Windows Analysis Report
bscHLGMyjW

Overview

General Information

Sample Name: bscHLGMyjW (renamed file extension from none to dll)
Analysis ID: 669372
MD5: 853c4a8922ffe407962ed618f5e5050b
SHA1: 7d46327d257ff52b5c380b521cd28935d65c4bc7
SHA256: 8c58876a208132d6ed84b2d63416bde9efa590e9ae0246a4f668bcebdc04b7a1
Tags: 32dllexetrojan
Infos:

Detection

Emotet
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Query firmware table information (likely to detect VMs)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: https://120.50.40.183:80/wVZyzHXwzFIbSsMDkdb Avira URL Cloud: Label: malware
Source: https://51.91.7.5/ Avira URL Cloud: Label: malware
Source: https://120.50.40.183/ Avira URL Cloud: Label: malware
Source: https://159.8.59.82/ Avira URL Cloud: Label: malware
Source: https://131.100.24.231:80/H Avira URL Cloud: Label: malware
Source: https://103.221.221.247:8080/gYHJIs Avira URL Cloud: Label: malware
Source: https://173.254.208.91:8080/FHNmSQhMPmUgfiGTpfRKglWV Avira URL Cloud: Label: malware
Source: https://192.99.251.50/0 Avira URL Cloud: Label: malware
Source: https://159.8.59.82:8080/ Avira URL Cloud: Label: malware
Source: https://79.172.212.216/9 Avira URL Cloud: Label: malware
Source: https://149.56.128.192/fSTm Avira URL Cloud: Label: malware
Source: https://131.100.24.231:80/ Avira URL Cloud: Label: malware
Source: https://51.91.7.5:8080/rxYzgkPqLyQVovawmSL Avira URL Cloud: Label: malware
Source: https://51.91.76.89:8080/lNTCDnLEFARnzCSTbPqiarmtqBjaTTxMdOLjVhFUj Avira URL Cloud: Label: malware
Source: https://160.16.218.63:8080/rlxtXuQTWcz Avira URL Cloud: Label: malware
Source: https://192.99.251.50/4 Avira URL Cloud: Label: malware
Source: https://192.99.251.50/99.251.50/hdaVPxkDfoKJQyOXvwYhhkAy Avira URL Cloud: Label: malware
Source: https://46.55.222.11/BiEgOdFqxzyfFPqwAOweHeXemJBZKjqwNwwVobqyTYy Avira URL Cloud: Label: malware
Source: https://103.221.221.247:8080/ Avira URL Cloud: Label: malware
Source: https://206.188.212.92/ Avira URL Cloud: Label: malware
Source: https://120.50.40.183:80/wVZyzHXwzFIbSsMDkdbsI Avira URL Cloud: Label: malware
Source: https://103.221.221.247:8080/gYHJIsD Avira URL Cloud: Label: malware
Source: https://173.254.208.91/ Avira URL Cloud: Label: malware
Source: https://160.16.218.63/ Avira URL Cloud: Label: malware
Source: https://206.188.212.92:8080/XGoDqOmEznVckdttzjTudmbZ Avira URL Cloud: Label: malware
Source: https://192.99.251.50/0/wVZyzHXwzFIbSsMDkdb Avira URL Cloud: Label: malware
Source: https://46.55.222.11/B Avira URL Cloud: Label: malware
Source: https://149.56.128.192/ Avira URL Cloud: Label: malware
Source: https://103.221.221.247:8080/tas Avira URL Cloud: Label: malware
Source: https://46.55.222.11/F Avira URL Cloud: Label: malware
Source: https://131.100.24.231:80/HjsJJresDkOtazdwjPkgeyoMeBIGInWLCajLkkcuvkifWRvynwfbRFAZdPO Avira URL Cloud: Label: malware
Source: https://192.99.251.50/ Avira URL Cloud: Label: malware
Source: https://192.99.251.50/hdaVPxkDfoKJQyOXvwYhhkAQ Avira URL Cloud: Label: malware
Source: https://46.55.222.11/ Avira URL Cloud: Label: malware
Source: https://120.50.40.183:80/wVZyzHX Avira URL Cloud: Label: malware
Source: https://131.100.24.231/ Avira URL Cloud: Label: malware
Source: https://51.91.7.5:8080/ Avira URL Cloud: Label: malware
Source: https://131.100.24.231/I Avira URL Cloud: Label: malware
Source: https://120.50.40.183:80/wVZyzHXwzFIbSsMDkdbX Avira URL Cloud: Label: malware
Source: https://46.55.222.11/.50.40.183/ Avira URL Cloud: Label: malware
Source: https://103.221.221.247/ Avira URL Cloud: Label: malware
Source: https://160.16.218.63/Y Avira URL Cloud: Label: malware
Source: https://159.8.59.82:8080/taEjAKKH Avira URL Cloud: Label: malware
Source: https://79.172.212.216:8080/ Avira URL Cloud: Label: malware
Source: https://185.157.82.211:8080/ Avira URL Cloud: Label: malware
Source: https://192.99.251.50/hdaVPxkDfoKJQyOXvwYhhkA Avira URL Cloud: Label: malware
Source: https://160.16.218.63:8080/rlxtXuQTWczj Avira URL Cloud: Label: malware
Source: https://160.16.218.63/K Avira URL Cloud: Label: malware
Source: https://185.157.82.211:8080/) Avira URL Cloud: Label: malware
Source: https://192.99.251.50/hdaVPxkDfoKJQyOXvwYhhkAAppData Avira URL Cloud: Label: malware
Source: https://46.55.222.11/- Avira URL Cloud: Label: malware
Source: https://120.50.40.183:80/wVZyzHXwzFIbSsMDkdbP Avira URL Cloud: Label: malware
Source: https://46.55.222.11/.50.40.183:80/wVZyzHXwzFIbSsMDkdb Avira URL Cloud: Label: malware
Source: https://185.157.82.211/ Avira URL Cloud: Label: malware
Source: https://185.157.82.211/V Avira URL Cloud: Label: malware
Source: https://46.55.222.11/BiEgOdFqxzyfFPqwAOweHeXemJBZKjqwNwwVobqyTY= Avira URL Cloud: Label: malware
Source: https://51.91.76.89/ Avira URL Cloud: Label: malware
Source: https://46.55.222.11/BiEgOdFqxzyfFPqwAOweHeXemJBZKjqwNwwVobqyTY Avira URL Cloud: Label: malware
Source: https://79.172.212.216/ Avira URL Cloud: Label: malware
Source: https://159.8.59.82:8080/taEjAKKHJ Avira URL Cloud: Label: malware
Source: https://79.172.212.216:8080/QLBvrKXyQhlLtOrpKVuDaNHJ Avira URL Cloud: Label: malware
Source: https://159.8.59.82/5 Avira URL Cloud: Label: malware
Source: https://185.157.82.211:8080/riNpYqdQCgxyFX Avira URL Cloud: Label: malware
Source: https://120.50.40.183:80/ Avira URL Cloud: Label: malware
Source: https://79.172.212.216:8080/QLBvrKXyQhlLtOrpKVuDaNHJ% Avira URL Cloud: Label: malware
Source: https://120.50.40.183:80/wVZyzHXwzFIbSsMDkdb1 Avira URL Cloud: Label: malware
Source: 00000005.00000003.729492928.0000000003439000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Emotet {"C2 list": ["216.131.66.3:1", "192.16.0.0:1484", "216.64.72.3:1", "248.38.74.3:1", "255.255.255.255:3", "156.4.0.0:1", "108.4.0.0:1", "152.4.0.0:1", "124.4.0.0:1", "180.4.0.0:1", "184.4.0.0:1", "128.4.0.0:1", "148.4.0.0:1", "208.185.68.3:1", "40.38.70.3:48", "32.137.69.3:48", "103.240.2.0:4300", "112.135.10.118:5", "91.240.2.0:4600", "108.240.2.0:3484", "114.240.2.0:2956", "120.240.2.0:4600", "224.120.66.3:1", "135.52.4.0:4828", "220.194.66.52:443"]}
Uses 32bit PE files
Source: bscHLGMyjW.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: unknown HTTPS traffic detected: 149.56.128.192:443 -> 192.168.2.7:49764 version: TLS 1.2
Source: unknown HTTPS traffic detected: 46.55.222.11:443 -> 192.168.2.7:49856 version: TLS 1.2

