Windows Analysis Report hPJnda9rBy

Overview

General Information

Sample Name:	hPJnda9rBy (renamed file extension from none to dll)
Analysis ID:	553354
MD5:	56c2941eb73ea59306cc9d2a6b15974c
SHA1:	8d483f2069955ae7a3f7e70e6dafa2641cbf4a75
SHA256:	7caa923401ec9a16969f0b37225b77cd16c6923abff2eda76f1fa9a35bff2879
Tags:	32dllexe
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Changes security center settings (notifications, updates, antivirus, firewall)

Sigma detected: Suspicious Call by Ordinal

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

AV process strings found (often used to terminate AV products)

PE file contains an invalid checksum

PE file contains strange resources

Tries to load missing DLLs

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Connects to several IPs in different countries

Potential key logger detected (key state polling based)

Registers a DLL

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries disk information (often used to detect virtual machines)

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 0.0.loaddll32.exe.eb0000.4.unpack

Malware Configuration Extractor: Emotet {"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}

Multi AV Scanner detection for submitted file

Source: hPJnda9rBy.dll

Virustotal: Detection: 18%

Perma Link

Compliance:

Uses 32bit PE files

Source: hPJnda9rBy.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source:	Binary string: bcrypt.pdbi* source: WerFault.exe, 0000000B.00000003.259908553.0000000005718000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.259828510.0000000005718000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 0000000B.00000003.259908553.0000000005718000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.259828510.0000000005718000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 0000000B.00000003.259884177.0000000005710000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.259805207.0000000005041000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb- source: WerFault.exe, 0000000B.00000003.259884177.0000000005710000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.255802261.0000000004D2A000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.254847683.0000000003351000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.254740092.0000000004D25000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.259688584.0000000004D2A000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.255222762.0000000003351000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.259805207.0000000005041000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.259908553.0000000005718000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.259828510.0000000005718000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.259812305.0000000005712000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 0000000B.00000003.259908553.0000000005718000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.259828510.0000000005718000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.259805207.0000000005041000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdbc* source: WerFault.exe, 0000000B.00000003.259908553.0000000005718000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.259828510.0000000005718000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.259805207.0000000005041000.00000004.00000001.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 0000000B.00000003.259908553.0000000005718000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.259828510.0000000005718000.00000004.00000040.sdmp
Source:	Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000B.00000002.272220890.0000000002D32000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb_* source: WerFault.exe, 0000000B.00000003.259908553.0000000005718000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.259828510.0000000005718000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.259812305.0000000005712000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.259900857.0000000005715000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.255714857.000000000334B000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.254840837.000000000334B000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.259805207.0000000005041000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000B.00000003.259812305.0000000005712000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.259900857.0000000005715000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.259908553.0000000005718000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.259828510.0000000005718000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.259805207.0000000005041000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb?* source: WerFault.exe, 0000000B.00000003.259908553.0000000005718000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.259828510.0000000005718000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.259805207.0000000005041000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.259884177.0000000005710000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.259884177.0000000005710000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.259805207.0000000005041000.00000004.00000001.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.259884177.0000000005710000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.255236401.0000000003357000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.255468472.0000000003357000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.254853748.0000000003357000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.259805207.0000000005041000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.255275842.0000000003357000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.259908553.0000000005718000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.259828510.0000000005718000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdbk source: WerFault.exe, 0000000B.00000003.259812305.0000000005712000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000B.00000003.255236401.0000000003357000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.255468472.0000000003357000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.254853748.0000000003357000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.255275842.0000000003357000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.259908553.0000000005718000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.259828510.0000000005718000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.259884177.0000000005710000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.259908553.0000000005718000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.259828510.0000000005718000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.259805207.0000000005041000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 0000000B.00000003.254847683.0000000003351000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.255222762.0000000003351000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.259908553.0000000005718000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.259828510.0000000005718000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdbe* source: WerFault.exe, 0000000B.00000003.259908553.0000000005718000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.259828510.0000000005718000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000003.259805207.0000000005041000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.259805207.0000000005041000.00000004.00000001.sdmp
Source:	Binary string: combase.pdbQ* source: WerFault.exe, 0000000B.00000003.259908553.0000000005718000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.259828510.0000000005718000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 0000000B.00000003.255714857.000000000334B000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.254840837.000000000334B000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.5:49775 -> 45.138.98.34:80
Source: Traffic	Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.5:49776 -> 69.16.218.101:8080

