Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Windows\System32\loaddll32.exe

loaddll32.exe "C:\Users\user\Desktop\A649.dll"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C rundll32.exe "C:\Users\user\Desktop\A649.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\user\Desktop\A649.dll,mv_add_i

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\A649.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6992 -s 656

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6960 -s 660

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\user\Desktop\A649.dll,mv_add_q

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\user\Desktop\A649.dll,mv_add_stable

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5132 -s 652

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\A649.dll",mv_add_i

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\A649.dll",mv_add_q

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\A649.dll",mv_add_stable

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\A649.dll",next

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\A649.dll",mvutil_license

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\A649.dll",mvutil_configuration

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5828 -s 652

C:\Windows\SysWOW64\wermgr.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 656

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 652

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

There are 12 hidden processes, click here to show them.

URLs

Name

Malicious

https://188.28.19.84/t5

188.28.19.84

http://upx.sf.net

unknown

https://streams.videolan.org/upload/

unknown

https://www.broadcom.cn

unknown

https://www.broadcom.com/media/blt4ac44e0e6c6d8341/blt476a993c2707b028/62e16f3bd3b8a5700456394e/wwwB

unknown

https://broadcom.com/

54.68.22.26

https://www.broadcom.com

unknown

https://static.broadcom.com

unknown

https://cdn.cookielaw.org/scripttemplates/otSDKStub.js

unknown

https://jp.broadcom.com

unknown

Domains

Name

Malicious

broadcom.com

54.68.22.26

Details

Name:	broadcom.com
IP:	54.68.22.26
TargetID:	24
Current Path:	C:\Windows\SysWOW64\wermgr.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Sample uses string decryption to hide its real strings	AV Detection
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