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 149.56.128.192 443 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 185.157.82.211 8080 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 79.172.212.216 8080 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 131.100.24.231 80 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 46.55.222.11 443 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 51.91.76.89 8080 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 173.254.208.91 8080 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 160.16.218.63 8080 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 206.188.212.92 8080 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 192.99.251.50 443 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 51.91.7.5 8080 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 159.8.59.82 8080 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 120.50.40.183 80 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 58.227.42.236 80 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 103.221.221.247 8080 Jump to behavior
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.7:49762 -> 51.91.76.89:8080
Source: Traffic Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.7:49856 -> 46.55.222.11:443
Source: Traffic Snort IDS: 2404306 ET CNC Feodo Tracker Reported CnC Server TCP group 4 192.168.2.7:49895 -> 131.100.24.231:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 216.131.66.3:1
Source: Malware configuration extractor IPs: 192.16.0.0:1484
Source: Malware configuration extractor IPs: 216.64.72.3:1
Source: Malware configuration extractor IPs: 248.38.74.3:1
Source: Malware configuration extractor IPs: 255.255.255.255:3
Source: Malware configuration extractor IPs: 156.4.0.0:1
Source: Malware configuration extractor IPs: 108.4.0.0:1
Source: Malware configuration extractor IPs: 152.4.0.0:1
Source: Malware configuration extractor IPs: 124.4.0.0:1
Source: Malware configuration extractor IPs: 180.4.0.0:1
Source: Malware configuration extractor IPs: 184.4.0.0:1
Source: Malware configuration extractor IPs: 128.4.0.0:1
Source: Malware configuration extractor IPs: 148.4.0.0:1
Source: Malware configuration extractor IPs: 208.185.68.3:1
Source: Malware configuration extractor IPs: 40.38.70.3:48
Source: Malware configuration extractor IPs: 32.137.69.3:48
Source: Malware configuration extractor IPs: 103.240.2.0:4300
Source: Malware configuration extractor IPs: 112.135.10.118:5
Source: Malware configuration extractor IPs: 91.240.2.0:4600
Source: Malware configuration extractor IPs: 108.240.2.0:3484
Source: Malware configuration extractor IPs: 114.240.2.0:2956
Source: Malware configuration extractor IPs: 120.240.2.0:4600
Source: Malware configuration extractor IPs: 224.120.66.3:1
Source: Malware configuration extractor IPs: 135.52.4.0:4828
Source: Malware configuration extractor IPs: 220.194.66.52:443
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SWA-W11-MKT-INETUS SWA-W11-MKT-INETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /fSTm HTTP/1.1Cookie: RCgcztBeyqV=lnFDO8M7QZ1oPgB4nY1cj9kEItiu+1IC4kYVxBoxBllfbtHBCudUYjnRoBy8SYXV1srkURbSy/IsFNQ+ucZuSoKtKE0A5BmVzVszJ57xNbQiIl6AXjiVwF9fZa5yKYDVvPEpBhl22lgyuByb+bvkutsXjB2JpqNEfh4g+cnQNOBmZjpGug7GM9O03vTF2D7uGgC81sfYU6tCwLuyKOvpdyEei5sFj+shvwDs+JDlyi5zLxE/FuyzCk3X+efIKtNFb5X94ruZkldLHost: 149.56.128.192Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /BiEgOdFqxzyfFPqwAOweHeXemJBZKjqwNwwVobqyTY HTTP/1.1Cookie: hwPnhB=lnFDO8M7QZ1oPgB4nY1cj9kEItiu+1IC4kYVxBoxBllfbtHBCudUYjnRoBy8SYXV1srkURbSy/IsFNQ+ucZuSoKtKE0A5BmVzVszJ57xNbQiIl6AXjiVwF9fZa5yKYDVvPEpBhl22lgyuByb+bvkutsXjB2JpqNEfh4g+cnQNOBmZjpGug7GM9O03vTF2D7uGgC81sfYU6tCwLuyKOvpd81D4rN1AGkvWGjCmOQEyJVKCjHD95//Nxae/txUYJ5SwYpA/5OYvY6zhTXw98PfWocrrg1I/8T7yt9faC2eGs5YaD2HKU6Z4U7+QDaKwy9bRKPIQC74SA==Host: 46.55.222.11Connection: Keep-AliveCache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.157.82.211 185.157.82.211
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.7:49762 -> 51.91.76.89:8080
Source: global traffic TCP traffic: 192.168.2.7:49763 -> 173.254.208.91:8080
Source: global traffic TCP traffic: 192.168.2.7:49792 -> 160.16.218.63:8080
Source: global traffic TCP traffic: 192.168.2.7:49822 -> 206.188.212.92:8080
Source: global traffic TCP traffic: 192.168.2.7:49857 -> 79.172.212.216:8080
Source: global traffic TCP traffic: 192.168.2.7:49858 -> 103.221.221.247:8080
Source: global traffic TCP traffic: 192.168.2.7:49890 -> 185.157.82.211:8080
Source: global traffic TCP traffic: 192.168.2.7:49893 -> 159.8.59.82:8080
Source: global traffic TCP traffic: 192.168.2.7:49894 -> 51.91.7.5:8080
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 17
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49856
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 19 Jul 2022 23:08:26 GMTContent-Type: text/htmlContent-Length: 162Connection: close
Source: unknown TCP traffic detected without corresponding DNS query: 51.91.76.89
Source: unknown TCP traffic detected without corresponding DNS query: 51.91.76.89
Source: unknown TCP traffic detected without corresponding DNS query: 51.91.76.89
Source: unknown TCP traffic detected without corresponding DNS query: 173.254.208.91
Source: unknown TCP traffic detected without corresponding DNS query: 173.254.208.91
Source: unknown TCP traffic detected without corresponding DNS query: 173.254.208.91
Source: unknown TCP traffic detected without corresponding DNS query: 149.56.128.192
Source: unknown TCP traffic detected without corresponding DNS query: 149.56.128.192
Source: unknown TCP traffic detected without corresponding DNS query: 149.56.128.192
Source: unknown TCP traffic detected without corresponding DNS query: 149.56.128.192
Source: unknown TCP traffic detected without corresponding DNS query: 149.56.128.192
Source: unknown TCP traffic detected without corresponding DNS query: 149.56.128.192
Source: unknown TCP traffic detected without corresponding DNS query: 149.56.128.192
Source: unknown TCP traffic detected without corresponding DNS query: 149.56.128.192
Source: unknown TCP traffic detected without corresponding DNS query: 120.50.40.183
Source: unknown TCP traffic detected without corresponding DNS query: 120.50.40.183
Source: unknown TCP traffic detected without corresponding DNS query: 120.50.40.183
Source: unknown TCP traffic detected without corresponding DNS query: 160.16.218.63
Source: unknown TCP traffic detected without corresponding DNS query: 160.16.218.63
Source: unknown TCP traffic detected without corresponding DNS query: 160.16.218.63
Source: unknown TCP traffic detected without corresponding DNS query: 206.188.212.92
Source: unknown TCP traffic detected without corresponding DNS query: 206.188.212.92
Source: unknown TCP traffic detected without corresponding DNS query: 206.188.212.92
Source: unknown TCP traffic detected without corresponding DNS query: 46.55.222.11
Source: unknown TCP traffic detected without corresponding DNS query: 46.55.222.11
Source: unknown TCP traffic detected without corresponding DNS query: 46.55.222.11
Source: unknown TCP traffic detected without corresponding DNS query: 46.55.222.11
Source: unknown TCP traffic detected without corresponding DNS query: 46.55.222.11
Source: unknown TCP traffic detected without corresponding DNS query: 46.55.222.11
