Windows Analysis Report
548IrCt4hj

Overview

General Information

Sample Name:	548IrCt4hj (renamed file extension from none to dll)
Analysis ID:	672062
MD5:	7301880b88f87cd3a593f7106d5743cc
SHA1:	c8a2b0ae061b612f4d4a4cfc4ee3e1f7079b4240
SHA256:	c409ad4f64a1ad925ffbfdb88f57dd9177123364a1875caf6cbb6f5ba3970cc3
Tags:	exeOpenCTIBRSandboxed
Infos:

Detection

Emotet

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Snort IDS alert for network traffic

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Program does not show much activity (idle)

IP address seen in connection with other malware

PE file contains an invalid checksum

Tries to load missing DLLs

Drops PE files to the windows directory (C:\Windows)

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Connects to several IPs in different countries

Registers a DLL

Queries disk information (often used to detect virtual machines)

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: 548IrCt4hj.dll	Virustotal: Detection: 70%	Perma Link
Source: 548IrCt4hj.dll	Metadefender: Detection: 45%	Perma Link
Source: 548IrCt4hj.dll	ReversingLabs: Detection: 88%

Antivirus detection for URL or domain

Source: https://174.138.33.49/Z	Avira URL Cloud: Label: malware
Source: https://174.138.33.49:7080/F	Avira URL Cloud: Label: malware
Source: https://174.138.33.49:7080/Only	Avira URL Cloud: Label: malware
Source: https://174.138.33.49:7080/r	Avira URL Cloud: Label: malware
Source: https://174.138.33.49:7080/p	Avira URL Cloud: Label: malware

Source: 0000000A.00000002.940180760.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Emotet {"C2 list": ["139.59.80.108:8080", "83.229.80.93:8080", "190.107.19.179:443", "202.134.4.210:7080", "165.232.185.110:8080", "104.244.79.94:443", "198.199.70.22:8080", "37.44.244.177:8080", "195.77.239.39:8080", "103.85.95.4:8080", "85.214.67.203:8080", "103.41.204.169:8080", "78.47.204.80:443", "190.145.8.4:443", "139.196.72.155:8080", "87.106.97.83:7080", "202.29.239.162:443", "202.28.34.99:8080", "54.37.106.167:8080", "103.224.241.74:8080", "103.254.12.236:7080", "188.165.79.151:443", "43.129.209.178:443", "37.187.114.15:8080", "5.253.30.17:7080", "54.37.228.122:443", "157.230.99.206:8080", "103.56.149.105:8080", "157.245.111.0:8080", "128.199.242.164:8080", "104.248.225.227:8080", "88.217.172.165:8080", "175.126.176.79:8080", "85.25.120.45:8080", "178.62.112.199:8080", "178.238.225.252:8080", "93.104.209.107:8080", "210.57.209.142:8080", "128.199.217.206:443", "103.71.99.57:8080", "64.227.55.231:8080"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0EZiWsQAQAIg=", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW45gAsQAmAIg="]}

Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018006680C FindFirstFileExW,FindNextFileW,FindClose,FindClose,	5_2_000000018006680C
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00000001800671B0 FindFirstFileExW,	5_2_00000001800671B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00000001800677BC FindFirstFileExW,FindNextFileW,FindClose,FindClose,	5_2_00000001800677BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 10_2_024CC9F0 FindFirstFileW,FindNextFileW,	10_2_024CC9F0

