Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Windows\System32\loaddll32.exe

loaddll32.exe "C:\Users\user\Desktop\F086.dll"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C rundll32.exe "C:\Users\user\Desktop\F086.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\user\Desktop\F086.dll,mv_add_i

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\F086.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7152 -s 660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 652

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\user\Desktop\F086.dll,mv_add_q

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\user\Desktop\F086.dll,mv_add_stable

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6716 -s 652

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\F086.dll",mv_add_i

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\F086.dll",mv_add_q

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\F086.dll",mv_add_stable

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\F086.dll",next

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\F086.dll",mvutil_license

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\F086.dll",mvutil_configuration

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6712 -s 652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7044 -s 652

C:\Windows\SysWOW64\wermgr.exe

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

There are 9 hidden processes, click here to show them.

URLs

Name

Malicious

https://www.xfinity.com/mobile/policies/broadband-disclosures

unknown

http://upx.sf.net

unknown

https://www.xfinity.com/learn/internet-service/acp

unknown

https://www.xfinity.com/networkmanagement

unknown

https://streams.videolan.org/upload/

unknown

Details

Name:	https://streams.videolan.org/upload/
TargetID:	-1
From Memory:	true
Source:	rundll32.exe, rundll32.exe, 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.488551661.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.495622337.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.504031322.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.504159065.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000002.508750049.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, F086.dll
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://xfinity.com/

68.87.41.40

Details

Name:	https://xfinity.com/
IP:	68.87.41.40
TargetID:	24
From Memory:	false
Current Path:	C:\Windows\SysWOW64\wermgr.exe
Source:	network
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Domains

Name

Malicious

xfinity.com

68.87.41.40

Details

Name:	xfinity.com
IP:	68.87.41.40
TargetID:	24
Current Path:	C:\Windows\SysWOW64\wermgr.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Sample uses string decryption to hide its real strings	AV Detection
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

www.xfinity.com

unknown

IPs

Domain

Country

Malicious

2.82.8.80

unknown

Portugal

70.160.67.203

unknown

United States

75.143.236.149

unknown

United States

83.110.223.61

unknown

United Arab Emirates

86.195.14.72

unknown

France

84.215.202.8

unknown

Norway

184.182.66.109

unknown

United States

92.186.69.229

unknown

France

174.4.89.3

unknown

Canada

161.142.103.187

unknown

Malaysia

114.143.176.236

unknown

India

14.192.241.76

unknown

Malaysia

173.88.135.179

unknown

United States

84.108.200.161

unknown

Israel

47.34.30.133

unknown

United States

183.87.163.165

unknown

India

184.181.75.148

unknown

United States

124.149.143.189

unknown

Australia

84.35.26.14

unknown

Netherlands

73.29.92.128

unknown

United States

68.203.69.96

unknown

United States

82.131.141.209

unknown

Hungary

64.121.161.102

unknown

United States

178.175.187.254

unknown

Moldova Republic of

96.56.197.26

unknown

United States

186.64.67.30

unknown

Argentina

188.28.19.84

unknown

United Kingdom

125.99.76.102

unknown

India

81.101.185.146

unknown

United Kingdom

59.28.84.65

unknown

Korea Republic of

105.186.128.181

unknown

South Africa

76.86.31.59

unknown

United States

147.147.30.126

unknown

United Kingdom

96.87.28.170

unknown

United States

75.109.111.89

unknown

United States

78.92.133.215

unknown

Hungary

124.122.47.148

unknown

Thailand

88.126.94.4

unknown

France

51.14.29.227

unknown

United Kingdom

85.57.212.13

unknown

Spain

47.205.25.170

unknown

United States

95.45.50.93

unknown

Ireland

80.12.88.148

unknown

France

69.133.162.35

unknown

United States

86.132.236.117

unknown

United Kingdom

151.62.238.176

unknown

Italy

70.112.206.5

unknown

United States

205.237.67.69

unknown

Canada

102.159.188.125

unknown

Tunisia

151.65.167.77

unknown

Italy

76.178.148.107

unknown

United States

89.36.206.69

unknown

Italy

69.242.31.249

unknown

United States

193.253.100.236

unknown

France

76.16.49.134

unknown

United States

94.207.104.225

unknown

United Arab Emirates

201.244.108.183

unknown

Colombia

103.42.86.42

unknown

India

78.18.105.11

unknown

Ireland

80.6.50.34

unknown

United Kingdom

103.144.201.56

unknown

27.0.48.233

unknown

India

70.28.50.223

unknown

Canada

98.145.23.67

unknown

United States

47.149.134.231

unknown

United States

82.125.44.236

unknown

France

81.229.117.95

unknown

Sweden

89.129.109.27

unknown

Spain

122.186.210.254

unknown

India

79.77.142.22

unknown

United Kingdom

90.78.147.141

unknown

France

122.184.143.86

unknown

India

186.75.95.6

unknown

Panama

50.68.186.195

unknown

Canada

12.172.173.82

unknown

United States

213.64.33.61

unknown

Sweden

79.168.224.165

unknown

Portugal

86.97.55.89

unknown

United Arab Emirates

176.142.207.63

unknown

France

92.154.17.149

unknown

France

174.58.146.57

unknown

United States

78.160.146.127

unknown

Turkey

58.186.75.42

unknown

Viet Nam

223.166.13.95

unknown

China

65.95.141.84

unknown

Canada

50.68.204.71

unknown

Canada

71.38.155.217

unknown

United States

104.35.24.154

unknown

United States

220.240.164.182

unknown

Australia

103.123.223.133

unknown

India

24.198.114.130

unknown

United States

2.36.64.159

unknown

Italy

198.2.51.242

unknown

United States

92.9.45.20

unknown

United Kingdom

113.11.92.30

unknown

Bangladesh

69.119.123.159

unknown

United States

69.123.4.221

unknown

United States

172.115.17.50

unknown

United States

68.87.41.40

xfinity.com

United States

192.168.2.1

unknown

There are 90 hidden IPs, click here to show them.

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

AmiHivePermissionsCorrect

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

AmiHiveOwnerCorrect

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\Debug

ExceptionRecord

HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Property

001840064172BCE4

HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}

DeviceTicket