Source: unknown TCP traffic detected without corresponding DNS query: 46.55.222.11
Source: unknown TCP traffic detected without corresponding DNS query: 46.55.222.11
Source: unknown TCP traffic detected without corresponding DNS query: 46.55.222.11
Source: unknown TCP traffic detected without corresponding DNS query: 46.55.222.11
Source: unknown TCP traffic detected without corresponding DNS query: 46.55.222.11
Source: unknown TCP traffic detected without corresponding DNS query: 46.55.222.11
Source: unknown TCP traffic detected without corresponding DNS query: 46.55.222.11
Source: unknown TCP traffic detected without corresponding DNS query: 46.55.222.11
Source: unknown TCP traffic detected without corresponding DNS query: 79.172.212.216
Source: unknown TCP traffic detected without corresponding DNS query: 79.172.212.216
Source: unknown TCP traffic detected without corresponding DNS query: 79.172.212.216
Source: unknown TCP traffic detected without corresponding DNS query: 103.221.221.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.221.221.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.221.221.247
Source: unknown TCP traffic detected without corresponding DNS query: 58.227.42.236
Source: unknown TCP traffic detected without corresponding DNS query: 58.227.42.236
Source: unknown TCP traffic detected without corresponding DNS query: 58.227.42.236
Source: unknown TCP traffic detected without corresponding DNS query: 192.99.251.50
Source: unknown TCP traffic detected without corresponding DNS query: 192.99.251.50
Source: unknown TCP traffic detected without corresponding DNS query: 192.99.251.50
Source: unknown TCP traffic detected without corresponding DNS query: 192.99.251.50
Source: regsvr32.exe, 00000005.00000003.826473303.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.729314283.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.608979653.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.517131871.000000000347A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.470796560.000000000347A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.596545350.000001CA15500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.875031828.000001BCA7C63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.874276020.00000249B38E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000015.00000002.596545350.000001CA15500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.875031828.000001BCA7C63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.874276020.00000249B38E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: regsvr32.exe, 00000005.00000003.826473303.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: 77EC63BDA74BD0D0E0426DC8F80085060.5.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000005.00000003.829420861.0000000005320000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.828593542.0000000005320000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.829796778.0000000005320000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?b0ff45d2b2387
Source: regsvr32.exe, 00000005.00000003.826473303.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabD
Source: svchost.exe, 00000015.00000003.571982184.000001CA1558E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.571561051.000001CA155A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: regsvr32.exe, 00000005.00000003.826473303.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.729314283.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://103.221.221.247/
Source: regsvr32.exe, 00000005.00000003.826473303.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.729314283.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://103.221.221.247:8080/
Source: regsvr32.exe, 00000005.00000003.826473303.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.729314283.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://103.221.221.247:8080/gYHJIs
Source: regsvr32.exe, 00000005.00000003.729314283.0000000003474000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://103.221.221.247:8080/gYHJIsD
Source: regsvr32.exe, 00000005.00000003.729314283.0000000003474000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://103.221.221.247:8080/tas
Source: regsvr32.exe, 00000005.00000003.517131871.000000000347A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://120.50.40.183/
Source: regsvr32.exe, 00000005.00000003.826473303.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.729314283.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.608979653.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.517131871.000000000347A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://120.50.40.183:80/
Source: regsvr32.exe, 00000005.00000003.826473303.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.729314283.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.608979653.0000000003474000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://120.50.40.183:80/wVZyzHX
Source: regsvr32.exe, 00000005.00000003.517131871.000000000347A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://120.50.40.183:80/wVZyzHXwzFIbSsMDkdb
Source: regsvr32.exe, 00000005.00000003.517131871.000000000347A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://120.50.40.183:80/wVZyzHXwzFIbSsMDkdb1
Source: regsvr32.exe, 00000005.00000003.517131871.000000000347A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://120.50.40.183:80/wVZyzHXwzFIbSsMDkdbP
Source: regsvr32.exe, 00000005.00000003.826473303.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.729314283.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.608979653.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.517131871.000000000347A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://120.50.40.183:80/wVZyzHXwzFIbSsMDkdbX
Source: regsvr32.exe, 00000005.00000003.517131871.000000000347A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://120.50.40.183:80/wVZyzHXwzFIbSsMDkdbsI
Source: regsvr32.exe, 00000005.00000003.826473303.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://131.100.24.231/
Source: regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://131.100.24.231/I
Source: regsvr32.exe, 00000005.00000003.826473303.0000000003474000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://131.100.24.231:80/
Source: regsvr32.exe, 00000005.00000003.826473303.0000000003474000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://131.100.24.231:80/H
Source: regsvr32.exe, 00000005.00000003.826473303.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://131.100.24.231:80/HjsJJresDkOtazdwjPkgeyoMeBIGInWLCajLkkcuvkifWRvynwfbRFAZdPO
Source: regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.471558713.000000000345A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.729492928.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://149.56.128.192/
