Windows Analysis Report ALNgwfVtrB

Overview

General Information

Sample Name: ALNgwfVtrB (renamed file extension from none to dll)
Analysis ID: 553377
MD5: 61308ba77d051e4e76e532f9709635e0
SHA1: 95d2cd6c7be346d29735ed970d3f373d37b7e13f
SHA256: bd2c1b86de45c3e9d0d7c85322228c3512ce2c041765d95bb613cdf12647bea9
Tags: 32dllexe

Detection

Emotet
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 0.2.loaddll32.exe.b50000.0.raw.unpack Malware Configuration Extractor: Emotet {"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"]}
Multi AV Scanner detection for submitted file
Source: ALNgwfVtrB.dll Virustotal: Detection: 15%
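Added example (Python, not part of this sandbox report): decoding the two "Public Key" strings from the extracted configuration above. Each string is a base64-encoded Windows CNG BCRYPT_ECCKEY_BLOB: a 4-byte magic ("ECK1" for an ECDH P-256 public key, "ECS1" for an ECDSA P-256 public key), a little-endian cbKey (0x20, i.e. 32 bytes) and then the X and Y coordinates, big-endian, cbKey bytes each. The script checks magic and length, verifies that the point lies on P-256 so a mangled extraction is caught rather than trusted, and hashes the SEC1 encoding to get a fingerprint for tracking the same key across samples. The P-256 constants are the NIST values; the two key strings are copied from the report and nothing else is assumed.

```python
"""Decode the two "Public Key" blobs from the extracted Emotet configuration.

Added example, not part of the sandbox report. The two base64 strings are
copied from the "Found malware configuration" entry; the blob layout is the
documented Windows CNG BCRYPT_ECCKEY_BLOB (4-byte magic, 4-byte little-endian
cbKey, then the X and Y coordinates, each cbKey bytes, big-endian).
"""
import base64
import hashlib
import struct

# Copied verbatim from the report's extracted configuration.
EMOTET_PUBLIC_KEYS = [
    "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW",
    "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0",
]

# CNG magic values from bcrypt.h: "ECK1" = ECDH P-256 public, "ECS1" = ECDSA P-256 public.
MAGIC_KINDS = {b"ECK1": "ECDH P-256 public key", b"ECS1": "ECDSA P-256 public key"}

# NIST P-256 domain parameters (FIPS 186-4), used only to sanity-check the point.
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5


def is_on_p256(x: int, y: int) -> bool:
    """True if (x, y) satisfies y^2 = x^3 + ax + b over GF(p) for P-256."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x + P256_A * x + P256_B)) % P256_P == 0


def parse_ecc_blob(b64: str) -> dict:
    """Decode a CNG ECC public-key blob and return its fields plus a fingerprint."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) < 8:
        raise ValueError("blob shorter than the 8-byte header")
    magic, cb_key = struct.unpack_from("<4sI", raw, 0)
    if magic not in MAGIC_KINDS:
        raise ValueError(f"unexpected magic {magic!r}")
    if len(raw) != 8 + 2 * cb_key:
        raise ValueError(f"expected {8 + 2 * cb_key} bytes for cbKey={cb_key}, got {len(raw)}")
    x = int.from_bytes(raw[8:8 + cb_key], "big")
    y = int.from_bytes(raw[8 + cb_key:8 + 2 * cb_key], "big")
    # SEC1 uncompressed point: 0x04 || X || Y. Hashing it gives a stable
    # identifier for tracking the same key across samples and epochs.
    sec1 = b"\x04" + raw[8:8 + 2 * cb_key]
    return {
        "magic": magic.decode("ascii"),
        "kind": MAGIC_KINDS[magic],
        "cb_key": cb_key,
        "x": x,
        "y": y,
        "on_curve": is_on_p256(x, y),
        "fingerprint": hashlib.sha256(sec1).hexdigest(),
    }


def parse_config_keys(keys) -> list:
    """Decode every entry of the config's "Public Key" list."""
    return [parse_ecc_blob(k) for k in keys]


if __name__ == "__main__":
    for k in parse_config_keys(EMOTET_PUBLIC_KEYS):
        print(f"{k['magic']}  {k['kind']}  cbKey={k['cb_key']}  on_curve={k['on_curve']}")
        print(f"    sha256(SEC1) = {k['fingerprint']}")
```

A point that fails the curve check means the extractor output or the transcription is wrong, not that the sample uses a different curve: the magic value already pins the curve to P-256, and CNG itself rejects off-curve points on import.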

Compliance:

Uses 32bit PE files
Source: ALNgwfVtrB.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.390510495.0000000004871000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000009.00000003.386248432.0000000001084000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.390510495.0000000004871000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.386451052.00000000008F1000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.386643870.00000000008F1000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.387103473.0000000001089000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.390522998.0000000001122000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.390510495.0000000004871000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.390510495.0000000004871000.00000004.00000001.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000009.00000003.390522998.0000000001122000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390639136.0000000001125000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000009.00000003.390510495.0000000004871000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.387043294.00000000008EB000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.386443931.00000000008EB000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000009.00000003.390522998.0000000001122000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390639136.0000000001125000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000009.00000003.390510495.0000000004871000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.390510495.0000000004871000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdbQk source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000009.00000003.390627336.0000000001120000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb6g source: WerFault.exe, 00000009.00000003.390627336.0000000001120000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbok.zD source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: combase.pdb!kXz source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000009.00000003.390627336.0000000001120000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.390510495.0000000004871000.00000004.00000001.sdmp
Source: Binary string: iphlpapi.pdb?k~z source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.390627336.0000000001120000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.386458009.00000000008F7000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.386707582.00000000008F7000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.390510495.0000000004871000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.386650391.00000000008F7000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.386804457.00000000008F7000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 00000009.00000003.390522998.0000000001122000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000009.00000003.386458009.00000000008F7000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.386707582.00000000008F7000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.386650391.00000000008F7000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.386804457.00000000008F7000.00000004.00000001.sdmp
Source: Binary string: winspool.pdb9kpz source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.390627336.0000000001120000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000009.00000003.390627336.0000000001120000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000009.00000003.390510495.0000000004871000.00000004.00000001.sdmp
Source: Binary string: ws2_32.pdb]k source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000009.00000003.386451052.00000000008F1000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.386643870.00000000008F1000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000009.00000003.390510495.0000000004871000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.390510495.0000000004871000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdbuk4zl source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: a/pjr2pCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000009.00000002.401712125.0000000000672000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000009.00000003.387043294.00000000008EB000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.386443931.00000000008EB000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.6:49727 -> 45.138.98.34:80
Source: Traffic Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.6:49728 -> 69.16.218.101:8080
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 69.16.218.101 144
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.138.98.34 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 45.138.98.34:80
Source: Malware configuration extractor IPs: 69.16.218.101:8080
Source: Malware configuration extractor IPs: 51.210.242.234:8080
Source: Malware configuration extractor IPs: 185.148.168.220:8080
Source: Malware configuration extractor IPs: 142.4.219.173:8080
Source: Malware configuration extractor IPs: 54.38.242.185:443
Source: Malware configuration extractor IPs: 191.252.103.16:80
Source: Malware configuration extractor IPs: 104.131.62.48:8080
Source: Malware configuration extractor IPs: 62.171.178.147:8080
Source: Malware configuration extractor IPs: 217.182.143.207:443
Source: Malware configuration extractor IPs: 168.197.250.14:80
Source: Malware configuration extractor IPs: 37.44.244.177:8080
Source: Malware configuration extractor IPs: 66.42.57.149:443
Source: Malware configuration extractor IPs: 210.57.209.142:8080
Source: Malware configuration extractor IPs: 159.69.237.188:443
Source: Malware configuration extractor IPs: 116.124.128.206:8080
Source: Malware configuration extractor IPs: 128.199.192.135:8080
Source: Malware configuration extractor IPs: 195.154.146.35:443
Source: Malware configuration extractor IPs: 185.148.168.15:8080
Source: Malware configuration extractor IPs: 195.77.239.39:8080
Source: Malware configuration extractor IPs: 207.148.81.119:8080
Source: Malware configuration extractor IPs: 85.214.67.203:8080
Source: Malware configuration extractor IPs: 190.90.233.66:443
Source: Malware configuration extractor IPs: 78.46.73.125:443
Source: Malware configuration extractor IPs: 78.47.204.80:443
Source: Malware configuration extractor IPs: 37.59.209.141:8080
Source: Malware configuration extractor IPs: 54.37.228.122:443
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49728 -> 69.16.218.101:8080
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 12
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: svchost.exe, 00000015.00000003.511379311.000001E0BD5A2000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.facebook.com (Facebook)
Source: svchost.exe, 00000015.00000003.511379311.000001E0BD5A2000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.twitter.com (Twitter)
Source: svchost.exe, 00000015.00000003.511468259.000001E0BD5B3000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.511379311.000001E0BD5A2000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","T
Z","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z||.||d5cdcec3-04df-404e-ba07-3240047c89f9||1152921505694348672||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 00000015.00000003.511379311.000001E0BD5A2000.00000004.00000001.sdmp String found in binary or memory: trings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify - Music and Podcasts","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NCBCSZSJRSB","Properties":{"FulfillmentData":{"ProductId":"9NCBCSZSJRSB","WuCategoryId":"5c353b9c-7ac7-4d27-af07-923e7d9aa2e2","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","SkuId":"0011"},"FulfillmentType":"WindowsUpdate","FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"Spotify"}],"Architectures":["x86"],"Capabilities":["internetClient","runFullTrust","Microsoft.storeFilter.core.notSupported_8wek
yb3d8bbwe"],"ExperienceIds":[],"MaxDownloadSizeInBytes":104380919,"MaxInstallSizeInBytes":203345920,"PackageFormat":"Appx","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","MainPackageFamilyNameForDlc":null,"PackageFullName":"SpotifyAB.SpotifyMusic_1.176.447.0_x86__zpdnekdrzrea0","PackageId":"3fbafb47-f476-4c26-4445-49acb9a726e6-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750754275328,"MinVersion":2814750710366559,"PlatformName":"Windows.Desktop"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.isMain\":false,\"content.packageId\":\"SpotifyAB.SpotifyMusic_1.176.447.0_x86__zpdnekdrzrea0\",\"content.productId\":\"caac1b9d-621b-4f96-b143-e10e1397740a\",\"content.targetPlatforms\":[{\"platform.maxVersionTested\":2814750754275328,\"platform.minVersion\":2814750710366559,\"platform.target\":3}],\"content.type\":7,\"policy\":{\"category.first\":\"app\",\"category.second\":\"Music\",\"optOut.backupRestore\":true,\"optOut.removeableMedia\":false},\"policy2\":{\"ageRating\":3,\"optOut.DVR\":false,\"thirdPartyAppRatings\":[{\"level\":9,\"systemId\":3},{\"leve
Source: svchost.exe, 00000015.00000002.528158834.000001E0BD500000.00000004.00000001.sdmp, svchost.exe, 00000018.00000002.863748399.000002E116062000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 77EC63BDA74BD0D0E0426DC8F80085060.11.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 00000015.00000003.503188635.000001E0BD571000.00000004.00000001.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: Amcache.hve.9.dr String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 00000015.00000003.503188635.000001E0BD571000.00000004.00000001.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000015.00000003.503188635.000001E0BD571000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000015.00000003.503188635.000001E0BD571000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000015.00000003.504317499.000001E0BD583000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.504779704.000001E0BDA19000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.504403415.000001E0BD594000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.504445076.000001E0BD5A5000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10001280 recvfrom, 3_2_10001280

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000000.00000000.380317596.0000000000D6B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 5.2.rundll32.exe.5200000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5a90000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.54c0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.46a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.53b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.b50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5490000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.b50000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.b50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.56a0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5640000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.46a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.b50000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.d30000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.56d0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.55d0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5460000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.5600000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.53c0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.5200000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.b50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.46d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3080000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5930000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5640000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.5630000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.4020000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5900000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.55a0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.55a0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5380000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5380000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.d30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.33d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.56a0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4e60000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.5600000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.33b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5670000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.4020000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.54c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3080000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.3660000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.33d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.54f0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4a10000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5900000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5a60000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.33b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5a60000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.b50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.4050000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.d30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5460000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.388319825.0000000005640000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.388061342.00000000053B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.388938400.0000000005A60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.425302680.00000000054F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.388421865.00000000056A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.421593787.0000000004051000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.388494502.00000000056D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.388374896.0000000005671000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.424744123.00000000033B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.390300102.0000000004A11000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.388137915.0000000005460000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.425412117.0000000005600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.388743358.0000000005900000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.425380885.00000000055D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.421559907.0000000004020000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.378920575.0000000000B50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.387667842.0000000004E61000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.380234706.0000000000B50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.389941280.0000000003080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.377076576.00000000046D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.380280063.0000000000D31000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.425231298.00000000053C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.403315549.0000000000B50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.387995858.0000000005380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.379032722.0000000000D31000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.389038479.0000000005A91000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.425055302.0000000005200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.376980438.00000000046A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.425273355.00000000054C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.425444879.0000000005631000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.388835673.0000000005931000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.424828975.0000000003661000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.387132452.00000000033D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.388209292.0000000005491000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.425344500.00000000055A0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files
Source: ALNgwfVtrB.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
One or more processes crash
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 164 -p 6764 -ip 6764
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Mhgwckn\ikgetkts.aey:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Sqvvzhazj\
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D4EFDD 0_2_00D4EFDD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D4CAD5 0_2_00D4CAD5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D4CCD9 0_2_00D4CCD9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D4D8DB 0_2_00D4D8DB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D380C0 0_2_00D380C0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D4BEFD 0_2_00D4BEFD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D4E4E5 0_2_00D4E4E5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D3F0E9 0_2_00D3F0E9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D500EF 0_2_00D500EF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D53EE9 0_2_00D53EE9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D546BD 0_2_00D546BD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D40EBC 0_2_00D40EBC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D3C6B8 0_2_00D3C6B8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D40ABA 0_2_00D40ABA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D4A2A5 0_2_00D4A2A5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D31CA1 0_2_00D31CA1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D3BAA9 0_2_00D3BAA9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D43EAA 0_2_00D43EAA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D536AA 0_2_00D536AA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D4B257 0_2_00D4B257
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D42E5D 0_2_00D42E5D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D44244 0_2_00D44244
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D37442 0_2_00D37442
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D3E640 0_2_00D3E640
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D4F840 0_2_00D4F840
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D3A445 0_2_00D3A445
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D4A474 0_2_00D4A474
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D3A871 0_2_00D3A871
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D4DC71 0_2_00D4DC71
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D3DE74 0_2_00D3DE74
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D37E79 0_2_00D37E79
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D37078 0_2_00D37078
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D4567B 0_2_00D4567B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D50A64 0_2_00D50A64
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D44A66 0_2_00D44A66
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D53263 0_2_00D53263
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D48806 0_2_00D48806
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D49A01 0_2_00D49A01
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D47A0F 0_2_00D47A0F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D52009 0_2_00D52009
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D33431 0_2_00D33431
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D38636 0_2_00D38636
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D3B820 0_2_00D3B820
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D4C5D5 0_2_00D4C5D5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D4FBDE 0_2_00D4FBDE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D3C5D8 0_2_00D3C5D8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D3E7DE 0_2_00D3E7DE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D407F4 0_2_00D407F4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D49DF5 0_2_00D49DF5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D485FF 0_2_00D485FF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D4E1F8 0_2_00D4E1F8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D355FF 0_2_00D355FF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D427F9 0_2_00D427F9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D34BFC 0_2_00D34BFC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D467E6 0_2_00D467E6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D32194 0_2_00D32194
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D43D85 0_2_00D43D85
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D40F86 0_2_00D40F86
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D46187 0_2_00D46187
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D3FB8E 0_2_00D3FB8E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D3238C 0_2_00D3238C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D4D1BC 0_2_00D4D1BC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D517BD 0_2_00D517BD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D357B8 0_2_00D357B8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D3BFBE 0_2_00D3BFBE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D377A3 0_2_00D377A3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D48FAE 0_2_00D48FAE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D507AA 0_2_00D507AA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D4E955 0_2_00D4E955
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D52D53 0_2_00D52D53
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D4FF58 0_2_00D4FF58
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D47D5B 0_2_00D47D5B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D42142 0_2_00D42142
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D4654A 0_2_00D4654A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D3D14C 0_2_00D3D14C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D44F74 0_2_00D44F74
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D49774 0_2_00D49774
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D36B7A 0_2_00D36B7A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D45779 0_2_00D45779
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D4437A 0_2_00D4437A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D4017B 0_2_00D4017B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D3F369 0_2_00D3F369
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D45515 0_2_00D45515
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D3670B 0_2_00D3670B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D52B09 0_2_00D52B09
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D4AD08 0_2_00D4AD08
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D3EF0C 0_2_00D3EF0C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D45333 0_2_00D45333
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D48D3D 0_2_00D48D3D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D31F38 0_2_00D31F38
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_100291F6 3_2_100291F6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1002F378 3_2_1002F378
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_100403D7 3_2_100403D7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1004250B 3_2_1004250B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10041557 3_2_10041557
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_100395A1 3_2_100395A1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1002F784 3_2_1002F784
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1004091B 4_2_1004091B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100291F6 4_2_100291F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1002EACF 4_2_1002EACF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100403D7 4_2_100403D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1004250B 4_2_1004250B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10041557 4_2_10041557
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10035D96 4_2_10035D96
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100395A1 4_2_100395A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10040E5F 4_2_10040E5F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03672142 5_2_03672142
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0367654A 5_2_0367654A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0367FF58 5_2_0367FF58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0366670B 5_2_0366670B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0367AD08 5_2_0367AD08
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0367EFDD 5_2_0367EFDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0366C5D8 5_2_0366C5D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03674A66 5_2_03674A66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0366DE74 5_2_0366DE74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0366A445 5_2_0366A445
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03668636 5_2_03668636
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03682009 5_2_03682009
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03677A0F 5_2_03677A0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0366F369 5_2_0366F369
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03674F74 5_2_03674F74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03679774 5_2_03679774
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03666B7A 5_2_03666B7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0367017B 5_2_0367017B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0367437A 5_2_0367437A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03675779 5_2_03675779
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0366D14C 5_2_0366D14C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0367E955 5_2_0367E955
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03682D53 5_2_03682D53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03677D5B 5_2_03677D5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03675333 5_2_03675333
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03678D3D 5_2_03678D3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03661F38 5_2_03661F38
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03682B09 5_2_03682B09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0366EF0C 5_2_0366EF0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03675515 5_2_03675515
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_036767E6 5_2_036767E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03679DF5 5_2_03679DF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_036707F4 5_2_036707F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_036785FF 5_2_036785FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_036655FF 5_2_036655FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03664BFC 5_2_03664BFC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_036727F9 5_2_036727F9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0367E1F8 5_2_0367E1F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0367C5D5 5_2_0367C5D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0366E7DE 5_2_0366E7DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0367FBDE 5_2_0367FBDE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_036807AA 5_2_036807AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_036677A3 5_2_036677A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03678FAE 5_2_03678FAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_036817BD 5_2_036817BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0366BFBE 5_2_0366BFBE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0367D1BC 5_2_0367D1BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_036657B8 5_2_036657B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03676187 5_2_03676187
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03670F86 5_2_03670F86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03673D85 5_2_03673D85
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0366FB8E 5_2_0366FB8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0366238C 5_2_0366238C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03662194 5_2_03662194
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03683263 5_2_03683263
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03680A64 5_2_03680A64
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0367A474 5_2_0367A474
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0367DC71 5_2_0367DC71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0366A871 5_2_0366A871
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0367567B 5_2_0367567B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03667078 5_2_03667078
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03667E79 5_2_03667E79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03674244 5_2_03674244
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03667442 5_2_03667442
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0366E640 5_2_0366E640
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0367F840 5_2_0367F840
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0367B257 5_2_0367B257
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03672E5D 5_2_03672E5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0366B820 5_2_0366B820
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03663431 5_2_03663431
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03678806 5_2_03678806
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03679A01 5_2_03679A01
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03683EE9 5_2_03683EE9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0367E4E5 5_2_0367E4E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_036800EF 5_2_036800EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0366F0E9 5_2_0366F0E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0367BEFD 5_2_0367BEFD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_036680C0 5_2_036680C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0367CAD5 5_2_0367CAD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0367D8DB 5_2_0367D8DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0367CCD9 5_2_0367CCD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0367A2A5 5_2_0367A2A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_036836AA 5_2_036836AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03661CA1 5_2_03661CA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03673EAA 5_2_03673EAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0366BAA9 5_2_0366BAA9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_036846BD 5_2_036846BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03670EBC 5_2_03670EBC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03670ABA 5_2_03670ABA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0366C6B8 5_2_0366C6B8
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10030E38 appears 38 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10030535 appears 40 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030E38 appears 45 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030535 appears 32 times
PE file contains strange resources
Source: ALNgwfVtrB.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: ALNgwfVtrB.dll Virustotal: Detection: 15%
Source: ALNgwfVtrB.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\ALNgwfVtrB.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ALNgwfVtrB.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",DllRegisterServer
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 164 -p 6764 -ip 6764
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6764 -s 528
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Mhgwckn\ikgetkts.aey",QTEnBIyMIuE
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Mhgwckn\ikgetkts.aey",DllRegisterServer
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",DllRegisterServer
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\ALNgwfVtrB.dll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ALNgwfVtrB.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Mhgwckn\ikgetkts.aey",QTEnBIyMIuE
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 164 -p 6764 -ip 6764
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6764 -s 528
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Mhgwckn\ikgetkts.aey",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\System32\svchost.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER178B.tmp
Source: classification engine Classification label: mal92.troj.evad.winDLL@28/15@0/28
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:4680:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6764
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10021183 LoadResource,LockResource,SizeofResource, 3_2_10021183
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts (4 identical events)
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.390510495.0000000004871000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000009.00000003.386248432.0000000001084000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.390510495.0000000004871000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.386451052.00000000008F1000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.386643870.00000000008F1000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.387103473.0000000001089000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.390522998.0000000001122000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.390510495.0000000004871000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.390510495.0000000004871000.00000004.00000001.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000009.00000003.390522998.0000000001122000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390639136.0000000001125000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000009.00000003.390510495.0000000004871000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.387043294.00000000008EB000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.386443931.00000000008EB000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000009.00000003.390522998.0000000001122000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390639136.0000000001125000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000009.00000003.390510495.0000000004871000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.390510495.0000000004871000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdbQk source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000009.00000003.390627336.0000000001120000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb6g source: WerFault.exe, 00000009.00000003.390627336.0000000001120000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbok.zD source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: combase.pdb!kXz source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000009.00000003.390627336.0000000001120000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.390510495.0000000004871000.00000004.00000001.sdmp
Source: Binary string: iphlpapi.pdb?k~z source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.390627336.0000000001120000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.386458009.00000000008F7000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.386707582.00000000008F7000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.390510495.0000000004871000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.386650391.00000000008F7000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.386804457.00000000008F7000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 00000009.00000003.390522998.0000000001122000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000009.00000003.386458009.00000000008F7000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.386707582.00000000008F7000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.386650391.00000000008F7000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.386804457.00000000008F7000.00000004.00000001.sdmp
Source: Binary string: winspool.pdb9kpz source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.390627336.0000000001120000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000009.00000003.390627336.0000000001120000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000009.00000003.390510495.0000000004871000.00000004.00000001.sdmp
Source: Binary string: ws2_32.pdb]k source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000009.00000003.386451052.00000000008F1000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.386643870.00000000008F1000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000009.00000003.390510495.0000000004871000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.390510495.0000000004871000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdbuk4zl source: WerFault.exe, 00000009.00000003.390648764.0000000001128000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.390538795.0000000001128000.00000004.00000040.sdmp
Source: Binary string: a/pjr2pCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000009.00000002.401712125.0000000000672000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000009.00000003.387043294.00000000008EB000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.386443931.00000000008EB000.00000004.00000001.sdmp
Source: ALNgwfVtrB.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ALNgwfVtrB.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ALNgwfVtrB.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ALNgwfVtrB.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ALNgwfVtrB.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D31195 push cs; iretd 0_2_00D31197
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1003060D push ecx; ret 3_2_10030620
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1003060D push ecx; ret 4_2_10030620
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10030E7D push ecx; ret 4_2_10030E90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_03661195 push cs; iretd 5_2_03661197
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1003E278 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 3_2_1003E278
PE file contains an invalid checksum
Source: ALNgwfVtrB.dll Static PE information: real checksum: 0x970bf should be: 0x9d4b2
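The stored value 0x970bf against the recomputed 0x9d4b2 above means the optional header was written once by a linker and then edited (by a packer or crypter, or by reusing a patched template) without the checksum being refreshed. The user-mode loader does not enforce this field for ordinary executables and DLLs, so a mismatch is a triage signal rather than a load failure; a stored value of zero, by contrast, is normal for many unsigned builds. The following Python is an added example for this page, not code from the report or its analysis engine. It recomputes the header checksum with the well-known algorithm (word sum with end-around carry, the CheckSum field itself treated as zero, folded to 16 bits, plus the file length) and classifies the result. build_minimal_pe is a constructed test input, not a real binary, and its 0x80 e_lfanew and i386 PE32 header values are my choices.

```python
import struct
import sys


def _checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum:
    e_lfanew + Signature (4) + IMAGE_FILE_HEADER (20) + 0x40 into the optional header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    return e_lfanew + 4 + 20 + 0x40


def pe_checksum(data: bytes) -> int:
    """Recompute the header checksum (same result as imagehlp's CheckSumMappedFile):
    sum the file as little-endian 32-bit words with end-around carry, with the
    CheckSum field itself treated as zero, fold to 16 bits, then add the file length."""
    buf = bytearray(data)
    off = _checksum_field_offset(data)
    buf[off:off + 4] = b"\0\0\0\0"          # the field is excluded from its own checksum
    buf += b"\0" * (-len(buf) % 4)          # zero-pad a trailing partial word
    total = 0
    for pos in range(0, len(buf), 4):
        total += struct.unpack_from("<I", buf, pos)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def header_checksum(data: bytes) -> int:
    """The value currently stored in the optional header."""
    return struct.unpack_from("<I", data, _checksum_field_offset(data))[0]


def set_checksum(data: bytes, value: int) -> bytes:
    """Return a copy of data with the CheckSum field overwritten."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, _checksum_field_offset(data), value)
    return bytes(buf)


def check_pe_checksum(data: bytes) -> dict:
    """status: 'match' (linker-set and untouched), 'zero' (never set; common for unsigned
    builds) or 'mismatch' (header edited after linking, e.g. by a packer, as in this sample)."""
    stored, computed = header_checksum(data), pe_checksum(data)
    status = "match" if stored == computed else ("zero" if stored == 0 else "mismatch")
    return {"stored": stored, "computed": computed, "status": status}


def build_minimal_pe(size: int = 0x200, checksum: int = 0) -> bytes:
    """Constructed test input (not a real binary): MZ stub, PE signature at 0x80,
    an i386 DLL file header and a PE32 optional header with nothing else set."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)                                   # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", buf, 0x84, 0x14C, 0, 0, 0, 0, 0xE0, 0x2102)  # IMAGE_FILE_HEADER
    struct.pack_into("<H", buf, 0x98, 0x10B)                                  # Magic = PE32
    struct.pack_into("<I", buf, 0x98 + 0x40, checksum)                        # CheckSum field
    return bytes(buf)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_minimal_pe()
    r = check_pe_checksum(data)
    print(f"stored {r['stored']:#x}  computed {r['computed']:#x}  -> {r['status']}")
```

Run it as `python pecheck.py ALNgwfVtrB.dll` to reproduce the report's two numbers; with pefile installed, `pefile.PE(path).generate_checksum()` returns the same computed value. Writing the loop out makes the point that only the CheckSum field is excluded, so any packer that rewrites sections or appends an overlay without re-running the checksum pass leaves exactly the mismatch recorded above.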
Registers a DLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\ALNgwfVtrB.dll

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Mhgwckn\ikgetkts.aey
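The chain recorded in this report (rundll32 invoked with the ordinal export #1, rundll32 re-launching itself, the payload renamed to a non-DLL extension inside a freshly created one-level subfolder of SysWOW64, and the Zone.Identifier stream opened with delete access) is what a detection engineer would turn into rules. The following Python is an added example written for this page, not part of the Joe Sandbox report and not the Sigma rule it references. The events are constructed from the command lines and paths listed above, and the rule names, the module-extension allowlist and the one-level-subfolder heuristic are my assumptions to be tuned against a real estate's telemetry.

```python
import re
from pathlib import PureWindowsPath

# Module extensions rundll32 legitimately loads; anything else (e.g. ".aey") is suspicious.
# Assumption: tune this allowlist to your environment.
KNOWN_MODULE_EXTS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}

# rundll32 command line: <exe token> <module path, quoted or bare>[,<EntryPoint | #ordinal>]
RUNDLL32_RE = re.compile(
    r'^\s*(?:"[^"]*"|\S+)\s+'
    r'(?:"(?P<qmod>[^"]+)"|(?P<mod>[^,\s"]+))'
    r'(?:,(?P<entry>\S+))?'
)

# Constructed sample events modelled on this report's process tree (not a real log export).
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\SysWOW64\cmd.exe", "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1'},
    {"type": "process", "parent": r"C:\Windows\SysWOW64\regsvr32.exe", "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",DllRegisterServer'},
    {"type": "process", "parent": r"C:\Windows\SysWOW64\rundll32.exe", "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Mhgwckn\ikgetkts.aey",QTEnBIyMIuE'},
    {"type": "process", "parent": r"C:\Windows\SysWOW64\rundll32.exe", "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Mhgwckn\ikgetkts.aey",DllRegisterServer'},
    {"type": "process", "parent": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 6764 -s 528"},
    # benign control: a routine rundll32 call into a system DLL by name (constructed, not from the report)
    {"type": "process", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL'},
    {"type": "file", "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "path": r"C:\Windows\SysWOW64\Mhgwckn\ikgetkts.aey:Zone.Identifier", "access": "read attributes | delete"},
]


def parse_rundll32(cmdline: str):
    """Return (module_path, entry) from a rundll32 command line, or None if it does not parse."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    return (m.group("qmod") or m.group("mod")), m.group("entry")


def check_process(ev: dict) -> list:
    hits = []
    image = PureWindowsPath(ev["image"]).name.lower()
    parent = PureWindowsPath(ev.get("parent", "")).name.lower()
    if image != "rundll32.exe":
        return hits
    if parent == "rundll32.exe":
        hits.append("rundll32_spawns_rundll32")
    parsed = parse_rundll32(ev["cmdline"])
    if parsed is None:
        return hits
    module, entry = parsed
    mod = PureWindowsPath(module)
    parts = [p.lower() for p in mod.parts]
    if entry and re.fullmatch(r"#\d+", entry):
        hits.append("ordinal_export")              # rundll32 foo.dll,#1
    if mod.suffix.lower() not in KNOWN_MODULE_EXTS:
        hits.append("non_dll_extension")           # e.g. ikgetkts.aey
    # <drive>\Windows\System32|SysWOW64\<one subfolder>\<file>: the drop location in this report.
    # Assumption: one-level subfolders of the system directory are rare enough to flag.
    if len(parts) == 5 and parts[1] == "windows" and parts[2] in ("system32", "syswow64"):
        hits.append("random_system_subdir")
    if entry and entry.lower() == "dllregisterserver" and len(parts) > 1 and parts[1] == "users":
        hits.append("dllregisterserver_from_user_path")
    return hits


def check_file(ev: dict) -> list:
    # Opening <file>:Zone.Identifier with delete access strips the mark-of-the-web.
    if ev["path"].lower().endswith(":zone.identifier") and "delete" in ev.get("access", "").lower():
        return ["motw_removal"]
    return []


def analyze(events) -> dict:
    """Map event index -> sorted rule names, for every event that fired at least one rule."""
    findings = {}
    for idx, ev in enumerate(events):
        hits = check_process(ev) if ev["type"] == "process" else check_file(ev)
        if hits:
            findings[idx] = sorted(hits)
    return findings


if __name__ == "__main__":
    for idx, rules in analyze(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].get("cmdline") or SAMPLE_EVENTS[idx]["path"], "->", ", ".join(rules))
```

The benign control event fires nothing, the two launches of ikgetkts.aey fire three rules each, and the ordinal and DllRegisterServer-from-Desktop launches fire one each; in production the per-event rule count, rather than any single rule, is what should drive the alert, because each heuristic alone has legitimate matches.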

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Sqvvzhazj\lzmoqnoyzvyzrne.eqq:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Mhgwckn\ikgetkts.aey:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect, 3_2_100250A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect, 4_2_100250A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001DFC0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 4_2_1001DFC0
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\rundll32.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX (5 identical events)
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX (4 identical events)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (2 identical events)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (19 identical events)
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX (2 identical events)

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 1692 Thread sleep time: -150000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 340 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5688 Thread sleep time: -30000s >= -30000s
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\regsvr32.exe API coverage: 5.9 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 4.7 %
Source: C:\Windows\System32\svchost.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: Amcache.hve.9.dr Binary or memory string: VMware
Source: Amcache.hve.9.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.9.dr Binary or memory string: VMware-42 35 34 13 2a 07 0a 9c-ee 7f dd c3 60 c7 b9 af
Source: Amcache.hve.9.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr Binary or memory string: VMware, Inc.
Source: svchost.exe, 00000018.00000002.863748399.000002E116062000.00000004.00000001.sdmp Binary or memory string: @Hyper-V RAW
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr Binary or memory string: VMware7,1
Source: Amcache.hve.9.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: svchost.exe, 00000015.00000002.527636071.000001E0BCC7F000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.527944145.000001E0BCCEE000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.526784558.000001E0BCC7F000.00000004.00000001.sdmp, svchost.exe, 00000018.00000002.863698910.000002E11604C000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.9.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1x
Source: Amcache.hve.9.dr Binary or memory string: VMware, Inc.me
Source: Amcache.hve.9.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: svchost.exe, 00000018.00000002.863117295.000002E110A29000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW`c
Source: Amcache.hve.9.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_1002DB0D
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1003E278 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 3_2_1003E278
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10002D40 SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,SetLastError,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError, 3_2_10002D40
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D3F7F7 mov eax, dword ptr fs:[00000030h] 0_2_00D3F7F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0366F7F7 mov eax, dword ptr fs:[00000030h] 5_2_0366F7F7
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort (3 identical events)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D3C6B8 LdrInitializeThunk, 0_2_00D3C6B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_1003A8D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_1002DB0D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10032CB9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_10032CB9
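The two mov eax, dword ptr fs:[00000030h] functions listed under "Contains functionality to read the PEB" are the classic 32-bit route to the PEB: FS points at the TEB, the TEB's ProcessEnvironmentBlock pointer sits at offset 0x30, and PEB.BeingDebugged is then byte 2 of that structure, which is exactly what IsDebuggerPresent reads, so code that takes this route gets the same answer without an import that would show up in the IAT. As an added example for this page (not code from the report), the following Python is a small static scanner for those encodings, including the ModRM form that loads a register other than eax, and it checks whether a byte load from [reg+2] follows within a short window. The follow-up check is a byte scan, not a disassembler, and the 16-byte window and the sample code blob are my constructed assumptions.

```python
import re

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# 64 A1 disp32      -> mov eax, dword ptr fs:[disp32]   (moffs32 form, the one this report shows)
# 64 8B /r disp32   -> mov r32, dword ptr fs:[disp32]   (ModRM mod=00 rm=101 form, any register)
# disp32 0x30 = TEB.ProcessEnvironmentBlock; 0x18 = TEB.Self, a detour that reaches the PEB one hop later
PEB_READ_RE = re.compile(
    rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])(?:\x18|\x30)\x00\x00\x00"
)

# Constructed sample bytes (not taken from the sample): two PEB reads, the first followed by a
# BeingDebugged load, separated by an unrelated function prologue.
SAMPLE_CODE = (
    b"\x90\x90\x90\x90"                  # padding
    b"\x64\xA1\x30\x00\x00\x00"          # mov eax, dword ptr fs:[0x30]   ; eax = PEB
    b"\x0F\xB6\x40\x02"                  # movzx eax, byte ptr [eax+2]    ; PEB.BeingDebugged
    b"\x55\x8B\xEC"                      # push ebp / mov ebp, esp
    b"\x64\x8B\x0D\x30\x00\x00\x00"      # mov ecx, dword ptr fs:[0x30]
)


def _reads_being_debugged(window: bytes, rm: int) -> bool:
    """True if `window` contains a byte load from [reg+2] where reg has ModRM index `rm`:
    0F B6 /r disp8 (movzx r32, byte ptr [reg+2]) or 8A /r disp8 (mov r8, byte ptr [reg+2]).
    Simplification: rm=4 (esp) would need a SIB byte and is not handled."""
    for i in range(len(window) - 3):
        if window[i:i + 2] == b"\x0F\xB6":
            modrm, disp = window[i + 2], window[i + 3]
        elif window[i] == 0x8A:
            modrm, disp = window[i + 1], window[i + 2]
        else:
            continue
        if (modrm & 0xC7) == (0x40 | rm) and disp == 2:   # mod=01 (disp8), rm=reg, disp8 == 2
            return True
    return False


def find_peb_reads(code: bytes, window: int = 16) -> list:
    """Return one record per fs:[0x30]/fs:[0x18] load: offset, disassembly text, what it
    reaches, and whether a PEB.BeingDebugged byte read follows within `window` bytes."""
    hits = []
    for m in PEB_READ_RE.finditer(code):
        raw = m.group(0)
        reg = "eax" if raw[1] == 0xA1 else REG32[(raw[2] >> 3) & 7]
        disp = raw[-4]
        hits.append({
            "offset": m.start(),
            "text": f"mov {reg}, dword ptr fs:[{disp:#04x}]",
            "target": "PEB" if disp == 0x30 else "TEB",
            "being_debugged": disp == 0x30
            and _reads_being_debugged(code[m.end():m.end() + window], REG32.index(reg)),
        })
    return hits


if __name__ == "__main__":
    for h in find_peb_reads(SAMPLE_CODE):
        flag = "  ; followed by PEB.BeingDebugged read" if h["being_debugged"] else ""
        print(f"{h['offset']:#06x}: {h['text']}{flag}")
```

Point it at the unpacked memory dumps the report lists (the .unpack artifacts) rather than at the packed file on disk, since the packed layer hides the real code. A PEB read by itself is also how compiler runtimes locate the heap and the loader's module list, so the offset is a place to look, and only the BeingDebugged follow-up, or a NtGlobalFlag (PEB+0x68) or ProcessHeap flags check, makes it an anti-debug finding.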

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 69.16.218.101 144
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.138.98.34 80
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 164 -p 6764 -ip 6764
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6764 -s 528
Source: loaddll32.exe, 00000000.00000000.380455229.00000000011F0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.379465543.00000000011F0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000000.380455229.00000000011F0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.379465543.00000000011F0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000000.380455229.00000000011F0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.379465543.00000000011F0000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: loaddll32.exe, 00000000.00000000.380455229.00000000011F0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.379465543.00000000011F0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation (6 identical events)
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation (4 identical events)
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation (3 identical events)
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation (2 identical events)
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA, 3_2_1003E000
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, 3_2_1003D098
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA, 3_2_1002129B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 3_2_1003D35E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 3_2_1003850E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 3_2_1003D7AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 4_2_1003E000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, 4_2_1003D098
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 4_2_1003D8C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 4_2_1003D95D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 4_2_1003D9D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l, 4_2_1003F9F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 4_2_1003EA86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA, 4_2_1002129B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA, 4_2_1003EABA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 4_2_1003D35E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 4_2_1003DBA3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 4_2_1003EBF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 4_2_1003DC64
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 4_2_1003DCCB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 4_2_1003DD07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 4_2_1003850E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement, 4_2_1003CE40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 4_2_1003D7AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 4_2_1003C7D2
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1003732F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 3_2_1003732F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10024F01 _memset,GetVersionExA, 4_2_10024F01

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: Amcache.hve.9.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 5.2.rundll32.exe.5200000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5a90000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.54c0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.46a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.53b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.b50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5490000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.b50000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.b50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.56a0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5640000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.46a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.b50000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.d30000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.56d0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.55d0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5460000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.5600000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.53c0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.5200000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.b50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.46d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3080000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5930000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5640000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.5630000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.4020000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5900000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.55a0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.55a0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5380000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5380000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.d30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.33d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.56a0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.4e60000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.5600000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.33b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5670000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.4020000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.54c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3080000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.3660000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.33d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.54f0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4a10000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5900000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5a60000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.33b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5a60000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.b50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.4050000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.d30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5460000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.388319825.0000000005640000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.388061342.00000000053B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.388938400.0000000005A60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.425302680.00000000054F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.388421865.00000000056A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.421593787.0000000004051000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.388494502.00000000056D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.388374896.0000000005671000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.424744123.00000000033B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.390300102.0000000004A11000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.388137915.0000000005460000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.425412117.0000000005600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.388743358.0000000005900000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.425380885.00000000055D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.421559907.0000000004020000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.378920575.0000000000B50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.387667842.0000000004E61000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.380234706.0000000000B50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.389941280.0000000003080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.377076576.00000000046D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.380280063.0000000000D31000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.425231298.00000000053C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.403315549.0000000000B50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.387995858.0000000005380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.379032722.0000000000D31000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.389038479.0000000005A91000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.425055302.0000000005200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.376980438.00000000046A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.425273355.00000000054C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.425444879.0000000005631000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.388835673.0000000005931000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.424828975.0000000003661000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.387132452.00000000033D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.388209292.0000000005491000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.425344500.00000000055A0000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10001160 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt, 3_2_10001160
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10001160 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt, 4_2_10001160