Windows Analysis Report ALNgwfVtrB.dll

Overview

General Information

Sample Name:	ALNgwfVtrB.dll
Analysis ID:	553377
MD5:	61308ba77d051e4e76e532f9709635e0
SHA1:	95d2cd6c7be346d29735ed970d3f373d37b7e13f
SHA256:	bd2c1b86de45c3e9d0d7c85322228c3512ce2c041765d95bb613cdf12647bea9
Tags:	32dllexe
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Sigma detected: Suspicious Call by Ordinal

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

AV process strings found (often used to terminate AV products)

PE file contains an invalid checksum

PE file contains strange resources

Tries to load missing DLLs

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Connects to several IPs in different countries

Potential key logger detected (key state polling based)

Registers a DLL

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries disk information (often used to detect virtual machines)

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 2.2.regsvr32.exe.9b0000.1.unpack

Malware Configuration Extractor: Emotet {"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}

Multi AV Scanner detection for submitted file

Source: ALNgwfVtrB.dll

Virustotal: Detection: 15%

Perma Link

Compliance:

Uses 32bit PE files

Source: ALNgwfVtrB.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source:	Binary string: ws2_32.pdb source: WerFault.exe, 0000000F.00000003.426800801.0000000005A28000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.426901007.0000000005A28000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 0000000F.00000003.426881288.0000000005A20000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000F.00000003.426438295.0000000005381000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000F.00000003.426438295.0000000005381000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.415892986.00000000050F7000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000000F.00000003.426800801.0000000005A28000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.426901007.0000000005A28000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000F.00000003.426786352.0000000005A22000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 0000000F.00000003.426800801.0000000005A28000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.426901007.0000000005A28000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000F.00000003.426438295.0000000005381000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000F.00000003.426438295.0000000005381000.00000004.00000001.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 0000000F.00000003.426800801.0000000005A28000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.426901007.0000000005A28000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000F.00000003.426894444.0000000005A25000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.426786352.0000000005A22000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000000F.00000003.426438295.0000000005381000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000F.00000003.426894444.0000000005A25000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.426786352.0000000005A22000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000000F.00000003.426800801.0000000005A28000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.426901007.0000000005A28000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000F.00000003.426438295.0000000005381000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000F.00000003.426438295.0000000005381000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000F.00000003.426881288.0000000005A20000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000F.00000003.426881288.0000000005A20000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000F.00000003.426438295.0000000005381000.00000004.00000001.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000F.00000003.426800801.0000000005A28000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.426901007.0000000005A28000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000000F.00000003.426800801.0000000005A28000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.426901007.0000000005A28000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000F.00000003.426438295.0000000005381000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdbk source: WerFault.exe, 0000000F.00000003.426786352.0000000005A22000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000000F.00000003.426800801.0000000005A28000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.426901007.0000000005A28000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000F.00000003.426881288.0000000005A20000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000F.00000003.426438295.0000000005381000.00000004.00000001.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000F.00000003.426881288.0000000005A20000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000000F.00000003.426800801.0000000005A28000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.426901007.0000000005A28000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000000F.00000003.426438295.0000000005381000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000F.00000003.426438295.0000000005381000.00000004.00000001.sdmp
Source:	Binary string: a/pjr2pCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000F.00000002.435812460.0000000003272000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.6:49727 -> 45.138.98.34:80
Source: Traffic	Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.6:49728 -> 69.16.218.101:8080