Source: regsvr32.exe, 00000005.00000003.471558713.000000000345A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873543622.0000000003426000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://149.56.128.192/fSTm
Source: regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://159.8.59.82/
Source: regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://159.8.59.82/5
Source: regsvr32.exe, 00000005.00000003.826473303.0000000003474000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://159.8.59.82:8080/
Source: regsvr32.exe, 00000005.00000003.826473303.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://159.8.59.82:8080/taEjAKKH
Source: regsvr32.exe, 00000005.00000003.826473303.0000000003474000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://159.8.59.82:8080/taEjAKKHJ
Source: regsvr32.exe, 00000005.00000003.826473303.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.729314283.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.608979653.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://160.16.218.63/
Source: regsvr32.exe, 00000005.00000003.729314283.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.608979653.0000000003474000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://160.16.218.63/K
Source: regsvr32.exe, 00000005.00000003.826473303.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.729314283.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.608979653.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://160.16.218.63/Y
Source: regsvr32.exe, 00000005.00000003.826473303.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.729314283.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.608979653.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://160.16.218.63:8080/rlxtXuQTWcz
Source: regsvr32.exe, 00000005.00000003.826473303.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.729314283.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.608979653.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://160.16.218.63:8080/rlxtXuQTWczj
Source: regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.471558713.000000000345A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.729492928.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://173.254.208.91/
Source: regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.471558713.000000000345A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.729492928.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://173.254.208.91:8080/FHNmSQhMPmUgfiGTpfRKglWV
Source: regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://185.157.82.211/
Source: regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://185.157.82.211/V
Source: regsvr32.exe, 00000005.00000003.826473303.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://185.157.82.211:8080/
Source: regsvr32.exe, 00000005.00000003.826473303.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://185.157.82.211:8080/)
Source: regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://185.157.82.211:8080/riNpYqdQCgxyFX
Source: regsvr32.exe, 00000005.00000003.826473303.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.729314283.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.729492928.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://192.99.251.50/
Source: regsvr32.exe, 00000005.00000003.826473303.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.729314283.0000000003474000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://192.99.251.50/0
Source: regsvr32.exe, 00000005.00000003.826473303.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.729314283.0000000003474000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://192.99.251.50/0/wVZyzHXwzFIbSsMDkdb
Source: regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.729492928.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://192.99.251.50/4
Source: regsvr32.exe, 00000005.00000003.826473303.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.729314283.0000000003474000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://192.99.251.50/99.251.50/hdaVPxkDfoKJQyOXvwYhhkAy
Source: regsvr32.exe, 00000005.00000003.826473303.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.729314283.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.729492928.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://192.99.251.50/hdaVPxkDfoKJQyOXvwYhhkA
Source: regsvr32.exe, 00000005.00000003.729314283.0000000003474000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://192.99.251.50/hdaVPxkDfoKJQyOXvwYhhkAAppData
Source: regsvr32.exe, 00000005.00000003.826473303.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.729314283.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://192.99.251.50/hdaVPxkDfoKJQyOXvwYhhkAQ
Source: regsvr32.exe, 00000005.00000003.826473303.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.729314283.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.608979653.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://206.188.212.92/
Source: regsvr32.exe, 00000005.00000003.826473303.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.729314283.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.608979653.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://206.188.212.92:8080/XGoDqOmEznVckdttzjTudmbZ
Source: regsvr32.exe, 00000005.00000003.608979653.0000000003474000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://46.55.222.11/
Source: regsvr32.exe, 00000005.00000003.826473303.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.729314283.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.608979653.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://46.55.222.11/-
Source: regsvr32.exe, 00000005.00000003.608979653.0000000003474000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://46.55.222.11/.50.40.183/
Source: regsvr32.exe, 00000005.00000003.608979653.0000000003474000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://46.55.222.11/.50.40.183:80/wVZyzHXwzFIbSsMDkdb
Source: regsvr32.exe, 00000005.00000003.826473303.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.729314283.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.608979653.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://46.55.222.11/B
Source: regsvr32.exe, 00000005.00000002.873543622.0000000003426000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://46.55.222.11/BiEgOdFqxzyfFPqwAOweHeXemJBZKjqwNwwVobqyTY
Source: regsvr32.exe, 00000005.00000003.826473303.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.729314283.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.608979653.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://46.55.222.11/BiEgOdFqxzyfFPqwAOweHeXemJBZKjqwNwwVobqyTY=
Source: regsvr32.exe, 00000005.00000003.608979653.0000000003474000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://46.55.222.11/BiEgOdFqxzyfFPqwAOweHeXemJBZKjqwNwwVobqyTYy