www.broadcom.com

unknown

IPs

Domain

Country

Malicious

2.82.8.80

unknown

Portugal

70.160.67.203

unknown

United States

75.143.236.149

unknown

United States

83.110.223.61

unknown

United Arab Emirates

86.195.14.72

unknown

France

84.215.202.8

unknown

Norway

184.182.66.109

unknown

United States

92.186.69.229

unknown

France

174.4.89.3

unknown

Canada

161.142.103.187

unknown

Malaysia

114.143.176.236

unknown

India

14.192.241.76

unknown

Malaysia

173.88.135.179

unknown

United States

84.108.200.161

unknown

Israel

47.34.30.133

unknown

United States

183.87.163.165

unknown

India

184.181.75.148

unknown

United States

124.149.143.189

unknown

Australia

84.35.26.14

unknown

Netherlands

73.29.92.128

unknown

United States

68.203.69.96

unknown

United States

82.131.141.209

unknown

Hungary

64.121.161.102

unknown

United States

178.175.187.254

unknown

Moldova Republic of

96.56.197.26

unknown

United States

186.64.67.30

unknown

Argentina

188.28.19.84

unknown

United Kingdom

125.99.76.102

unknown

India

81.101.185.146

unknown

United Kingdom

59.28.84.65

unknown

Korea Republic of

105.186.128.181

unknown

South Africa

76.86.31.59

unknown

United States

147.147.30.126

unknown

United Kingdom

96.87.28.170

unknown

United States

75.109.111.89

unknown

United States

78.92.133.215

unknown

Hungary

124.122.47.148

unknown

Thailand

88.126.94.4

unknown

France

51.14.29.227

unknown

United Kingdom

85.57.212.13

unknown

Spain

47.205.25.170

unknown

United States

95.45.50.93

unknown

Ireland

80.12.88.148

unknown

France

69.133.162.35

unknown

United States

86.132.236.117

unknown

United Kingdom

151.62.238.176

unknown

Italy

70.112.206.5

unknown

United States

205.237.67.69

unknown

Canada

102.159.188.125

unknown

Tunisia

151.65.167.77

unknown

Italy

76.178.148.107

unknown

United States

89.36.206.69

unknown

Italy

69.242.31.249

unknown

United States

193.253.100.236

unknown

France

76.16.49.134

unknown

United States

94.207.104.225

unknown

United Arab Emirates

201.244.108.183

unknown

Colombia

103.42.86.42

unknown

India

78.18.105.11

unknown

Ireland

80.6.50.34

unknown

United Kingdom

103.144.201.56

unknown

27.0.48.233

unknown

India

70.28.50.223

unknown

Canada

98.145.23.67

unknown

United States

47.149.134.231

unknown

United States

82.125.44.236

unknown

France

81.229.117.95

unknown

Sweden

89.129.109.27

unknown

Spain

122.186.210.254

unknown

India

79.77.142.22

unknown

United Kingdom

90.78.147.141

unknown

France

122.184.143.86

unknown

India

186.75.95.6

unknown

Panama

50.68.186.195

unknown

Canada

12.172.173.82

unknown

United States

213.64.33.61

unknown

Sweden

79.168.224.165

unknown

Portugal

86.97.55.89

unknown

United Arab Emirates

176.142.207.63

unknown

France

92.154.17.149

unknown

France

174.58.146.57

unknown

United States

78.160.146.127

unknown

Turkey

58.186.75.42

unknown

Viet Nam

223.166.13.95

unknown

China

65.95.141.84

unknown

Canada

50.68.204.71

unknown

Canada

71.38.155.217

unknown

United States

104.35.24.154

unknown

United States

220.240.164.182

unknown

Australia

103.123.223.133

unknown

India

24.198.114.130

unknown

United States

2.36.64.159

unknown

Italy

198.2.51.242

unknown

United States

92.9.45.20

unknown

United Kingdom

113.11.92.30

unknown

Bangladesh

69.119.123.159

unknown

United States

69.123.4.221

unknown

United States

172.115.17.50

unknown

United States

77.86.98.236

unknown

United Kingdom

147.219.4.194

unknown

United States

54.68.22.26

broadcom.com

United States

192.168.2.1

unknown

There are 92 hidden IPs, click here to show them.

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\Debug

ExceptionRecord

HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Property

0018800A5BAC6B85

HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}

DeviceTicket

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

AmiHivePermissionsCorrect

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

AmiHiveOwnerCorrect

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager

PendingFileRenameOperations

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

AmiOverridePath

\REGISTRY\A\{19f02f52-be46-6124-0de2-b63fb9c0e2c5}\Root\InventoryApplicationFile

WritePermissionsCheck

\REGISTRY\A\{19f02f52-be46-6124-0de2-b63fb9c0e2c5}\Root\InventoryApplicationFile

ProviderSyncId

\REGISTRY\A\{19f02f52-be46-6124-0de2-b63fb9c0e2c5}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a

ProgramId

\REGISTRY\A\{19f02f52-be46-6124-0de2-b63fb9c0e2c5}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a

FileId

\REGISTRY\A\{19f02f52-be46-6124-0de2-b63fb9c0e2c5}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a

LowerCaseLongPath

\REGISTRY\A\{19f02f52-be46-6124-0de2-b63fb9c0e2c5}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a

LongPathHash

\REGISTRY\A\{19f02f52-be46-6124-0de2-b63fb9c0e2c5}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a

Name

\REGISTRY\A\{19f02f52-be46-6124-0de2-b63fb9c0e2c5}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a

Publisher

\REGISTRY\A\{19f02f52-be46-6124-0de2-b63fb9c0e2c5}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a

Version

\REGISTRY\A\{19f02f52-be46-6124-0de2-b63fb9c0e2c5}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a

BinFileVersion

\REGISTRY\A\{19f02f52-be46-6124-0de2-b63fb9c0e2c5}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a

BinaryType

\REGISTRY\A\{19f02f52-be46-6124-0de2-b63fb9c0e2c5}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a

ProductName

\REGISTRY\A\{19f02f52-be46-6124-0de2-b63fb9c0e2c5}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a

ProductVersion

\REGISTRY\A\{19f02f52-be46-6124-0de2-b63fb9c0e2c5}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a

LinkDate

\REGISTRY\A\{19f02f52-be46-6124-0de2-b63fb9c0e2c5}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a

BinProductVersion

\REGISTRY\A\{19f02f52-be46-6124-0de2-b63fb9c0e2c5}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a

Size

\REGISTRY\A\{19f02f52-be46-6124-0de2-b63fb9c0e2c5}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a

Language

\REGISTRY\A\{19f02f52-be46-6124-0de2-b63fb9c0e2c5}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a

IsPeFile

\REGISTRY\A\{19f02f52-be46-6124-0de2-b63fb9c0e2c5}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a

IsOsComponent

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\Debug

ExceptionRecord

HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Property

0018800A5BAC6B85

HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}

DeviceTicket

HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}

DeviceId

HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}

ApplicationFlags

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData

ClockTimeSeconds

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData

TickCount

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\Debug

ExceptionRecord

HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Property

0018800A5BAC6B85

HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}

DeviceTicket

HKEY_CURRENT_USER\Software\Microsoft\Efyeaazugsj

b790b431

HKEY_CURRENT_USER\Software\Microsoft\Efyeaazugsj

820f647f

HKEY_CURRENT_USER\Software\Microsoft\Efyeaazugsj

804e4403

HKEY_CURRENT_USER\Software\Microsoft\Efyeaazugsj

38f22366

HKEY_CURRENT_USER\Software\Microsoft\Efyeaazugsj

45fa6cec

HKEY_CURRENT_USER\Software\Microsoft\Efyeaazugsj

fd460b89

HKEY_CURRENT_USER\Software\Microsoft\Efyeaazugsj

3ab3031a

HKEY_CURRENT_USER\Software\Microsoft\Efyeaazugsj

c8d9dbc7

HKEY_CURRENT_USER\Software\Microsoft\Efyeaazugsj

ff072bf5

HKEY_CURRENT_USER\Software\Microsoft\Efyeaazugsj

b790b431

HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Property

0018000C98DE29A7

\REGISTRY\A\{3cefa112-8e39-ba88-021d-f78e707a75a1}\Root\InventoryApplicationFile

WritePermissionsCheck

\REGISTRY\A\{3cefa112-8e39-ba88-021d-f78e707a75a1}\Root\InventoryApplicationFile

ProviderSyncId