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 69.16.218.101 144			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 45.138.98.34 80			Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 45.138.98.34:80
Source: Malware configuration extractor	IPs: 69.16.218.101:8080
Source: Malware configuration extractor	IPs: 51.210.242.234:8080
Source: Malware configuration extractor	IPs: 185.148.168.220:8080
Source: Malware configuration extractor	IPs: 142.4.219.173:8080
Source: Malware configuration extractor	IPs: 54.38.242.185:443
Source: Malware configuration extractor	IPs: 191.252.103.16:80
Source: Malware configuration extractor	IPs: 104.131.62.48:8080
Source: Malware configuration extractor	IPs: 62.171.178.147:8080
Source: Malware configuration extractor	IPs: 217.182.143.207:443
Source: Malware configuration extractor	IPs: 168.197.250.14:80
Source: Malware configuration extractor	IPs: 37.44.244.177:8080
Source: Malware configuration extractor	IPs: 66.42.57.149:443
Source: Malware configuration extractor	IPs: 210.57.209.142:8080
Source: Malware configuration extractor	IPs: 159.69.237.188:443
Source: Malware configuration extractor	IPs: 116.124.128.206:8080
Source: Malware configuration extractor	IPs: 128.199.192.135:8080
Source: Malware configuration extractor	IPs: 195.154.146.35:443
Source: Malware configuration extractor	IPs: 185.148.168.15:8080
Source: Malware configuration extractor	IPs: 195.77.239.39:8080
Source: Malware configuration extractor	IPs: 207.148.81.119:8080
Source: Malware configuration extractor	IPs: 85.214.67.203:8080
Source: Malware configuration extractor	IPs: 190.90.233.66:443
Source: Malware configuration extractor	IPs: 78.46.73.125:443
Source: Malware configuration extractor	IPs: 78.47.204.80:443
Source: Malware configuration extractor	IPs: 37.59.209.141:8080
Source: Malware configuration extractor	IPs: 54.37.228.122:443

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View	IP Address: 104.131.62.48 104.131.62.48

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.6:49767 -> 69.16.218.101:8080

Connects to several IPs in different countries

Source: unknown

Network traffic detected: IP country count 12

Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101

Source: svchost.exe, 0000001A.00000003.528045020.00000190FDD9F000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z\|\|.\|\|d5cdcec3-04df-404e-ba07-3240047c89f9\|\|1152921505694348672\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 0000001A.00000003.528045020.00000190FDD9F000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z\|\|.\|\|d5cdcec3-04df-404e-ba07-3240047c89f9\|\|1152921505694348672\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab

Source: svchost.exe, 00000018.00000002.746554870.0000016F08064000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000002.546504253.00000190FDD00000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000018.00000002.746432413.0000016F08012000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000002.546303374.00000190FD4EC000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.8.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 0000001A.00000003.523925926.00000190FDDCC000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523839525.00000190FDDAE000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523818312.00000190FDDAD000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523879898.00000190FDD6C000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523895191.00000190FDD7D000.00000004.00000001.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: Amcache.hve.15.dr	String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 0000001A.00000003.523925926.00000190FDDCC000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523839525.00000190FDDAE000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523818312.00000190FDDAD000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523879898.00000190FDD6C000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523895191.00000190FDD7D000.00000004.00000001.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000001A.00000003.523925926.00000190FDDCC000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523839525.00000190FDDAE000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523818312.00000190FDDAD000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523879898.00000190FDD6C000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523895191.00000190FDD7D000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000001A.00000003.523925926.00000190FDDCC000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523839525.00000190FDDAE000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523818312.00000190FDDAD000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523879898.00000190FDD6C000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523895191.00000190FDD7D000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000001A.00000003.524958132.00000190FDD8B000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.524976369.00000190FDDAC000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.524929712.00000190FDDC3000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.524992573.00000190FDD5B000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.525007675.00000190FE202000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.524909337.00000190FDDC3000.00000004.00000001.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_10001280 recvfrom,

2_2_10001280

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Potential key logger detected (key state polling based)

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,	2_2_10027958
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,	3_2_10027958
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,	4_2_10027958

E-Banking Fraud:

Yara detected Emotet

Source: Yara match	File source: 4.2.rundll32.exe.5460000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.5130000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4ad0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.45a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4ad0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.54c0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.35a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4b00000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.970000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.3590000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.9b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.54f0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.2670000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5460000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2f80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.2670000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.3390000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.53b0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4d70000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.3390000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4d40000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.35a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4be0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.45d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.5100000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2f80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.970000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5490000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.5100000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.2870000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.2670000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4c10000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4dd0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.2870000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.45a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.54c0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5380000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.5380000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4d40000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4da0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4da0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2fd0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4be0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.2670000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.2670000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.2670000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.35d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.410818073.0000000002670000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.410538874.00000000035A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.437780692.0000000002670000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.372384163.0000000004DA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.410931541.00000000053B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.410027990.0000000002670000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.410571626.00000000035D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.375281998.0000000003390000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.372312583.0000000004D40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.406521301.00000000009B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.410099478.0000000002871000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.411026981.0000000005491000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.372437748.0000000004DD1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.372236483.0000000004C11000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.372523153.0000000005100000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.410908762.0000000002871000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.372348962.0000000004D71000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.411089485.00000000054F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.372199700.0000000004BE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.359482964.0000000002F80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.410893526.0000000005380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.406320669.0000000000970000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.411057565.00000000054C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.371762481.00000000045A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.371838274.00000000045D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.375456992.0000000003591000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.372554631.0000000005131000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.372126938.0000000004B01000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.410997374.0000000005460000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.359639219.0000000002FD1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.372091623.0000000004AD0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files

