Windows Analysis Report
MIpuuSiSZ4.dll

Overview

General Information

Sample Name:	MIpuuSiSZ4.dll
Analysis ID:	671702
MD5:	1dd34935a785a419fb552b5086ea682e
SHA1:	c6c966e4ba623f9972273de07b842ffbb9a9efce
SHA256:	8b5a10f9a8f2b25057442111a01faf021ef7e048eab875a4078a44758d952c6f
Tags:	exeOpenCTIBRSandboxed
Infos:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Snort IDS alert for network traffic

Changes security center settings (notifications, updates, antivirus, firewall)

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries the volume information (name, serial number etc) of a device

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to enumerate running services

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

AV process strings found (often used to terminate AV products)

Tries to load missing DLLs

Drops PE files to the windows directory (C:\Windows)

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Registers a DLL

Queries disk information (often used to detect virtual machines)

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: MIpuuSiSZ4.dll	Virustotal: Detection: 72%	Perma Link
Source: MIpuuSiSZ4.dll	Metadefender: Detection: 54%	Perma Link
Source: MIpuuSiSZ4.dll	ReversingLabs: Detection: 88%

Antivirus detection for URL or domain

Source: https://174.138.33.49:7080/x	Avira URL Cloud: Label: malware
Source: https://174.138.33.49/T	Avira URL Cloud: Label: malware
Source: https://174.138.33.49:7080/tem	URL Reputation: Label: malware
Source: https://174.138.33.49:7080/944	Avira URL Cloud: Label: malware

Source: 0000000C.00000002.662226882.000000000132F000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Emotet {"C2 list": ["101.69.85.108:20", "200.18.0.0:1", "208.9.0.0:2512", "82.10.0.0:2642", "144.1.49.1:2", "20.7.0.0:1", "176.6.0.0:1", "232.6.0.0:1", "136.6.0.0:1", "24.7.0.0:1", "248.6.0.0:1", "68.7.0.0:1", "80.7.0.0:1", "172.6.0.0:1", "96.7.0.0:1", "84.7.0.0:1", "4.7.0.0:1", "100.7.0.0:1", "112.7.0.0:1", "116.7.0.0:1", "180.6.0.0:1", "8.7.0.0:1", "236.6.0.0:1", "64.7.0.0:1", "204.6.0.0:1"]}

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800427CC _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00000001800427CC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800427CC _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00000001800427CC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180042F88 FindFirstFileExW,	0_2_0000000180042F88
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180043464 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_0000000180043464
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800427CC _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00000001800427CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800427CC _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00000001800427CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180042F88 FindFirstFileExW,	2_2_0000000180042F88
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180043464 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_0000000180043464
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_02D2C9F0 FindFirstFileW,FindNextFileW,	12_2_02D2C9F0

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe

Network Connect: 174.138.33.49 7080

Source: Malware configuration extractor	IPs: 101.69.85.108:20
Source: Malware configuration extractor	IPs: 200.18.0.0:1
Source: Malware configuration extractor	IPs: 208.9.0.0:2512
Source: Malware configuration extractor	IPs: 82.10.0.0:2642
Source: Malware configuration extractor	IPs: 144.1.49.1:2
Source: Malware configuration extractor	IPs: 20.7.0.0:1
Source: Malware configuration extractor	IPs: 176.6.0.0:1
Source: Malware configuration extractor	IPs: 232.6.0.0:1
Source: Malware configuration extractor	IPs: 136.6.0.0:1
Source: Malware configuration extractor	IPs: 24.7.0.0:1
Source: Malware configuration extractor	IPs: 248.6.0.0:1
Source: Malware configuration extractor	IPs: 68.7.0.0:1
Source: Malware configuration extractor	IPs: 80.7.0.0:1
Source: Malware configuration extractor	IPs: 172.6.0.0:1
Source: Malware configuration extractor	IPs: 96.7.0.0:1
Source: Malware configuration extractor	IPs: 84.7.0.0:1
Source: Malware configuration extractor	IPs: 4.7.0.0:1
Source: Malware configuration extractor	IPs: 100.7.0.0:1
Source: Malware configuration extractor	IPs: 112.7.0.0:1
Source: Malware configuration extractor	IPs: 116.7.0.0:1
Source: Malware configuration extractor	IPs: 180.6.0.0:1
Source: Malware configuration extractor	IPs: 8.7.0.0:1
Source: Malware configuration extractor	IPs: 236.6.0.0:1
Source: Malware configuration extractor	IPs: 64.7.0.0:1
Source: Malware configuration extractor	IPs: 204.6.0.0:1

Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View	ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS MICROSOFT-CORP-MSN-AS-BLOCKUS

Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49

Source: svchost.exe, 00000020.00000003.605789439.00000298A2773000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals www.facebook.com (Facebook)
Source: svchost.exe, 00000020.00000003.605789439.00000298A2773000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals www.twitter.com (Twitter)
Source: svchost.exe, 00000020.00000003.605789439.00000298A2773000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.605830890.00000298A2784000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-07-22T07:55:01.8237416Z\|\|.\|\|b7e2ac48-308b-4ab0-ad70-c01dd95863e0\|\|1152921505695074449\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 00000020.00000003.605789439.00000298A2773000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.605830890.00000298A2784000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-07-22T07:55:01.8237416Z\|\|.\|\|b7e2ac48-308b-4ab0-ad70-c01dd95863e0\|\|1152921505695074449\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab

Source: svchost.exe, 00000009.00000002.626913081.000002413A266000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.662226882.000000000132F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.444256705.000000000132F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000002.649942559.00000298A2711000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000009.00000002.626913081.000002413A266000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000002.649749481.00000298A1EEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: regsvr32.exe, 0000000C.00000002.661740445.00000000012D3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.444163231.00000000012E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 0000000C.00000003.444256705.000000000132F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.662502712.000000000136D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.445329795.000000000136D000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.12.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 0000000C.00000003.443936950.000000000138D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.445018013.00000000034A1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.663236738.000000000350D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.445267551.000000000350D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.445153458.00000000034E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?e0707f5d6733f
Source: regsvr32.exe, 0000000C.00000002.662226882.000000000132F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.444256705.000000000132F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabvH
Source: regsvr32.exe, 0000000C.00000003.444256705.000000000132F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/pXX
Source: svchost.exe, 00000020.00000003.627116814.00000298A279A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000012.00000002.405412295.000002D970813000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000010.00000002.661987254.000002D0F6641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000010.00000002.661987254.000002D0F6641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000010.00000002.661987254.000002D0F6641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://%s.xboxlive.come
Source: regsvr32.exe, 0000000C.00000002.661956267.0000000001301000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.444203872.0000000001301000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://174.138.33.49/
Source: regsvr32.exe, 0000000C.00000002.661956267.0000000001301000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.444203872.0000000001301000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://174.138.33.49/T
Source: regsvr32.exe, 0000000C.00000002.661956267.0000000001301000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.661740445.00000000012D3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.444163231.00000000012E2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.444203872.0000000001301000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://174.138.33.49:7080/
Source: regsvr32.exe, 0000000C.00000002.661740445.00000000012D3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.444163231.00000000012E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://174.138.33.49:7080/944
Source: regsvr32.exe, 0000000C.00000002.661740445.00000000012D3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.444163231.00000000012E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://174.138.33.49:7080/tem
Source: regsvr32.exe, 0000000C.00000002.661956267.0000000001301000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.444203872.0000000001301000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://174.138.33.49:7080/x
Source: svchost.exe, 00000010.00000002.661987254.000002D0F6641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000012.00000003.404914654.000002D970861000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000010.00000002.661987254.000002D0F6641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000010.00000002.661987254.000002D0F6641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000012.00000003.404945537.000002D97085A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000012.00000002.405473479.000002D97085C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.404945537.000002D97085A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000012.00000003.404914654.000002D970861000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000012.00000002.405452602.000002D97083D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000012.00000002.405473479.000002D97085C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.404945537.000002D97085A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000012.00000003.404914654.000002D970861000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000012.00000002.405466984.000002D97084E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.404854812.000002D970849000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000012.00000002.405473479.000002D97085C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.404945537.000002D97085A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000012.00000003.404914654.000002D970861000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000012.00000002.405452602.000002D97083D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000012.00000003.404914654.000002D970861000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000012.00000003.404914654.000002D970861000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000012.00000003.404914654.000002D970861000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000012.00000002.405457932.000002D970842000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.404980940.000002D970840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.405017263.000002D970841000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000012.00000002.405457932.000002D970842000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.404980940.000002D970840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.405017263.000002D970841000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000012.00000003.404914654.000002D970861000