Source: regsvr32.exe, 00000005.00000003.729492928.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://46.55.222.11/F
Source: regsvr32.exe, 00000005.00000003.826473303.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://51.91.7.5/
Source: regsvr32.exe, 00000005.00000003.826473303.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://51.91.7.5:8080/
Source: regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://51.91.7.5:8080/rxYzgkPqLyQVovawmSL
Source: regsvr32.exe, 00000005.00000003.729492928.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://51.91.76.89/
Source: regsvr32.exe, 00000005.00000002.873397994.00000000033EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://51.91.76.89:8080/lNTCDnLEFARnzCSTbPqiarmtqBjaTTxMdOLjVhFUj
Source: regsvr32.exe, 00000005.00000003.826473303.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.729314283.0000000003474000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://58.227.42.236/
Source: regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.729492928.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://58.227.42.236/3
Source: regsvr32.exe, 00000005.00000003.729314283.0000000003474000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://58.227.42.236/72.212.216/
Source: regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.729492928.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://58.227.42.236/n
Source: regsvr32.exe, 00000005.00000003.826473303.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.729314283.0000000003474000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://58.227.42.236:80/
Source: regsvr32.exe, 00000005.00000003.729314283.0000000003474000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://58.227.42.236:80/2.212.216:8080/QLBvrKXyQhlLtOrpKVuDaNHJ
Source: regsvr32.exe, 00000005.00000003.826473303.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.729314283.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.729492928.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://58.227.42.236:80/sCQmfFGUJRcSUjROebyagzBacHzSNzxJ
Source: regsvr32.exe, 00000005.00000003.729314283.0000000003474000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://58.227.42.236:80/sCQmfFGUJRcSUjROebyagzBacHzSNzxJ771D
Source: regsvr32.exe, 00000005.00000003.826473303.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.729314283.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://58.227.42.236:80/sCQmfFGUJRcSUjROebyagzBacHzSNzxJh
Source: regsvr32.exe, 00000005.00000003.729492928.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://58.227.42.236:80/sCQmfFGUJRcSUjROebyagzBacHzSNzxJn
Source: regsvr32.exe, 00000005.00000003.729314283.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.729492928.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://79.172.212.216/
Source: regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.729492928.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://79.172.212.216/9
Source: regsvr32.exe, 00000005.00000003.826473303.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.729314283.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://79.172.212.216:8080/
Source: regsvr32.exe, 00000005.00000003.826473303.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.729314283.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://79.172.212.216:8080/QLBvrKXyQhlLtOrpKVuDaNHJ
Source: regsvr32.exe, 00000005.00000003.826473303.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.729314283.0000000003474000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://79.172.212.216:8080/QLBvrKXyQhlLtOrpKVuDaNHJ%
Source: svchost.exe, 00000015.00000003.571982184.000001CA1558E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.571561051.000001CA155A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: regsvr32.exe, 00000005.00000003.608979653.0000000003474000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sls.upP
Source: svchost.exe, 00000015.00000003.567542287.000001CA155AC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.567572106.000001CA15A02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.567792370.000001CA15A19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.567438801.000001CA1559C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.567727159.000001CA1558A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.567687637.000001CA15A03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.567757308.000001CA155AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.hotspotshield.com/
Source: svchost.exe, 00000015.00000003.571982184.000001CA1558E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.571561051.000001CA155A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000015.00000003.571982184.000001CA1558E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.571561051.000001CA155A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000015.00000003.567542287.000001CA155AC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.567572106.000001CA15A02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.567792370.000001CA15A19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.567438801.000001CA1559C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.567727159.000001CA1558A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.567687637.000001CA15A03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.567757308.000001CA155AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.hotspotshield.com/terms/
Source: svchost.exe, 00000015.00000003.567542287.000001CA155AC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.567572106.000001CA15A02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.567792370.000001CA15A19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.567438801.000001CA1559C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.567727159.000001CA1558A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.567687637.000001CA15A03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.567757308.000001CA155AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.pango.co/privacy
Source: svchost.exe, 00000015.00000003.576016058.000001CA15A02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.575804144.000001CA155B5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.575895200.000001CA1558E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.575847849.000001CA155B5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.575944148.000001CA1559F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: global traffic HTTP traffic detected: GET /fSTm HTTP/1.1Cookie: RCgcztBeyqV=lnFDO8M7QZ1oPgB4nY1cj9kEItiu+1IC4kYVxBoxBllfbtHBCudUYjnRoBy8SYXV1srkURbSy/IsFNQ+ucZuSoKtKE0A5BmVzVszJ57xNbQiIl6AXjiVwF9fZa5yKYDVvPEpBhl22lgyuByb+bvkutsXjB2JpqNEfh4g+cnQNOBmZjpGug7GM9O03vTF2D7uGgC81sfYU6tCwLuyKOvpdyEei5sFj+shvwDs+JDlyi5zLxE/FuyzCk3X+efIKtNFb5X94ruZkldLHost: 149.56.128.192Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /BiEgOdFqxzyfFPqwAOweHeXemJBZKjqwNwwVobqyTY HTTP/1.1Cookie: hwPnhB=lnFDO8M7QZ1oPgB4nY1cj9kEItiu+1IC4kYVxBoxBllfbtHBCudUYjnRoBy8SYXV1srkURbSy/IsFNQ+ucZuSoKtKE0A5BmVzVszJ57xNbQiIl6AXjiVwF9fZa5yKYDVvPEpBhl22lgyuByb+bvkutsXjB2JpqNEfh4g+cnQNOBmZjpGug7GM9O03vTF2D7uGgC81sfYU6tCwLuyKOvpd81D4rN1AGkvWGjCmOQEyJVKCjHD95//Nxae/txUYJ5SwYpA/5OYvY6zhTXw98PfWocrrg1I/8T7yt9faC2eGs5YaD2HKU6Z4U7+QDaKwy9bRKPIQC74SA==Host: 46.55.222.11Connection: Keep-AliveCache-Control: no-cache