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 69.16.218.101 144			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 45.138.98.34 80			Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 45.138.98.34:80
Source: Malware configuration extractor	IPs: 69.16.218.101:8080
Source: Malware configuration extractor	IPs: 51.210.242.234:8080
Source: Malware configuration extractor	IPs: 185.148.168.220:8080
Source: Malware configuration extractor	IPs: 142.4.219.173:8080
Source: Malware configuration extractor	IPs: 54.38.242.185:443
Source: Malware configuration extractor	IPs: 191.252.103.16:80
Source: Malware configuration extractor	IPs: 104.131.62.48:8080
Source: Malware configuration extractor	IPs: 62.171.178.147:8080
Source: Malware configuration extractor	IPs: 217.182.143.207:443
Source: Malware configuration extractor	IPs: 168.197.250.14:80
Source: Malware configuration extractor	IPs: 37.44.244.177:8080
Source: Malware configuration extractor	IPs: 66.42.57.149:443
Source: Malware configuration extractor	IPs: 210.57.209.142:8080
Source: Malware configuration extractor	IPs: 159.69.237.188:443
Source: Malware configuration extractor	IPs: 116.124.128.206:8080
Source: Malware configuration extractor	IPs: 128.199.192.135:8080
Source: Malware configuration extractor	IPs: 195.154.146.35:443
Source: Malware configuration extractor	IPs: 185.148.168.15:8080
Source: Malware configuration extractor	IPs: 195.77.239.39:8080
Source: Malware configuration extractor	IPs: 207.148.81.119:8080
Source: Malware configuration extractor	IPs: 85.214.67.203:8080
Source: Malware configuration extractor	IPs: 190.90.233.66:443
Source: Malware configuration extractor	IPs: 78.46.73.125:443
Source: Malware configuration extractor	IPs: 78.47.204.80:443
Source: Malware configuration extractor	IPs: 37.59.209.141:8080
Source: Malware configuration extractor	IPs: 54.37.228.122:443

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.5:49776 -> 69.16.218.101:8080

Connects to several IPs in different countries

Source: unknown

Network traffic detected: IP country count 12

Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101

Source: svchost.exe, 00000026.00000003.574739165.0000027012DB4000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z\|\|.\|\|d5cdcec3-04df-404e-ba07-3240047c89f9\|\|1152921505694348672\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 00000026.00000003.574739165.0000027012DB4000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z\|\|.\|\|d5cdcec3-04df-404e-ba07-3240047c89f9\|\|1152921505694348672\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab

Source: svchost.exe, 0000000C.00000002.607017067.000002737A489000.00000004.00000001.sdmp, svchost.exe, 00000026.00000002.592616666.0000027012D00000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000000C.00000002.606870771.000002737A416000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.22.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 00000026.00000003.568698813.0000027012D64000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.568882356.0000027012D96000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.568927843.0000027013202000.00000004.00000001.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 0000000C.00000002.606696727.0000027374EAD000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.mic
Source: svchost.exe, 0000000C.00000002.606696727.0000027374EAD000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumeration
Source: svchost.exe, 0000000C.00000002.606696727.0000027374EAD000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumeration/Enu
Source: Amcache.hve.11.dr	String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 00000011.00000002.310359378.000001ABA1013000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000E.00000002.762464566.0000028F9183E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000E.00000002.762464566.0000028F9183E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000E.00000002.762464566.0000028F9183E000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000011.00000003.309899590.000001ABA1051000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000E.00000002.762464566.0000028F9183E000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000E.00000002.762464566.0000028F9183E000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000011.00000003.309922174.000001ABA104A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.310398438.000001ABA1029000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000011.00000002.310436107.000001ABA104C000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.309922174.000001ABA104A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000011.00000003.309899590.000001ABA1051000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000011.00000002.310411773.000001ABA103E000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000011.00000002.310436107.000001ABA104C000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.309922174.000001ABA104A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000011.00000003.309854705.000001ABA1069000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.310469805.000001ABA106B000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000011.00000003.309899590.000001ABA1051000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000011.00000002.310398438.000001ABA1029000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000011.00000002.310398438.000001ABA1029000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000011.00000002.310436107.000001ABA104C000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.309922174.000001ABA104A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000011.00000003.309899590.000001ABA1051000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.283286452.000001ABA1030000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000011.00000002.310411773.000001ABA103E000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000011.00000003.309899590.000001ABA1051000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000011.00000003.309899590.000001ABA1051000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000011.00000003.309899590.000001ABA1051000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000011.00000002.310398438.000001ABA1029000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000011.00000003.309962842.000001ABA1041000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.310429098.000001ABA1043000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.309988764.000001ABA1042000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000011.00000003.283286452.000001ABA1030000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Stops/
Source: svchost.exe, 00000011.00000003.309962842.000001ABA1041000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.310429098.000001ABA1043000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.309988764.000001ABA1042000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000011.00000003.309899590.000001ABA1051000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000011.00000002.310436107.000001ABA104C000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.309962842.000001ABA1041000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.309922174.000001ABA104A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000011.00000003.283286452.000001ABA1030000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=
Source: svchost.exe, 00000026.00000003.568698813.0000027012D64000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.568882356.0000027012D96000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.568927843.0000027013202000.00000004.00000001.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000011.00000003.309922174.000001ABA104A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000011.00000003.309922174.000001ABA104A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000011.00000002.310436107.000001ABA104C000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.309922174.000001ABA104A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000011.00000002.310463785.000001ABA1066000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000011.00000003.309899590.000001ABA1051000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000011.00000002.310411773.000001ABA103E000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.283286452.000001ABA1030000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000011.00000003.283286452.000001ABA1030000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000011.00000003.283286452.000001ABA1030000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/roadshield.ashx?bucket=
Source: svchost.exe, 00000011.00000002.310411773.000001ABA103E000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000011.00000002.310411773.000001ABA103E000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.310359378.000001ABA1013000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000011.00000003.283286452.000001ABA1030000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000011.00000003.309981298.000001ABA1046000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.309962842.000001ABA1041000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000011.00000003.283286452.000001ABA1030000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000011.00000003.283286452.000001ABA1030000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.310002897.000001ABA103A000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000011.00000002.310398438.000001ABA1029000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 00000026.00000003.568698813.0000027012D64000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.568882356.0000027012D96000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.568927843.0000027013202000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000026.00000003.568698813.0000027012D64000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.568882356.0000027012D96000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.568927843.0000027013202000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000026.00000003.569759353.0000027012D84000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.569911335.0000027012DA3000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.569895007.0000027012DBA000.00000004.00000001.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_10001280 recvfrom,