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe

Network Connect: 174.138.33.49 7080

Source: Malware configuration extractor	IPs: 139.59.80.108:8080
Source: Malware configuration extractor	IPs: 83.229.80.93:8080
Source: Malware configuration extractor	IPs: 190.107.19.179:443
Source: Malware configuration extractor	IPs: 202.134.4.210:7080
Source: Malware configuration extractor	IPs: 165.232.185.110:8080
Source: Malware configuration extractor	IPs: 104.244.79.94:443
Source: Malware configuration extractor	IPs: 198.199.70.22:8080
Source: Malware configuration extractor	IPs: 37.44.244.177:8080
Source: Malware configuration extractor	IPs: 195.77.239.39:8080
Source: Malware configuration extractor	IPs: 103.85.95.4:8080
Source: Malware configuration extractor	IPs: 85.214.67.203:8080
Source: Malware configuration extractor	IPs: 103.41.204.169:8080
Source: Malware configuration extractor	IPs: 78.47.204.80:443
Source: Malware configuration extractor	IPs: 190.145.8.4:443
Source: Malware configuration extractor	IPs: 139.196.72.155:8080
Source: Malware configuration extractor	IPs: 87.106.97.83:7080
Source: Malware configuration extractor	IPs: 202.29.239.162:443
Source: Malware configuration extractor	IPs: 202.28.34.99:8080
Source: Malware configuration extractor	IPs: 54.37.106.167:8080
Source: Malware configuration extractor	IPs: 103.224.241.74:8080
Source: Malware configuration extractor	IPs: 103.254.12.236:7080
Source: Malware configuration extractor	IPs: 188.165.79.151:443
Source: Malware configuration extractor	IPs: 43.129.209.178:443
Source: Malware configuration extractor	IPs: 37.187.114.15:8080
Source: Malware configuration extractor	IPs: 5.253.30.17:7080
Source: Malware configuration extractor	IPs: 54.37.228.122:443
Source: Malware configuration extractor	IPs: 157.230.99.206:8080
Source: Malware configuration extractor	IPs: 103.56.149.105:8080
Source: Malware configuration extractor	IPs: 157.245.111.0:8080
Source: Malware configuration extractor	IPs: 128.199.242.164:8080
Source: Malware configuration extractor	IPs: 104.248.225.227:8080
Source: Malware configuration extractor	IPs: 88.217.172.165:8080
Source: Malware configuration extractor	IPs: 175.126.176.79:8080
Source: Malware configuration extractor	IPs: 85.25.120.45:8080
Source: Malware configuration extractor	IPs: 178.62.112.199:8080
Source: Malware configuration extractor	IPs: 178.238.225.252:8080
Source: Malware configuration extractor	IPs: 93.104.209.107:8080
Source: Malware configuration extractor	IPs: 210.57.209.142:8080
Source: Malware configuration extractor	IPs: 128.199.217.206:443
Source: Malware configuration extractor	IPs: 103.71.99.57:8080
Source: Malware configuration extractor	IPs: 64.227.55.231:8080

Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS

Source: Joe Sandbox View	IP Address: 157.230.99.206 157.230.99.206
Source: Joe Sandbox View	IP Address: 157.245.111.0 157.245.111.0

Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49

Source: svchost.exe, 00000019.00000003.551262839.0000015F2D570000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals www.facebook.com (Facebook)
Source: svchost.exe, 00000019.00000003.551262839.0000015F2D570000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals www.twitter.com (Twitter)
Source: svchost.exe, 00000019.00000003.551262839.0000015F2D570000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000003.550189528.0000015F2D582000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-07-22T07:55:01.8237416Z\|\|.\|\|b7e2ac48-308b-4ab0-ad70-c01dd95863e0\|\|1152921505695074449\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 00000019.00000003.551262839.0000015F2D570000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000003.550189528.0000015F2D582000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-07-22T07:55:01.8237416Z\|\|.\|\|b7e2ac48-308b-4ab0-ad70-c01dd95863e0\|\|1152921505695074449\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab

Source: regsvr32.exe, 0000000A.00000002.940537855.0000000000B80000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000003.480115635.0000000000B80000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.836628963.0000018894A9D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.595043128.0000015F2CCE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000013.00000002.836139820.00000188934BB000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.835512145.00000188934BB000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.595043128.0000015F2CCE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: regsvr32.exe, 0000000A.00000003.480159823.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.940603447.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabV&V
Source: regsvr32.exe, 0000000A.00000003.480288771.0000000000B4B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000003.480216789.0000000000B21000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.940449077.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enf
Source: svchost.exe, 00000019.00000003.568619378.0000015F2D586000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000003.568197795.0000015F2D598000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: regsvr32.exe, 0000000A.00000002.940330437.0000000000B21000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000003.480216789.0000000000B21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://174.138.33.49/
Source: regsvr32.exe, 0000000A.00000002.940330437.0000000000B21000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000003.480216789.0000000000B21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://174.138.33.49/Z
Source: regsvr32.exe, 0000000A.00000002.940330437.0000000000B21000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000003.480216789.0000000000B21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://174.138.33.49:7080/
Source: regsvr32.exe, 0000000A.00000002.940330437.0000000000B21000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000003.480216789.0000000000B21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://174.138.33.49:7080/F
Source: regsvr32.exe, 0000000A.00000002.940330437.0000000000B21000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000003.480216789.0000000000B21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://174.138.33.49:7080/Only
Source: regsvr32.exe, 0000000A.00000002.940330437.0000000000B21000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000003.480216789.0000000000B21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://174.138.33.49:7080/p
Source: regsvr32.exe, 0000000A.00000002.940330437.0000000000B21000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000003.480216789.0000000000B21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://174.138.33.49:7080/r
Source: svchost.exe, 00000019.00000003.568619378.0000015F2D586000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000003.568197795.0000015F2D598000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000019.00000003.563618298.0000015F2D599000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000003.563853374.0000015F2D5A9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000003.563634572.0000015F2D5A9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000003.563884423.0000015F2DA19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000003.563734310.0000015F2D587000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000003.563691195.0000015F2DA03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000003.563660153.0000015F2DA02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.hotspotshield.com/
Source: svchost.exe, 00000019.00000003.568619378.0000015F2D586000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000003.568197795.0000015F2D598000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000019.00000003.568619378.0000015F2D586000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000003.568197795.0000015F2D598000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000019.00000003.563618298.0000015F2D599000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000003.563853374.0000015F2D5A9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000003.563634572.0000015F2D5A9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000003.563884423.0000015F2DA19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000003.563734310.0000015F2D587000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000003.563691195.0000015F2DA03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000003.563660153.0000015F2DA02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.hotspotshield.com/terms/
Source: svchost.exe, 00000019.00000003.563618298.0000015F2D599000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000003.563853374.0000015F2D5A9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000003.563634572.0000015F2D5A9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000003.563884423.0000015F2DA19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000003.563734310.0000015F2D587000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000003.563691195.0000015F2DA03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000003.563660153.0000015F2DA02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.pango.co/privacy
Source: svchost.exe, 00000019.00000003.572982528.0000015F2D59A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000003.572906706.0000015F2D5B0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000003.572968023.0000015F2D589000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000003.573008527.0000015F2DA02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000003.572949834.0000015F2D5B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Source: Yara match	File source: 7.2.rundll32.exe.1e034440000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.1f33eb00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.1120000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.1e034440000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.regsvr32.exe.c20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.regsvr32.exe.c20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.1f33eb00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.1120000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.424123479.000001E034440000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.940693332.0000000000C20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.427012616.0000000001120000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.422757747.000001F33EB00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.940812969.00000000024B1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.422895400.000001F33EC51000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.424307117.000001E034471000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.427064425.0000000001151000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 000000018006BC48 appears 58 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00000001800019CE appears 79 times

Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll			Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll			Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\548IrCt4hj.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\548IrCt4hj.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\548IrCt4hj.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\548IrCt4hj.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\548IrCt4hj.dll,DllCanUnloadNow
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZPLPsNKH\eFntQ.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\548IrCt4hj.dll,DllGetClassObject
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\548IrCt4hj.dll,DllRegisterServer
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\548IrCt4hj.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\548IrCt4hj.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\548IrCt4hj.dll,DllCanUnloadNow	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\548IrCt4hj.dll,DllGetClassObject	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\548IrCt4hj.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\548IrCt4hj.dll",#1	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZPLPsNKH\eFntQ.dll"	Jump to behavior

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK

Source: 548IrCt4hj.dll	Static PE information: section name: .00cfg
Source: 548IrCt4hj.dll	Static PE information: section name: _RDATA

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\svchost.exe TID: 5220	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6620	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6012	Thread sleep time: -90000s >= -30000s	Jump to behavior

Source: svchost.exe, 00000013.00000002.836485099.0000018894A65000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.595056654.0000015F2CCF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @Hyper-V RAW
Source: regsvr32.exe, 0000000A.00000003.480288771.0000000000B4B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000003.480216789.0000000000B21000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.940449077.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.835848057.000001889342A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.836463528.0000018894A54000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.595043128.0000015F2CCE9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000015.00000002.940237565.000001D31EA02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: regsvr32.exe, 0000000A.00000002.940330437.0000000000B21000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000003.480216789.0000000000B21000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.594594939.0000015F2CC71000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: svchost.exe, 00000015.00000002.940346278.000001D31EA28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018002BAEC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		5_2_000000018002BAEC
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180003841 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		5_2_0000000180003841

Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,	5_2_0000000180002B08
Source: C:\Windows\System32\regsvr32.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	5_2_0000000180071D18
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,	5_2_0000000180072138
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,	5_2_00000001800721DC
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,	5_2_00000001800722DC
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	5_2_00000001800723C8
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,	5_2_00000001800726A4
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	5_2_0000000180072854
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,	5_2_0000000180072960
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	5_2_0000000180072AD8
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,	5_2_000000018006B3D0
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,	5_2_000000018006B534
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,	5_2_000000018006B5DC