Source: unknown HTTPS traffic detected: 149.56.128.192:443 -> 192.168.2.7:49764 version: TLS 1.2
Source: unknown HTTPS traffic detected: 46.55.222.11:443 -> 192.168.2.7:49856 version: TLS 1.2
Potential key logger detected (key state polling based)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10042C39 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW, 3_2_10042C39

E-Banking Fraud
barindex
Yara detected Emotet
Source: Yara match File source: 5.2.regsvr32.exe.4df0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.3590000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.3150000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3550000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.4dc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.4b80000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.3150000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.4dc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4c20000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3550000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.3590000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4db0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.361541102.0000000004DB1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.359006501.0000000003590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.361265936.0000000003550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.874265286.0000000004DF1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.359233383.0000000004C21000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.363189239.0000000004B81000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.361757163.0000000003150000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.874183013.0000000004DC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Uses 32bit PE files
Source: bscHLGMyjW.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\regsvr32.exe File deleted: C:\Windows\SysWOW64\Mjzwixkz\jiugg.vcz:Zone.Identifier Jump to behavior
Creates files inside the system directory
Source: C:\Windows\SysWOW64\regsvr32.exe File created: C:\Windows\SysWOW64\Mjzwixkz\ Jump to behavior
Detected potential crypto function
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1006C116 2_2_1006C116
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1006BA52 2_2_1006BA52
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1005D3D0 2_2_1005D3D0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1006DBE5 2_2_1006DBE5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1005FBE9 2_2_1005FBE9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10044502 2_2_10044502
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1006B510 2_2_1006B510
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1006C116 3_2_1006C116
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1006BA52 3_2_1006BA52
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1005D3D0 3_2_1005D3D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1006DBE5 3_2_1006DBE5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1005FBE9 3_2_1005FBE9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10044502 3_2_10044502
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1006B510 3_2_1006B510
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10059E00 3_2_10059E00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10060E5C 3_2_10060E5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1005DE78 3_2_1005DE78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10068EBE 3_2_10068EBE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1005871A 3_2_1005871A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1006AFCE 3_2_1006AFCE
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10059D9C appears 35 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10059D9C appears 44 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1005803F appears 70 times
Sample file is different than original file name gathered from version info
Source: bscHLGMyjW.dll Binary or memory string: OriginalFilenameQuatRotDemo.EXEP vs bscHLGMyjW.dll
PE file contains strange resources
Source: bscHLGMyjW.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: windowscoredeviceinfo.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: windowscoredeviceinfo.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: windowscoredeviceinfo.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: windowscoredeviceinfo.dll Jump to behavior
Source: bscHLGMyjW.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\bscHLGMyjW.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\bscHLGMyjW.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\bscHLGMyjW.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\bscHLGMyjW.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\bscHLGMyjW.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Mjzwixkz\jiugg.vcz"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\bscHLGMyjW.dll,DllUnregisterServerr
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\bscHLGMyjW.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\bscHLGMyjW.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\bscHLGMyjW.dll,DllRegisterServer Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\bscHLGMyjW.dll,DllUnregisterServerr Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\bscHLGMyjW.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Mjzwixkz\jiugg.vcz" Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32 Jump to behavior
Source: classification engine Classification label: mal92.troj.evad.winDLL@20/4@0/41
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\bscHLGMyjW.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1003F1BA LockResource, 2_2_1003F1BA
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\System32\svchost.exe Automated click: OK
Source: bscHLGMyjW.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: bscHLGMyjW.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: bscHLGMyjW.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: bscHLGMyjW.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: bscHLGMyjW.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10058117 push ecx; ret 2_2_1005812A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10059DE1 push ecx; ret 2_2_10059DF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10058117 push ecx; ret 3_2_1005812A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10059DE1 push ecx; ret 3_2_10059DF4