Source: ALNgwfVtrB.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

One or more processes crash

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6844 -ip 6844

Deletes files inside the Windows folder

Source: C:\Windows\SysWOW64\rundll32.exe

File deleted: C:\Windows\SysWOW64\Hincluwb\rahvarmqzcvvrmz.lrz:Zone.Identifier

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_100291F6	2_2_100291F6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1002F378	2_2_1002F378
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_100403D7	2_2_100403D7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1004250B	2_2_1004250B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10041557	2_2_10041557
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_100395A1	2_2_100395A1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1002F784	2_2_1002F784
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1004091B	2_2_1004091B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100291F6	3_2_100291F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002F378	3_2_1002F378
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100403D7	3_2_100403D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1004250B	3_2_1004250B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10041557	3_2_10041557
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100395A1	3_2_100395A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002F784	3_2_1002F784
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1004091B	3_2_1004091B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002EACF	3_2_1002EACF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002FBA4	3_2_1002FBA4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10035D96	3_2_10035D96
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10040E5F	3_2_10040E5F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002EFA4	3_2_1002EFA4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100291F6	4_2_100291F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1002F378	4_2_1002F378
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100403D7	4_2_100403D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1004250B	4_2_1004250B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10041557	4_2_10041557
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100395A1	4_2_100395A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1002F784	4_2_1002F784
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1004091B	4_2_1004091B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1002EACF	4_2_1002EACF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1002FBA4	4_2_1002FBA4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10035D96	4_2_10035D96
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10040E5F	4_2_10040E5F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1002EFA4	4_2_1002EFA4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045EB257	5_2_045EB257
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045DA445	5_2_045DA445
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045DDE74	5_2_045DDE74
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045E4A66	5_2_045E4A66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045E7A0F	5_2_045E7A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045F2009	5_2_045F2009
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045D8636	5_2_045D8636
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045EFF58	5_2_045EFF58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045EE955	5_2_045EE955
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045E654A	5_2_045E654A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045E2142	5_2_045E2142
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045D670B	5_2_045D670B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045EAD08	5_2_045EAD08
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045EEFDD	5_2_045EEFDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045DC5D8	5_2_045DC5D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045E85FF	5_2_045E85FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045F17BD	5_2_045F17BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045E2E5D	5_2_045E2E5D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045E4244	5_2_045E4244
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045DE640	5_2_045DE640
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045EF840	5_2_045EF840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045D7442	5_2_045D7442
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045D7E79	5_2_045D7E79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045D7078	5_2_045D7078
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045E567B	5_2_045E567B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045EA474	5_2_045EA474
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045DA871	5_2_045DA871
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045EDC71	5_2_045EDC71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045F0A64	5_2_045F0A64
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045F3263	5_2_045F3263
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045E8806	5_2_045E8806
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045E9A01	5_2_045E9A01
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045D3431	5_2_045D3431
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045DB820	5_2_045DB820
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045ED8DB	5_2_045ED8DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045ECCD9	5_2_045ECCD9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045ECAD5	5_2_045ECAD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045D80C0	5_2_045D80C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045EBEFD	5_2_045EBEFD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045F00EF	5_2_045F00EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045DF0E9	5_2_045DF0E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045F3EE9	5_2_045F3EE9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045EE4E5	5_2_045EE4E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045F46BD	5_2_045F46BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045E0EBC	5_2_045E0EBC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045E0ABA	5_2_045E0ABA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045DC6B8	5_2_045DC6B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045E3EAA	5_2_045E3EAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045DBAA9	5_2_045DBAA9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045F36AA	5_2_045F36AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045EA2A5	5_2_045EA2A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045D1CA1	5_2_045D1CA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045E7D5B	5_2_045E7D5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045F2D53	5_2_045F2D53
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045DD14C	5_2_045DD14C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045E437A	5_2_045E437A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045E017B	5_2_045E017B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045E5779	5_2_045E5779
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045D6B7A	5_2_045D6B7A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045E4F74	5_2_045E4F74
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045E9774	5_2_045E9774
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045DF369	5_2_045DF369
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045E5515	5_2_045E5515
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045DEF0C	5_2_045DEF0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045F2B09	5_2_045F2B09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045E8D3D	5_2_045E8D3D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045D1F38	5_2_045D1F38
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045E5333	5_2_045E5333
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045EFBDE	5_2_045EFBDE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045DE7DE	5_2_045DE7DE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045EC5D5	5_2_045EC5D5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045D4BFC	5_2_045D4BFC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045D55FF	5_2_045D55FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045EE1F8	5_2_045EE1F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045E27F9	5_2_045E27F9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045E07F4	5_2_045E07F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045E9DF5	5_2_045E9DF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045E67E6	5_2_045E67E6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045D2194	5_2_045D2194
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045D238C	5_2_045D238C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045DFB8E	5_2_045DFB8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045E0F86	5_2_045E0F86
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045E6187	5_2_045E6187
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045E3D85	5_2_045E3D85
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045ED1BC	5_2_045ED1BC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045DBFBE	5_2_045DBFBE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045D57B8	5_2_045D57B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045E8FAE	5_2_045E8FAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045F07AA	5_2_045F07AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045D77A3	5_2_045D77A3