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000012.00000002.405473479.000002D97085C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.404980940.000002D970840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.404945537.000002D97085A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000020.00000003.627116814.00000298A279A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000012.00000003.404945537.000002D97085A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000012.00000002.405473479.000002D97085C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.404945537.000002D97085A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000012.00000003.404945537.000002D97085A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000012.00000003.404854812.000002D970849000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000012.00000003.404914654.000002D970861000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000012.00000002.405452602.000002D97083D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000012.00000003.383087363.000002D970831000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000020.00000003.620490256.00000298A2781000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.620519716.00000298A2C19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.620333446.00000298A279D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.620402747.00000298A2C02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.620475663.00000298A27AD000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.620374463.00000298A27AD000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.620430135.00000298A2C03000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.hotspotshield.com/
Source: svchost.exe, 00000012.00000002.405452602.000002D97083D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000012.00000002.405412295.000002D970813000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.405452602.000002D97083D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000012.00000003.383087363.000002D970831000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000012.00000003.404980940.000002D970840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.405005326.000002D970845000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000012.00000003.383087363.000002D970831000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000012.00000003.383087363.000002D970831000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.405447191.000002D97083A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000012.00000002.405412295.000002D970813000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 00000020.00000003.627116814.00000298A279A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000020.00000003.627116814.00000298A279A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000020.00000003.620490256.00000298A2781000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.620519716.00000298A2C19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.620333446.00000298A279D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.620402747.00000298A2C02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.620475663.00000298A27AD000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.620374463.00000298A27AD000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.620430135.00000298A2C03000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.hotspotshield.com/terms/
Source: svchost.exe, 00000020.00000003.620490256.00000298A2781000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.620519716.00000298A2C19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.620333446.00000298A279D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.620402747.00000298A2C02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.620475663.00000298A27AD000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.620374463.00000298A27AD000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.620430135.00000298A2C03000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.pango.co/privacy
Source: svchost.exe, 00000020.00000003.629383351.00000298A279F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Source: Yara match	File source: 2.2.regsvr32.exe.710000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.22fc4510000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.regsvr32.exe.2cb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.22fc4510000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.14980010000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.22fc4510000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.20000010000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.22fc4510000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.14980010000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.1a029ee0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.22fc4510000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.1a029ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.14980010000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.22fc4510000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.20000010000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.14980010000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.14980010000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.14980010000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.regsvr32.exe.2cb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll64.exe.15738060000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll64.exe.15738060000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.364452628.0000015738060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.345850399.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.351700174.0000020000071000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.662977936.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.348541554.0000022FC4510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.351638703.0000020000010000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.377797661.0000022FC4510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.378702987.0000014980010000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.378747717.0000014980071000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.346021007.0000000002061000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.348813253.0000022FC4571000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.358968494.000001A029F41000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.338942505.0000022FC4510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.377880147.0000022FC4571000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.662715077.0000000002CB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.352241442.0000014980010000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.338998123.0000022FC4571000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.364805521.0000015739971000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.345097590.0000014980010000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.349632978.0000014980071000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.352325443.0000014980071000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.358868561.000001A029EE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\System32\loaddll64.exe	Code function: String function: 0000000180046D38 appears 44 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 0000000180046D38 appears 44 times

Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll	Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\MIpuuSiSZ4.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\MIpuuSiSZ4.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\MIpuuSiSZ4.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\MIpuuSiSZ4.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\MIpuuSiSZ4.dll,AddStroke
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\MIpuuSiSZ4.dll,AddWordsToWordList
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\MIpuuSiSZ4.dll,AdviseInkChange
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GAjjZRZVj\QFdWkQKkPokX.dll"
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6776 -s 324
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6792 -s 328
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZcjkHmdxs\qpwRIIkrlFzB.dll"
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\MIpuuSiSZ4.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\MIpuuSiSZ4.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\MIpuuSiSZ4.dll,AddStroke	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\MIpuuSiSZ4.dll,AddWordsToWordList	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\MIpuuSiSZ4.dll,AdviseInkChange	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZcjkHmdxs\qpwRIIkrlFzB.dll"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\MIpuuSiSZ4.dll",#1	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GAjjZRZVj\QFdWkQKkPokX.dll"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable

Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6792
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6352:120:WilError_01
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6776

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: MIpuuSiSZ4.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: MIpuuSiSZ4.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: MIpuuSiSZ4.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: MIpuuSiSZ4.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: MIpuuSiSZ4.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: MIpuuSiSZ4.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: MIpuuSiSZ4.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: MIpuuSiSZ4.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: MIpuuSiSZ4.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: MIpuuSiSZ4.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: MIpuuSiSZ4.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000015739978C72 push ebp; ret		0_2_0000015739978C7D
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_02068C72 push ebp; ret		2_2_02068C7D

Source: C:\Windows\System32\loaddll64.exe	File opened: C:\Windows\system32\ZcjkHmdxs\qpwRIIkrlFzB.dll:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: C:\Windows\system32\GAjjZRZVj\QFdWkQKkPokX.dll:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\svchost.exe TID: 7016	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7020	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1032	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\loaddll64.exe	API coverage: 9.0 %
Source: C:\Windows\System32\regsvr32.exe	API coverage: 7.1 %

Source: svchost.exe, 00000009.00000002.626913081.000002413A266000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "@Hyper-V RAWGlobal\BFE_Notify_Event_{f3c219e5-8073-4743-9b26-35724d75b7c3}LMEM
Source: svchost.exe, 00000020.00000002.649906463.00000298A2700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 00000007.00000002.661391909.0000017603802000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 00000009.00000002.626869690.000002413A259000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.625682040.0000024134C29000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.661956267.0000000001301000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.661740445.00000000012D3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.444163231.00000000012E2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.444203872.0000000001301000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000002.649749481.00000298A1EEA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000002.649489638.00000298A1E70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: regsvr32.exe, 00000002.00000003.338636942.0000000000814000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000007.00000002.661773254.0000017603840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.661987254.000002D0F6641000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.661749128.000001E262629000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior

Windows Analysis Report MIpuuSiSZ4.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Windows Analysis Report
MIpuuSiSZ4.dll

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180002F14 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0000000180002F14
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001360C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000000018001360C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018000386C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000000018000386C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180003A54 SetUnhandledExceptionFilter,	0_2_0000000180003A54
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180002F14 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0000000180002F14
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001360C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_000000018001360C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000386C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_000000018000386C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180003A54 SetUnhandledExceptionFilter,	2_2_0000000180003A54

Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Code function: EnumSystemLocalesW,	0_2_000000018004C150
Source: C:\Windows\System32\loaddll64.exe	Code function: EnumSystemLocalesW,	0_2_000000018004C1D4
Source: C:\Windows\System32\loaddll64.exe	Code function: EnumSystemLocalesW,	0_2_000000018004C2A4
Source: C:\Windows\System32\loaddll64.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_000000018004C364
Source: C:\Windows\System32\loaddll64.exe	Code function: GetLocaleInfoW,	0_2_000000018004C5B0
Source: C:\Windows\System32\loaddll64.exe	Code function: EnumSystemLocalesW,	0_2_0000000180046664
Source: C:\Windows\System32\loaddll64.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_000000018004C708
Source: C:\Windows\System32\loaddll64.exe	Code function: EnumSystemLocalesW,	0_2_0000000180046788
Source: C:\Windows\System32\loaddll64.exe	Code function: GetLocaleInfoW,	0_2_000000018004C7DC
Source: C:\Windows\System32\loaddll64.exe	Code function: EnumSystemLocalesW,	0_2_0000000180046810
Source: C:\Windows\System32\loaddll64.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_000000018004C908
Source: C:\Windows\System32\loaddll64.exe	Code function: GetLocaleInfoW,	0_2_00000001800475F0
Source: C:\Windows\System32\loaddll64.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_000000018004BE04
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,	2_2_000000018004C150
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,	2_2_000000018004C1D4
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,	2_2_000000018004C2A4
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_000000018004C364
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,	2_2_000000018004C5B0
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,	2_2_0000000180046664
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_000000018004C708
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,	2_2_0000000180046788
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,	2_2_000000018004C7DC
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,	2_2_0000000180046810
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_000000018004C908
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,	2_2_00000001800475F0
Source: C:\Windows\System32\regsvr32.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	2_2_000000018004BE04