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10066A27 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 2_2_10066A27
PE file contains an invalid checksum
Source: bscHLGMyjW.dll Static PE information: real checksum: 0xecea0 should be: 0xeb5e6
Registers a DLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\bscHLGMyjW.dll
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\regsvr32.exe PE file moved: C:\Windows\SysWOW64\Mjzwixkz\jiugg.vcz Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\regsvr32.exe File opened: C:\Windows\SysWOW64\Mjzwixkz\jiugg.vcz:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Kocvnasf\ohufcnixuaxfi.qqn:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Ttdhcba\lpmnmnmtwarg.oaw:Zone.Identifier read attributes | delete Jump to behavior
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1003A200 IsIconic, 2_2_1003A200
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10040404 IsIconic,GetWindowPlacement,GetWindowRect, 2_2_10040404
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003A200 IsIconic, 3_2_1003A200
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10040404 IsIconic,GetWindowPlacement,GetWindowRect, 3_2_10040404
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Query firmware table information (likely to detect VMs)
Source: C:\Windows\System32\svchost.exe System information queried: FirmwareTableInformation Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 1724 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4824 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6208 Thread sleep time: -30000s >= -30000s Jump to behavior
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\regsvr32.exe API coverage: 4.0 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 4.7 %
Source: C:\Windows\SysWOW64\regsvr32.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\regsvr32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: svchost.exe, 00000019.00000002.875031828.000001BCA7C63000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 0000001E.00000002.875679970.00000249B480C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
Source: svchost.exe, 00000019.00000002.873768952.000001BCA2429000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWM
Source: svchost.exe, 00000015.00000002.596304247.000001CA14A86000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
Source: svchost.exe, 0000001E.00000002.875679970.00000249B480C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.NoneVMware-42 35 44 6e 75 85 11 47-bd a2 bb ed 21 43 9f 89VMware7,1
Source: svchost.exe, 0000001E.00000002.875679970.00000249B480C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware7,1
Source: svchost.exe, 0000001E.00000002.874134233.00000249B38AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
Source: regsvr32.exe, 00000005.00000003.517082902.0000000003447000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.861975728.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.471558713.000000000345A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.471540863.0000000003447000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.873626561.0000000003439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.729492928.0000000003439000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.596464157.000001CA14AEF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.874945338.000001BCA7C49000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.874208129.00000249B38C7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.874224488.00000249B38CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000D.00000002.873278369.000001B139A02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 0000001E.00000002.874134233.00000249B38AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIES1371
Source: svchost.exe, 0000001E.00000002.874134233.00000249B38AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware Virtual RAM
Source: svchost.exe, 0000001E.00000002.875679970.00000249B480C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware-42 35 44 6e 75 85 11 47-bd a2 bb ed 21 43 9f 89
Source: svchost.exe, 0000001E.00000002.874134233.00000249B38AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: svchost.exe, 0000001E.00000002.873878182.00000249B3863000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Source: svchost.exe, 0000001E.00000002.875679970.00000249B480C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.VMW71.00V.18227214.B64.210625222006/25/2021
Source: svchost.exe, 0000000D.00000002.873500156.000001B139A29000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1005E81A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_1005E81A
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10066A27 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 2_2_10066A27
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10057D4F GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,GetCurrentThreadId,__freeptd, 2_2_10057D4F
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1005E81A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_1005E81A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10057102 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_10057102
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100643A7 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_100643A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1005E81A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_1005E81A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10057102 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_10057102
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100643A7 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_100643A7

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 149.56.128.192 443 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 185.157.82.211 8080 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 79.172.212.216 8080 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 131.100.24.231 80 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 46.55.222.11 443 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 51.91.76.89 8080 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 173.254.208.91 8080 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 160.16.218.63 8080 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 206.188.212.92 8080 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 192.99.251.50 443 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 51.91.7.5 8080 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 159.8.59.82 8080 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 120.50.40.183 80 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 58.227.42.236 80 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 103.221.221.247 8080 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\bscHLGMyjW.dll",#1 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _wcscpy_s,__snprintf_s,GetLocaleInfoW,LoadLibraryW, 2_2_1003C980