IP	Domain	Country	ASN	ASN Name	Malicious
157.230.99.206	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
157.245.111.0	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
54.37.106.167	unknown	France	16276	OVHFR	true
188.165.79.151	unknown	France	16276	OVHFR	true
202.29.239.162	unknown	Thailand	4621	UNINET-AS-APUNINET-TH	true
174.138.33.49	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
43.129.209.178	unknown	Japan	4249	LILLY-ASUS	true
103.41.204.169	unknown	Indonesia	58397	INFINYS-AS-IDPTInfinysSystemIndonesiaID	true
5.253.30.17	unknown	Latvia	18978	ENZUINC-US	true
85.214.67.203	unknown	Germany	6724	STRATOSTRATOAGDE	true
103.56.149.105	unknown	Indonesia	55688	BEON-AS-IDPTBeonIntermediaID	true
83.229.80.93	unknown	United Kingdom	8513	SKYVISIONGB	true
85.25.120.45	unknown	Germany	8972	GD-EMEA-DC-SXB1DE	true
198.199.70.22	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
37.187.114.15	unknown	France	16276	OVHFR	true
93.104.209.107	unknown	Germany	8767	MNET-ASGermanyDE	true
175.126.176.79	unknown	Korea Republic of	9523	MOKWON-AS-KRMokwonUniversityKR	true
139.196.72.155	unknown	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	true
128.199.242.164	unknown	United Kingdom	14061	DIGITALOCEAN-ASNUS	true
165.232.185.110	unknown	United States	22255	ALLEGHENYHEALTHNETWORKUS	true
104.248.225.227	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
178.238.225.252	unknown	Germany	51167	CONTABODE	true
128.199.217.206	unknown	United Kingdom	14061	DIGITALOCEAN-ASNUS	true
190.145.8.4	unknown	Colombia	14080	TelmexColombiaSACO	true
103.224.241.74	unknown	India	133296	WEBWERKS-AS-INWebWerksIndiaPvtLtdIN	true
103.71.99.57	unknown	India	135682	AWDHPL-AS-INAdvikaWebDevelopmentsHostingPvtLtdIN	true
190.107.19.179	unknown	Colombia	27951	MediaCommercePartnersSACO	true
210.57.209.142	unknown	Indonesia	38142	UNAIR-AS-IDUniversitasAirlanggaID	true
202.28.34.99	unknown	Thailand	9562	MSU-TH-APMahasarakhamUniversityTH	true
87.106.97.83	unknown	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
103.254.12.236	unknown	Viet Nam	56151	DIGISTAR-VNDigiStarCompanyLimitedVN	true
103.85.95.4	unknown	Indonesia	136077	IDNIC-UNSRAT-AS-IDUniversitasIslamNegeriMataramID	true
54.37.228.122	unknown	France	16276	OVHFR	true
202.134.4.210	unknown	Indonesia	7713	TELKOMNET-AS-APPTTelekomunikasiIndonesiaID	true
88.217.172.165	unknown	Germany	8767	MNET-ASGermanyDE	true
195.77.239.39	unknown	Spain	60493	FICOSA-ASES	true
78.47.204.80	unknown	Germany	24940	HETZNER-ASDE	true
139.59.80.108	unknown	Singapore	14061	DIGITALOCEAN-ASNUS	true
104.244.79.94	unknown	United States	53667	PONYNETUS	true
37.44.244.177	unknown	Germany	47583	AS-HOSTINGERLT	true
178.62.112.199	unknown	European Union	14061	DIGITALOCEAN-ASNUS	true
64.227.55.231	unknown	United States	14061	DIGITALOCEAN-ASNUS	true

Windows Analysis Report 548IrCt4hj

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Windows Analysis Report
548IrCt4hj

ID:	672062
Product:	CloudBasic
Start time:	04:55:07
Start date:	23.07.2022
Sample:	548IrCt4hj
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	7301880b88f87cd3a593f7106d5743cc
SHA1:	c8a2b0ae061b612f4d4a4cfc4ee3e1f7079b4240
SHA256:	c409ad4f64a1ad925ffbfdb88f57dd9177123364a1875caf6cbb6f5ba3970cc3
Filetype:	Win64 Dynamic Link Library (generic) (102004/3) 86.43%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Network\Downloader\edb.chk	data	BF1DC7D5D8DAD7478F426DF8B3F8BAA6	C6B0BDE788F553F865D65F773D8F6A3546887E42	BE47C764C38CA7A90A345BE183F5261E89B98743B5E35989E9A8BE0DA498C0F2
C:\ProgramData\Microsoft\Network\Downloader\edb.log	MPEG-4 LOAS	8302100D8C0781AFFA569599554A747D	2AD4A77D9A42C5905F5B8FBAAACCFAB60CA60CD3	8F307CAB2013948ADA4DFE98A26132AC3BDF98B917EB84BBA843DE5977A18C05
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db	Extensible storage engine DataBase, version 0x620, checksum 0x9292e26a, page size 16384, Windows version 10.0	C50F19CC34E36AE9D8945ECDF6CABAD5	15A5137868B1A5D0B8BC5E506A12052CE5CB0AA1	C9A0DFC6BC8086E76E08B4237104495011053AFF5F8DC0D99735BD3A55563327
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm	data	3356637935306EB31EC34EF8F4F51FDE	C1F3106EFAB78E6B7AD03FEBEDBA313849D71462	01E4C7BAED15BB1CBCB4358951970B0080D9F3CE5652A3076424C5C6F767903B
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	ASCII text, with no line terminators	DCA83F08D448911A14C22EBCACC5AD57	91270525521B7FE0D986DB19747F47D34B6318AD	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9