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Source: svchost.exe, 00000014.00000002.662009877.000001B1E9902000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000014.00000002.661820829.000001B1E983D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $@V%ProgramFiles%\Windows Defender\MsMpeng.exe

IP	Domain	Country	ASN	ASN Name	Malicious
174.138.33.49	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
248.6.0.0	unknown	Reserved	unknown	unknown	true
20.7.0.0	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	true
101.69.85.108	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	true
176.6.0.0	unknown	Germany	12638	AS12638DuesseldorfDE	true
144.1.49.1	unknown	unknown	58541	CHINATELECOM-SHANDONG-QINGDAO-IDCQingdao266000CN	true
80.7.0.0	unknown	United Kingdom	5089	NTLGB	true
64.7.0.0	unknown	United States	4565	MEGAPATH2-US	true
24.7.0.0	unknown	United States	7922	COMCAST-7922US	true
112.7.0.0	unknown	China	24444	CMNET-V4SHANDONG-AS-APShandongMobileCommunicationCompany	true
4.7.0.0	unknown	United States	3356	LEVEL3US	true
208.9.0.0	unknown	United States	1239	SPRINTLINKUS	true
232.6.0.0	unknown	Reserved	unknown	unknown	true
96.7.0.0	unknown	United States	262589	INTERNEXABRASILOPERADORADETELECOMUNICACOESSABR	true
204.6.0.0	unknown	United States	174	COGENT-174US	true
172.6.0.0	unknown	United States	7018	ATT-INTERNET4US	true
100.7.0.0	unknown	United States	701	UUNETUS	true
180.6.0.0	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	true
84.7.0.0	unknown	France	8228	CEGETEL-ASFR	true
200.18.0.0	unknown	Brazil	10715	UniversidadeFederaldeSantaCatarinaBR	true
136.6.0.0	unknown	United States	60311	ONEFMCH	true
236.6.0.0	unknown	Reserved	unknown	unknown	true
68.7.0.0	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
116.7.0.0	unknown	China	4809	CHINATELECOM-CORE-WAN-CN2ChinaTelecomNextGenerationCarr	true
8.7.0.0	unknown	United States	3356	LEVEL3US	true
82.10.0.0	unknown	United Kingdom	5089	NTLGB	true