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 10030E38 appears 42 times
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 10030535 appears 47 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10030E38 appears 116 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 1003578B appears 46 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10030535 appears 174 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10030568 appears 32 times

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\ALNgwfVtrB.dll
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ALNgwfVtrB.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hincluwb\rahvarmqzcvvrmz.lrz",dVvBCKXQNgS
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Hincluwb\rahvarmqzcvvrmz.lrz",DllRegisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",DllRegisterServer
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6844 -ip 6844
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6844 -s 540
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\ALNgwfVtrB.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ALNgwfVtrB.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hincluwb\rahvarmqzcvvrmz.lrz",dVvBCKXQNgS	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Hincluwb\rahvarmqzcvvrmz.lrz",DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6844 -ip 6844	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6844 -s 540	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:6264:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6844

Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: ALNgwfVtrB.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ALNgwfVtrB.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ALNgwfVtrB.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ALNgwfVtrB.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ALNgwfVtrB.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1003060D push ecx; ret	2_2_10030620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1003060D push ecx; ret	3_2_10030620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10030E7D push ecx; ret	3_2_10030E90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1003060D push ecx; ret	4_2_10030620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10030E7D push ecx; ret	4_2_10030E90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045D1195 push cs; iretd	5_2_045D1197

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Tnjzdjiubejyae\dqrcdyesqxhfmw.cke:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Hincluwb\rahvarmqzcvvrmz.lrz:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect,	2_2_100250A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect,	3_2_100250A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001DFC0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,	3_2_1001DFC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect,	4_2_100250A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001DFC0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,	4_2_1001DFC0

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\svchost.exe TID: 6356	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1768	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\rundll32.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Source: C:\Windows\SysWOW64\regsvr32.exe	API coverage: 5.3 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 5.0 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 5.1 %

Source: C:\Windows\SysWOW64\regsvr32.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node

Source: Amcache.hve.15.dr	Binary or memory string: VMware
Source: Amcache.hve.15.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.15.dr	Binary or memory string: VMware-42 35 34 13 2a 07 0a 9c-ee 7f dd c3 60 c7 b9 af
Source: Amcache.hve.15.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.15.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.15.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.15.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.15.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.15.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.15.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.15.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: svchost.exe, 00000018.00000002.746512061.0000016F0804E000.00000004.00000001.sdmp, svchost.exe, 00000018.00000002.746554870.0000016F08064000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000002.546303374.00000190FD4EC000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000002.546113736.00000190FD488000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000002.546062495.00000190FD481000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000018.00000002.745495759.0000016F0282A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW@p
Source: Amcache.hve.15.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.15.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.15.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1x
Source: Amcache.hve.15.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.15.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.15.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_1003A8D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_1003A8D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_1002DB0D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10032CB9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_10032CB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_1003A8D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_1002DB0D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10032CB9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_10032CB9

