Windows Analysis Report
MIpuuSiSZ4

Overview

General Information

Sample Name:	MIpuuSiSZ4 (renamed file extension from none to dll)
Analysis ID:	671702
MD5:	1dd34935a785a419fb552b5086ea682e
SHA1:	c6c966e4ba623f9972273de07b842ffbb9a9efce
SHA256:	8b5a10f9a8f2b25057442111a01faf021ef7e048eab875a4078a44758d952c6f
Tags:	exeOpenCTIBRSandboxed
Infos:

Detection

Emotet

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Snort IDS alert for network traffic

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries the volume information (name, serial number etc) of a device

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Tries to load missing DLLs

Drops PE files to the windows directory (C:\Windows)

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Registers a DLL

Queries disk information (often used to detect virtual machines)

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: MIpuuSiSZ4.dll	Virustotal: Detection: 72%	Perma Link
Source: MIpuuSiSZ4.dll	Metadefender: Detection: 54%	Perma Link
Source: MIpuuSiSZ4.dll	ReversingLabs: Detection: 88%

Antivirus detection for URL or domain

Source: https://174.138.33.49/7	Avira URL Cloud: Label: malware
Source: https://174.138.33.49:7080/temy	Avira URL Cloud: Label: malware
Source: https://174.138.33.49:7080/Numv	Avira URL Cloud: Label: malware

Source: 0000000C.00000003.792258520.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Emotet {"C2 list": ["192.168.2.7:2", "244.26.0.0:1", "240.69.242.0:2", "184.6.0.0:1", "64.6.0.0:1", "192.6.0.0:1", "244.6.0.0:1", "4.7.0.0:1", "20.7.0.0:1", "76.7.0.0:1", "92.7.0.0:1", "108.7.0.0:1", "112.7.0.0:1", "200.6.0.0:1", "16.7.0.0:1", "96.7.0.0:1", "124.7.0.0:1", "80.7.0.0:1", "128.7.0.0:1", "240.6.0.0:1", "32.7.0.0:1", "36.7.0.0:1", "214.112.3.0:5308", "241.112.3.0:5164", "243.112.3.0:1484"]}

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800427CC _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00000001800427CC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800427CC _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00000001800427CC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180042F88 FindFirstFileExW,	0_2_0000000180042F88
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180043464 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_0000000180043464
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800427CC _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00000001800427CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800427CC _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00000001800427CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180042F88 FindFirstFileExW,	2_2_0000000180042F88
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180043464 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_0000000180043464
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0287C9F0 FindFirstFileW,FindNextFileW,	12_2_0287C9F0

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe

Network Connect: 174.138.33.49 7080

Source: Malware configuration extractor	IPs: 192.168.2.7:2
Source: Malware configuration extractor	IPs: 244.26.0.0:1
Source: Malware configuration extractor	IPs: 240.69.242.0:2
Source: Malware configuration extractor	IPs: 184.6.0.0:1
Source: Malware configuration extractor	IPs: 64.6.0.0:1
Source: Malware configuration extractor	IPs: 192.6.0.0:1
Source: Malware configuration extractor	IPs: 244.6.0.0:1
Source: Malware configuration extractor	IPs: 4.7.0.0:1
Source: Malware configuration extractor	IPs: 20.7.0.0:1
Source: Malware configuration extractor	IPs: 76.7.0.0:1
Source: Malware configuration extractor	IPs: 92.7.0.0:1
Source: Malware configuration extractor	IPs: 108.7.0.0:1
Source: Malware configuration extractor	IPs: 112.7.0.0:1
Source: Malware configuration extractor	IPs: 200.6.0.0:1
Source: Malware configuration extractor	IPs: 16.7.0.0:1
Source: Malware configuration extractor	IPs: 96.7.0.0:1
Source: Malware configuration extractor	IPs: 124.7.0.0:1
Source: Malware configuration extractor	IPs: 80.7.0.0:1
Source: Malware configuration extractor	IPs: 128.7.0.0:1
Source: Malware configuration extractor	IPs: 240.6.0.0:1
Source: Malware configuration extractor	IPs: 32.7.0.0:1
Source: Malware configuration extractor	IPs: 36.7.0.0:1
Source: Malware configuration extractor	IPs: 214.112.3.0:5308
Source: Malware configuration extractor	IPs: 241.112.3.0:5164
Source: Malware configuration extractor	IPs: 243.112.3.0:1484

Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49

Source: regsvr32.exe, 0000000C.00000003.792258520.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.788408312.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.883040476.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.883963436.00000227B5063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.740019918.0000014760705000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000016.00000002.883963436.00000227B5063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.739932682.000001475FCE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: regsvr32.exe, 0000000C.00000003.792402869.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.882736405.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 0000000C.00000003.792258520.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.788408312.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.883040476.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.12.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 0000000C.00000003.563716950.0000000000F5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ba3f020901819
Source: regsvr32.exe, 0000000C.00000003.565719065.000000000300D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.883662137.000000000302C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.565412953.0000000002FD1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.565930872.000000000302C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.caby
Source: svchost.exe, 0000001E.00000003.714545443.00000147607A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000016.00000002.883340069.00000227AF8AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: regsvr32.exe, 0000000C.00000003.792402869.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.882736405.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://174.138.33.49/
Source: regsvr32.exe, 0000000C.00000003.792402869.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.882736405.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://174.138.33.49/7
Source: regsvr32.exe, 0000000C.00000003.792402869.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.882736405.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://174.138.33.49:7080/
Source: regsvr32.exe, 0000000C.00000003.792402869.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.882736405.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://174.138.33.49:7080/Numv
Source: regsvr32.exe, 0000000C.00000003.792402869.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.882736405.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://174.138.33.49:7080/temy
Source: svchost.exe, 0000001E.00000003.714545443.00000147607A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000001E.00000003.710986823.0000014760C19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.710810502.0000014760C02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.710861874.0000014760C03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.710944641.00000147607AD000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.710923120.000001476079C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.hotspotshield.com/
Source: svchost.exe, 0000001E.00000003.714545443.00000147607A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000001E.00000003.714545443.00000147607A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000001E.00000003.710986823.0000014760C19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.710810502.0000014760C02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.710861874.0000014760C03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.710944641.00000147607AD000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.710923120.000001476079C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.hotspotshield.com/terms/
Source: svchost.exe, 0000001E.00000003.710986823.0000014760C19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.710810502.0000014760C02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.710861874.0000014760C03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.710944641.00000147607AD000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.710923120.000001476079C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.pango.co/privacy
Source: svchost.exe, 0000001E.00000003.719101021.00000147607A0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.718967987.00000147607B6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.719233278.0000014760C02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.718937080.00000147607B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Source: Yara match	File source: 3.2.rundll32.exe.1a6c08b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.195c5870000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.1a6c08b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.21313760000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.regsvr32.exe.1000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.21313760000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.1a6c08b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll64.exe.1942a5d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.21313760000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.16a80010000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.16a80010000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.21313760000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.1a6c08b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.195c5870000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.1a6c08b0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.regsvr32.exe.1000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.13b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.1a6c08b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll64.exe.1942a5d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.13b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.21313760000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.21313760000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.457523835.000001A6C0911000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.454942955.0000000001411000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.460329273.0000016A80010000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.500443188.000001A6C0911000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.883306468.0000000001000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.503233757.0000021313901000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.460399040.0000016A80071000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.883481925.0000000002861000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.499993940.000001A6C08B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.488615007.000001942A671000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.458204040.0000021313901000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.468293754.00000195C58D1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.457983091.0000021313760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.457466014.000001A6C08B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.454887422.00000000013B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.448855621.000001A6C0911000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.454361313.0000021313901000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.448792384.000001A6C08B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.468234789.00000195C5870000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.454167344.0000021313760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.503043476.0000021313760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.488528971.000001942A5D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\System32\loaddll64.exe	Code function: String function: 0000000180046D38 appears 44 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 0000000180046D38 appears 44 times

Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\MIpuuSiSZ4.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\MIpuuSiSZ4.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\MIpuuSiSZ4.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\MIpuuSiSZ4.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\MIpuuSiSZ4.dll,AddStroke
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\MIpuuSiSZ4.dll,AddWordsToWordList
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\MIpuuSiSZ4.dll,AdviseInkChange
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 484 -p 6160 -ip 6160
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FmCnbLJkOlaRytmc\QMbXoKRooU.dll"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 516 -p 3896 -ip 3896
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6160 -s 336
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3896 -s 328
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YbTPHZsAWIZFUi\eAeQcUPg.dll"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\MIpuuSiSZ4.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\MIpuuSiSZ4.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\MIpuuSiSZ4.dll,AddStroke	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\MIpuuSiSZ4.dll,AddWordsToWordList	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\MIpuuSiSZ4.dll,AdviseInkChange	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YbTPHZsAWIZFUi\eAeQcUPg.dll"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\MIpuuSiSZ4.dll",#1	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FmCnbLJkOlaRytmc\QMbXoKRooU.dll"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 484 -p 6160 -ip 6160	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 516 -p 3896 -ip 3896	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6160 -s 336	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3896 -s 328	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6160
Source: C:\Windows\System32\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:6496:120:WilError_01
Source: C:\Windows\System32\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:6568:120:WilError_01
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3896

Source: C:\Windows\System32\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: MIpuuSiSZ4.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: MIpuuSiSZ4.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: MIpuuSiSZ4.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: MIpuuSiSZ4.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: MIpuuSiSZ4.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: MIpuuSiSZ4.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: MIpuuSiSZ4.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: MIpuuSiSZ4.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: MIpuuSiSZ4.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: MIpuuSiSZ4.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: MIpuuSiSZ4.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001942A678C72 push ebp; ret		0_2_000001942A678C7D
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_01418C72 push ebp; ret		2_2_01418C7D

Source: C:\Windows\System32\loaddll64.exe	File opened: C:\Windows\system32\YbTPHZsAWIZFUi\eAeQcUPg.dll:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: C:\Windows\system32\FmCnbLJkOlaRytmc\QMbXoKRooU.dll:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\svchost.exe TID: 2240	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3160	Thread sleep time: -120000s >= -30000s

Source: C:\Windows\System32\loaddll64.exe	API coverage: 7.1 %
Source: C:\Windows\System32\regsvr32.exe	API coverage: 7.4 %

Source: svchost.exe, 00000016.00000002.883963436.00000227B5063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.739954619.000001475FCF3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @Hyper-V RAW
Source: regsvr32.exe, 0000000C.00000003.792566060.0000000000EE3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.792402869.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.882736405.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.882901644.0000000000EE3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.882944619.00000227AF829000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.883925272.00000227B504C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.739774338.000001475FC66000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.739198935.000001475FC64000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.739932682.000001475FCE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000E.00000002.882587569.0000023C76802000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: regsvr32.exe, 0000000C.00000003.792566060.0000000000EE3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.882901644.0000000000EE3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWj
Source: loaddll64.exe, 00000000.00000002.488486061.0000019428C98000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000000E.00000002.882727598.0000023C76828000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180002F14 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0000000180002F14
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001360C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000000018001360C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018000386C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000000018000386C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180003A54 SetUnhandledExceptionFilter,	0_2_0000000180003A54
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180002F14 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0000000180002F14
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001360C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_000000018001360C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000386C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_000000018000386C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180003A54 SetUnhandledExceptionFilter,	2_2_0000000180003A54

Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Windows Analysis Report MIpuuSiSZ4

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Windows Analysis Report
MIpuuSiSZ4