3_2_10001280

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Potential key logger detected (key state polling based)

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,	3_2_10027958
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,	4_2_10027958
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,	15_2_10027958

E-Banking Fraud:

Yara detected Emotet

Source: Yara match	File source: 0.2.loaddll32.exe.d40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.5200000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.47b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.5360000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.5390000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.48f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.5360000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.d40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.4f20000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.4f20000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4c70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4ca0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.5230000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.2ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.eb0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.50f0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.4da0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.4ad0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.4ec0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.4ef0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.d40000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.eb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.47b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.45e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4c70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.4aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.4ec0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2f60000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.53c0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.d40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2f30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.4da0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.5150000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.d40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.5200000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.4dd0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2f30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.4f50000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.2ab0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.d40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.50f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.4aa0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.eb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.53c0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.249579927.0000000000D40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.292238203.00000000050F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.283401737.0000000004C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.249666455.0000000000EB1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.292440539.0000000005360000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.292882371.0000000004DA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.292503101.00000000053C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.292286268.0000000005151000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.291899393.0000000004AA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.292382538.0000000005231000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.291926283.0000000004AD1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.292911557.0000000004DD1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.273369713.0000000000EB1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.240583182.00000000047B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.240663709.00000000048F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.283457312.0000000004CA1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.292454173.0000000002F30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.296105740.0000000002AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.293034859.0000000004F20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.292508980.0000000002F61000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.248107963.0000000000EB1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.273136577.0000000000D40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.293001920.0000000004EF1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.247589289.0000000000D40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.293065921.0000000004F51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.292962848.0000000004EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.296341429.00000000045E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.292348767.0000000005200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.292473375.0000000005391000.00000020.00000001.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files

Source: hPJnda9rBy.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

One or more processes crash

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6396 -ip 6396

Deletes files inside the Windows folder

Source: C:\Windows\SysWOW64\rundll32.exe

File deleted: C:\Windows\SysWOW64\Vrptpiaqednpvbdv\iiexcwhjvlokrgr.var:Zone.Identifier