Source: loaddll32.exe, 00000000.00000000.410775550.0000000001260000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.409992381.0000000001260000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000000.410775550.0000000001260000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.409992381.0000000001260000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000000.410775550.0000000001260000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.409992381.0000000001260000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: loaddll32.exe, 00000000.00000000.410775550.0000000001260000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.409992381.0000000001260000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoA,	2_2_1003E000
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,	2_2_1003D098
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,	2_2_1002129B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,	2_2_1003D35E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,	2_2_1003850E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,	2_2_1003D7AE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	2_2_1003C7D2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	2_2_1003D8C5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,	2_2_1003D95D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,	3_2_1003E000
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,	3_2_1003D098
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,	3_2_1002129B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,	3_2_1003D35E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,	3_2_1003850E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,	3_2_1003D7AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	3_2_1003C7D2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	3_2_1003D8C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,	3_2_1003D95D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	3_2_1003D9D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	3_2_1003F9F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,	3_2_1003EA86
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,	3_2_1003EABA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	3_2_1003DBA3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	3_2_1003EBF9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	3_2_1003DC64
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	3_2_1003DCCB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,	3_2_1003DD07
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,	3_2_1003CE40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,	4_2_1003E000
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,	4_2_1003D098
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,	4_2_1002129B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,	4_2_1003D35E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,	4_2_1003850E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,	4_2_1003D7AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	4_2_1003C7D2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	4_2_1003D8C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,	4_2_1003D95D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	4_2_1003D9D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	4_2_1003F9F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,	4_2_1003EA86
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,	4_2_1003EABA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	4_2_1003DBA3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	4_2_1003EBF9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	4_2_1003DC64
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	4_2_1003DCCB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,	4_2_1003DD07
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,	4_2_1003CE40

Windows Analysis Report ALNgwfVtrB.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10001160 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt,	2_2_10001160
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10001160 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt,	3_2_10001160
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10001160 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt,	4_2_10001160

IP	Domain	Country	ASN	ASN Name	Malicious
207.148.81.119	unknown	United States	20473	AS-CHOOPAUS	true
104.131.62.48	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
85.214.67.203	unknown	Germany	6724	STRATOSTRATOAGDE	true
191.252.103.16	unknown	Brazil	27715	LocawebServicosdeInternetSABR	true
168.197.250.14	unknown	Argentina	264776	OmarAnselmoRipollTDCNETAR	true
66.42.57.149	unknown	United States	20473	AS-CHOOPAUS	true
185.148.168.15	unknown	Germany	44780	EVERSCALE-ASDE	true
51.210.242.234	unknown	France	16276	OVHFR	true
217.182.143.207	unknown	France	16276	OVHFR	true
69.16.218.101	unknown	United States	32244	LIQUIDWEBUS	true
159.69.237.188	unknown	Germany	24940	HETZNER-ASDE	true
45.138.98.34	unknown	Germany	9009	M247GB	true
116.124.128.206	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
78.46.73.125	unknown	Germany	24940	HETZNER-ASDE	true
37.59.209.141	unknown	France	16276	OVHFR	true
210.57.209.142	unknown	Indonesia	38142	UNAIR-AS-IDUniversitasAirlanggaID	true
185.148.168.220	unknown	Germany	44780	EVERSCALE-ASDE	true
54.37.228.122	unknown	France	16276	OVHFR	true
190.90.233.66	unknown	Colombia	18678	INTERNEXASAESPCO	true
142.4.219.173	unknown	Canada	16276	OVHFR	true
54.38.242.185	unknown	France	16276	OVHFR	true
195.154.146.35	unknown	France	12876	OnlineSASFR	true
195.77.239.39	unknown	Spain	60493	FICOSA-ASES	true
78.47.204.80	unknown	Germany	24940	HETZNER-ASDE	true
37.44.244.177	unknown	Germany	47583	AS-HOSTINGERLT	true
62.171.178.147	unknown	United Kingdom	51167	CONTABODE	true
128.199.192.135	unknown	United Kingdom	14061	DIGITALOCEAN-ASNUS	true