Source: C:\Windows\System32\loaddll64.exe	Code function: EnumSystemLocalesW,	0_2_000000018004C150
Source: C:\Windows\System32\loaddll64.exe	Code function: EnumSystemLocalesW,	0_2_000000018004C1D4
Source: C:\Windows\System32\loaddll64.exe	Code function: EnumSystemLocalesW,	0_2_000000018004C2A4
Source: C:\Windows\System32\loaddll64.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_000000018004C364
Source: C:\Windows\System32\loaddll64.exe	Code function: GetLocaleInfoW,	0_2_000000018004C5B0
Source: C:\Windows\System32\loaddll64.exe	Code function: EnumSystemLocalesW,	0_2_0000000180046664
Source: C:\Windows\System32\loaddll64.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_000000018004C708
Source: C:\Windows\System32\loaddll64.exe	Code function: EnumSystemLocalesW,	0_2_0000000180046788
Source: C:\Windows\System32\loaddll64.exe	Code function: GetLocaleInfoW,	0_2_000000018004C7DC
Source: C:\Windows\System32\loaddll64.exe	Code function: EnumSystemLocalesW,	0_2_0000000180046810
Source: C:\Windows\System32\loaddll64.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_000000018004C908
Source: C:\Windows\System32\loaddll64.exe	Code function: GetLocaleInfoW,	0_2_00000001800475F0
Source: C:\Windows\System32\loaddll64.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_000000018004BE04
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,	2_2_000000018004C150
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,	2_2_000000018004C1D4
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,	2_2_000000018004C2A4
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_000000018004C364
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,	2_2_000000018004C5B0
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,	2_2_0000000180046664
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_000000018004C708
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,	2_2_0000000180046788
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,	2_2_000000018004C7DC
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,	2_2_0000000180046810
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_000000018004C908
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,	2_2_00000001800475F0
Source: C:\Windows\System32\regsvr32.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	2_2_000000018004BE04

IP	Domain	Country	ASN	ASN Name	Malicious
32.7.0.0	unknown	United States	2686	ATGS-MMD-ASUS	true
174.138.33.49	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
128.7.0.0	unknown	Germany	680	DFNVereinzurFoerderungeinesDeutschenForschungsnetzese	true
20.7.0.0	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	true
108.7.0.0	unknown	United States	701	UUNETUS	true
80.7.0.0	unknown	United Kingdom	5089	NTLGB	true
92.7.0.0	unknown	United Kingdom	13285	OPALTELECOM-ASTalkTalkCommunicationsLimitedGB	true
244.6.0.0	unknown	Reserved	unknown	unknown	true
240.69.242.0	unknown	Reserved	unknown	unknown	true
184.6.0.0	unknown	United States	209	CENTURYLINK-US-LEGACY-QWESTUS	true
192.6.0.0	unknown	United States	54735	TTGSIUS	true
112.7.0.0	unknown	China	24444	CMNET-V4SHANDONG-AS-APShandongMobileCommunicationCompany	true
64.6.0.0	unknown	United States	14363	MTCCOMMUS	true
214.112.3.0	unknown	United States	721	DNIC-ASBLK-00721-00726US	true
4.7.0.0	unknown	United States	3356	LEVEL3US	true
76.7.0.0	unknown	United States	22186	CENTURYLINK-LEGACY-EMBARQ-KSGRNRUS	true
96.7.0.0	unknown	United States	262589	INTERNEXABRASILOPERADORADETELECOMUNICACOESSABR	true
240.6.0.0	unknown	Reserved	unknown	unknown	true
243.112.3.0	unknown	Reserved	unknown	unknown	true
200.6.0.0	unknown	Ecuador	8151	UninetSAdeCVMX	true
241.112.3.0	unknown	Reserved	unknown	unknown	true
124.7.0.0	unknown	India	4662	QTCN-ASN1GCNetReachRangeIncTW	true
16.7.0.0	unknown	United States	unknown	unknown	true
36.7.0.0	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	true
244.26.0.0	unknown	Reserved	unknown	unknown	true