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ECEFDD	0_2_00ECEFDD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EBF0E9	0_2_00EBF0E9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ED00EF	0_2_00ED00EF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ED3EE9	0_2_00ED3EE9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ECE4E5	0_2_00ECE4E5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ECBEFD	0_2_00ECBEFD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EB80C0	0_2_00EB80C0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ECCCD9	0_2_00ECCCD9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ECD8DB	0_2_00ECD8DB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ECCAD5	0_2_00ECCAD5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EBBAA9	0_2_00EBBAA9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC3EAA	0_2_00EC3EAA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ED36AA	0_2_00ED36AA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ECA2A5	0_2_00ECA2A5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EB1CA1	0_2_00EB1CA1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ED46BD	0_2_00ED46BD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC0EBC	0_2_00EC0EBC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EBC6B8	0_2_00EBC6B8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC0ABA	0_2_00EC0ABA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ED0A64	0_2_00ED0A64
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC4A66	0_2_00EC4A66
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ED3263	0_2_00ED3263
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EB7E79	0_2_00EB7E79
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EB7078	0_2_00EB7078
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC567B	0_2_00EC567B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ECA474	0_2_00ECA474
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EBA871	0_2_00EBA871
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ECDC71	0_2_00ECDC71
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EBDE74	0_2_00EBDE74
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC4244	0_2_00EC4244
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EB7442	0_2_00EB7442
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EBE640	0_2_00EBE640
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ECF840	0_2_00ECF840
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EBA445	0_2_00EBA445
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC2E5D	0_2_00EC2E5D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ECB257	0_2_00ECB257
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EBB820	0_2_00EBB820
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EB3431	0_2_00EB3431
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EB8636	0_2_00EB8636
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC7A0F	0_2_00EC7A0F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ED2009	0_2_00ED2009
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC8806	0_2_00EC8806
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC9A01	0_2_00EC9A01
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC67E6	0_2_00EC67E6
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC85FF	0_2_00EC85FF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ECE1F8	0_2_00ECE1F8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EB55FF	0_2_00EB55FF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC27F9	0_2_00EC27F9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EB4BFC	0_2_00EB4BFC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC07F4	0_2_00EC07F4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC9DF5	0_2_00EC9DF5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ECFBDE	0_2_00ECFBDE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EBC5D8	0_2_00EBC5D8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EBE7DE	0_2_00EBE7DE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ECC5D5	0_2_00ECC5D5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC8FAE	0_2_00EC8FAE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ED07AA	0_2_00ED07AA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EB77A3	0_2_00EB77A3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ECD1BC	0_2_00ECD1BC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ED17BD	0_2_00ED17BD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EB57B8	0_2_00EB57B8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EBBFBE	0_2_00EBBFBE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EBFB8E	0_2_00EBFB8E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EB238C	0_2_00EB238C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC3D85	0_2_00EC3D85
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC0F86	0_2_00EC0F86
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC6187	0_2_00EC6187
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EB2194	0_2_00EB2194
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EBF369	0_2_00EBF369
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EB6B7A	0_2_00EB6B7A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC5779	0_2_00EC5779
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC437A	0_2_00EC437A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC017B	0_2_00EC017B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC4F74	0_2_00EC4F74
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC9774	0_2_00EC9774
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC654A	0_2_00EC654A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EBD14C	0_2_00EBD14C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC2142	0_2_00EC2142
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ECFF58	0_2_00ECFF58
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC7D5B	0_2_00EC7D5B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ECE955	0_2_00ECE955
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ED2D53	0_2_00ED2D53
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC8D3D	0_2_00EC8D3D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EB1F38	0_2_00EB1F38
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC5333	0_2_00EC5333
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EB670B	0_2_00EB670B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ED2B09	0_2_00ED2B09
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ECAD08	0_2_00ECAD08
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EBEF0C	0_2_00EBEF0C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC5515	0_2_00EC5515
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_100291F6	3_2_100291F6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1002F378	3_2_1002F378
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_100403D7	3_2_100403D7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1004250B	3_2_1004250B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10041557	3_2_10041557
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_100395A1	3_2_100395A1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1002F784	3_2_1002F784
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1004091B	3_2_1004091B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1002EACF	3_2_1002EACF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1002FBA4	3_2_1002FBA4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10035D96	3_2_10035D96
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10040E5F	3_2_10040E5F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1002EFA4	3_2_1002EFA4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100291F6	4_2_100291F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1002F378	4_2_1002F378
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100403D7	4_2_100403D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1004250B	4_2_1004250B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10041557	4_2_10041557
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100395A1	4_2_100395A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1002F784	4_2_1002F784