ID:	553377
Product:	CloudBasic
Start time:	19:49:34
Start date:	14.01.2022
Sample:	ALNgwfVtrB.dll
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	61308ba77d051e4e76e532f9709635e0
SHA1:	95d2cd6c7be346d29735ed970d3f373d37b7e13f
SHA256:	bd2c1b86de45c3e9d0d7c85322228c3512ce2c041765d95bb613cdf12647bea9
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 98.32%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Network\Downloader\edb.log	MPEG-4 LOAS	98942C19F83BA334A7BEA02787DDF565	17E45CD6A8DF28C6ACC1668425DF4E14E48BEA13	207DEC27611F335595E311FBAD0E00DBBBCDB7B8E43F965544EA1FD60617F08D
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db	Extensible storage user DataBase, version 0x620, checksum 0x28d584a9, page size 16384, DirtyShutdown, Windows version 10.0	64BCD76C8E6657CDB9185061ACE13696	924CF853C09B694E93E47727D8F7F16D5F54D36C	F49E16CBDEFB4CA2296F0F8479D479C29185E948D8A9961854B1DA1D890424F0
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm	data	229C4C99BF7C6829926E52D8B49633C7	B0A4413F54EB5AE9534D2965A34B5A3B78878442	9EF3AA9B9D4B0ADDE141F8F4DB8A9F4FBF0ABFDFCA55774CEC2BC6EA44A9678E
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_669a8c10d0efd6a57917dbe0788b74fa72a925de_7cac0383_056a4d11\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	ED62A7C01BB01659798A5726741F13C6	B5BF80209FB7AF26C9A90D1AE8352F9C6359B510	DBCED419A0335123A05013563CF0C23A71CBC0640E5365CAE26E80072EE5B095
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3090.tmp.dmp	Mini DuMP crash report, 15 streams, Sat Jan 15 03:51:09 2022, 0x1205a4 type	BC29120C58719C8580F783A2B29F6B8A	9F9E546EB934E908D56DF95B993DBBC69157DA5C	9D632CC2C998D65785D832447E7C8B38ECA3FC2DC03B1B6B5565F5D8483FFDAA
C:\ProgramData\Microsoft\Windows\WER\Temp\WER40FC.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	B4CAC76777AD7D10598974392C4AB2C1	D57DE457573E8BF1D9ADDD4EABE77205CA1AF2C1	E887F48ECA9F3D5AD6734AA6C3612A03D0556EF5EB075E50421B25B342BC5C0C
C:\ProgramData\Microsoft\Windows\WER\Temp\WER44E5.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	6A28391685604A506DE880F3C2B59083	5EFF550EE828DC992A6E04DE15E988E3C39F4359	BA1DBB2C19D23D2D24D4AD6E119B3D48426653EB69CB1F383F45068050CFD03E
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDCF5.tmp.csv	data	CD56236F3283E18C8DF2E0316D3A8BE6	F211242733EC608B56A81C856A2FED32CDC70114	341DE1EB18C7DA213F6434B8B97180625B543B3E35632D56D258A276E5F0B773
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE207.tmp.txt	data	DEBDF02A58054A48A26A6291D98F3BDF	01BF160F5143ABE8AA8CF52519B86AE93B7E9506	41100A2C989476F02D6C0BA977AEB87013E7A054794403537A8FD60BEBF59CE0
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, 61414 bytes, 1 file	ACAEDA60C79C6BCAC925EEB3653F45E0	2AAAE490BCDACCC6172240FF1697753B37AC5578	6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	92EC2722EB0774E315A06B41F879CE4F	02A00642E9BCEC7FD488705056CE9549BCDDBFC2	3D5D7BF6B7BD1645E10B8786DDFF2235AFDD6FD39AE9D0842A2ADF4BA0A60E3D
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	ASCII text, with no line terminators	DCA83F08D448911A14C22EBCACC5AD57	91270525521B7FE0D986DB19747F47D34B6318AD	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	F3B123CAE8BEBB300C19F9635B15CA3F	B531DCAA28AC796C14FD8CA532A66C4D303E43BD	87311C7DDAA16AFF59D85DB8170FF3719DA99E70E610FAD76BB6E4A6217A41A1
C:\Windows\appcompat\Programs\Amcache.hve.LOG1	MS Windows registry file, NT/2000 or above	555B3553C63A6B5D9143D300AA8A7997	55FFB569B56C1C2EBA175886AA8EA93D5E789883	037F15AE48A5FF1B040E8079ABC616D7758164F0E3E90E1B796C0F00472C6FD5