ID:	671702
Product:	CloudBasic
Start time:	13:55:58
Start date:	22.07.2022
Sample:	MIpuuSiSZ4
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	1dd34935a785a419fb552b5086ea682e
SHA1:	c6c966e4ba623f9972273de07b842ffbb9a9efce
SHA256:	8b5a10f9a8f2b25057442111a01faf021ef7e048eab875a4078a44758d952c6f
Filetype:	Win64 Dynamic Link Library (generic) (102004/3) 86.43%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db	Extensible storage engine DataBase, version 0x620, checksum 0x9bd413be, page size 16384, DirtyShutdown, Windows version 10.0	67BC1180577BCAE7AAAB0395C6668DE1	54063A0EBB7A899A61F7B47C28B184EA080C9FEB	AADEEC33723E9CB7C975F69645141F65B1CF0545EB6FD12269210108B22083D8
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_MIp_773949b15a9dc27bfcd3f791ccbc8dda8da3511_ceeedb37_116bd172\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	DC08AF70F1A9F069487A3081FFAE724A	EE7D71A22BEDE02D198F895950703D4BBF73F5F0	0D736C5C970F822A0FBB017CA75F4894BAF5E23525FAC93D52720D575D247A4C
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_MIp_aa8bb9fdf8d32e2840ca8df43968d536d04b9a9_ceeedb37_1a1fcd1c\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	A86B7FADCDE51D62CE966354FB5F6D3E	3CDC004C4F0E8C87DEDE02051BD08E5733D5A620	62D635E063040B7F760E0424452183FB2DBA728192E3559036CECF5DB0A4B868
C:\ProgramData\Microsoft\Windows\WER\Temp\WER940B.tmp.dmp	Mini DuMP crash report, 15 streams, Fri Jul 22 20:58:11 2022, 0x1205a4 type	6DA5CE983BAF9352E00714A8BB39727E	40AC6315F73498356FFD4546AB837B1EDB8E4436	E1FDAEE089B49ED19476BC82FEADFAC287A65FD3F7FE361C64BEA1CA72FF9F49
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9FD2.tmp.dmp	Mini DuMP crash report, 15 streams, Fri Jul 22 20:58:12 2022, 0x1205a4 type	EA3866323B1704449AD420AFF2568E70	A8D86FB576FDACCE09830A84D42D6BEF00BEE8A6	A076EBFBE6DE8900FA059902F628D87B656F7CA5652162CEFB772D406A486FB2
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB4E2.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	5707F8FB038E671C7B62CB5035AAAB02	74C594EF9DA77B7F4D233D5F7F6C1961A4D7A113	7E3AA329FF2FDBF29AFBBAC46A16C4268399B33CF15B4D0105AC15CCD4ADB59E
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB764.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	1ADF8A480754A46C16ABB3071BBDE030	4296C5D7A325C8AA4A1EE0E4D31C842A9B7A7F51	FF255A547C95F1D3E34B22ABD7F4E29D2F61796538E64A29E0C19F082BAAEC36
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB89A.tmp.csv	data	AD9B2D87A8B0A0650C811F0196D3FC69	E589D91FD2A256451BDD824C34DC087AA4C18F99	8D499200DC2DC20F84F58BC3CB5E051FA9854AFA7A889D84EED09EE5F81E49A5
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBB5A.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	351B391DF4BC5442150F6F2B00D5BD60	79BD5E9F2C1D8B703125E7E0DBC2F0451C6E048E	A3451CB058B5E7CD354B15B5414F4845CD0C6E54A6A823D4BE11F550011DEB0D
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBE49.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	03A8266176247D4230025BA8D9AF1772	FED690D9A1A7086A597B418949F8C37323751285	AA9C108A14F8B04E30FD522AF6327172D809E5DD94B8668DDA229D1CF9CD988C
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC0F8.tmp.csv	data	7D1A88D60AF131C65C41EAF82B0BDEDA	606F6D475DB41C98C1C3A50E9ADFDBD3933E5F57	837BCFBD3BC1953219F1DB90CBE1B34E991CE28DA0AD3F9D3AE530A916061087
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC28F.tmp.txt	data	D113A605C42A9F5B80205B269AFE4CD8	CF90AA4AB1E3B96324E23C137534C2724086C13A	E75D7414ADD5AEFF36D29530716015AF2E6141BB95B1A7C35606363169D1143A
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC6A7.tmp.txt	data	DDA604DCF734EE681590803CEC9FAFE3	862AA166DA42679D7DCA16A4273F829C04FA219E	6444E6B751946D2B298A87E8EA6589E582E2DD588F5D4790B59A8952EA6F862D
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, 61712 bytes, 1 file	589C442FC7A0C70DCA927115A700D41E	66A07DACE3AFBFD1AA07A47E6875BEAB62C4BB31	2E5CB72E9EB43BAAFB6C6BFCC573AAC92F49A8064C483F9D378A9E8E781A526A
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	A42B93B0EC145424B2143A7E54D44391	46B8C15CCF1EEB1A3E06B2AD72434B33E8466FB7	9B6D154A211EA55DA2EF86DCEDA82C22BD0868650C70EE05239917587950244E
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	ASCII text, with no line terminators	DCA83F08D448911A14C22EBCACC5AD57	91270525521B7FE0D986DB19747F47D34B6318AD	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9