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1004091B	4_2_1004091B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1002EACF	4_2_1002EACF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1002FBA4	4_2_1002FBA4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10035D96	4_2_10035D96
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10040E5F	4_2_10040E5F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1002EFA4	4_2_1002EFA4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AD8636	6_2_04AD8636
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AE7A0F	6_2_04AE7A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AF2009	6_2_04AF2009
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AE4A66	6_2_04AE4A66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04ADDE74	6_2_04ADDE74
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04ADA445	6_2_04ADA445
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AEB257	6_2_04AEB257
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AF17BD	6_2_04AF17BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AE85FF	6_2_04AE85FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AEEFDD	6_2_04AEEFDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04ADC5D8	6_2_04ADC5D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AD670B	6_2_04AD670B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AEAD08	6_2_04AEAD08
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AE654A	6_2_04AE654A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AE2142	6_2_04AE2142
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AEFF58	6_2_04AEFF58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AEE955	6_2_04AEE955
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AE3EAA	6_2_04AE3EAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04ADBAA9	6_2_04ADBAA9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AF36AA	6_2_04AF36AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AEA2A5	6_2_04AEA2A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AD1CA1	6_2_04AD1CA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AF46BD	6_2_04AF46BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AE0EBC	6_2_04AE0EBC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AE0ABA	6_2_04AE0ABA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04ADC6B8	6_2_04ADC6B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AF00EF	6_2_04AF00EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04ADF0E9	6_2_04ADF0E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AF3EE9	6_2_04AF3EE9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AEE4E5	6_2_04AEE4E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AEBEFD	6_2_04AEBEFD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AD80C0	6_2_04AD80C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AED8DB	6_2_04AED8DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AECCD9	6_2_04AECCD9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AECAD5	6_2_04AECAD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04ADB820	6_2_04ADB820
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AD3431	6_2_04AD3431
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AE8806	6_2_04AE8806
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AE9A01	6_2_04AE9A01
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AF0A64	6_2_04AF0A64
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AF3263	6_2_04AF3263
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AD7E79	6_2_04AD7E79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AD7078	6_2_04AD7078
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AE567B	6_2_04AE567B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AEA474	6_2_04AEA474
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04ADA871	6_2_04ADA871
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AEDC71	6_2_04AEDC71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AE4244	6_2_04AE4244
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04ADE640	6_2_04ADE640
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AEF840	6_2_04AEF840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AD7442	6_2_04AD7442
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AE2E5D	6_2_04AE2E5D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AE8FAE	6_2_04AE8FAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AF07AA	6_2_04AF07AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AD77A3	6_2_04AD77A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AED1BC	6_2_04AED1BC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04ADBFBE	6_2_04ADBFBE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AD57B8	6_2_04AD57B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AD238C	6_2_04AD238C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04ADFB8E	6_2_04ADFB8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AE0F86	6_2_04AE0F86
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AE6187	6_2_04AE6187
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AE3D85	6_2_04AE3D85
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AD2194	6_2_04AD2194
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AE67E6	6_2_04AE67E6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AD4BFC	6_2_04AD4BFC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AD55FF	6_2_04AD55FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AEE1F8	6_2_04AEE1F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AE27F9	6_2_04AE27F9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AE07F4	6_2_04AE07F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AE9DF5	6_2_04AE9DF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AEFBDE	6_2_04AEFBDE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04ADE7DE	6_2_04ADE7DE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AEC5D5	6_2_04AEC5D5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AE8D3D	6_2_04AE8D3D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AD1F38	6_2_04AD1F38
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AE5333	6_2_04AE5333
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04ADEF0C	6_2_04ADEF0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AF2B09	6_2_04AF2B09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AE5515	6_2_04AE5515
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04ADF369	6_2_04ADF369
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AE437A	6_2_04AE437A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AE017B	6_2_04AE017B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AE5779	6_2_04AE5779
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AD6B7A	6_2_04AD6B7A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AE4F74	6_2_04AE4F74
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AE9774	6_2_04AE9774
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04ADD14C	6_2_04ADD14C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AE7D5B	6_2_04AE7D5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AF2D53	6_2_04AF2D53
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_100291F6	15_2_100291F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_1002F378	15_2_1002F378
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_100403D7	15_2_100403D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_1004250B	15_2_1004250B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_10041557	15_2_10041557
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_100395A1	15_2_100395A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_1002F784	15_2_1002F784
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_1004091B	15_2_1004091B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_1002EACF	15_2_1002EACF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_1002FBA4	15_2_1002FBA4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_10035D96	15_2_10035D96
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_10040E5F	15_2_10040E5F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_1002EFA4	15_2_1002EFA4