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA, 2_2_1006D5D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _wcscpy_s,__snprintf_s,GetLocaleInfoW,LoadLibraryW, 3_2_1003C980
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 3_2_1006D5D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 3_2_1006EE9C
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10067B4E cpuid 2_2_10067B4E
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10062032 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 2_2_10062032
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10065EBC __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 3_2_10065EBC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10057D4F GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,GetCurrentThreadId,__freeptd, 2_2_10057D4F
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 0000001E.00000002.875577025.00000249B41ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \BullGuard Ltd\BullGuard\BullGuard.exe

Stealing of Sensitive Information
barindex
Yara detected Emotet
Source: Yara match File source: 5.2.regsvr32.exe.4df0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.3590000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.3150000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3550000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.4dc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.4b80000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.3150000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.4dc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4c20000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3550000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.3590000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4db0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.361541102.0000000004DB1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.359006501.0000000003590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.361265936.0000000003550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.874265286.0000000004DF1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.359233383.0000000004C21000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.363189239.0000000004B81000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.361757163.0000000003150000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.874183013.0000000004DC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 669372 Sample: bscHLGMyjW Startdate: 20/07/2022 Architecture: WINDOWS Score: 92 33 216.64.72.3 WINDSTREAMUS United States 2->33 35 156.4.0.0 VODACOM-ZA United States 2->35 37 22 other IPs or domains 2->37 51 Snort IDS alert for network traffic 2->51 53 Antivirus detection for URL or domain 2->53 55 Yara detected Emotet 2->55 57 C2 URLs / IPs found in malware configuration 2->57 8 loaddll32.exe 1 2->8         started        10 svchost.exe 2->10         started        13 svchost.exe 9 1 2->13         started        16 5 other processes 2->16 signatures3 process4 dnsIp5 18 regsvr32.exe 5 8->18         started        21 cmd.exe 1 8->21         started        23 rundll32.exe 2 8->23         started        25 rundll32.exe 8->25         started        59 Query firmware table information (likely to detect VMs) 10->59 45 127.0.0.1 unknown unknown 13->45 47 192.168.2.1 unknown unknown 16->47 signatures6 process7 signatures8 49 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->49 27 regsvr32.exe 12 18->27         started        31 rundll32.exe 2 21->31         started        process9 dnsIp10 39 79.172.212.216, 49857, 8080 SZERVERPLEXHU Hungary 27->39 41 159.8.59.82, 8080 SOFTLAYERUS United States 27->41 43 13 other IPs or domains 27->43 61 System process connects to network (likely due to code injection or exploit) 27->61 63 Hides that the sample has been downloaded from the Internet (zone.identifier) 31->63 signatures11
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
248.38.74.3
 unknown Reserved
unknown unknown true
208.185.68.3
 unknown United States
396173 SWA-W11-MKT-INETUS true
185.157.82.211
 unknown Poland
42927 S-NET-ASPL true
216.131.66.3
 unknown United States
22781 RBLHSTUS true
180.4.0.0
 unknown Japan 4713 OCNNTTCommunicationsCorporationJP true
79.172.212.216
 unknown Hungary
61998 SZERVERPLEXHU true
114.240.2.0
 unknown China
4808 CHINA169-BJChinaUnicomBeijingProvinceNetworkCN true
220.194.66.52
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN true
91.240.2.0
 unknown United Kingdom
198863 CUP-ASGB true
173.254.208.91
 unknown United States
8100 ASN-QUADRANET-GLOBALUS true
206.188.212.92
 unknown United States
55002 DEFENSE-NETUS true
40.38.70.3
 unknown United States
4249 LILLY-ASUS true
135.52.4.0
 unknown United States
54614 CIKTELECOM-CABLECA true
51.91.7.5
 unknown France
16276 OVHFR true
32.137.69.3
 unknown United States
2686 ATGS-MMD-ASUS true
108.240.2.0
 unknown United States
7018 ATT-INTERNET4US true
148.4.0.0
 unknown United States
6074 LIUNETUS true
108.4.0.0
 unknown United States
701 UUNETUS true
192.16.0.0
 unknown United States
14153 EDGECAST-IRUS true
149.56.128.192
 unknown Canada
16276 OVHFR true
128.4.0.0
 unknown United States
2 UDEL-DCNUS true
120.240.2.0
 unknown China
56040 CMNET-GUANGDONG-APChinaMobilecommunicationscorporation true
131.100.24.231
 unknown Brazil
61635 GOPLEXTELECOMUNICACOESEINTERNETLTDA-MEBR true
156.4.0.0
 unknown United States
29975 VODACOM-ZA true
184.4.0.0
 unknown United States
5778 CENTURYLINK-LEGACY-EMBARQ-RCMTUS true
46.55.222.11
 unknown Bulgaria
34841 BALCHIKNETBG true
51.91.76.89
 unknown France
16276 OVHFR true
103.240.2.0
 unknown unknown
7575 AARNET-AS-APAustralianAcademicandResearchNetworkAARNe true
160.16.218.63
 unknown Japan 9370 SAKURA-BSAKURAInternetIncJP true
224.120.66.3
 unknown Reserved
unknown unknown true
192.99.251.50
 unknown Canada
16276 OVHFR true
216.64.72.3
 unknown United States
7029 WINDSTREAMUS true
124.4.0.0
 unknown India
18302 SKG_NW-AS-KRSKTelecomKR true
112.135.10.118
 unknown Sri Lanka
9329 SLTINT-AS-APSriLankaTelecomInternetLK true
152.4.0.0
 unknown United States
81 NCRENUS true
159.8.59.82
 unknown United States
36351 SOFTLAYERUS true
120.50.40.183
 unknown Singapore
17547 M1NET-SG-APM1NETLTDSG true
58.227.42.236
 unknown Korea Republic of
9318 SKB-ASSKBroadbandCoLtdKR true
103.221.221.247
 unknown Viet Nam
18403 FPT-AS-APTheCorporationforFinancingPromotingTechnolo true

Private

IP
192.168.2.1
127.0.0.1

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://149.56.128.192/fSTm true
  • Avira URL Cloud: malware
 unknown
https://46.55.222.11/BiEgOdFqxzyfFPqwAOweHeXemJBZKjqwNwwVobqyTY true
  • Avira URL Cloud: malware
 unknown