira URL Cloud: Label: malware
Source: https://46.55.222.11/TBwKHjQjVeCWIQFSz Avira URL Cloud: Label: malware
Source: https://149.56.128.192/SSYKvnZUOEUlRtjgPVsscjkUTaNTgTQQvJUHkyX- Avira URL Cloud: Label: malware
Source: https://149.56.128.192/SSYKvnZUOEUlRtjgPVsscjkUTaNTgTQQvJUHkyX Avira URL Cloud: Label: malware
Source: https://79.172.212.216:8080/VNwOftDFidReElfWGyCwg( Avira URL Cloud: Label: malware
Source: https://185.157.82.211/ Avira URL Cloud: Label: malware
Source: https://79.172.212.216:8080/nes Avira URL Cloud: Label: malware
Source: https://51.91.76.89/ Avira URL Cloud: Label: malware
Source: https://79.172.212.216:8080/. Avira URL Cloud: Label: malware
Source: https://79.172.212.216/ Avira URL Cloud: Label: malware
Source: https://46.55.222.11/TBwKHjQjVeCWIQFSi Avira URL Cloud: Label: malware
Source: https://206.188.212.92/X Avira URL Cloud: Label: malware
Source: https://160.16.218.63:8080/lksHycwarnaSRJQsEAZwtocdkTVZGajE Avira URL Cloud: Label: malware
Source: https://120.50.40.183/ Avira URL Cloud: Label: malware
Source: https://159.8.59.82/ Avira URL Cloud: Label: malware
Source: https://131.100.24.231:80/MIMNtRZxLqGHZoTXVDtaMauEeLlGAjcyCUbpgyHmvtdbZTHIDbPoawrlp Avira URL Cloud: Label: malware
Source: https://192.99.251.50/27.42.236/h Avira URL Cloud: Label: malware
Source: https://79.172.212.216:8080/VNwOftDFidReElfWGyCwg$v6/ Avira URL Cloud: Label: malware
Source: https://46.55.222.11/TBwKHjQjVeCWIQFSN Avira URL Cloud: Label: malware
Source: https://103.221.221.247/Certificates Avira URL Cloud: Label: malware
Source: https://173.254.208.91:8080/iqyyOTGODIozOxlzJCOa Avira URL Cloud: Label: malware
Source: https://206.188.212.92/7 Avira URL Cloud: Label: malware
Source: https://173.254.208.91:8080/iqyyOTGODIozOxlzJCOT Avira URL Cloud: Label: malware
Source: https://185.157.82.211:8080/cal Avira URL Cloud: Label: malware
Source: https://120.50.40.183:80/$v6/ Avira URL Cloud: Label: malware
Source: https://185.157.82.211:8080/r Avira URL Cloud: Label: malware
Source: https://206.188.212.92/ Avira URL Cloud: Label: malware
Source: https://173.254.208.91/ Avira URL Cloud: Label: malware
Source: https://160.16.218.63/ Avira URL Cloud: Label: malware
Source: https://149.56.128.192/ Avira URL Cloud: Label: malware
Source: https://159.8.59.82:8080/AgctwBgxIsTEnzPyqHwVtfcFB Avira URL Cloud: Label: malware
Source: https://103.221.221.247/Global Avira URL Cloud: Label: malware
Source: https://120.50.40.183:80/za Avira URL Cloud: Label: malware
Source: https://46.55.222.11/ Avira URL Cloud: Label: malware
Source: https://46.55.222.11/TBwKHjQjVeCWIQFS) Avira URL Cloud: Label: malware
Source: https://120.50.40.183/d Avira URL Cloud: Label: malware
Source: https://160.16.218.63:8080/5 Avira URL Cloud: Label: malware
Source: https://103.221.221.247:8080/PosEzINMiHgCPAexqpnbXngfJaZeCEEsiTgLEr Avira URL Cloud: Label: malware
Source: https://103.221.221.247/ Avira URL Cloud: Label: malware
Source: https://103.221.221.247:8080/PosEzINMiHgCPAexqpnbXngfJaZeCEEsiTgLE Avira URL Cloud: Label: malware
Source: https://120.50.40.183/m Avira URL Cloud: Label: malware
Source: https://103.221.221.247:8080/i Avira URL Cloud: Label: malware
Source: https://79.172.212.216:8080/ Avira URL Cloud: Label: malware
Source: https://185.157.82.211:8080/ Avira URL Cloud: Label: malware
Source: https://51.91.7.5/ Virustotal: Detection: 16%
Source: 00000006.00000003.410808194.0000000002BDF000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Emotet {"C2 list": ["129.232.188.93:443", "209.250.246.206:443", "138.185.72.26:8080", "119.193.124.41:7080", "103.75.201.2:443", "5.9.116.246:8080", "203.114.109.124:443", "101.50.0.91:8080", "146.59.226.45:443", "216.158.226.206:443", "189.126.111.200:7080", "50.116.54.215:443", "212.24.98.99:8080", "158.69.222.101:443", "151.106.112.196:8080", "176.56.128.118:443", "103.43.46.182:443", "167.99.115.35:8080", "209.126.98.206:8080", "45.142.114.231:8080", "72.15.201.15:8080", "103.75.201.4:443", "207.38.84.195:8080", "51.254.140.238:7080", "212.237.17.99:8080", "45.118.115.99:8080", "110.232.117.186:8080", "188.44.20.25:443", "178.79.147.66:8080", "217.182.25.250:8080", "173.212.193.249:8080", "1.234.21.73:7080", "45.118.135.203:7080", "185.8.212.130:7080", "195.154.133.20:443", "197.242.150.244:8080", "164.68.99.3:8080", "107.182.225.142:8080", "196.218.30.83:443", "1.234.2.232:8080", "82.165.152.127:8080"]}
Source: psIFSn7VLi.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: unknown HTTPS traffic detected: 149.56.128.192:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown HTTPS traffic detected: 46.55.222.11:443 -> 192.168.2.4:49863 version: TLS 1.2

Networking

Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 149.56.128.192 443
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 185.157.82.211 8080
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 79.172.212.216 8080
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 131.100.24.231 80
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 46.55.222.11 443
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 51.91.76.89 8080
Source: C:\Windows\System32\svchost.exe Domain query: time.windows.com
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 173.254.208.91 8080
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 160.16.218.63 8080
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 206.188.212.92 8080
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 192.99.251.50 443
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 51.91.7.5 8080
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 159.8.59.82 8080
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 120.50.40.183 80
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 58.227.42.236 80
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 103.221.221.247 8080
Source: Traffic Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.4:49760 -> 51.91.76.89:8080
Source: Traffic Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.4:49863 -> 46.55.222.11:443
Source: Traffic Snort IDS: 2404306 ET CNC Feodo Tracker Reported CnC Server TCP group 4 192.168.2.4:49872 -> 131.100.24.231:80
Source: Malware configuration extractor IPs: 129.232.188.93:443
Source: Malware configuration extractor IPs: 209.250.246.206:443
Source: Malware configuration extractor IPs: 138.185.72.26:8080
Source: Malware configuration extractor IPs: 119.193.124.41:7080
Source: Malware configuration extractor IPs: 103.75.201.2:443
Source: Malware configuration extractor IPs: 5.9.116.246:8080
Source: Malware configuration extractor IPs: 203.114.109.124:443
Source: Malware configuration extractor IPs: 101.50.0.91:8080
Source: Malware configuration extractor IPs: 146.59.226.45:443
Source: Malware configuration extractor IPs: 216.158.226.206:443
Source: Malware configuration extractor IPs: 189.126.111.200:7080
Source: Malware configuration extractor IPs: 50.116.54.215:443
Source: Malware configuration extractor IPs: 212.24.98.99:8080
Source: Malware configuration extractor IPs: 158.69.222.101:443
Source: Malware configuration extractor IPs: 151.106.112.196:8080
Source: Malware configuration extractor IPs: 176.56.128.118:443
Source: Malware configuration extractor IPs: 103.43.46.182:443
Source: Malware configuration extractor IPs: 167.99.115.35:8080
Source: Malware configuration extractor IPs: 209.126.98.206:8080
Source: Malware configuration extractor IPs: 45.142.114.231:8080
Source: Malware configuration extractor IPs: 72.15.201.15:8080
Source: Malware configuration extractor IPs: 103.75.201.4:443
Source: Malware configuration extractor IPs: 207.38.84.195:8080
Source: Malware configuration extractor IPs: 51.254.140.238:7080
Source: Malware configuration extractor IPs: 212.237.17.99:8080
Source: Malware configuration extractor IPs: 45.118.115.99:8080
Source: Malware configuration extractor IPs: 110.232.117.186:8080
Source: Malware configuration extractor IPs: 188.44.20.25:443
Source: Malware configuration extractor IPs: 178.79.147.66:8080
Source: Malware configuration extractor IPs: 217.182.25.250:8080
Source: Malware configuration extractor IPs: 173.212.193.249:8080
Source: Malware configuration extractor IPs: 1.234.21.73:7080
Source: Malware configuration extractor IPs: 45.118.135.203:7080
Source: Malware configuration extractor IPs: 185.8.212.130:7080
Source: Malware configuration extractor IPs: 195.154.133.20:443
Source: Malware configuration extractor IPs: 197.242.150.244:8080
Source: Malware configuration extractor IPs: 164.68.99.3:8080
Source: Malware configuration extractor IPs: 107.182.225.142:8080
Source: Malware configuration extractor IPs: 196.218.30.83:443
Source: Malware configuration extractor IPs: 1.234.2.232:8080
Source: Malware configuration extractor IPs: 82.165.152.127:8080
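The report carries two independent network-IOC sources: the C2 list pulled from memory by the Malware Configuration Extractor, and the connections regsvr32.exe was actually observed making. The added example below (written for this page, not part of the Joe Sandbox report or of any tool it mentions) parses both from the report text, checks them against each other, and turns the union into Suricata/Snort rules. Run on this report's data it shows that the two sets do not overlap at all: the 41 configured endpoints and the 15 contacted ones are disjoint, so blocking only the extracted config would have missed every connection the sandbox saw. The LOLBin image list and the SID range are local assumptions, not something the report states.

```python
"""Added example (not part of the Joe Sandbox report): consolidate and cross-check
the Emotet C2 list from the configuration extractor against the 'Network Connect'
behaviour lines, then emit Suricata/Snort rules for the union."""
from __future__ import annotations

import ipaddress
import json
import re
from collections import Counter

# Copied verbatim from the report's "Malware Configuration Extractor: Emotet" line.
CONFIG_JSON = """
{"C2 list": [
 "129.232.188.93:443", "209.250.246.206:443", "138.185.72.26:8080",
 "119.193.124.41:7080", "103.75.201.2:443", "5.9.116.246:8080",
 "203.114.109.124:443", "101.50.0.91:8080", "146.59.226.45:443",
 "216.158.226.206:443", "189.126.111.200:7080", "50.116.54.215:443",
 "212.24.98.99:8080", "158.69.222.101:443", "151.106.112.196:8080",
 "176.56.128.118:443", "103.43.46.182:443", "167.99.115.35:8080",
 "209.126.98.206:8080", "45.142.114.231:8080", "72.15.201.15:8080",
 "103.75.201.4:443", "207.38.84.195:8080", "51.254.140.238:7080",
 "212.237.17.99:8080", "45.118.115.99:8080", "110.232.117.186:8080",
 "188.44.20.25:443", "178.79.147.66:8080", "217.182.25.250:8080",
 "173.212.193.249:8080", "1.234.21.73:7080", "45.118.135.203:7080",
 "185.8.212.130:7080", "195.154.133.20:443", "197.242.150.244:8080",
 "164.68.99.3:8080", "107.182.225.142:8080", "196.218.30.83:443",
 "1.234.2.232:8080", "82.165.152.127:8080"]}
"""

# Copied from the report's Networking section; the svchost line is kept on
# purpose to show that non-"Network Connect" behaviour lines are skipped.
NETWORK_CONNECT_LINES = r"""
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 149.56.128.192 443
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 185.157.82.211 8080
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 79.172.212.216 8080
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 131.100.24.231 80
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 46.55.222.11 443
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 51.91.76.89 8080
Source: C:\Windows\System32\svchost.exe Domain query: time.windows.com
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 173.254.208.91 8080
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 160.16.218.63 8080
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 206.188.212.92 8080
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 192.99.251.50 443
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 51.91.7.5 8080
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 159.8.59.82 8080
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 120.50.40.183 80
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 58.227.42.236 80
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 103.221.221.247 8080
"""

CONNECT_RE = re.compile(
    r"^Source: (?P<image>\S+) Network Connect: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<port>\d{1,5})$"
)
# Assumption: signed Windows binaries commonly abused as loaders that have no
# business originating connections to raw IPs. Extend for your environment.
LOLBIN_IMAGES = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}


def _endpoint(ip: str, port: str | int) -> str:
    """Validate an ip:port pair (raises ValueError on garbage) and normalise it."""
    ipaddress.ip_address(ip)
    return f"{ip}:{int(port)}"


def parse_config_c2(raw: str) -> set[str]:
    """Endpoints from the extractor's JSON ('C2 list' of 'ip:port' strings)."""
    return {_endpoint(*entry.rsplit(":", 1)) for entry in json.loads(raw)["C2 list"]}


def parse_network_connects(text: str) -> list[tuple[str, str]]:
    """(image basename, ip:port) for every 'Network Connect' line; other lines are skipped."""
    found = []
    for line in text.splitlines():
        m = CONNECT_RE.match(line.strip())
        if m:
            image = m["image"].rsplit("\\", 1)[-1].lower()
            found.append((image, _endpoint(m["ip"], m["port"])))
    return found


def lolbin_endpoints(connects: list[tuple[str, str]]) -> set[str]:
    """Only the endpoints contacted by a process on the LOLBin list."""
    return {ep for image, ep in connects if image in LOLBIN_IMAGES}


def compare(config: set[str], observed: set[str]) -> dict[str, set[str]]:
    return {"both": config & observed, "config_only": config - observed, "observed_only": observed - config}


def port_histogram(endpoints: set[str]) -> dict[int, int]:
    return dict(Counter(int(ep.rsplit(":", 1)[1]) for ep in endpoints))


def suricata_rules(endpoints: set[str], base_sid: int = 9_000_000) -> list[str]:
    """One outbound rule per IOC, ordered by IP. base_sid is an assumed local SID range."""
    ordered = sorted(endpoints, key=lambda e: ipaddress.ip_address(e.rsplit(":", 1)[0]))
    rules = []
    for i, ep in enumerate(ordered):
        ip, port = ep.rsplit(":", 1)
        rules.append(f'alert tcp $HOME_NET any -> {ip} {port} (msg:"Emotet C2 {ep} (Joe Sandbox 669356)"; '
                     f"flow:to_server,established; sid:{base_sid + i}; rev:1;)")
    return rules


if __name__ == "__main__":
    config = parse_config_c2(CONFIG_JSON)
    observed = lolbin_endpoints(parse_network_connects(NETWORK_CONNECT_LINES))
    diff = compare(config, observed)
    print(f"config C2: {len(config)}  observed: {len(observed)}  overlap: {len(diff['both'])}")
    print("config ports:", port_histogram(config), " observed ports:", port_histogram(observed))
    print(*suricata_rules(config | observed)[:3], sep="\n")
```

The same parser is what you would point at the "TCP traffic" and "HTTPS traffic detected" lines to pick up endpoints that the behaviour hooks missed; when you do, keep the process image, since an outbound 8080 connection from regsvr32.exe is the detection, not the IP.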
Source: Joe Sandbox View ASN Name: OVHFR
Source: Joe Sandbox View ASN Name: SZERVERPLEXHU
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: global traffic HTTP traffic detected:
GET /SSYKvnZUOEUlRtjgPVsscjkUTaNTgTQQvJUHkyX HTTP/1.1
Cookie: wd=CeWC3bvXPYw6ceEYgfvGdLYPTo0VXwyjQM1b37/spkNB3CGw86NzMzKf1AUGnAmmtW/OWNjKbUC9gyl1OQsrdyfP5xbn01or99X72cgyaEexWqMXtNXm3BOHAyBwYk6TnEAF0q3TMdibHcQhcNNo6Sm9GxBDPs+KnKkOdOQZ76tbXnfftFwj68x6LE4gFCEnmcMMTNEuYiAXbOCL+S+FsI+fnIMfAI5oXYW5JqiwY3vIUlQBUwfTw48YkmxLCfsNjgx6F20LQV3Hnux9vPTgtjjTh1sYYnbNkqrHAkwHKUzWJuie4H3uJ+0/v2jViJz29FfNeDiPeJZqmSc76S+b
Host: 149.56.128.192
Connection: Keep-Alive
Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
GET /TBwKHjQjVeCWIQFS HTTP/1.1
Cookie: TzD=CeWC3bvXPYw6ceEYgfvGdLYPTo0VXwyjQM1b37/spkNB3CGw86NzMzKf1AUGnAmmtW/OWNjKbUC9gyl1OQsrdyfP5xbn01or99X72cgyaEexWqMXtNXm3BOHAyBwYk6TnEAF0q3TMdibHcQhcNNo6Sm9GxBDPs+KnKkOdOQZ76tbXnfftFwj68x6LE4gFCEnmcMMTNEuYiAXbOCL+S+FsI9Ih3e+pR2YRWgAeau9SKu/amPhx+vBX8EeVceLhJI1Cl5c/CGgAhr7yQ63yo30L73FGkUea/TvEpxNO3PjqOskzZcORWqX5SDpz1exfeePjzjvPRMWMpzyGCnmStacLsD4YfqerzQ/buYpgMei8ILwW16H6ENPPQ==
Host: 46.55.222.11
Connection: Keep-Alive
Cache-Control: no-cache
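Both captured requests have the same shape: a GET whose path is one alphabetic token, a Cookie header carrying a long base64 blob, a bare IP in Host, and no User-Agent (the report's "HTTP GET or POST without a user agent" signature). The added example below, written for this page and not part of the report, scores a raw request on those four traits so the check can be run over a proxy or packet capture. The two requests at the bottom are constructed for the demo: the path and Host mirror the first capture, but the cookie value is synthetic base64 rather than the one the sandbox recorded, and the length threshold and score cut-off are assumptions to tune against your own baseline.

```python
"""Added example (not from the Joe Sandbox report): a header-shape check for
Emotet-style HTTP beacons: GET, single alphabetic path token, long base64
Cookie, bare-IP Host, no User-Agent."""
from __future__ import annotations

import base64
import ipaddress
import re

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
PATH_RE = re.compile(r"^/[A-Za-z]{8,64}$")
MIN_COOKIE_LEN = 64  # assumption: tune against your own baseline traffic


def parse_request(raw: str) -> tuple[str, str, dict[str, str]]:
    """Split a raw HTTP/1.x request into (method, path, lower-cased header map)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers: dict[str, str] = {}
    for line in header_lines:
        if line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def _is_bare_ip(host: str) -> bool:
    """True for 'a.b.c.d' or 'a.b.c.d:port' (IPv4 only; a hostname fails)."""
    try:
        ipaddress.ip_address(host.rsplit(":", 1)[0])
        return True
    except ValueError:
        return False


def score_request(raw: str) -> list[str]:
    """Return the matched indicators; an empty list means nothing matched."""
    method, path, headers = parse_request(raw)
    reasons = []
    if "user-agent" not in headers:
        reasons.append("no User-Agent header")
    if _is_bare_ip(headers.get("host", "")):
        reasons.append("Host is a bare IP address")
    # Only the first cookie is inspected; the captured beacons carry exactly one.
    cookie_name, _, cookie_value = headers.get("cookie", "").partition("=")
    if len(cookie_value) >= MIN_COOKIE_LEN and B64_RE.match(cookie_value):
        reasons.append(f"cookie {cookie_name!r} carries {len(cookie_value)} chars of base64")
    if method == "GET" and PATH_RE.match(path):
        reasons.append("path is a single alphabetic token")
    return reasons


def is_suspect(raw: str, threshold: int = 3) -> bool:
    """Assumed cut-off: three of the four traits together is rare in benign traffic."""
    return len(score_request(raw)) >= threshold


# Constructed inputs. The cookie blob is synthetic (base64 of bytes 0..95),
# 128 characters long; it is not the value captured in the sandbox.
SYNTHETIC_BLOB = base64.b64encode(bytes(range(96))).decode()
EMOTET_LIKE = (
    "GET /SSYKvnZUOEUlRtjgPVsscjkUTaNTgTQQvJUHkyX HTTP/1.1\r\n"
    f"Cookie: wd={SYNTHETIC_BLOB}\r\n"
    "Host: 149.56.128.192\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n\r\n"
)
BENIGN = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    "Cookie: session=abc123\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in (("emotet-like", EMOTET_LIKE), ("benign", BENIGN)):
        print(label, is_suspect(req), score_request(req))
```

None of the four traits is conclusive on its own (plenty of legitimate clients omit User-Agent, and internal services are often addressed by IP), which is why the score is a count rather than a single rule; the second captured request scores the same way despite using a different cookie name, since the name is not part of the check.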
Source: Joe Sandbox View IP Address: 217.182.25.250
Source: Joe Sandbox View IP Address: 79.172.212.216
Source: global traffic TCP traffic: 192.168.2.4:49760 -> 51.91.76.89:8080
Source: global traffic TCP traffic: 192.168.2.4:49761 -> 173.254.208.91:8080
Source: global traffic TCP traffic: 192.168.2.4:49829 -> 160.16.218.63:8080
Source: global traffic TCP traffic: 192.168.2.4:49858 -> 206.188.212.92:8080
Source: global traffic TCP traffic: 192.168.2.4:49864 -> 79.172.212.216:8080
Source: global traffic TCP traffic: 192.168.2.4:49865 -> 103.221.221.247:8080
Source: global traffic TCP traffic: 192.168.2.4:49868 -> 185.157.82.211:8080
Source: global traffic TCP traffic: 192.168.2.4:49869 -> 159.8.59.82:8080
Source: global traffic TCP traffic: 192.168.2.4:49870 -> 51.91.7.5:8080
Source: unknown Network traffic detected: IP country count 26
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49867
Source: global traffic HTTP traffic detected:
HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 19 Jul 2022 22:21:19 GMT
Content-Type: text/html
Content-Length: 162
Connection: close
Source: unknown TCP traffic detected without corresponding DNS query: 51.91.76.89
Source: unknown TCP traffic detected without corresponding DNS query: 51.91.76.89
Source: unknown TCP traffic detected without corresponding DNS query: 51.91.76.89
Source: unknown TCP traffic detected without corresponding DNS query: 173.254.208.91
Source: unknown TCP traffic detected without corresponding DNS query: 173.254.208.91
Source: unknown TCP traffic detected without corresponding DNS query: 173.254.208.91
Source: unknown TCP traffic detected without corresponding DNS query: 149.56.128.192
Source: unknown TCP traffic detected without corresponding DNS query: 149.56.128.192
Source: unknown TCP traffic detected without corresponding DNS query: 149.56.128.192
Source: unknown TCP traffic detected without corresponding DNS query: 149.56.128.192
Source: unknown TCP traffic detected without corresponding DNS query: 149.56.128.192
Source: unknown TCP traffic detected without corresponding DNS query: 149.56.128.192
Source: unknown TCP traffic detected without corresponding DNS query: 149.56.128.192
Source: unknown TCP traffic detected without corresponding DNS query: 149.56.128.192
Source: unknown TCP traffic detected without corresponding DNS query: 120.50.40.183
Source: unknown TCP traffic detected without corresponding DNS query: 120.50.40.183
Source: unknown TCP traffic detected without corresponding DNS query: 120.50.40.183
Source: unknown TCP traffic detected without corresponding DNS query: 160.16.218.63
Source: unknown TCP traffic detected without corresponding DNS query: 160.16.218.63
Source: unknown TCP traffic detected without corresponding DNS query: 160.16.218.63
Source: unknown TCP traffic detected without corresponding DNS query: 206.188.212.92
Source: unknown TCP traffic detected without corresponding DNS query: 206.188.212.92
Source: unknown TCP traffic detected without corresponding DNS query: 206.188.212.92
Source: unknown TCP traffic detected without corresponding DNS query: 46.55.222.11
Source: unknown TCP traffic detected without corresponding DNS query: 46.55.222.11
Source: unknown TCP traffic detected without corresponding DNS query: 46.55.222.11
Source: unknown TCP traffic detected without corresponding DNS query: 46.55.222.11
Source: unknown TCP traffic detected without corresponding DNS query: 46.55.222.11
Source: unknown TCP traffic detected without corresponding DNS query: 46.55.222.11
Source: unknown TCP traffic detected without corresponding DNS query: 46.55.222.11
Source: unknown TCP traffic detected without corresponding DNS query: 46.55.222.11
Source: unknown TCP traffic detected without corresponding DNS query: 46.55.222.11
Source: unknown TCP traffic detected without corresponding DNS query: 46.55.222.11
Source: unknown TCP traffic detected without corresponding DNS query: 46.55.222.11
Source: unknown TCP traffic detected without corresponding DNS query: 46.55.222.11
Source: unknown TCP traffic detected without corresponding DNS query: 79.172.212.216
Source: unknown TCP traffic detected without corresponding DNS query: 79.172.212.216
Source: unknown TCP traffic detected without corresponding DNS query: 79.172.212.216
Source: unknown TCP traffic detected without corresponding DNS query: 103.221.221.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.221.221.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.221.221.247
Source: unknown TCP traffic detected without corresponding DNS query: 58.227.42.236
Source: unknown TCP traffic detected without corresponding DNS query: 58.227.42.236
Source: unknown TCP traffic detected without corresponding DNS query: 58.227.42.236
Source: unknown TCP traffic detected without corresponding DNS query: 192.99.251.50
Source: unknown TCP traffic detected without corresponding DNS query: 192.99.251.50
Source: unknown TCP traffic detected without corresponding DNS query: 192.99.251.50
Source: unknown TCP traffic detected without corresponding DNS query: 192.99.251.50
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.82.211
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.82.211
Source: svchost.exe, 00000017.00000003.375394454.0000015C8A76F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals 
www.facebook.com (Facebook)
Source: svchost.exe, 00000017.00000003.375394454.0000015C8A76F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals 
www.twitter.com (Twitter)
Source: svchost.exe, 00000017.00000003.375394454.0000015C8A76F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.375413420.0000015C8A780000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","
GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-07-11T16:37:37.4991749Z||.||58dfb4d5-be7e-424e-8739-cac99224843f||1152921505695035586||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: regsvr32.exe, 00000006.00000003.364680383.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.665412089.000001697FE63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.421711170.0000015C8A700000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000014.00000002.665412089.000001697FE63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.421495587.0000015C89EEC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: regsvr32.exe, 00000006.00000003.728308506.0000000002C73000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762712850.0000000002C73000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.6.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000006.00000003.723777902.0000000004EBF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?75939ced2d84a
Source: regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en;T
Source: svchost.exe, 00000017.00000003.396728134.0000015C8A792000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 0000000E.00000002.314090796.000001ECDFA13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000C.00000002.762160897.00000276B2E44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000C.00000002.762160897.00000276B2E44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://103.221.221.247/
Source: regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://103.221.221.247/Certificates
Source: regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://103.221.221.247/Global
Source: regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://103.221.221.247:8080/
Source: regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://103.221.221.247:8080/PosEzINMiHgCPAexqpnbXngfJaZeCEEsiTgLE
Source: regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://103.221.221.247:8080/PosEzINMiHgCPAexqpnbXngfJaZeCEEsiTgLE3062332-1002
Source: regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://103.221.221.247:8080/PosEzINMiHgCPAexqpnbXngfJaZeCEEsiTgLEr
Source: regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://103.221.221.247:8080/i
Source: regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://120.50.40.183/
Source: regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://120.50.40.183/d
Source: regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://120.50.40.183/m
Source: regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://120.50.40.183/rosoft
Source: regsvr32.exe, 00000006.00000003.410793511.0000000002C64000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.410742618.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://120.50.40.183:80/
Source: regsvr32.exe, 00000006.00000003.410793511.0000000002C64000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://120.50.40.183:80/$v6/
Source: regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://120.50.40.183:80/YQXxdxwQWLyBEVjMOlg
Source: regsvr32.exe, 00000006.00000003.410793511.0000000002C64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://120.50.40.183:80/za
Source: regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://131.100.24.231/
Source: regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://131.100.24.231:80/MIMNtRZxLqGHZoTXVDtaMauEeLlGAjcyCUbpgyHmvtdbZTHIDbPoaw
Source: regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://131.100.24.231:80/MIMNtRZxLqGHZoTXVDtaMauEeLlGAjcyCUbpgyHmvtdbZTHIDbPoawrlp
Source: regsvr32.exe, 00000006.00000003.365060100.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.410742618.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508876930.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://149.56.128.192/
Source: regsvr32.exe, 00000006.00000003.365060100.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.410742618.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508876930.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://149.56.128.192/Q4
Source: regsvr32.exe, 00000006.00000003.410649801.0000000002BEC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.365020565.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508876930.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://149.56.128.192/SSYKvnZUOEUlRtjgPVsscjkUTaNTgTQQvJUHkyX
Source: regsvr32.exe, 00000006.00000003.410649801.0000000002BEC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.365020565.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508876930.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://149.56.128.192/SSYKvnZUOEUlRtjgPVsscjkUTaNTgTQQvJUHkyX-
Source: regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://159.8.59.82/
Source: regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://159.8.59.82:8080/AgctwBgxIsTEnzPyqHwVtfcFB
Source: regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://160.16.218.63/
Source: regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://160.16.218.63:8080/5
Source: regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://160.16.218.63:8080/E
Source: regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://160.16.218.63:8080/lksHycwarnaSRJQsEAZwtocdkTVZGajE
Source: regsvr32.exe, 00000006.00000003.365060100.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.410742618.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508876930.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://173.254.208.91/
Source: regsvr32.exe, 00000006.00000003.410649801.0000000002BEC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.365020565.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508876930.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://173.254.208.91:8080/iqyyOTGODIozOxlzJCOT
Source: regsvr32.exe, 00000006.00000003.410649801.0000000002BEC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.365020565.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508876930.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://173.254.208.91:8080/iqyyOTGODIozOxlzJCOa
Source: regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://185.157.82.211/
Source: regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://185.157.82.211:8080/
Source: regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://185.157.82.211:8080/cal
Source: regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://185.157.82.211:8080/r
Source: regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://192.99.251.50/
Source: regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://192.99.251.50/27.42.236/h
Source: regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://192.99.251.50/5563209-4053062332-1002
Source: regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://192.99.251.50/:
Source: regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://192.99.251.50/F
Source: regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://192.99.251.50/njigQUBviBvfjJoFmpOFCcuxzCMjisKOYgnAJJuZGrOYExdzIkjfPaaGvSwrlp
Source: regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://206.188.212.92/
Source: regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://206.188.212.92/7
Source: regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://206.188.212.92/X
Source: regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://206.188.212.92:8080/WvwiYegTHwVudezOCrWPjYKhpMeUQep
Source: regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508921722.0000000002C1F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://46.55.222.11/
Source: regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://46.55.222.11/.50.40.183:80/YQXxdxwQWLyBEVjMOlgty
Source: regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://46.55.222.11/TBwKHjQjVeCWIQFS
Source: regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://46.55.222.11/TBwKHjQjVeCWIQFS)
Source: regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://46.55.222.11/TBwKHjQjVeCWIQFSN
Source: regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://46.55.222.11/TBwKHjQjVeCWIQFSi
Source: regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://46.55.222.11/TBwKHjQjVeCWIQFSz
Source: regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://51.91.7.5/
Source: regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://51.91.7.5:8080/EEsdElRrfqZScZWLqBhRqLSt
Source: regsvr32.exe, 00000006.00000003.508876930.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://51.91.76.89/
Source: regsvr32.exe, 00000006.00000003.365020565.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://51.91.76.89:80
Source: regsvr32.exe, 00000006.00000003.365060100.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.410742618.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508876930.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://51.91.76.89:8080/WUUUrykRKzQgKnGAgOWXwbTPpbZjnbjXYyUgItVQHAlMtltf
Source: regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://58.227.42.236/
Source: regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://58.227.42.236/N
Source: regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://58.227.42.236/c4
Source: regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://58.227.42.236:80/
Source: regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://58.227.42.236:80/$v6/
Source: regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://58.227.42.236:80/-
Source: regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://58.227.42.236:80/:
Source: regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://58.227.42.236:80/CBvqXjPjXUGuuflNLuZWkXecSmHukPuGWkGWJXlIStqkcdnP
Source: regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://58.227.42.236:80/CBvqXjPjXUGuuflNLuZWkXecSmHukPuGWkGWJXlIStqkcdnPK
Source: regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://58.227.42.236:80/CBvqXjPjXUGuuflNLuZWkXecSmHukPuGWkGWJXlIStqkcdnPz
Source: regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://58.227.42.236:80/D
Source: regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://79.172.212.216/
Source: regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://79.172.212.2167:8080/
Source: regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://79.172.212.216:8080/
Source: regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://79.172.212.216:8080/.
Source: regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://79.172.212.216:8080/VNwOftDFidReElfWGyCwg
Source: regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://79.172.212.216:8080/VNwOftDFidReElfWGyCwg$v6/
Source: regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://79.172.212.216:8080/VNwOftDFidReElfWGyCwg(
Source: regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://79.172.212.216:8080/VNwOftDFidReElfWGyCwgb
Source: regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://79.172.212.216:8080/nes
Source: svchost.exe, 0000000C.00000002.762160897.00000276B2E44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000E.00000003.313783832.000001ECDFA60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000C.00000002.761982748.00000276B2E29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000C.00000002.761982748.00000276B2E29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000E.00000003.313794156.000001ECDFA5A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000002.314163787.000001ECDFA5C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.313794156.000001ECDFA5A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000E.00000003.313783832.000001ECDFA60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000E.00000002.314128119.000001ECDFA3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000002.314163787.000001ECDFA5C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.313794156.000001ECDFA5A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000E.00000003.313783832.000001ECDFA60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000002.314141397.000001ECDFA4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.313769610.000001ECDFA47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000E.00000002.314163787.000001ECDFA5C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.313794156.000001ECDFA5A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000E.00000003.313783832.000001ECDFA60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000E.00000002.314128119.000001ECDFA3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000003.313783832.000001ECDFA60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000E.00000003.313783832.000001ECDFA60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000E.00000003.313783832.000001ECDFA60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000E.00000003.313814458.000001ECDFA40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.314134200.000001ECDFA42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000E.00000003.313814458.000001ECDFA40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.314134200.000001ECDFA42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000E.00000003.313783832.000001ECDFA60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000002.314163787.000001ECDFA5C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.313794156.000001ECDFA5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.313814458.000001ECDFA40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000017.00000003.396728134.0000015C8A792000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000000E.00000003.313794156.000001ECDFA5A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000E.00000002.314163787.000001ECDFA5C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.313794156.000001ECDFA5A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000E.00000002.314163787.000001ECDFA5C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.313794156.000001ECDFA5A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000E.00000003.313761832.000001ECDFA63000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000E.00000003.313783832.000001ECDFA60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000E.00000002.314128119.000001ECDFA3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000017.00000003.392127513.0000015C8A7B4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.391991165.0000015C8A795000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.392087236.0000015C8A792000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.392152187.0000015C8AC02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.392175741.0000015C8AC03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.392461273.0000015C8AC19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.392344061.0000015C8A7B4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.392106913.0000015C8A7A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.hotspotshield.com/
Source: svchost.exe, 0000000E.00000002.314128119.000001ECDFA3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000E.00000002.314128119.000001ECDFA3D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.314090796.000001ECDFA13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000E.00000003.313809959.000001ECDFA56000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000E.00000003.313814458.000001ECDFA40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.314134200.000001ECDFA42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000E.00000002.314141397.000001ECDFA4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.313769610.000001ECDFA47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 00000017.00000003.396728134.0000015C8A792000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000017.00000003.396728134.0000015C8A792000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000017.00000003.392127513.0000015C8A7B4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.391991165.0000015C8A795000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.392087236.0000015C8A792000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.392152187.0000015C8AC02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.392175741.0000015C8AC03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.392461273.0000015C8AC19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.392344061.0000015C8A7B4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.392106913.0000015C8A7A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.hotspotshield.com/terms/
Source: svchost.exe, 00000017.00000003.392127513.0000015C8A7B4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.391991165.0000015C8A795000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.392087236.0000015C8A792000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.392152187.0000015C8AC02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.392175741.0000015C8AC03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.392461273.0000015C8AC19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.392344061.0000015C8A7B4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.392106913.0000015C8A7A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.pango.co/privacy
Source: svchost.exe, 00000017.00000003.400782206.0000015C8A792000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.tiktok.com/legal/report
Source: svchost.exe, 00000017.00000003.400864147.0000015C8AC02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.400750031.0000015C8A7B9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.400709458.0000015C8A7B9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.400813065.0000015C8A7A3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.400782206.0000015C8A792000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: unknown DNS traffic detected: queries for: time.windows.com
Source: global traffic HTTP traffic detected: GET /SSYKvnZUOEUlRtjgPVsscjkUTaNTgTQQvJUHkyX HTTP/1.1Cookie: wd=CeWC3bvXPYw6ceEYgfvGdLYPTo0VXwyjQM1b37/spkNB3CGw86NzMzKf1AUGnAmmtW/OWNjKbUC9gyl1OQsrdyfP5xbn01or99X72cgyaEexWqMXtNXm3BOHAyBwYk6TnEAF0q3TMdibHcQhcNNo6Sm9GxBDPs+KnKkOdOQZ76tbXnfftFwj68x6LE4gFCEnmcMMTNEuYiAXbOCL+S+FsI+fnIMfAI5oXYW5JqiwY3vIUlQBUwfTw48YkmxLCfsNjgx6F20LQV3Hnux9vPTgtjjTh1sYYnbNkqrHAkwHKUzWJuie4H3uJ+0/v2jViJz29FfNeDiPeJZqmSc76S+bHost: 149.56.128.192Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /TBwKHjQjVeCWIQFS HTTP/1.1Cookie: TzD=CeWC3bvXPYw6ceEYgfvGdLYPTo0VXwyjQM1b37/spkNB3CGw86NzMzKf1AUGnAmmtW/OWNjKbUC9gyl1OQsrdyfP5xbn01or99X72cgyaEexWqMXtNXm3BOHAyBwYk6TnEAF0q3TMdibHcQhcNNo6Sm9GxBDPs+KnKkOdOQZ76tbXnfftFwj68x6LE4gFCEnmcMMTNEuYiAXbOCL+S+FsI9Ih3e+pR2YRWgAeau9SKu/amPhx+vBX8EeVceLhJI1Cl5c/CGgAhr7yQ63yo30L73FGkUea/TvEpxNO3PjqOskzZcORWqX5SDpz1exfeePjzjvPRMWMpzyGCnmStacLsD4YfqerzQ/buYpgMei8ILwW16H6ENPPQ==Host: 46.55.222.11Connection: Keep-AliveCache-Control: no-cache
Source: unknown HTTPS traffic detected: 149.56.128.192:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown HTTPS traffic detected: 46.55.222.11:443 -> 192.168.2.4:49863 version: TLS 1.2

E-Banking Fraud

Source: Yara match File source: 2.2.regsvr32.exe.4df0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4f10000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.4590000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.3530000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.9c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2940000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4230000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.3530000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.4dc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.9c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.4dc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2940000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.247001370.0000000004231000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.762864021.0000000004591000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.246952927.0000000002940000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.246760873.0000000003530000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.761637752.00000000009C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.250264890.0000000004DF1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.250193606.0000000004DC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.246960941.0000000004F11000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: psIFSn7VLi.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: C:\Windows\SysWOW64\regsvr32.exe File deleted: C:\Windows\SysWOW64\Arwhu\ttgk.pdy:Zone.Identifier
Source: C:\Windows\SysWOW64\regsvr32.exe File created: C:\Windows\SysWOW64\Arwhu\
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10041D70 2_2_10041D70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10041D70 3_2_10041D70
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10040C7C appears 42 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10040C7C appears 39 times
Source: psIFSn7VLi.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
Source: psIFSn7VLi.dll Virustotal: Detection: 63%
Source: psIFSn7VLi.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\psIFSn7VLi.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\psIFSn7VLi.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\psIFSn7VLi.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\psIFSn7VLi.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\psIFSn7VLi.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\psIFSn7VLi.dll,DllUnregisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Arwhu\ttgk.pdy"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -s W32Time
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\psIFSn7VLi.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\psIFSn7VLi.dll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\psIFSn7VLi.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\psIFSn7VLi.dll,DllUnregisterServer
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\psIFSn7VLi.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Arwhu\ttgk.pdy"
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32
Source: C:\Windows\System32\svchost.exe File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
Source: classification engine Classification label: mal100.troj.evad.winDLL@29/8@2/57
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1003D09A __EH_prolog,VariantClear,SysAllocStringByteLen,CoCreateInstance,CoCreateInstance,CoCreateInstance, 2_2_1003D09A
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\psIFSn7VLi.dll",#1
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3388:120:WilError_01
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002EA60 FindResourceW,LoadResource,SizeofResource,VirtualAllocExNuma,VirtualAlloc,memcpy,malloc,??3@YAXPAX@Z, 2_2_1002EA60
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1003E8D0 push eax; ret 2_2_1003E8E4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1003E8D0 push eax; ret 2_2_1003E90C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1003F964 push eax; ret 2_2_1003F982
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10040CB7 push ecx; ret 2_2_10040CC7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10040CB7 push ecx; ret 3_2_10040CC7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003E8D0 push eax; ret 3_2_1003E8E4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003E8D0 push eax; ret 3_2_1003E90C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003F964 push eax; ret 3_2_1003F982
Source: psIFSn7VLi.dll Static PE information: section name: .didat
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10049401 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_10049401
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\psIFSn7VLi.dll
Source: C:\Windows\SysWOW64\regsvr32.exe PE file moved: C:\Windows\SysWOW64\Arwhu\ttgk.pdy
Source: C:\Windows\System32\svchost.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Config

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\regsvr32.exe File opened: C:\Windows\SysWOW64\Arwhu\ttgk.pdy:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Pwywyaihuigj\xpxapuj.ypc:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Hryrotqgbtbdfp\yklzymlfbv.qfq:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10039047 IsIconic,GetWindowPlacement,GetWindowRect, 2_2_10039047
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10039047 IsIconic,GetWindowPlacement,GetWindowRect, 3_2_10039047
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe TID: 6284 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6280 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6856 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\SysWOW64\regsvr32.exe API coverage: 6.4 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 6.3 %
Source: C:\Windows\SysWOW64\regsvr32.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1003E90D VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect, 2_2_1003E90D
Source: C:\Windows\SysWOW64\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\regsvr32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 00000014.00000002.664670317.000001697E829000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@`
Source: regsvr32.exe, 00000006.00000003.365060100.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.410649801.0000000002BEC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.365020565.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.410742618.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508876930.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.665412089.000001697FE63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.665370507.000001697FE56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.421185062.0000015C89E82000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000B.00000002.761522044.0000024B7AA02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 0000000B.00000002.761730487.0000024B7AA28000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.762160897.00000276B2E44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.761947130.0000027206429000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000022.00000002.761938638.00000136BA229000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10049401 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_10049401
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1000D140 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,memcpy, 2_2_1000D140
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 149.56.128.192 443
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 185.157.82.211 8080
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 79.172.212.216 8080
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 131.100.24.231 80
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 46.55.222.11 443
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 51.91.76.89 8080
Source: C:\Windows\System32\svchost.exe Domain query: time.windows.com
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 173.254.208.91 8080
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 160.16.218.63 8080
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 206.188.212.92 8080
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 192.99.251.50 443
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 51.91.7.5 8080
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 159.8.59.82 8080
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 120.50.40.183 80
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 58.227.42.236 80
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 103.221.221.247 8080
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\psIFSn7VLi.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar, 2_2_1004E84C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA,_strncpy, 2_2_1004B91A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA, 2_2_1004E97C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA, 2_2_10049CA4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 2_2_10001560
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _strlen,EnumSystemLocalesA, 2_2_1004BE39
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _strlen,_strlen,EnumSystemLocalesA, 2_2_1004BE70
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _strlen,EnumSystemLocalesA, 2_2_1004BEF6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale, 2_2_1004BF4B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 3_2_10049CA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 3_2_10001560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strlen,EnumSystemLocalesA, 3_2_1004BE39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strlen,_strlen,EnumSystemLocalesA, 3_2_1004BE70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strlen,EnumSystemLocalesA, 3_2_1004BEF6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale, 3_2_1004BF4B
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10045190 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 2_2_10045190
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10048415 __lock,_strlen,_strncpy,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,_strncpy, 2_2_10048415
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10001078 lstrcmpiW,GetVersion,InterlockedExchange, 2_2_10001078

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
Source: svchost.exe, 00000010.00000002.761873992.0000020E5823D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000010.00000002.762125761.0000020E58302000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.761658717.0000020E58213000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information

Source: Yara match File source: 2.2.regsvr32.exe.4df0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4f10000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.4590000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.3530000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.9c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2940000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4230000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.3530000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.4dc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.9c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.4dc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2940000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.247001370.0000000004231000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.762864021.0000000004591000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.246952927.0000000002940000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.246760873.0000000003530000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.761637752.00000000009C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.250264890.0000000004DF1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.250193606.0000000004DC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.246960941.0000000004F11000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY