Windows Analysis Report nIQCsrVbbw

Overview

General Information

Sample Name:	nIQCsrVbbw (renamed file extension from none to dll)
Analysis ID:	553359
MD5:	06b75d254c6844f78c7d7eefa5b1243e
SHA1:	af4b4dccf317dbeeab97868a9514a7c9e496c8d3
SHA256:	b0e46325319e75a2490a73045a60030961851c07d266df73d7e048799e133ec7
Tags:	32dllexe
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Sigma detected: Suspicious Call by Ordinal

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Creates a DirectInput object (often for capturing keystrokes)

AV process strings found (often used to terminate AV products)

PE file contains an invalid checksum

PE file contains strange resources

Tries to load missing DLLs

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Connects to several IPs in different countries

Potential key logger detected (key state polling based)

Registers a DLL

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries disk information (often used to detect virtual machines)

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 0.2.loaddll32.exe.d00000.0.raw.unpack

Malware Configuration Extractor: Emotet {"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"]}

Multi AV Scanner detection for submitted file

Source: nIQCsrVbbw.dll	Virustotal: Detection: 15%			Perma Link
Source: nIQCsrVbbw.dll	ReversingLabs: Detection: 16%

Compliance:

Uses 32bit PE files

Source: nIQCsrVbbw.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000011.00000003.387753281.00000000053F2000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387809542.00000000053F5000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.383845627.00000000035D4000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.383476749.0000000005098000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000011.00000003.387753281.00000000053F2000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000011.00000002.394941169.0000000000EF2000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000011.00000003.387802595.00000000053F0000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000011.00000003.387802595.00000000053F0000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000011.00000003.387802595.00000000053F0000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.383589686.00000000035DA000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdbk source: WerFault.exe, 00000011.00000003.387753281.00000000053F2000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000011.00000003.387802595.00000000053F0000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000011.00000003.387802595.00000000053F0000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb= source: WerFault.exe, 00000011.00000003.387802595.00000000053F0000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdbk source: WerFault.exe, 00000011.00000003.387753281.00000000053F2000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387809542.00000000053F5000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000011.00000003.387819882.00000000053F8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.387767016.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000011.00000003.387745142.0000000005421000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.3:49743 -> 45.138.98.34:80
Source: Traffic	Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.3:49744 -> 69.16.218.101:8080

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 69.16.218.101 144			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 45.138.98.34 80			Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 45.138.98.34:80
Source: Malware configuration extractor	IPs: 69.16.218.101:8080
Source: Malware configuration extractor	IPs: 51.210.242.234:8080
Source: Malware configuration extractor	IPs: 185.148.168.220:8080
Source: Malware configuration extractor	IPs: 142.4.219.173:8080
Source: Malware configuration extractor	IPs: 54.38.242.185:443
Source: Malware configuration extractor	IPs: 191.252.103.16:80
Source: Malware configuration extractor	IPs: 104.131.62.48:8080
Source: Malware configuration extractor	IPs: 62.171.178.147:8080
Source: Malware configuration extractor	IPs: 217.182.143.207:443
Source: Malware configuration extractor	IPs: 168.197.250.14:80
Source: Malware configuration extractor	IPs: 37.44.244.177:8080
Source: Malware configuration extractor	IPs: 66.42.57.149:443
Source: Malware configuration extractor	IPs: 210.57.209.142:8080
Source: Malware configuration extractor	IPs: 159.69.237.188:443
Source: Malware configuration extractor	IPs: 116.124.128.206:8080
Source: Malware configuration extractor	IPs: 128.199.192.135:8080
Source: Malware configuration extractor	IPs: 195.154.146.35:443
Source: Malware configuration extractor	IPs: 185.148.168.15:8080
Source: Malware configuration extractor	IPs: 195.77.239.39:8080
Source: Malware configuration extractor	IPs: 207.148.81.119:8080
Source: Malware configuration extractor	IPs: 85.214.67.203:8080
Source: Malware configuration extractor	IPs: 190.90.233.66:443
Source: Malware configuration extractor	IPs: 78.46.73.125:443
Source: Malware configuration extractor	IPs: 78.47.204.80:443
Source: Malware configuration extractor	IPs: 37.59.209.141:8080
Source: Malware configuration extractor	IPs: 54.37.228.122:443

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View	IP Address: 104.131.62.48 104.131.62.48

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.3:49744 -> 69.16.218.101:8080

Connects to several IPs in different countries

Source: unknown

Network traffic detected: IP country count 12

Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101

Source: svchost.exe, 00000017.00000003.472098316.000001D8FAB5C000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.facebook.com (Facebook)
Source: svchost.exe, 00000017.00000003.472098316.000001D8FAB5C000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.twitter.com (Twitter)
Source: svchost.exe, 00000017.00000003.472067286.000001D8FAB99000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.472098316.000001D8FAB5C000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z\|\|.\|\|d5cdcec3-04df-404e-ba07-3240047c89f9\|\|1152921505694348672\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 00000017.00000003.472067286.000001D8FAB99000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.472098316.000001D8FAB5C000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z\|\|.\|\|d5cdcec3-04df-404e-ba07-3240047c89f9\|\|1152921505694348672\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab

Source: svchost.exe, 00000017.00000002.488230673.000001D8FAB00000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.827577818.0000023AC8E89000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000001B.00000002.827577818.0000023AC8E89000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.14.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 0000000E.00000003.438068118.00000000006E2000.00000004.00000001.sdmp, rundll32.exe, 0000000E.00000003.436839850.0000000004F9C000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?f94ba70d714c2
Source: svchost.exe, 00000017.00000003.464564991.000001D8FAB6A000.00000004.00000001.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: Amcache.hve.17.dr	String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 00000017.00000003.464564991.000001D8FAB6A000.00000004.00000001.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000017.00000003.464564991.000001D8FAB6A000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000017.00000003.464564991.000001D8FAB6A000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000017.00000003.465928142.000001D8FAB90000.00000004.00000001.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_10001280 recvfrom,

2_2_10001280

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: loaddll32.exe, 00000000.00000000.379244317.00000000006FB000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Potential key logger detected (key state polling based)

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,	2_2_10027958
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,	3_2_10027958
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,	12_2_10027958

E-Banking Fraud:

Yara detected Emotet

Source: Yara match	File source: 5.2.rundll32.exe.4860000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.1140000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.3330000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.5380000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.51c0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.1270000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.5320000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.11d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.d50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.12a0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.5090000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.d50000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.1270000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.3410000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.1140000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.5060000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.1170000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.56c0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.5350000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.5350000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.1390000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.52f0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.d00000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.560000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.d00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.5190000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.52f0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.3330000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4830000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.560000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.d00000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.4b70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.d00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.1390000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4860000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.11d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.7c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.4c90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.bc0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.880000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.5060000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.5190000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.56c0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.56f0000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.361373048.0000000000881000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.369867351.0000000005381000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.306596758.0000000003330000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.376038820.0000000000D51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.369320365.00000000051C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.370265294.00000000056C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.359468675.00000000007C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.368368956.0000000004831000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.369446130.00000000052F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.368922473.0000000004B71000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.367128450.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.367810302.0000000001270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.367757114.0000000001171000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.370663067.0000000001190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.369147966.0000000005060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.368438775.0000000004860000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.306669964.0000000003411000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.370426063.00000000056F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.369281669.0000000005190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.367845396.00000000012A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.367713608.0000000001140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.379371136.0000000000D51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.376060277.0000000004C91000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.369637751.0000000005350000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.397131962.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.367919454.0000000001390000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.367465277.0000000000BC1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.368222308.00000000011D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.376003738.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.379329782.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.369552219.0000000005321000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.369203622.0000000005091000.00000020.00000001.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files

Source: nIQCsrVbbw.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

One or more processes crash

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6748 -ip 6748

Deletes files inside the Windows folder

Source: C:\Windows\SysWOW64\rundll32.exe

File deleted: C:\Windows\SysWOW64\Uibizbzyxusffon\lvdcgmwj.xbl:Zone.Identifier

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_100291F6	2_2_100291F6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1002F378	2_2_1002F378
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_100403D7	2_2_100403D7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1004250B	2_2_1004250B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10041557	2_2_10041557
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_100395A1	2_2_100395A1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1002F784	2_2_1002F784
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1004091B	2_2_1004091B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1002EACF	2_2_1002EACF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1002FBA4	2_2_1002FBA4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100291F6	3_2_100291F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002F378	3_2_1002F378
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100403D7	3_2_100403D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1004250B	3_2_1004250B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10041557	3_2_10041557
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100395A1	3_2_100395A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002F784	3_2_1002F784
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1004091B	3_2_1004091B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002EACF	3_2_1002EACF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002FBA4	3_2_1002FBA4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10035D96	3_2_10035D96
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10040E5F	3_2_10040E5F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002EFA4	3_2_1002EFA4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BC8636	5_2_00BC8636
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BD7A0F	5_2_00BD7A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BE2009	5_2_00BE2009
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BCDE74	5_2_00BCDE74
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BD4A66	5_2_00BD4A66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BDB257	5_2_00BDB257
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BCA445	5_2_00BCA445
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BE17BD	5_2_00BE17BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BD85FF	5_2_00BD85FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BDEFDD	5_2_00BDEFDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BCC5D8	5_2_00BCC5D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BDAD08	5_2_00BDAD08
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BC670B	5_2_00BC670B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BDFF58	5_2_00BDFF58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BDE955	5_2_00BDE955
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BD654A	5_2_00BD654A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BD2142	5_2_00BD2142
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BD0EBC	5_2_00BD0EBC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BE46BD	5_2_00BE46BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BCC6B8	5_2_00BCC6B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BD0ABA	5_2_00BD0ABA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BE36AA	5_2_00BE36AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BCBAA9	5_2_00BCBAA9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BD3EAA	5_2_00BD3EAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BDA2A5	5_2_00BDA2A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BC1CA1	5_2_00BC1CA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BDBEFD	5_2_00BDBEFD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BE00EF	5_2_00BE00EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BCF0E9	5_2_00BCF0E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BE3EE9	5_2_00BE3EE9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BDE4E5	5_2_00BDE4E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BDCCD9	5_2_00BDCCD9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BDD8DB	5_2_00BDD8DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BDCAD5	5_2_00BDCAD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BC80C0	5_2_00BC80C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BC3431	5_2_00BC3431
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BCB820	5_2_00BCB820
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BD8806	5_2_00BD8806
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BD9A01	5_2_00BD9A01
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BC7078	5_2_00BC7078
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BC7E79	5_2_00BC7E79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BD567B	5_2_00BD567B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BDA474	5_2_00BDA474
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BDDC71	5_2_00BDDC71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BCA871	5_2_00BCA871
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BE0A64	5_2_00BE0A64
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BE3263	5_2_00BE3263
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BD2E5D	5_2_00BD2E5D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BD4244	5_2_00BD4244
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BCE640	5_2_00BCE640
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BDF840	5_2_00BDF840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BC7442	5_2_00BC7442
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BDD1BC	5_2_00BDD1BC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BCBFBE	5_2_00BCBFBE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BC57B8	5_2_00BC57B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BD8FAE	5_2_00BD8FAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BE07AA	5_2_00BE07AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BC77A3	5_2_00BC77A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BC2194	5_2_00BC2194
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BC238C	5_2_00BC238C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BCFB8E	5_2_00BCFB8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BD3D85	5_2_00BD3D85
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BD6187	5_2_00BD6187
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BD0F86	5_2_00BD0F86
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BC4BFC	5_2_00BC4BFC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BC55FF	5_2_00BC55FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BD27F9	5_2_00BD27F9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BDE1F8	5_2_00BDE1F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BD9DF5	5_2_00BD9DF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BD07F4	5_2_00BD07F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BD67E6	5_2_00BD67E6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BCE7DE	5_2_00BCE7DE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BDFBDE	5_2_00BDFBDE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BDC5D5	5_2_00BDC5D5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BD8D3D	5_2_00BD8D3D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BC1F38	5_2_00BC1F38
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BD5333	5_2_00BD5333
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BD5515	5_2_00BD5515
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BCEF0C	5_2_00BCEF0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BE2B09	5_2_00BE2B09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BD5779	5_2_00BD5779
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BC6B7A	5_2_00BC6B7A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BD017B	5_2_00BD017B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BD437A	5_2_00BD437A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BD4F74	5_2_00BD4F74
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BD9774	5_2_00BD9774
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BCF369	5_2_00BCF369
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BD7D5B	5_2_00BD7D5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BE2D53	5_2_00BE2D53
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BCD14C	5_2_00BCD14C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_100291F6	12_2_100291F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_1002F378	12_2_1002F378
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_100403D7	12_2_100403D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_1004250B	12_2_1004250B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_10041557	12_2_10041557
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_100395A1	12_2_100395A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_1002F784	12_2_1002F784
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_1004091B	12_2_1004091B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_1002EACF	12_2_1002EACF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_1002FBA4	12_2_1002FBA4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_10035D96	12_2_10035D96
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_10040E5F	12_2_10040E5F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_1002EFA4	12_2_1002EFA4

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 10030E38 appears 49 times
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 10030535 appears 76 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10030E38 appears 116 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 1003578B appears 46 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10030535 appears 174 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10030568 appears 32 times

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\nIQCsrVbbw.dll
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nIQCsrVbbw.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",DllRegisterServer
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Uibizbzyxusffon\lvdcgmwj.xbl",PtnVsXFQteN
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Uibizbzyxusffon\lvdcgmwj.xbl",DllRegisterServer
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6748 -ip 6748
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6748 -s 512
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\nIQCsrVbbw.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nIQCsrVbbw.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Uibizbzyxusffon\lvdcgmwj.xbl",PtnVsXFQteN	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Uibizbzyxusffon\lvdcgmwj.xbl",DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6748 -ip 6748	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6748 -s 512	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:3876:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6748

Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: nIQCsrVbbw.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: nIQCsrVbbw.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: nIQCsrVbbw.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: nIQCsrVbbw.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: nIQCsrVbbw.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1003060D push ecx; ret	2_2_10030620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1003060D push ecx; ret	3_2_10030620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10030E7D push ecx; ret	3_2_10030E90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00BC1195 push cs; iretd	5_2_00BC1197
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_1003060D push ecx; ret	12_2_10030620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_10030E7D push ecx; ret	12_2_10030E90

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Uibizbzyxusffon\lvdcgmwj.xbl:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Ejank\xjmldn.gsl:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect,	2_2_100250A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect,	3_2_100250A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001DFC0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,	3_2_1001DFC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect,	12_2_100250A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_1001DFC0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,	12_2_1001DFC0

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\svchost.exe TID: 3144	Thread sleep time: -180000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6908	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\rundll32.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Source: C:\Windows\SysWOW64\regsvr32.exe	API coverage: 4.6 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 5.0 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 5.2 %

Source: C:\Windows\SysWOW64\regsvr32.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: Amcache.hve.17.dr	Binary or memory string: VMware
Source: Amcache.hve.17.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.17.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.17.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.17.dr	Binary or memory string: VMware, Inc.
Source: svchost.exe, 0000001B.00000002.827552655.0000023AC8E60000.00000004.00000001.sdmp	Binary or memory string: y_Event$@Hyper-V RAW2d-4c2f-a0a5-91ba6f8f5c2f}LMEM
Source: Amcache.hve.17.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.17.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.17.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.17.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.17.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.17.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: svchost.exe, 00000017.00000002.488004797.000001D8FA2EF000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.487873057.000001D8FA284000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.487235003.000001D8FA257000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.487824691.000001D8FA258000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.826608694.0000023AC362A000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.827535646.0000023AC8E4A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.17.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.17.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.17.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.17.dr	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.17.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.17.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_1003A8D4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_1002DB0D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10032CB9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_10032CB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_1003A8D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_1002DB0D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10032CB9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_10032CB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_1003A8D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_1002DB0D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_10032CB9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_10032CB9

Source: loaddll32.exe, 00000000.00000000.379490489.0000000001250000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.376314359.0000000001250000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000000.379490489.0000000001250000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.376314359.0000000001250000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000000.379490489.0000000001250000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.376314359.0000000001250000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000000.379490489.0000000001250000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.376314359.0000000001250000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Windows Analysis Report nIQCsrVbbw

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoA,	2_2_1003E000
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,	2_2_1003D098
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,	2_2_1002129B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,	2_2_1003D35E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,	2_2_1003850E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,	2_2_1003D7AE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	2_2_1003C7D2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	2_2_1003D8C5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,	2_2_1003D95D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	2_2_1003D9D1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	2_2_1003F9F4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,	2_2_1003EA86
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,	2_2_1003EABA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	2_2_1003DBA3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	2_2_1003EBF9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	2_2_1003DC64
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	2_2_1003DCCB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,	2_2_1003DD07
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,	3_2_1003E000
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,	3_2_1003D098
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,	3_2_1002129B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,	3_2_1003D35E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,	3_2_1003850E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,	3_2_1003D7AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	3_2_1003C7D2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	3_2_1003D8C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,	3_2_1003D95D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	3_2_1003D9D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	3_2_1003F9F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,	3_2_1003EA86
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,	3_2_1003EABA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	3_2_1003DBA3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	3_2_1003EBF9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	3_2_1003DC64
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	3_2_1003DCCB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,	3_2_1003DD07
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,	3_2_1003CE40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,	12_2_1003E000
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,	12_2_1003D098
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,	12_2_1002129B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,	12_2_1003D35E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,	12_2_1003850E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,	12_2_1003D7AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	12_2_1003C7D2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	12_2_1003D8C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,	12_2_1003D95D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	12_2_1003D9D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	12_2_1003F9F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,	12_2_1003EA86
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,	12_2_1003EABA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	12_2_1003DBA3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	12_2_1003EBF9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	12_2_1003DC64
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	12_2_1003DCCB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,	12_2_1003DD07
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,	12_2_1003CE40

Source: Amcache.hve.17.dr, Amcache.hve.LOG1.17.dr	Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.17.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.17.dr, Amcache.hve.LOG1.17.dr	Binary or memory string: procexp.exe

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10001160 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt,	2_2_10001160
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10001160 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt,	3_2_10001160
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_10001160 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt,	12_2_10001160

IP	Domain	Country	ASN	ASN Name	Malicious
207.148.81.119	unknown	United States	20473	AS-CHOOPAUS	true
104.131.62.48	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
85.214.67.203	unknown	Germany	6724	STRATOSTRATOAGDE	true
191.252.103.16	unknown	Brazil	27715	LocawebServicosdeInternetSABR	true
168.197.250.14	unknown	Argentina	264776	OmarAnselmoRipollTDCNETAR	true
66.42.57.149	unknown	United States	20473	AS-CHOOPAUS	true
185.148.168.15	unknown	Germany	44780	EVERSCALE-ASDE	true
51.210.242.234	unknown	France	16276	OVHFR	true
217.182.143.207	unknown	France	16276	OVHFR	true
69.16.218.101	unknown	United States	32244	LIQUIDWEBUS	true
159.69.237.188	unknown	Germany	24940	HETZNER-ASDE	true
45.138.98.34	unknown	Germany	9009	M247GB	true
116.124.128.206	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
78.46.73.125	unknown	Germany	24940	HETZNER-ASDE	true
37.59.209.141	unknown	France	16276	OVHFR	true
210.57.209.142	unknown	Indonesia	38142	UNAIR-AS-IDUniversitasAirlanggaID	true
185.148.168.220	unknown	Germany	44780	EVERSCALE-ASDE	true
54.37.228.122	unknown	France	16276	OVHFR	true
190.90.233.66	unknown	Colombia	18678	INTERNEXASAESPCO	true
142.4.219.173	unknown	Canada	16276	OVHFR	true
54.38.242.185	unknown	France	16276	OVHFR	true
195.154.146.35	unknown	France	12876	OnlineSASFR	true
195.77.239.39	unknown	Spain	60493	FICOSA-ASES	true
78.47.204.80	unknown	Germany	24940	HETZNER-ASDE	true
37.44.244.177	unknown	Germany	47583	AS-HOSTINGERLT	true
62.171.178.147	unknown	United Kingdom	51167	CONTABODE	true
128.199.192.135	unknown	United Kingdom	14061	DIGITALOCEAN-ASNUS	true

ID:	553359
Product:	CloudBasic
Start time:	18:58:28
Start date:	14.01.2022
Sample:	nIQCsrVbbw
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	06b75d254c6844f78c7d7eefa5b1243e
SHA1:	af4b4dccf317dbeeab97868a9514a7c9e496c8d3
SHA256:	b0e46325319e75a2490a73045a60030961851c07d266df73d7e048799e133ec7
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 98.32%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Network\Downloader\edb.log	MPEG-4 LOAS	51DC402A9F6C81E0BED7BE8CD9693A66	0860EAFD248F50CE399F8BE75302C69B9AC2186B	AD6EA2A2ACEB0426A47FA5716F3F8A683FA9C5497ED8B73C9273746BAC5B030C
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db	Extensible storage engine DataBase, version 0x620, checksum 0xb577f95a, page size 16384, DirtyShutdown, Windows version 10.0	D3944AD90064A7E4584F2DB27C5ADC86	2E44696DFB217829BFF20523DC3B477A0811F074	934257669376A2690EB42234D498CF5709DFDDA7130025751526D7F382C2B793
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm	data	6C470310ECBB4F35FA720C7BC188746B	2C392A6FDBF24BB955C99B1FEB373CA48642D8C5	B896754FCB6CC2860AABDB82A1AC5DE93ECA2410EA5A3497B0FD38C21A779E66
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_7d3365b34093db6d884642e334bbbe4e6283fce_7cac0383_1858c648\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	030E2D9BBA13D29640FC53D6F406D48D	AA68FC7ECDD6942B61FC27365E34E791BD2ED08F	B67B89C0D3FA51AB3D8C74CDEE6DB758AB665E338104A154E864C1936481F936
C:\ProgramData\Microsoft\Windows\WER\Temp\WER44E1.tmp.csv	data	6B1E58957A41AF1EC4FC58CA70BD59CD	C8412D5B6DE309505D5E562B31460A21A87744C2	63051A2FC6AC62D918072A5CD2184BE7A278D034871139ED77865C9FAAF787B0
C:\ProgramData\Microsoft\Windows\WER\Temp\WER48CA.tmp.txt	data	45928CC03A93897925D4ED016E93C10C	FCE2AFF07EF67490416298A848BB5E7F99E235A9	D3006E019A2F2729BFF81B10D0F7CAA814DD6959425E1F4F6BDFE9812AF5D50E
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB61B.tmp.dmp	Mini DuMP crash report, 15 streams, Sat Jan 15 03:00:09 2022, 0x1205a4 type	BD343ADAD03C9995B4EA2C3EB1373745	240981625408A7E4800196D0BED975AE1E97C531	94000B5C993375C966E713E7886E9CD1B9F018FDA7958DF6959130753E26CB55
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC85.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	DA7CFC33DFCE8DABA83C4EA42ADF32C6	63D2E474088C182A4711071B217918858C89EA71	95967CA4FB21A290203A7574A307999BDE48EC81A80D9C1EBEBB427EC77A6436
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBF45.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	662A1A367461BA31DB23340401FD97AB	523C2303A37800C0E8A73B16DC5EE89FA379130E	917F8CDCF7BF4FDAC65412CFBE5C28FBE72D4D28A2B8E48E8712252A697CC62C
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, 61414 bytes, 1 file	ACAEDA60C79C6BCAC925EEB3653F45E0	2AAAE490BCDACCC6172240FF1697753B37AC5578	6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	7F09ADF005426F52A243F8841E74EFE3	DBF5C90A9BBAE8BFA3C60F2F1B7E0B4C58254C71	C3D2BE8AB9CD6874A1D13CCAFCEB3FE354986399118D9756427EB9C40DE192FC
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	ASCII text, with no line terminators	DCA83F08D448911A14C22EBCACC5AD57	91270525521B7FE0D986DB19747F47D34B6318AD	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	E6298D490A541EF8F687C9FE5B0DFC20	AC6036A760334F24CBC3B7FECC0C9102778FB889	D39DE5CA4FB67686131204CFB251D3C5DA07CA486AC985C85C4548D527B33660
C:\Windows\appcompat\Programs\Amcache.hve.LOG1	MS Windows registry file, NT/2000 or above	B55740C905DEDF938ECE9AA720F2D7AF	8AAAF759CF0C4BE4B0F7EBC792C35397A58A33BD	2D1F3529349467CCF6270C3D0955E5371A66958620B99777B362F22AC547A828