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 10030E38 appears 58 times
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 10030535 appears 87 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10030E38 appears 116 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 1003578B appears 46 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10030535 appears 174 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10030568 appears 32 times

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll	Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\hPJnda9rBy.dll
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\hPJnda9rBy.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",DllRegisterServer
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6396 -ip 6396
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6396 -s 524
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",DllRegisterServer
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Vrptpiaqednpvbdv\iiexcwhjvlokrgr.var",pFqaCuAaxr
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Vrptpiaqednpvbdv\iiexcwhjvlokrgr.var",DllRegisterServer
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\hPJnda9rBy.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\hPJnda9rBy.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Vrptpiaqednpvbdv\iiexcwhjvlokrgr.var",pFqaCuAaxr	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6396 -ip 6396	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6396 -s 524	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Vrptpiaqednpvbdv\iiexcwhjvlokrgr.var",DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6396
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:6656:64:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6276:120:WilError_01

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: hPJnda9rBy.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: hPJnda9rBy.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: hPJnda9rBy.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: hPJnda9rBy.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: hPJnda9rBy.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EB1195 push cs; iretd	0_2_00EB1197
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1003060D push ecx; ret	3_2_10030620
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10030E7D push ecx; ret	3_2_10030E90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1003060D push ecx; ret	4_2_10030620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10030E7D push ecx; ret	4_2_10030E90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04AD1195 push cs; iretd	6_2_04AD1197
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_1003060D push ecx; ret	15_2_10030620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_10030E7D push ecx; ret	15_2_10030E90

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Vrptpiaqednpvbdv\iiexcwhjvlokrgr.var:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Zwlrldvbtrytygsy\qindpn.btl:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect,	3_2_100250A3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1001DFC0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,	3_2_1001DFC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect,	4_2_100250A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001DFC0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,	4_2_1001DFC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect,	15_2_100250A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_1001DFC0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,	15_2_1001DFC0

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\svchost.exe TID: 6916	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6996	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1284	Thread sleep time: -150000s >= -30000s

Source: C:\Windows\SysWOW64\regsvr32.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\rundll32.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Source: C:\Windows\SysWOW64\regsvr32.exe	API coverage: 5.0 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 5.2 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 5.4 %

Source: C:\Windows\SysWOW64\regsvr32.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node

Source: Amcache.hve.11.dr	Binary or memory string: VMware
Source: Amcache.hve.11.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.11.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.11.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.11.dr	Binary or memory string: VMware, Inc.
Source: svchost.exe, 0000000C.00000002.606976541.000002737A463000.00000004.00000001.sdmp	Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 00000026.00000003.591845649.0000027012456000.00000004.00000001.sdmp, svchost.exe, 00000026.00000002.592359325.0000027012458000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW0
Source: svchost.exe, 00000026.00000002.592415326.00000270124A4000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWp
Source: Amcache.hve.11.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.11.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.11.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.11.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.11.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.11.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: svchost.exe, 0000000C.00000002.606555899.0000027374E29000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.606952703.000002737A456000.00000004.00000001.sdmp, svchost.exe, 00000026.00000002.592476007.00000270124ED000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.11.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.11.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.11.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.11.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.11.dr	Binary or memory string: VMware-42 35 bb 32 33 75 d2 27-52 00 3c e2 4b d4 32 71
Source: svchost.exe, 0000000E.00000002.762620319.0000028F91867000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.762293120.000002E416E2A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.11.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EBF7F7 mov eax, dword ptr fs:[00000030h]		0_2_00EBF7F7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04ADF7F7 mov eax, dword ptr fs:[00000030h]		6_2_04ADF7F7

Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_1003A8D4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_1002DB0D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10032CB9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_10032CB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_1003A8D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_1002DB0D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10032CB9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_10032CB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_1003A8D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	15_2_1002DB0D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_10032CB9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	15_2_10032CB9

Source: loaddll32.exe, 00000000.00000000.248590621.0000000001700000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.249832475.0000000001700000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000000.248590621.0000000001700000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.249832475.0000000001700000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000000.248590621.0000000001700000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.249832475.0000000001700000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: loaddll32.exe, 00000000.00000000.248590621.0000000001700000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.249832475.0000000001700000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: loaddll32.exe, 00000000.00000000.248590621.0000000001700000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.249832475.0000000001700000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Windows Analysis Report hPJnda9rBy