ID:	671702
Product:	CloudBasic
Start time:	14:09:07
Start date:	22.07.2022
Sample:	MIpuuSiSZ4.dll
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	1dd34935a785a419fb552b5086ea682e
SHA1:	c6c966e4ba623f9972273de07b842ffbb9a9efce
SHA256:	8b5a10f9a8f2b25057442111a01faf021ef7e048eab875a4078a44758d952c6f
Filetype:	Win64 Dynamic Link Library (generic) (102004/3) 86.43%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Network\Downloader\edb.chk	data	BF1DC7D5D8DAD7478F426DF8B3F8BAA6	C6B0BDE788F553F865D65F773D8F6A3546887E42	BE47C764C38CA7A90A345BE183F5261E89B98743B5E35989E9A8BE0DA498C0F2
C:\ProgramData\Microsoft\Network\Downloader\edb.log	MPEG-4 LOAS	70A5B7D8E2DEE8170DC1E083CCA3CE17	F3B8F17368F39ED7713E65721C93D6D3B7B9A2C2	8D6AA38C684CD3C65C1F854E1B31676DD9E332B2134F06DF5BCCB0D91689F781
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db	Extensible storage engine DataBase, version 0x620, checksum 0x9fe2e37f, page size 16384, Windows version 10.0	19F8855F774735CCC8BCE5F79ED231B6	C105EA75CC9D92EBD60BF55AE5522FEE898489B9	12C3290682DD6BB02DC0360DC3DA9575C5C400597D69DEECACE4DC70F99E5917
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm	data	CD01E4F23E04035414BA9B9633F9F1EF	EFE4C001C27E9C473AC3A4B7C8471E215781E2A1	DE5735C8E68FAA5BBB3AD2934EAB9B2E8103ACCF6E22179CDDC14081F9FE9558
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_MIp_773949b15a9dc27bfcd3f791ccbc8dda8da3511_ceeedb37_0e0d5ce9\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	7DC9F73DEF29002E1206FA23948F2E42	1514D0E4D04F00199CB62E657FE2EEA370DD278D	A63786AA6434919A07EA05F40E5E86AEC6326D065C90A85C2F81BD5E2F0009B1
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_MIp_aa8bb9fdf8d32e2840ca8df43968d536d04b9a9_ceeedb37_07895910\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	311D9D5DD757DFFCA2D4B6C46870D415	99417DC19B7ACFA4A69EEB8AAFAA08B956B455C4	AFFA8D1168A1B8417E115A4B9C95BA8A68AD43287E0798545D518E72A72DFC1E
C:\ProgramData\Microsoft\Windows\WER\Temp\WER31C2.tmp.dmp	Mini DuMP crash report, 15 streams, Fri Jul 22 21:11:02 2022, 0x1205a4 type	04E27A5A5CD926209E9DF3277BFD5568	B0F8A53B134CDCCB30E1950AE5DF92D52741CA2C	1A3DF93B9CF4E8B649F71E40438CFD3D809684B16DB6C70BD278D4967FF7A39D
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3A8C.tmp.dmp	Mini DuMP crash report, 15 streams, Fri Jul 22 21:11:04 2022, 0x1205a4 type	B91B0DF6830BF2C08315A77C6D835667	E87AC87670539F0D814421700F853EA438EF304E	8AD8C29581A4743FEF9C7C2772FB721797C5017052C86EF3EDB3368198D26345
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3DB9.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	76CC5955C86EA809660608C5BA848DAC	EDACA74055FDD4B7342A3ACEA1D0ECC7C76FE968	F43D48F38CFECA62BAA7A6DF8C5563926432D4B4A754E320D6A219E829943282
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3FAE.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	F022773265E899347C4417FE0AA02F68	DB1D3257D2301DFFF5014571A7DC99147CA3754F	36AFA68F591F873B69550113030DE17EDC4B060E0F99CCBD34D9DC82D80E3EA5
C:\ProgramData\Microsoft\Windows\WER\Temp\WER43B4.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	E5C28F8EEFAB76EF6FD043E7608A16E4	32F14F79BEF26CC67FE114647893CC62A07A196D	3C0CC2A7F21369758FF51B4B2C18961FB3041FC6129B15DF9401065054CAB076
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4675.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	400AF3467BEA945FF08EEEEA48E212D4	0B3A96CCE356B960C83CBC001F9FB855441B408D	D9870892CC9112382DBAD15D17931C7EC4CE4181B1F5237AA1F3C9B8F4BFDF88
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, 61712 bytes, 1 file	589C442FC7A0C70DCA927115A700D41E	66A07DACE3AFBFD1AA07A47E6875BEAB62C4BB31	2E5CB72E9EB43BAAFB6C6BFCC573AAC92F49A8064C483F9D378A9E8E781A526A
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	393A75620FA9245A499CC73005C86D0E	556A243C5C445F94D53A27B455BB4C5997DA58B8	074F48DB61AAE7BAE1D2CB0A71B962643B737A4B82A2EE57E3D1BA81C69F0937
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	ASCII text, with no line terminators	DCA83F08D448911A14C22EBCACC5AD57	91270525521B7FE0D986DB19747F47D34B6318AD	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators	79C0D9DDA6271582B2DD5E96FD072C8F	C6E2EFC633A02091186D2EEF6B6E6D9728BB8C20	F0AAA959E0E482063E0A73C441F227AD4D89864BB1369BD9F04DCE2416064DBB