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoA,	3_2_1003E000
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,	3_2_1003D098
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,	3_2_1002129B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,	3_2_1003D35E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,	3_2_1003850E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,	3_2_1003D7AE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	3_2_1003C7D2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	3_2_1003D8C5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,	3_2_1003D95D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	3_2_1003D9D1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	3_2_1003F9F4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,	3_2_1003EA86
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,	3_2_1003EABA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	3_2_1003DBA3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	3_2_1003EBF9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	3_2_1003DC64
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	3_2_1003DCCB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,	3_2_1003DD07
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,	3_2_1003CE40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,	4_2_1003E000
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,	4_2_1003D098
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,	4_2_1002129B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,	4_2_1003D35E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,	4_2_1003850E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,	4_2_1003D7AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	4_2_1003C7D2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	4_2_1003D8C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,	4_2_1003D95D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	4_2_1003D9D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	4_2_1003F9F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,	4_2_1003EA86
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,	4_2_1003EABA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	4_2_1003DBA3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	4_2_1003EBF9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	4_2_1003DC64
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	4_2_1003DCCB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,	4_2_1003DD07
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,	4_2_1003CE40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,	15_2_1003E000
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,	15_2_1003D098
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,	15_2_1002129B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,	15_2_1003D35E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,	15_2_1003850E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,	15_2_1003D7AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	15_2_1003C7D2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	15_2_1003D8C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,	15_2_1003D95D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	15_2_1003D9D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	15_2_1003F9F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,	15_2_1003EA86
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,	15_2_1003EABA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	15_2_1003DBA3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	15_2_1003EBF9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	15_2_1003DC64
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	15_2_1003DCCB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,	15_2_1003DD07
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,	15_2_1003CE40

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Source: svchost.exe, 00000017.00000002.762305279.0000028F9B63D000.00000004.00000001.sdmp	Binary or memory string: $@\REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe
Source: Amcache.hve.11.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.11.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: svchost.exe, 00000017.00000002.762368383.0000028F9B702000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000017.00000002.762261663.0000028F9B622000.00000004.00000001.sdmp	Binary or memory string: \MsMpeng.exe

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10001160 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt,	3_2_10001160
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10001160 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt,	4_2_10001160
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_10001160 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt,	15_2_10001160

IP	Domain	Country	ASN	ASN Name	Malicious
207.148.81.119	unknown	United States	20473	AS-CHOOPAUS	true
104.131.62.48	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
85.214.67.203	unknown	Germany	6724	STRATOSTRATOAGDE	true
191.252.103.16	unknown	Brazil	27715	LocawebServicosdeInternetSABR	true
168.197.250.14	unknown	Argentina	264776	OmarAnselmoRipollTDCNETAR	true
66.42.57.149	unknown	United States	20473	AS-CHOOPAUS	true
185.148.168.15	unknown	Germany	44780	EVERSCALE-ASDE	true
51.210.242.234	unknown	France	16276	OVHFR	true
217.182.143.207	unknown	France	16276	OVHFR	true
69.16.218.101	unknown	United States	32244	LIQUIDWEBUS	true
159.69.237.188	unknown	Germany	24940	HETZNER-ASDE	true
45.138.98.34	unknown	Germany	9009	M247GB	true
116.124.128.206	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
78.46.73.125	unknown	Germany	24940	HETZNER-ASDE	true
37.59.209.141	unknown	France	16276	OVHFR	true
210.57.209.142	unknown	Indonesia	38142	UNAIR-AS-IDUniversitasAirlanggaID	true
185.148.168.220	unknown	Germany	44780	EVERSCALE-ASDE	true
54.37.228.122	unknown	France	16276	OVHFR	true
190.90.233.66	unknown	Colombia	18678	INTERNEXASAESPCO	true
142.4.219.173	unknown	Canada	16276	OVHFR	true
54.38.242.185	unknown	France	16276	OVHFR	true
195.154.146.35	unknown	France	12876	OnlineSASFR	true
195.77.239.39	unknown	Spain	60493	FICOSA-ASES	true
78.47.204.80	unknown	Germany	24940	HETZNER-ASDE	true
37.44.244.177	unknown	Germany	47583	AS-HOSTINGERLT	true
62.171.178.147	unknown	United Kingdom	51167	CONTABODE	true
128.199.192.135	unknown	United Kingdom	14061	DIGITALOCEAN-ASNUS	true

ID:	553354
Product:	CloudBasic
Start time:	18:49:20
Start date:	14.01.2022
Sample:	hPJnda9rBy
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	56c2941eb73ea59306cc9d2a6b15974c
SHA1:	8d483f2069955ae7a3f7e70e6dafa2641cbf4a75
SHA256:	7caa923401ec9a16969f0b37225b77cd16c6923abff2eda76f1fa9a35bff2879
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 98.32%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Network\Downloader\edb.chk	data	BF1DC7D5D8DAD7478F426DF8B3F8BAA6	C6B0BDE788F553F865D65F773D8F6A3546887E42	BE47C764C38CA7A90A345BE183F5261E89B98743B5E35989E9A8BE0DA498C0F2
C:\ProgramData\Microsoft\Network\Downloader\edb.log	MPEG-4 LOAS	480F1D8F507E6F3F9FE0B7A4A018C8F7	AC93D87E2C4C645026D7D5A3853870BCB9139E41	1A525D00790F8EB0418D255015F85E171DA4496889C17690C5D6F4E541D0157B
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db	Extensible storage engine DataBase, version 0x620, checksum 0x57df8562, page size 16384, Windows version 10.0	B9976BD699FD40EC2597214BD70D42DB	85B44DDF230461CF51FDA956563B716D1A7C8058	A541FA8B6CAEC46F6DC533C32077CFF305F7DA4AE567BA7439C657227182B072
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm	data	BB6FF757E36C514FC9BFB6F5A097860E	721D7CB22C57D2532090EE19CC75F1F9465D6986	C20C401E05EB6CD262D23FCFBB0F822315049C9014AEF90AD1CCA38098490ED9
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_d422a667165d65114742feca998c4f65a16c35b9_7cac0383_1be2745f\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	70384C8F40FEF1CB13FB622793A064FB	C6015969E6BF416C80AC5660B550C2BE10FF1891	263C1DA703EB7FF99381640F8D213430787C3020C9C279B5B1949989FA3D6601
C:\ProgramData\Microsoft\Windows\WER\Temp\WER16A.tmp.csv	data	972E6872AB588C93A987C3763E8FF60D	469DE7754D1563A0B903028C48196772537AE3D6	6E6705CEC01CDE97A616E314CF92D1934FC18086BBC5EE05D80687041CA6F807
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5B88.tmp.dmp	Mini DuMP crash report, 15 streams, Sat Jan 15 02:50:26 2022, 0x1205a4 type	D2FE87042ECA1FD35C67B74A136F7340	1B9E8F2AFA839EE6F7EB0C744C0AFD9B90A93B39	4A5B8952BEFDDA27286F771870F572FEAD94EB322241D406095A0F26428D53F5
C:\ProgramData\Microsoft\Windows\WER\Temp\WER61D2.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	3D73E97743B6D71D2CE7E360CE83B0E4	6DD1CA01E57659066B0FDFEF68A519CF384B1332	AD05D6019F5A76DA135A8C73DF6D475452D1C1DD3C6B5D2864D3104CB459E909
C:\ProgramData\Microsoft\Windows\WER\Temp\WER66B5.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	35AFB0959F866102EFCEF8CFB03D7CF4	102464CB0E6D372AA1B96AF55051D6CF0863F25F	7EE8969FE2312FBD972D2DBD7763819ED689B01319CE35DF07833E3A0824C281
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8FD.tmp.txt	data	CDF93CF01FE266D9413C5F468E72D0BF	81F0302DD34173F096751DD7E3E8C10154311CAB	9E3B6B144B3D88BE0FCB92968B6168E559E3A2CA48275604F127620D4CD144E8
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, 61414 bytes, 1 file	ACAEDA60C79C6BCAC925EEB3653F45E0	2AAAE490BCDACCC6172240FF1697753B37AC5578	6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	C825C3B963A4EDD130C1ED69E8DB5165	939347D739FBCACF514F706123325C83A45C6EFC	9065DAC879286F740D2C31A7807B7474A9C9A783133236919FCA9AA27B447811
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	ASCII text, with no line terminators	DCA83F08D448911A14C22EBCACC5AD57	91270525521B7FE0D986DB19747F47D34B6318AD	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators	9DAAEF8A5E401B4B4FB8E40C4209D947	C57BCC0397D823196CF033FB9EBF4DE4EFC98379	E507D467ED93E99586D91585D7332A90E76ED9FEF80170D5856AD69776DA2586
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20220115_025036_670.etl	data	E61B2F014940B7E98E976655C4904B64	E4807D63E9488F9E15ED5C0F14DBBD1A4FD691CF	67889112EB75B5283A7437C528B12CD463875865559C2C6F169A0B2900E3A304
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	30895F1B808AF0A0F36C9AC8DC3C8DA3	96292AAA73F88F5D6D630B0C98F88CCB61FDB4BC	2FF4438EB94E16380307213D04B64CA20A8A91816EBD3CEA50BCDF15E2DE866B
C:\Windows\appcompat\Programs\Amcache.hve.LOG1	MS Windows registry file, NT/2000 or above	B5438EDFDB8F0C941C2FDB4C839F2277	FB6C2BC358A72FC4EA19B0E932D2DA10BBA84A75	FE1E867A5EC16F5C0202213154038F4862BB97EE81A7A23D12BDD57E7E36EE2C