
Windows Analysis Report ALNgwfVtrB.dll

Overview

General Information

Sample Name: ALNgwfVtrB.dll
Analysis ID: 553377
MD5: 61308ba77d051e4e76e532f9709635e0
SHA1: 95d2cd6c7be346d29735ed970d3f373d37b7e13f
SHA256: bd2c1b86de45c3e9d0d7c85322228c3512ce2c041765d95bb613cdf12647bea9
Tags: 32, dll, exe

Detection

Emotet
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6844 cmdline: loaddll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 6856 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6880 cmdline: rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6928 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
          • rundll32.exe (PID: 6980 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hincluwb\rahvarmqzcvvrmz.lrz",dVvBCKXQNgS MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
            • rundll32.exe (PID: 7040 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Hincluwb\rahvarmqzcvvrmz.lrz",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 6868 cmdline: regsvr32.exe /s C:\Users\user\Desktop\ALNgwfVtrB.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • rundll32.exe (PID: 3916 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6888 cmdline: rundll32.exe C:\Users\user\Desktop\ALNgwfVtrB.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • WerFault.exe (PID: 1256 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6844 -s 540 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 4388 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6312 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 6264 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6844 -ip 6844 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 4868 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6392 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6316 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6292 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{
  "C2 list": [
    "45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080",
    "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080",
    "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080",
    "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080",
    "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080",
    "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443",
    "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"
  ],
  "Public Key": [
    "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0",
    "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"
  ]
}
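The two "Public Key" values above are not opaque blobs. Each is the base64 of a 72-byte Windows CNG BCRYPT_ECCKEY_BLOB: a 4-byte magic, a 4-byte little-endian cbKey, then the X and Y coordinates as big-endian integers of cbKey bytes each. The first magic decodes to "ECS1" (BCRYPT_ECDSA_PUBLIC_P256_MAGIC) and the second to "ECK1" (BCRYPT_ECDH_PUBLIC_P256_MAGIC), i.e. one P-256 ECDSA verification key and one P-256 ECDH key, which matches the key pair publicly reported for Emotet after its November 2021 return. The following Python script is an added example written for this page, not code from the report or from Joe Sandbox: it parses both blobs, validates the header, and checks that each point actually lies on P-256, so a mistyped or truncated key from a report fails loudly instead of being stored as an indicator. The only constants it uses are the NIST P-256 parameters and the two CNG magic values.

```python
"""Parse the two base64 "Public Key" values from the Emotet configuration above.

Each value decodes to a Windows CNG BCRYPT_ECCKEY_BLOB:
    DWORD dwMagic   ("ECS1" = BCRYPT_ECDSA_PUBLIC_P256_MAGIC, "ECK1" = BCRYPT_ECDH_PUBLIC_P256_MAGIC)
    DWORD cbKey     (byte length of one coordinate; 32 for P-256)
    BYTE  X[cbKey]  (big-endian)
    BYTE  Y[cbKey]  (big-endian)
Added example for this page, not sandbox or malware code.
"""
import base64
import struct
from dataclasses import dataclass
from typing import List

# NIST P-256 domain parameters (curve y^2 = x^3 - 3x + b over GF(p)); used only to
# check that a parsed point really lies on the curve.
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B

MAGIC_NAMES = {
    b"ECS1": "BCRYPT_ECDSA_PUBLIC_P256_MAGIC",
    b"ECK1": "BCRYPT_ECDH_PUBLIC_P256_MAGIC",
}

# Copied verbatim from the "Malware Configuration" section of this report.
CONFIG_PUBLIC_KEYS = [
    "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0",
    "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW",
]


@dataclass(frozen=True)
class EccPublicKey:
    magic: bytes
    kind: str
    x: int
    y: int

    def on_p256(self) -> bool:
        """True if (x, y) satisfies y^2 = x^3 - 3x + b (mod p)."""
        lhs = (self.y * self.y) % P256_P
        rhs = (pow(self.x, 3, P256_P) - 3 * self.x + P256_B) % P256_P
        return lhs == rhs


def parse_bcrypt_ecc_blob(b64: str) -> EccPublicKey:
    """Decode one base64 BCRYPT_ECCKEY_BLOB and validate its header and length."""
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 8:
        raise ValueError("blob shorter than the 8-byte BCRYPT_ECCKEY_BLOB header")
    magic = blob[:4]
    cb_key = struct.unpack_from("<I", blob, 4)[0]
    if magic not in MAGIC_NAMES:
        raise ValueError(f"unknown ECC blob magic {magic!r}")
    if cb_key != 32:
        raise ValueError(f"cbKey {cb_key} is not a P-256 coordinate length")
    if len(blob) != 8 + 2 * cb_key:
        raise ValueError(f"expected {8 + 2 * cb_key} bytes, got {len(blob)}")
    x = int.from_bytes(blob[8:8 + cb_key], "big")
    y = int.from_bytes(blob[8 + cb_key:], "big")
    return EccPublicKey(magic, MAGIC_NAMES[magic], x, y)


def parse_config_keys(keys: List[str] = CONFIG_PUBLIC_KEYS) -> List[EccPublicKey]:
    """Parse every key in a config's "Public Key" list, in order."""
    return [parse_bcrypt_ecc_blob(k) for k in keys]


if __name__ == "__main__":
    for key in parse_config_keys():
        print(f"{key.magic.decode()} ({key.kind}) on P-256: {key.on_p256()}")
        print(f"  X = {key.x:064x}")
        print(f"  Y = {key.y:064x}")
```

When tracking Emotet configurations over time, keying a dataset on the parsed (X, Y) pair rather than the raw base64 string makes it trivial to spot a key rotation between samples, and the on-curve check is the cheapest way to reject a corrupted extraction before it pollutes that dataset.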

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000000.410818073.0000000002670000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000004.00000002.410538874.00000000035A0000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000000.00000002.437780692.0000000002670000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000005.00000002.372384163.0000000004DA0000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000004.00000002.410931541.00000000053B1000.00000020.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(26 matching memory dumps in total; first 5 shown)

            Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.rundll32.exe.5460000.4.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
5.2.rundll32.exe.5130000.11.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
5.2.rundll32.exe.4ad0000.2.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
5.2.rundll32.exe.45a0000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
5.2.rundll32.exe.4ad0000.2.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(42 matching unpacked PEs in total; first 5 shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal
Source: Process started, Author: Florian Roth, Data:
  Command: rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1
  CommandLine: rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1
  CommandLine|base64offset|contains: (empty)
  Image: C:\Windows\SysWOW64\rundll32.exe
  NewProcessName: C:\Windows\SysWOW64\rundll32.exe
  OriginalFileName: C:\Windows\SysWOW64\rundll32.exe
  ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1
  ParentImage: C:\Windows\SysWOW64\cmd.exe
  ParentProcessId: 6856
  ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1
  ProcessId: 6880
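The Sigma hit above fires on one condition: rundll32.exe started with an export referenced by ordinal (",#1") instead of by name. The Python below is an added example, not the text of the Sigma rule and not Joe Sandbox code. It replays an approximation of that condition over the process tree of this report (transcribed here as constructed events; the full image paths for the short-form tree entries are assumed to be the SysWOW64 binaries the Sigma source line names) and adds a second heuristic of my own that the Sigma rule does not contain: rundll32 loading a module whose extension is not one rundll32 is normally given. That second check catches the two executions of the dropped rahvarmqzcvvrmz.lrz file, which the ordinal rule alone never sees because those invocations use named exports. The real Sigma rule carries further patterns and exclusions that are not reproduced here.

```python
"""Replay the "Suspicious Call by Ordinal" logic plus one extra heuristic over this
report's process tree. Added example for this page; not the Sigma rule's text and not
sandbox code."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Approximation of the Sigma rule's core condition: an export referenced by ordinal
# (",#1", ", #1" or "foo.dll #1") on a rundll32 command line.
ORDINAL_RE = re.compile(r",\s*#\d+\b|\.dll\s+#\d+\b", re.IGNORECASE)
# Module argument of rundll32: optional quotes, then everything up to the export comma.
MODULE_RE = re.compile(r'rundll32\.exe\s+"?([^",]+?)"?\s*,', re.IGNORECASE)
# Extensions rundll32 is normally asked to load; anything else deserves a look.
LOADER_EXTENSIONS = {".dll", ".cpl", ".ocx"}


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    parent_pid: int
    image: str
    command_line: str


# Constructed from the Process Tree of this report (command lines verbatim). Image paths
# for the short-form entries are assumed to be the SysWOW64 binaries.
EVENTS: List[ProcessEvent] = [
    ProcessEvent(6844, 0, r"C:\Windows\SysWOW64\loaddll32.exe",
                 r'loaddll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll"'),
    ProcessEvent(6856, 6844, r"C:\Windows\SysWOW64\cmd.exe",
                 r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1'),
    ProcessEvent(6880, 6856, r"C:\Windows\SysWOW64\rundll32.exe",
                 r'rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1'),
    ProcessEvent(6928, 6880, r"C:\Windows\SysWOW64\rundll32.exe",
                 r'C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",DllRegisterServer'),
    ProcessEvent(6980, 6928, r"C:\Windows\SysWOW64\rundll32.exe",
                 r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hincluwb\rahvarmqzcvvrmz.lrz",dVvBCKXQNgS'),
    ProcessEvent(7040, 6980, r"C:\Windows\SysWOW64\rundll32.exe",
                 r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Hincluwb\rahvarmqzcvvrmz.lrz",DllRegisterServer'),
    ProcessEvent(6868, 6844, r"C:\Windows\SysWOW64\regsvr32.exe",
                 r"regsvr32.exe /s C:\Users\user\Desktop\ALNgwfVtrB.dll"),
    ProcessEvent(3916, 6868, r"C:\Windows\SysWOW64\rundll32.exe",
                 r'C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",DllRegisterServer'),
    ProcessEvent(6888, 6844, r"C:\Windows\SysWOW64\rundll32.exe",
                 r"rundll32.exe C:\Users\user\Desktop\ALNgwfVtrB.dll,DllRegisterServer"),
]


def is_rundll32(event: ProcessEvent) -> bool:
    return event.image.lower().endswith("\\rundll32.exe")


def call_by_ordinal(event: ProcessEvent) -> bool:
    """Sigma-style condition: rundll32 image AND an ordinal export reference."""
    return is_rundll32(event) and ORDINAL_RE.search(event.command_line) is not None


def loaded_module(event: ProcessEvent) -> Optional[str]:
    """Path rundll32 was asked to load, or None if there is no module,export pair."""
    m = MODULE_RE.search(event.command_line)
    return m.group(1) if m else None


def loads_non_dll_module(event: ProcessEvent) -> bool:
    """Added heuristic (not part of the Sigma rule): rundll32 loading a file whose
    extension is not one rundll32 is normally given, such as the dropped .lrz file."""
    if not is_rundll32(event):
        return False
    module = loaded_module(event)
    if module is None:
        return False
    return PureWindowsPath(module).suffix.lower() not in LOADER_EXTENSIONS


def triage(events: List[ProcessEvent] = EVENTS) -> Dict[str, List[int]]:
    """PIDs flagged by each check, in process-tree order."""
    return {
        "call_by_ordinal": [e.pid for e in events if call_by_ordinal(e)],
        "non_dll_module": [e.pid for e in events if loads_non_dll_module(e)],
    }


if __name__ == "__main__":
    for check, pids in triage().items():
        print(f"{check}: {pids}")
```

Note that the cmd.exe parent (PID 6856) also carries ",#1" on its command line but is not flagged, because the rule keys on the rundll32 image; a detection that matched on command line alone would double-count the same event and fire on any shell that merely echoes a rundll32 invocation.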

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 2.2.regsvr32.exe.9b0000.1.unpack, Malware Configuration Extractor: Emotet (C2 list and public keys identical to the Malware Configuration section above)
Multi AV Scanner detection for submitted file
Source: ALNgwfVtrB.dll, VirusTotal: Detection: 15%
Source: ALNgwfVtrB.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000F.00000003.426800801.0000000005A28000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.426901007.0000000005A28000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 0000000F.00000003.426881288.0000000005A20000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000F.00000003.426438295.0000000005381000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000F.00000003.426438295.0000000005381000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.415892986.00000000050F7000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000F.00000003.426800801.0000000005A28000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.426901007.0000000005A28000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000F.00000003.426786352.0000000005A22000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000F.00000003.426800801.0000000005A28000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.426901007.0000000005A28000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000F.00000003.426438295.0000000005381000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000F.00000003.426438295.0000000005381000.00000004.00000001.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000F.00000003.426800801.0000000005A28000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.426901007.0000000005A28000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000F.00000003.426894444.0000000005A25000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.426786352.0000000005A22000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000F.00000003.426438295.0000000005381000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000F.00000003.426894444.0000000005A25000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.426786352.0000000005A22000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000F.00000003.426800801.0000000005A28000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.426901007.0000000005A28000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000F.00000003.426438295.0000000005381000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000F.00000003.426438295.0000000005381000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000F.00000003.426881288.0000000005A20000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000F.00000003.426881288.0000000005A20000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000F.00000003.426438295.0000000005381000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000F.00000003.426800801.0000000005A28000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.426901007.0000000005A28000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000F.00000003.426800801.0000000005A28000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.426901007.0000000005A28000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000F.00000003.426438295.0000000005381000.00000004.00000001.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 0000000F.00000003.426786352.0000000005A22000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000F.00000003.426800801.0000000005A28000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.426901007.0000000005A28000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000F.00000003.426881288.0000000005A20000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000F.00000003.426438295.0000000005381000.00000004.00000001.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000F.00000003.426881288.0000000005A20000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000F.00000003.426800801.0000000005A28000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.426901007.0000000005A28000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000F.00000003.426438295.0000000005381000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000F.00000003.426438295.0000000005381000.00000004.00000001.sdmp
Source: Binary string: a/pjr2pCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000F.00000002.435812460.0000000003272000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.6:49727 -> 45.138.98.34:80
Source: Traffic, Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.6:49728 -> 69.16.218.101:8080
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 69.16.218.101 144
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 45.138.98.34 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, IPs: 45.138.98.34:80
Source: Malware configuration extractor, IPs: 69.16.218.101:8080
Source: Malware configuration extractor, IPs: 51.210.242.234:8080
Source: Malware configuration extractor, IPs: 185.148.168.220:8080
Source: Malware configuration extractor, IPs: 142.4.219.173:8080
Source: Malware configuration extractor, IPs: 54.38.242.185:443
Source: Malware configuration extractor, IPs: 191.252.103.16:80
Source: Malware configuration extractor, IPs: 104.131.62.48:8080
Source: Malware configuration extractor, IPs: 62.171.178.147:8080
Source: Malware configuration extractor, IPs: 217.182.143.207:443
Source: Malware configuration extractor, IPs: 168.197.250.14:80
Source: Malware configuration extractor, IPs: 37.44.244.177:8080
Source: Malware configuration extractor, IPs: 66.42.57.149:443
Source: Malware configuration extractor, IPs: 210.57.209.142:8080
Source: Malware configuration extractor, IPs: 159.69.237.188:443
Source: Malware configuration extractor, IPs: 116.124.128.206:8080
Source: Malware configuration extractor, IPs: 128.199.192.135:8080
Source: Malware configuration extractor, IPs: 195.154.146.35:443
Source: Malware configuration extractor, IPs: 185.148.168.15:8080
Source: Malware configuration extractor, IPs: 195.77.239.39:8080
Source: Malware configuration extractor, IPs: 207.148.81.119:8080
Source: Malware configuration extractor, IPs: 85.214.67.203:8080
Source: Malware configuration extractor, IPs: 190.90.233.66:443
Source: Malware configuration extractor, IPs: 78.46.73.125:443
Source: Malware configuration extractor, IPs: 78.47.204.80:443
Source: Malware configuration extractor, IPs: 37.59.209.141:8080
Source: Malware configuration extractor, IPs: 54.37.228.122:443
Source: Joe Sandbox View, ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View, ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View, IP Address: 207.148.81.119
Source: Joe Sandbox View, IP Address: 104.131.62.48
Source: global traffic, TCP traffic: 192.168.2.6:49767 -> 69.16.218.101:8080
Source: unknown, Network traffic detected: IP country count 12
Source: unknown, TCP traffic detected without corresponding DNS query: 45.138.98.34 (3 observations)
Source: unknown, TCP traffic detected without corresponding DNS query: 69.16.218.101 (13 observations)
Source: svchost.exe, 0000001A.00000003.528045020.00000190FDD9F000.00000004.00000001.sdmp, String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z||.||d5cdcec3-04df-404e-ba07-3240047c89f9||1152921505694348672||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 00000018.00000002.746554870.0000016F08064000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000002.546504253.00000190FDD00000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000018.00000002.746432413.0000016F08012000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000002.546303374.00000190FD4EC000.00000004.00000001.sdmp, String found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.8.dr, String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 0000001A.00000003.523925926.00000190FDDCC000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523839525.00000190FDDAE000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523818312.00000190FDDAD000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523879898.00000190FDD6C000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523895191.00000190FDD7D000.00000004.00000001.sdmp, String found in binary or memory: http://help.disneyplus.com.
Source: Amcache.hve.15.dr, String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 0000001A.00000003.523925926.00000190FDDCC000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523839525.00000190FDDAE000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523818312.00000190FDDAD000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523879898.00000190FDD6C000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523895191.00000190FDD7D000.00000004.00000001.sdmp, String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000001A.00000003.523925926.00000190FDDCC000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523839525.00000190FDDAE000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523818312.00000190FDDAD000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523879898.00000190FDD6C000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523895191.00000190FDD7D000.00000004.00000001.sdmp, String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000001A.00000003.523925926.00000190FDDCC000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523839525.00000190FDDAE000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523818312.00000190FDDAD000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523879898.00000190FDD6C000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523895191.00000190FDD7D000.00000004.00000001.sdmp, String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000001A.00000003.524958132.00000190FDD8B000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.524976369.00000190FDDAC000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.524929712.00000190FDDC3000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.524992573.00000190FDD5B000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.525007675.00000190FE202000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.524909337.00000190FDDC3000.00000004.00000001.sdmp, String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_10001280 recvfrom,
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,

E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 4.2.rundll32.exe.5460000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.5130000.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4ad0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.45a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4ad0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.54c0000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.35a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4b00000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.regsvr32.exe.970000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.3590000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.regsvr32.exe.9b0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.54f0000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.2670000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.5460000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.2f80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.2670000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.3390000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.53b0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4d70000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.3390000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4d40000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.35a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4be0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.45d0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.5100000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.2f80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.regsvr32.exe.970000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.5490000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.5100000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.2870000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.2670000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4c10000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4dd0000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.2870000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.45a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.54c0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.5380000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.5380000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4d40000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4da0000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4da0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.2fd0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4be0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.2670000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.2670000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.loaddll32.exe.2670000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.35d0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.410818073.0000000002670000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.410538874.00000000035A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.437780692.0000000002670000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.372384163.0000000004DA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.410931541.00000000053B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.410027990.0000000002670000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.410571626.00000000035D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.375281998.0000000003390000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.372312583.0000000004D40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.406521301.00000000009B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.410099478.0000000002871000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.411026981.0000000005491000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.372437748.0000000004DD1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.372236483.0000000004C11000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.372523153.0000000005100000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.410908762.0000000002871000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.372348962.0000000004D71000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.411089485.00000000054F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.372199700.0000000004BE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.359482964.0000000002F80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.410893526.0000000005380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.406320669.0000000000970000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.411057565.00000000054C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.371762481.00000000045A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.371838274.00000000045D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.375456992.0000000003591000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.372554631.0000000005131000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.372126938.0000000004B01000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.410997374.0000000005460000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.359639219.0000000002FD1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.372091623.0000000004AD0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Source: ALNgwfVtrB.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6844 -ip 6844
Source: C:\Windows\SysWOW64\rundll32.exe | File deleted: C:\Windows\SysWOW64\Hincluwb\rahvarmqzcvvrmz.lrz:Zone.Identifier
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\SysWOW64\Tnjzdjiubejyae\
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_100291F6
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_1002F378
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_100403D7
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_1004250B
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_10041557
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_100395A1
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_1002F784
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_1004091B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100291F6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1002F378
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100403D7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1004250B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10041557
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100395A1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1002F784
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1004091B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1002EACF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1002FBA4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10035D96
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10040E5F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1002EFA4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_100291F6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_1002F378
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_100403D7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_1004250B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_10041557
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_100395A1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_1002F784
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_1004091B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_1002EACF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_1002FBA4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_10035D96
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_10040E5F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_1002EFA4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045EB257
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045DA445
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045DDE74
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045E4A66
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045E7A0F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045F2009
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045D8636
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045EFF58
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045EE955
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045E654A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045E2142
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045D670B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045EAD08
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045EEFDD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045DC5D8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045E85FF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045F17BD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045E2E5D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045E4244
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045DE640
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045EF840
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045D7442
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045D7E79
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045D7078
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045E567B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045EA474
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045DA871
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045EDC71
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045F0A64
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045F3263
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045E8806
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045E9A01
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045D3431
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045DB820
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045ED8DB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045ECCD9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045ECAD5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045D80C0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045EBEFD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045F00EF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045DF0E9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045F3EE9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045EE4E5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045F46BD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045E0EBC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045E0ABA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045DC6B8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045E3EAA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045DBAA9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045F36AA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045EA2A5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045D1CA1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045E7D5B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045F2D53
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045DD14C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045E437A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045E017B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045E5779
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045D6B7A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045E4F74
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045E9774
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045DF369
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045E5515
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045DEF0C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045F2B09
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045E8D3D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045D1F38
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045E5333
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045EFBDE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045DE7DE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045EC5D5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045D4BFC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045D55FF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045EE1F8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045E27F9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045E07F4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045E9DF5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045E67E6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045D2194
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045D238C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045DFB8E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045E0F86
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045E6187
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045E3D85
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045ED1BC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045DBFBE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045D57B8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045E8FAE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045F07AA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_045D77A3
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: String function: 10030E38 appears 42 times
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: String function: 10030535 appears 47 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 10030E38 appears 116 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 1003578B appears 46 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 10030535 appears 174 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 10030568 appears 32 times
Source: ALNgwfVtrB.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
Source: ALNgwfVtrB.dll | Virustotal: Detection: 15%
Source: ALNgwfVtrB.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\ALNgwfVtrB.dll
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ALNgwfVtrB.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hincluwb\rahvarmqzcvvrmz.lrz",dVvBCKXQNgS
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Hincluwb\rahvarmqzcvvrmz.lrz",DllRegisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",DllRegisterServer
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6844 -ip 6844
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6844 -s 540
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\ALNgwfVtrB.dll
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ALNgwfVtrB.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hincluwb\rahvarmqzcvvrmz.lrz",dVvBCKXQNgS
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Hincluwb\rahvarmqzcvvrmz.lrz",DllRegisterServer
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6844 -ip 6844
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6844 -s 540
Source: C:\Windows\SysWOW64\WerFault.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\System32\svchost.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERDCF5.tmp
Source: classification engine | Classification label: mal92.troj.evad.winDLL@28/14@0/29
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:6264:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6844
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_10021183 LoadResource,LockResource,SizeofResource,
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Binary string: ws2_32.pdb | source: WerFault.exe, 0000000F.00000003.426800801.0000000005A28000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.426901007.0000000005A28000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb | source: WerFault.exe, 0000000F.00000003.426881288.0000000005A20000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb | source: WerFault.exe, 0000000F.00000003.426438295.0000000005381000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb | source: WerFault.exe, 0000000F.00000003.426438295.0000000005381000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.415892986.00000000050F7000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb | source: WerFault.exe, 0000000F.00000003.426800801.0000000005A28000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.426901007.0000000005A28000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb | source: WerFault.exe, 0000000F.00000003.426786352.0000000005A22000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb | source: WerFault.exe, 0000000F.00000003.426800801.0000000005A28000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.426901007.0000000005A28000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb | source: WerFault.exe, 0000000F.00000003.426438295.0000000005381000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb | source: WerFault.exe, 0000000F.00000003.426438295.0000000005381000.00000004.00000001.sdmp
Source: Binary string: propsys.pdb | source: WerFault.exe, 0000000F.00000003.426800801.0000000005A28000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.426901007.0000000005A28000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb | source: WerFault.exe, 0000000F.00000003.426894444.0000000005A25000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.426786352.0000000005A22000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb | source: WerFault.exe, 0000000F.00000003.426438295.0000000005381000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbk | source: WerFault.exe, 0000000F.00000003.426894444.0000000005A25000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.426786352.0000000005A22000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb | source: WerFault.exe, 0000000F.00000003.426800801.0000000005A28000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.426901007.0000000005A28000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb | source: WerFault.exe, 0000000F.00000003.426438295.0000000005381000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb | source: WerFault.exe, 0000000F.00000003.426438295.0000000005381000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb | source: WerFault.exe, 0000000F.00000003.426881288.0000000005A20000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb | source: WerFault.exe, 0000000F.00000003.426881288.0000000005A20000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb | source: WerFault.exe, 0000000F.00000003.426438295.0000000005381000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb | source: WerFault.exe, 0000000F.00000003.426800801.0000000005A28000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.426901007.0000000005A28000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb | source: WerFault.exe, 0000000F.00000003.426800801.0000000005A28000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.426901007.0000000005A28000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb | source: WerFault.exe, 0000000F.00000003.426438295.0000000005381000.00000004.00000001.sdmp
Source: Binary string: sechost.pdbk | source: WerFault.exe, 0000000F.00000003.426786352.0000000005A22000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb | source: WerFault.exe, 0000000F.00000003.426800801.0000000005A28000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.426901007.0000000005A28000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb | source: WerFault.exe, 0000000F.00000003.426881288.0000000005A20000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb | source: WerFault.exe, 0000000F.00000003.426438295.0000000005381000.00000004.00000001.sdmp
Source: Binary string: combase.pdb | source: WerFault.exe, 0000000F.00000003.426881288.0000000005A20000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb | source: WerFault.exe, 0000000F.00000003.426800801.0000000005A28000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.426901007.0000000005A28000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb | source: WerFault.exe, 0000000F.00000003.426438295.0000000005381000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb | source: WerFault.exe, 0000000F.00000003.426438295.0000000005381000.00000004.00000001.sdmp
Source: Binary string: a/pjr2pCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb | source: WerFault.exe, 0000000F.00000002.435812460.0000000003272000.00000004.00000001.sdmp
Source: ALNgwfVtrB.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ALNgwfVtrB.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ALNgwfVtrB.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ALNgwfVtrB.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ALNgwfVtrB.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_1003060D push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1003060D push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10030E7D push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1003060D push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10030E7D push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_045D1195 push cs; iretd
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_1003E278 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,
                      Source: ALNgwfVtrB.dllStatic PE information: real checksum: 0x970bf should be: 0x9d4b2
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\ALNgwfVtrB.dll
                      Source: C:\Windows\SysWOW64\rundll32.exePE file moved: C:\Windows\SysWOW64\Hincluwb\rahvarmqzcvvrmz.lrz

                      Hooking and other Techniques for Hiding and Protection:

                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Tnjzdjiubejyae\dqrcdyesqxhfmw.cke:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Hincluwb\rahvarmqzcvvrmz.lrz:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1001DFC0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1001DFC0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,
                      Source: C:\Windows\SysWOW64\rundll32.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe TID: 6356Thread sleep time: -30000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 1768Thread sleep time: -30000s >= -30000s
                      Source: C:\Windows\SysWOW64\regsvr32.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
                      Source: C:\Windows\SysWOW64\rundll32.exeEvasive API call chain: GetModuleFileName,DecisionNodes,Sleep
                      Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
                      Source: C:\Windows\SysWOW64\regsvr32.exeAPI coverage: 5.3 %
                      Source: C:\Windows\SysWOW64\rundll32.exeAPI coverage: 5.0 %
                      Source: C:\Windows\SysWOW64\rundll32.exeAPI coverage: 5.1 %
                      Source: C:\Windows\System32\svchost.exeProcess information queried: ProcessInformation
                      Source: C:\Windows\SysWOW64\regsvr32.exeAPI call chain: ExitProcess graph end node
                      Source: C:\Windows\SysWOW64\rundll32.exeAPI call chain: ExitProcess graph end node
                      Source: C:\Windows\SysWOW64\rundll32.exeAPI call chain: ExitProcess graph end node
                      Source: C:\Windows\SysWOW64\rundll32.exeAPI call chain: ExitProcess graph end node
                      Source: C:\Windows\SysWOW64\rundll32.exeFile Volume queried: C:\ FullSizeInformation
                      Source: Amcache.hve.15.drBinary or memory string: VMware
                      Source: Amcache.hve.15.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                      Source: Amcache.hve.15.drBinary or memory string: VMware-42 35 34 13 2a 07 0a 9c-ee 7f dd c3 60 c7 b9 af
                      Source: Amcache.hve.15.drBinary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                      Source: Amcache.hve.15.drBinary or memory string: VMware Virtual USB Mouse
                      Source: Amcache.hve.15.drBinary or memory string: VMware, Inc.
                      Source: Amcache.hve.15.drBinary or memory string: VMware Virtual disk SCSI Disk Devicehbin
                      Source: Amcache.hve.15.drBinary or memory string: Microsoft Hyper-V Generation Counter
                      Source: Amcache.hve.15.drBinary or memory string: VMware7,1
                      Source: Amcache.hve.15.drBinary or memory string: NECVMWar VMware SATA CD00
                      Source: Amcache.hve.15.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                      Source: svchost.exe, 00000018.00000002.746512061.0000016F0804E000.00000004.00000001.sdmp, svchost.exe, 00000018.00000002.746554870.0000016F08064000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000002.546303374.00000190FD4EC000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000002.546113736.00000190FD488000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000002.546062495.00000190FD481000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
                      Source: svchost.exe, 00000018.00000002.745495759.0000016F0282A000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW@p
                      Source: Amcache.hve.15.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                      Source: Amcache.hve.15.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                      Source: Amcache.hve.15.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1x
                      Source: Amcache.hve.15.drBinary or memory string: VMware, Inc.me
                      Source: Amcache.hve.15.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                      Source: Amcache.hve.15.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_1003E278 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_10002D40 SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,SetLastError,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_045DF7F7 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exeProcess queried: DebugPort
                      Source: C:\Windows\System32\loaddll32.exeProcess queried: DebugPort
                      Source: C:\Windows\System32\loaddll32.exeProcess queried: DebugPort
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10032CB9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10032CB9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

                      HIPS / PFW / Operating System Protection Evasion:

                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 69.16.218.101 144
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 45.138.98.34 80
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6844 -ip 6844
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6844 -s 540
                      Source: loaddll32.exe, 00000000.00000000.410775550.0000000001260000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.409992381.0000000001260000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: loaddll32.exe, 00000000.00000000.410775550.0000000001260000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.409992381.0000000001260000.00000002.00020000.sdmpBinary or memory string: Progman
                      Source: loaddll32.exe, 00000000.00000000.410775550.0000000001260000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.409992381.0000000001260000.00000002.00020000.sdmpBinary or memory string: &Program Manager
                      Source: loaddll32.exe, 00000000.00000000.410775550.0000000001260000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.409992381.0000000001260000.00000002.00020000.sdmpBinary or memory string: Progmanlock
                      Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: GetLocaleInfoA,GetLocaleInfoA,GetACP,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,GetLocaleInfoA,GetACP,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,GetLocaleInfoA,GetACP,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_1003732F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10024F01 _memset,GetVersionExA,
                      Source: Amcache.hve.15.drBinary or memory string: c:\program files\windows defender\msmpeng.exe

                      Stealing of Sensitive Information:

                      Yara detected Emotet
                      Source: Yara matchFile source: 4.2.rundll32.exe.5460000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.5130000.11.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.4ad0000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.45a0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.4ad0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.54c0000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.35a0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.4b00000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.regsvr32.exe.970000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.rundll32.exe.3590000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.regsvr32.exe.9b0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.54f0000.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.2670000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.5460000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.2f80000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.2670000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.rundll32.exe.3390000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.53b0000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.4d70000.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.rundll32.exe.3390000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.4d40000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.35a0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.4be0000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.45d0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.5100000.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.2f80000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.regsvr32.exe.970000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.5490000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.5100000.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.2870000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.2670000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.4c10000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.4dd0000.9.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.2870000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.45a0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.54c0000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.5380000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.5380000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.4d40000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.4da0000.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.4da0000.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.2fd0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.4be0000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.2670000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.2670000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.loaddll32.exe.2670000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.35d0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000000.00000000.410818073.0000000002670000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.410538874.00000000035A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.437780692.0000000002670000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.372384163.0000000004DA0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.410931541.00000000053B1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.410027990.0000000002670000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.410571626.00000000035D1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.375281998.0000000003390000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.372312583.0000000004D40000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.406521301.00000000009B1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.410099478.0000000002871000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.411026981.0000000005491000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.372437748.0000000004DD1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.372236483.0000000004C11000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.372523153.0000000005100000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.410908762.0000000002871000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.372348962.0000000004D71000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.411089485.00000000054F1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.372199700.0000000004BE0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.359482964.0000000002F80000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.410893526.0000000005380000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.406320669.0000000000970000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.411057565.00000000054C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.371762481.00000000045A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.371838274.00000000045D1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.375456992.0000000003591000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.372554631.0000000005131000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.372126938.0000000004B01000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.410997374.0000000005460000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.359639219.0000000002FD1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.372091623.0000000004AD0000.00000040.00000001.sdmp, type: MEMORY
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_10001160 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10001160 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10001160 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt,

                      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API2 | DLL Side-Loading1 | DLL Side-Loading1 | Deobfuscate/Decode Files or Information1 | Input Capture1 | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection112 | Obfuscated Files or Information2 | LSASS Memory | File and Directory Discovery1 | Remote Desktop Protocol | Input Capture1 | Exfiltration Over Bluetooth | Encrypted Channel1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | DLL Side-Loading1 | Security Account Manager | System Information Discovery35 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Standard Port1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | File Deletion1 | NTDS | Query Registry1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol1 | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading2 | LSA Secrets | Security Software Discovery51 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion3 | Cached Domain Credentials | Virtualization/Sandbox Evasion3 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection112 | DCSync | Process Discovery2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Hidden Files and Directories1 | Proc Filesystem | Application Window Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Regsvr321 | /etc/passwd and /etc/shadow | Remote System Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Rundll321 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact

                      Behavior Graph

Behavior Graph ID: 553377
Sample: ALNgwfVtrB.dll
Start date: 14/01/2022
Architecture: WINDOWS
Score: 92

Signatures attached to the sample node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Multi AV Scanner detection for submitted file; 3 other signatures
Network contacts attached to the sample node: 210.57.209.142 (UNAIR-AS-IDUniversitasAirlanggaID, Indonesia); 85.214.67.203 (STRATOSTRATOAGDE, Germany); 23 other IPs or domains

Process tree (child processes indented under their parent; network contacts and signatures listed at the process that produced them):

loaddll32.exe
    cmd.exe
        rundll32.exe
            rundll32.exe  [Hides that the sample has been downloaded from the Internet (zone.identifier)]
                rundll32.exe
                    rundll32.exe  [System process connects to network (likely due to code injection or exploit)]
                        -> 45.138.98.34, 49766, 80 (M247GB, Germany)
                        -> 69.16.218.101, 49767, 8080 (LIQUIDWEBUS, United States)
    rundll32.exe  [Hides that the sample has been downloaded from the Internet (zone.identifier)]
    regsvr32.exe
        rundll32.exe
    WerFault.exe
svchost.exe
    -> 192.168.2.1 (unknown)
    WerFault.exe
svchost.exe
    -> 127.0.0.1 (unknown)
4 other processes


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
ALNgwfVtrB.dll | 15% | Virustotal |

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
2.2.regsvr32.exe.9b0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
6.2.rundll32.exe.3390000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
4.2.rundll32.exe.54c0000.6.unpack | 100% | Avira | HEUR/AGEN.1145233
2.2.regsvr32.exe.970000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
3.2.rundll32.exe.2f80000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
4.2.rundll32.exe.5460000.4.unpack | 100% | Avira | HEUR/AGEN.1145233
5.2.rundll32.exe.5130000.11.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.2.rundll32.exe.53b0000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
5.2.rundll32.exe.4ad0000.2.unpack | 100% | Avira | HEUR/AGEN.1145233
5.2.rundll32.exe.4d70000.7.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
5.2.rundll32.exe.4b00000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.2.rundll32.exe.35a0000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
4.2.rundll32.exe.54f0000.7.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
6.2.rundll32.exe.3590000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
5.2.rundll32.exe.45d0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
5.2.rundll32.exe.4be0000.4.unpack | 100% | Avira | HEUR/AGEN.1145233
4.2.rundll32.exe.5490000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.0.loaddll32.exe.2870000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
5.2.rundll32.exe.4dd0000.9.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
5.2.rundll32.exe.5100000.10.unpack | 100% | Avira | HEUR/AGEN.1145233
5.2.rundll32.exe.4c10000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
5.2.rundll32.exe.45a0000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
0.0.loaddll32.exe.2670000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
0.0.loaddll32.exe.2870000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.2.rundll32.exe.5380000.2.unpack | 100% | Avira | HEUR/AGEN.1145233
5.2.rundll32.exe.4d40000.6.unpack | 100% | Avira | HEUR/AGEN.1145233
5.2.rundll32.exe.4da0000.8.unpack | 100% | Avira | HEUR/AGEN.1145233
3.2.rundll32.exe.2fd0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.0.loaddll32.exe.2670000.3.unpack | 100% | Avira | HEUR/AGEN.1145233
0.2.loaddll32.exe.2670000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
4.2.rundll32.exe.35d0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
https://www.disneyplus.com/legal/your-california-privacy-rights | 0% | URL Reputation | safe
http://crl.ver) | 0% | Avira URL Cloud | safe
https://www.disneyplus.com/legal/privacy-policy | 0% | URL Reputation | safe
https://www.tiktok.com/legal/report/feedback | 0% | URL Reputation | safe
http://help.disneyplus.com. | 0% | URL Reputation | safe
https://disneyplus.com/legal. | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

Name: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000001A.00000003.523925926.00000190FDDCC000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523839525.00000190FDDAE000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523818312.00000190FDDAD000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523879898.00000190FDD6C000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523895191.00000190FDD7D000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://crl.ver)
Source: svchost.exe, 00000018.00000002.746432413.0000016F08012000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000002.546303374.00000190FD4EC000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: low

Name: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000001A.00000003.523925926.00000190FDDCC000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523839525.00000190FDDAE000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523818312.00000190FDDAD000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523879898.00000190FDD6C000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523895191.00000190FDD7D000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://upx.sf.net
Source: Amcache.hve.15.dr
Malicious: false
Antivirus Detection: none
Reputation: high

Name: https://www.tiktok.com/legal/report/feedback
Source: svchost.exe, 0000001A.00000003.524958132.00000190FDD8B000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.524976369.00000190FDDAC000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.524929712.00000190FDDC3000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.524992573.00000190FDD5B000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.525007675.00000190FE202000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.524909337.00000190FDDC3000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://help.disneyplus.com.
Source: svchost.exe, 0000001A.00000003.523925926.00000190FDDCC000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523839525.00000190FDDAE000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523818312.00000190FDDAD000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523879898.00000190FDD6C000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523895191.00000190FDD7D000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: https://disneyplus.com/legal.
Source: svchost.exe, 0000001A.00000003.523925926.00000190FDDCC000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523839525.00000190FDDAE000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523818312.00000190FDDAD000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523879898.00000190FDD6C000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000003.523895191.00000190FDD7D000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

                        Contacted IPs


                        Public

IP | Domain | Country | ASN | ASN Name | Malicious
207.148.81.119 | unknown | United States | 20473 | AS-CHOOPAUS | true
104.131.62.48 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
85.214.67.203 | unknown | Germany | 6724 | STRATOSTRATOAGDE | true
191.252.103.16 | unknown | Brazil | 27715 | LocawebServicosdeInternetSABR | true
168.197.250.14 | unknown | Argentina | 264776 | OmarAnselmoRipollTDCNETAR | true
66.42.57.149 | unknown | United States | 20473 | AS-CHOOPAUS | true
185.148.168.15 | unknown | Germany | 44780 | EVERSCALE-ASDE | true
51.210.242.234 | unknown | France | 16276 | OVHFR | true
217.182.143.207 | unknown | France | 16276 | OVHFR | true
69.16.218.101 | unknown | United States | 32244 | LIQUIDWEBUS | true
159.69.237.188 | unknown | Germany | 24940 | HETZNER-ASDE | true
45.138.98.34 | unknown | Germany | 9009 | M247GB | true
116.124.128.206 | unknown | Korea Republic of | 9318 | SKB-ASSKBroadbandCoLtdKR | true
78.46.73.125 | unknown | Germany | 24940 | HETZNER-ASDE | true
37.59.209.141 | unknown | France | 16276 | OVHFR | true
210.57.209.142 | unknown | Indonesia | 38142 | UNAIR-AS-IDUniversitasAirlanggaID | true
185.148.168.220 | unknown | Germany | 44780 | EVERSCALE-ASDE | true
54.37.228.122 | unknown | France | 16276 | OVHFR | true
190.90.233.66 | unknown | Colombia | 18678 | INTERNEXASAESPCO | true
142.4.219.173 | unknown | Canada | 16276 | OVHFR | true
54.38.242.185 | unknown | France | 16276 | OVHFR | true
195.154.146.35 | unknown | France | 12876 | OnlineSASFR | true
195.77.239.39 | unknown | Spain | 60493 | FICOSA-ASES | true
78.47.204.80 | unknown | Germany | 24940 | HETZNER-ASDE | true
37.44.244.177 | unknown | Germany | 47583 | AS-HOSTINGERLT | true
62.171.178.147 | unknown | United Kingdom | 51167 | CONTABODE | true
128.199.192.135 | unknown | United Kingdom | 14061 | DIGITALOCEAN-ASNUS | true

                        Private

                        IP
                        192.168.2.1
                        127.0.0.1

                        General Information

                        Joe Sandbox Version:34.0.0 Boulder Opal
                        Analysis ID:553377
                        Start date:14.01.2022
                        Start time:19:49:34
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 12m 57s
                        Hypervisor based Inspection enabled:false
                        Report type:light
                        Sample file name:ALNgwfVtrB.dll
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                        Run name:Run with higher sleep bypass
                        Number of analysed new started processes analysed:31
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal92.troj.evad.winDLL@28/14@0/29
                        EGA Information:
                        • Successful, ratio: 80%
                        HDC Information:
                        • Successful, ratio: 99.3% (good quality ratio 92.4%)
                        • Quality average: 70.9%
                        • Quality standard deviation: 27.1%
                        HCA Information:
                        • Successful, ratio: 80%
                        • Number of executed functions: 0
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Adjust boot time
                        • Enable AMSI
                        • Sleeps bigger than 120000ms are automatically reduced to 1000ms
                        • Found application associated with file extension: .dll
                        Warnings:
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, wuapihost.exe
                        • Excluded IPs from analysis (whitelisted): 23.211.6.115, 173.222.108.210, 173.222.108.226, 20.54.110.249, 23.213.164.66
                        • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
                        • Report creation exceeded maximum time and may have missing disassembly code information.
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.

                        Simulations

                        Behavior and APIs

Time | Type | Description
19:51:53 | API Interceptor | 1x Sleep call for process: svchost.exe modified

                        Joe Sandbox View / Context

                        IPs

                        No context

                        Domains

                        No context

                        ASN

                        No context

                        JA3 Fingerprints

                        No context

                        Dropped Files

                        No context

                        Created / dropped Files

                        C:\ProgramData\Microsoft\Network\Downloader\edb.log
                        Process:C:\Windows\System32\svchost.exe
                        File Type:MPEG-4 LOAS
                        Category:dropped
                        Size (bytes):1310720
                        Entropy (8bit):0.24860080561813114
                        Encrypted:false
                        SSDEEP:1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU44:BJiRdwfu2SRU44
                        MD5:98942C19F83BA334A7BEA02787DDF565
                        SHA1:17E45CD6A8DF28C6ACC1668425DF4E14E48BEA13
                        SHA-256:207DEC27611F335595E311FBAD0E00DBBBCDB7B8E43F965544EA1FD60617F08D
                        SHA-512:B1B96546C07B86E5AF8B61AA9B25D71E20D64BC9BF7FBDEF82E713F0B251B30D9C6D90B77627AB4A3B85C862758F51EF18EB0C866E6D50474E87020A6DB39C87
                        Malicious:false
                        C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
                        Process:C:\Windows\System32\svchost.exe
                        File Type:Extensible storage user DataBase, version 0x620, checksum 0x28d584a9, page size 16384, DirtyShutdown, Windows version 10.0
                        Category:dropped
                        Size (bytes):786432
                        Entropy (8bit):0.2506959082534172
                        Encrypted:false
                        SSDEEP:384:8+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:jSB2nSB2RSjlK/+mLesOj1J2
                        MD5:64BCD76C8E6657CDB9185061ACE13696
                        SHA1:924CF853C09B694E93E47727D8F7F16D5F54D36C
                        SHA-256:F49E16CBDEFB4CA2296F0F8479D479C29185E948D8A9961854B1DA1D890424F0
                        SHA-512:33010E06AA84DCAD09E6056DE5840DA8CB820D77ECBBAE0027980091AE251D3A415D4227C4CD566AC50A610E2AD9AEB991D10F2501577B17D3CD66FE10AA971D
                        Malicious:false
                        C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
                        Process:C:\Windows\System32\svchost.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):16384
                        Entropy (8bit):0.07689334245217043
                        Encrypted:false
                        SSDEEP:3:ddSl9EvQWA+j8l/bJdAtidmfkill3Vkttlmlnl:fWYQWbj8t4UmfB3
                        MD5:229C4C99BF7C6829926E52D8B49633C7
                        SHA1:B0A4413F54EB5AE9534D2965A34B5A3B78878442
                        SHA-256:9EF3AA9B9D4B0ADDE141F8F4DB8A9F4FBF0ABFDFCA55774CEC2BC6EA44A9678E
                        SHA-512:5D31C653A7CA333BEC433DC18941E102F452E1DDF041F21C6BFA42DC805F2FD8FABA70555825AF26D439F05AA0B4175CA78C4561C0B7119DAA2A648904BBBA49
                        Malicious:false
                        C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_669a8c10d0efd6a57917dbe0788b74fa72a925de_7cac0383_056a4d11\Report.wer
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):65536
                        Entropy (8bit):0.7988956240777769
                        Encrypted:false
                        SSDEEP:96:/HinYyJy9haol7JfHpXIQcQSc6mcEUcw3/s+a+z+HbHgNVG4rmMoVazWvMOpNn9x:yn4Hsieryjlq/u7swS274ItW
                        MD5:ED62A7C01BB01659798A5726741F13C6
                        SHA1:B5BF80209FB7AF26C9A90D1AE8352F9C6359B510
                        SHA-256:DBCED419A0335123A05013563CF0C23A71CBC0640E5365CAE26E80072EE5B095
                        SHA-512:8DF621AA77D986E155A5E6AA75E86E50B7A6E7349648419904395A395F239C8CFA842554DF21646660677ED68623A365D7A844DA07A9D35D2188157E5723C39E
                        Malicious:false
                        Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.6.6.9.2.2.6.7.2.3.8.5.2.2.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.a.c.4.c.9.e.7.-.e.d.e.3.-.4.9.b.e.-.9.6.5.f.-.d.e.3.b.0.e.4.7.e.0.e.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.a.c.d.9.5.7.4.-.6.6.e.e.-.4.f.c.7.-.8.1.3.1.-.7.6.f.5.c.c.6.8.6.4.3.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.b.c.-.0.0.0.1.-.0.0.1.7.-.2.5.1.e.-.0.3.0.d.c.3.0.9.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.1.2././.1.3.:.0.9.:.0.7.:.1.6.!.0.!.l.o.a.d.d.l.l.3.2...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER3090.tmp.dmp
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Mini DuMP crash report, 15 streams, Sat Jan 15 03:51:09 2022, 0x1205a4 type
                        Category:dropped
                        Size (bytes):45404
                        Entropy (8bit):2.078652014102664
                        Encrypted:false
                        SSDEEP:192:Q9WY29QWSOOQNcIFmAGrRdg1P0FToB1Dw/QRf0mI1mHUqbxLD14I:SaQWtOw1FjgRdK0p01Dw/rmI1mHU6
                        MD5:BC29120C58719C8580F783A2B29F6B8A
                        SHA1:9F9E546EB934E908D56DF95B993DBBC69157DA5C
                        SHA-256:9D632CC2C998D65785D832447E7C8B38ECA3FC2DC03B1B6B5565F5D8483FFDAA
                        SHA-512:22BB789CECC57A6283EFA19F56D8DE21E61146B6C7526228ED0F98B29DBA68227A5D47490FEE52F4F406F6F2CE3FFB2259F76EF708D046E9A7E7BD9EFB9F8BDA
                        Malicious:false
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER40FC.tmp.WERInternalMetadata.xml
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):8352
                        Entropy (8bit):3.696480840868291
                        Encrypted:false
                        SSDEEP:192:Rrl7r3GLNikXb6JErZ6YJRSUyNiuWlGgmfMSwGTriCpBr89baQsfp+m:RrlsNiUb6JErZ6YfSUyNiu9gmfMSwcU2
                        MD5:B4CAC76777AD7D10598974392C4AB2C1
                        SHA1:D57DE457573E8BF1D9ADDD4EABE77205CA1AF2C1
                        SHA-256:E887F48ECA9F3D5AD6734AA6C3612A03D0556EF5EB075E50421B25B342BC5C0C
                        SHA-512:740E164E8CF04E9CBE70CFC90F9478E538551CCB789C8C427F93CDE3415B4F22AC85A30BCD450685A636667FE5C8E0A58B8C56A9AFE94442613165669D6A5D7A
                        Malicious:false
                        Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.8.4.4.<./.P.i.d.>.......
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER44E5.tmp.xml
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):4598
                        Entropy (8bit):4.47158436246399
                        Encrypted:false
                        SSDEEP:48:cvIwSD8zsbtJgtWI9xlWSC8BnU8fm8M4J2+dZF5+q84pUlKcQIcQw0ad:uITfDKUSNxZJH9mlKkw0ad
                        MD5:6A28391685604A506DE880F3C2B59083
                        SHA1:5EFF550EE828DC992A6E04DE15E988E3C39F4359
                        SHA-256:BA1DBB2C19D23D2D24D4AD6E119B3D48426653EB69CB1F383F45068050CFD03E
                        SHA-512:4516E24E8B03E39E7FC88A865D13DB439613EFA1B36B101231B81D63122ACA53F6E9BF0640E9FE295327F405E58411C4CE4D0C6CC6CDDE26A760E58CC5E6F4CB
                        Malicious:false
                        Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1342861" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WERDCF5.tmp.csv
                        Process:C:\Windows\System32\svchost.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):49638
                        Entropy (8bit):3.06405703571207
                        Encrypted:false
                        SSDEEP:1536:MaHcQVN5sb/unLssEAHQWtXoXlgNAvluQR:MaHcQVN5sb/unLssEAHQWtXo1gNAvlu0
                        MD5:CD56236F3283E18C8DF2E0316D3A8BE6
                        SHA1:F211242733EC608B56A81C856A2FED32CDC70114
                        SHA-256:341DE1EB18C7DA213F6434B8B97180625B543B3E35632D56D258A276E5F0B773
                        SHA-512:69608B0895D268DD5BC7824242FEB30A79D1B52D8E8D472D33BF0230FAA48A94D9B9C85D3F2F37A9623344877F4DB8A2CF51034416074435411B38CF420BC07B
                        Malicious:false
                        Preview: I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WERE207.tmp.txt
                        Process:C:\Windows\System32\svchost.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):13340
                        Entropy (8bit):2.6962620993254744
                        Encrypted:false
                        SSDEEP:96:9GiZYWaMiE3yaY2YcIrWGUI+HgYEZaftriuFoDOw4rShF2ax68iZDIZJ3:9jZDZZhjWmxrBax68iZMZJ3
                        MD5:DEBDF02A58054A48A26A6291D98F3BDF
                        SHA1:01BF160F5143ABE8AA8CF52519B86AE93B7E9506
                        SHA-256:41100A2C989476F02D6C0BA977AEB87013E7A054794403537A8FD60BEBF59CE0
                        SHA-512:48067E9CE80DD77D3FC0DA43D8BE1006BF163754768360413F558B3DD88262665A22EC02150F0574FC3C790B3E856F1CF520B4A9F553355DAA8FA43C6B2EF24F
                        Malicious:false
                        Preview: B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                        C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                        Process:C:\Windows\SysWOW64\rundll32.exe
                        File Type:Microsoft Cabinet archive data, 61414 bytes, 1 file
                        Category:dropped
                        Size (bytes):61414
                        Entropy (8bit):7.995245868798237
                        Encrypted:true
                        SSDEEP:1536:EysgU6qmzixT64jYMZ8HbVPGfVDwm/xLZ9rP:wF6qmeo4eH1m9wmLvrP
                        MD5:ACAEDA60C79C6BCAC925EEB3653F45E0
                        SHA1:2AAAE490BCDACCC6172240FF1697753B37AC5578
                        SHA-256:6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658
                        SHA-512:FEAA6E7ED7DDA1583739B3E531AB5C562A222EE6ECD042690AE7DCFF966717C6E968469A7797265A11F6E899479AE0F3031E8CF5BEBE1492D5205E9C59690900
                        Malicious:false
                        C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                        Process:C:\Windows\SysWOW64\rundll32.exe
                        File Type:data
                        Category:modified
                        Size (bytes):328
                        Entropy (8bit):3.1084656046114056
                        Encrypted:false
                        SSDEEP:6:kKwk8SN+SkQlPlEGYRMY9z+4KlDA3RUeYlUmlUR/t:I9kPlE99SNxAhUeYlUSA/t
                        MD5:92EC2722EB0774E315A06B41F879CE4F
                        SHA1:02A00642E9BCEC7FD488705056CE9549BCDDBFC2
                        SHA-256:3D5D7BF6B7BD1645E10B8786DDFF2235AFDD6FD39AE9D0842A2ADF4BA0A60E3D
                        SHA-512:D2A6BF91EDC20D4502E0C1F77F054D1091139D67A88E4D7E0270155C249A4D51C8E5A774F613ABAFD7569B9F4FB746C137149740B42AD0FD2255067A1EFF153C
                        Malicious:false
                        Preview: p...... .........w&....(....................................................... ........q.\].......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.7.1.e.1.5.c.5.d.c.4.d.7.1.:.0."...
                        C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                        Process:C:\Windows\System32\svchost.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):55
                        Entropy (8bit):4.306461250274409
                        Encrypted:false
                        SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                        MD5:DCA83F08D448911A14C22EBCACC5AD57
                        SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                        SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                        SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                        Malicious:false
                        Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                        C:\Windows\appcompat\Programs\Amcache.hve
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:MS Windows registry file, NT/2000 or above
                        Category:dropped
                        Size (bytes):1572864
                        Entropy (8bit):4.213755152490915
                        Encrypted:false
                        SSDEEP:12288:6cnncucuMx5OmsWFJYTtVF4XFcuzvFoBms28NO/UBClPC4CEJ8jQQu:tnncucuMx5bsWFeGyOFK
                        MD5:F3B123CAE8BEBB300C19F9635B15CA3F
                        SHA1:B531DCAA28AC796C14FD8CA532A66C4D303E43BD
                        SHA-256:87311C7DDAA16AFF59D85DB8170FF3719DA99E70E610FAD76BB6E4A6217A41A1
                        SHA-512:03A3292CCBA10874D889E1A94FD60BE2F1A7E5287BDEC9A34FD64F1825B120B3A9A1BDE35A4575566D1EE26629DF3A5FB0ED7D30BB473BF9AF7DEC7DEE41A699
                        Malicious:false
                        C:\Windows\appcompat\Programs\Amcache.hve.LOG1
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:MS Windows registry file, NT/2000 or above
                        Category:dropped
                        Size (bytes):16384
                        Entropy (8bit):2.8902670868682057
                        Encrypted:false
                        SSDEEP:192:Zuyy1WD1IVU2Y45FSETDq/bDIpn8h8M1ZV6nGocW:ZfI53AIpn88MTVgGfW
                        MD5:555B3553C63A6B5D9143D300AA8A7997
                        SHA1:55FFB569B56C1C2EBA175886AA8EA93D5E789883
                        SHA-256:037F15AE48A5FF1B040E8079ABC616D7758164F0E3E90E1B796C0F00472C6FD5
                        SHA-512:1FAB22B573EA395ECC772EDE1B37F290CC20934F04DCDBDF72F41EF739AE07A9B05E84A373E24E83CEAE7E653E3C2AF72649306F0D68E0DC7D7A370A171D5524
                        Malicious:false

                        Static File Info

                        General

                        File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):6.767598862658865
                        TrID:
                        • Win32 Dynamic Link Library (generic) (1002004/3) 98.32%
                        • Windows Screen Saver (13104/52) 1.29%
                        • Generic Win/DOS Executable (2004/3) 0.20%
                        • DOS Executable Generic (2002/1) 0.20%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:ALNgwfVtrB.dll
                        File size:588288
                        MD5:61308ba77d051e4e76e532f9709635e0
                        SHA1:95d2cd6c7be346d29735ed970d3f373d37b7e13f
                        SHA256:bd2c1b86de45c3e9d0d7c85322228c3512ce2c041765d95bb613cdf12647bea9
                        SHA512:2baf01ad017b6e5f2940398b8866aed84daa66a069e29e77ecad4dadf4854b206e14e1e8175f59c26f7d6d5a17ea1b2f4e258595d8a33fd4e8675898c576c618
                        SSDEEP:6144:cNU5LwA22222GgngDrDRVyYli/ci2tEGW78ODQiE4tvOSk5DKXOW14IkFxVFgY4E:x5w7YM/cYVV7E5OpOJyvnHtytFyQ
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m.......................................^F......^P.n....^W.t....^Y......^A......^G......^B.....Rich....................PE..L..

                        File Icon

                        Icon Hash:71b018ccc6577131

                        Static PE Info

                        General

                        Entrypoint:0x1002eaac
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x10000000
                        Subsystem:windows gui
                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                        DLL Characteristics:
                        Time Stamp:0x61E03DE6 [Thu Jan 13 14:57:42 2022 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:5
                        OS Version Minor:0
                        File Version Major:5
                        File Version Minor:0
                        Subsystem Version Major:5
                        Subsystem Version Minor:0
                        Import Hash:7f57698bb210fa88a6b01b1feaf20957

                        Entrypoint Preview

                        Instruction
                        mov edi, edi
                        push ebp
                        mov ebp, esp
                        cmp dword ptr [ebp+0Ch], 01h
                        jne 00007F0130AF57F7h
                        call 00007F0130AFE068h
                        push dword ptr [ebp+08h]
                        mov ecx, dword ptr [ebp+10h]
                        mov edx, dword ptr [ebp+0Ch]
                        call 00007F0130AF56E1h
                        pop ecx
                        pop ebp
                        retn 000Ch
                        mov edi, edi
                        push ebp
                        mov ebp, esp
                        push esi
                        push edi
                        mov edi, dword ptr [ebp+10h]
                        mov eax, edi
                        sub eax, 00000000h
                        je 00007F0130AF6DDBh
                        dec eax
                        je 00007F0130AF6DC3h
                        dec eax
                        je 00007F0130AF6D8Eh
                        dec eax
                        je 00007F0130AF6D3Fh
                        dec eax
                        je 00007F0130AF6CAFh
                        mov ecx, dword ptr [ebp+0Ch]
                        mov eax, dword ptr [ebp+08h]
                        push ebx
                        push 00000020h
                        pop edx
                        jmp 00007F0130AF5C67h
                        mov esi, dword ptr [eax]
                        cmp esi, dword ptr [ecx]
                        je 00007F0130AF586Eh
                        movzx esi, byte ptr [eax]
                        movzx ebx, byte ptr [ecx]
                        sub esi, ebx
                        je 00007F0130AF5807h
                        xor ebx, ebx
                        test esi, esi
                        setnle bl
                        lea ebx, dword ptr [ebx+ebx-01h]
                        mov esi, ebx
                        test esi, esi
                        jne 00007F0130AF5C5Fh
                        movzx esi, byte ptr [eax+01h]
                        movzx ebx, byte ptr [ecx+01h]
                        sub esi, ebx
                        je 00007F0130AF5807h
                        xor ebx, ebx
                        test esi, esi
                        setnle bl
                        lea ebx, dword ptr [ebx+ebx-01h]
                        mov esi, ebx
                        test esi, esi
                        jne 00007F0130AF5C3Eh
                        movzx esi, byte ptr [eax+02h]
                        movzx ebx, byte ptr [ecx+02h]
                        sub esi, ebx
                        je 00007F0130AF5807h
                        xor ebx, ebx
                        test esi, esi
                        setnle bl
                        lea ebx, dword ptr [ebx+ebx-01h]
                        mov esi, ebx
                        test esi, esi
                        jne 00007F0130AF5C1Dh

                        Rich Headers

                        Programming Language:
                        • [ C ] VS2008 build 21022
                        • [LNK] VS2008 build 21022
                        • [ C ] VS2005 build 50727
                        • [ASM] VS2008 build 21022
                        • [IMP] VS2005 build 50727
                        • [RES] VS2008 build 21022
                        • [EXP] VS2008 build 21022
                        • [C++] VS2008 build 21022

                        Data Directories

                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x50bc0 | 0x50 | .rdata
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4f538 | 0xb4 | .rdata
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x89000 | 0x3410 | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8d000 | 0x415c | .reloc
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4bd00 | 0x40 | .rdata
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0x47000 | 0x454 | .rdata
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x4f4b0 | 0x40 | .rdata
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                        Sections

                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        .text | 0x1000 | 0x45bb9 | 0x45c00 | False | 0.379756804435 | data | 6.37093799262 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                        .rdata | 0x47000 | 0x9c10 | 0x9e00 | False | 0.357397151899 | data | 5.22204269745 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .data | 0x51000 | 0x3735c | 0x33800 | False | 0.741035535498 | data | 6.11335979295 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                        .rsrc | 0x89000 | 0x3410 | 0x3600 | False | 0.306640625 | data | 4.34913645958 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .reloc | 0x8d000 | 0x8c34 | 0x8e00 | False | 0.346308318662 | data | 4.00973830682 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                        Resources

Name | RVA | Size | Type | Language | Country
RT_CURSOR | 0x89ac0 | 0x134 | data | Chinese | China
RT_CURSOR | 0x89bf4 | 0xb4 | data | Chinese | China
RT_CURSOR | 0x89ca8 | 0x134 | AmigaOS bitmap font | Chinese | China
RT_CURSOR | 0x89ddc | 0x134 | data | Chinese | China
RT_CURSOR | 0x89f10 | 0x134 | data | Chinese | China
RT_CURSOR | 0x8a044 | 0x134 | data | Chinese | China
RT_CURSOR | 0x8a178 | 0x134 | data | Chinese | China
RT_CURSOR | 0x8a2ac | 0x134 | data | Chinese | China
RT_CURSOR | 0x8a3e0 | 0x134 | data | Chinese | China
RT_CURSOR | 0x8a514 | 0x134 | data | Chinese | China
RT_CURSOR | 0x8a648 | 0x134 | data | Chinese | China
RT_CURSOR | 0x8a77c | 0x134 | data | Chinese | China
RT_CURSOR | 0x8a8b0 | 0x134 | AmigaOS bitmap font | Chinese | China
RT_CURSOR | 0x8a9e4 | 0x134 | data | Chinese | China
RT_CURSOR | 0x8ab18 | 0x134 | data | Chinese | China
RT_CURSOR | 0x8ac4c | 0x134 | data | Chinese | China
RT_BITMAP | 0x8ad80 | 0xb8 | data | Chinese | China
RT_BITMAP | 0x8ae38 | 0x144 | data | Chinese | China
RT_ICON | 0x8af7c | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 67108992, next used block 3293332676 | Chinese | China
RT_ICON | 0x8b264 | 0x128 | GLS_BINARY_LSB_FIRST | Chinese | China
RT_DIALOG | 0x8b38c | 0x33c | data | Chinese | China
RT_DIALOG | 0x8b6c8 | 0xe2 | data | Chinese | China
RT_DIALOG | 0x8b7ac | 0x34 | data | Chinese | China
RT_STRING | 0x8b7e0 | 0x4e | data | Chinese | China
RT_STRING | 0x8b830 | 0x2c | data | Chinese | China
RT_STRING | 0x8b85c | 0x82 | data | Chinese | China
RT_STRING | 0x8b8e0 | 0x1d6 | data | Chinese | China
RT_STRING | 0x8bab8 | 0x160 | data | Chinese | China
RT_STRING | 0x8bc18 | 0x12e | data | Chinese | China
RT_STRING | 0x8bd48 | 0x50 | data | Chinese | China
RT_STRING | 0x8bd98 | 0x44 | data | Chinese | China
RT_STRING | 0x8bddc | 0x68 | data | Chinese | China
RT_STRING | 0x8be44 | 0x1b8 | data | Chinese | China
RT_STRING | 0x8bffc | 0x104 | data | Chinese | China
RT_STRING | 0x8c100 | 0x24 | data | Chinese | China
RT_STRING | 0x8c124 | 0x30 | data | Chinese | China
RT_GROUP_CURSOR | 0x8c154 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | Chinese | China
RT_GROUP_CURSOR | 0x8c178 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
RT_GROUP_CURSOR | 0x8c18c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
RT_GROUP_CURSOR | 0x8c1a0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
RT_GROUP_CURSOR | 0x8c1b4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
RT_GROUP_CURSOR | 0x8c1c8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
RT_GROUP_CURSOR | 0x8c1dc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
RT_GROUP_CURSOR | 0x8c1f0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
RT_GROUP_CURSOR | 0x8c204 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
RT_GROUP_CURSOR | 0x8c218 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
RT_GROUP_CURSOR | 0x8c22c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
RT_GROUP_CURSOR | 0x8c240 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
RT_GROUP_CURSOR | 0x8c254 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
RT_GROUP_CURSOR | 0x8c268 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
RT_GROUP_CURSOR | 0x8c27c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
RT_GROUP_ICON | 0x8c290 | 0x22 | data | Chinese | China
RT_MANIFEST | 0x8c2b4 | 0x15a | ASCII text, with CRLF line terminators | English | United States

                        Imports

DLL | Import
KERNEL32.dll | GetOEMCP, GetCommandLineA, RtlUnwind, ExitProcess, HeapReAlloc, RaiseException, HeapSize, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetACP, IsValidCodePage, LCMapStringA, LCMapStringW, HeapCreate, HeapDestroy, GetStdHandle, GetCPInfo, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, GetConsoleCP, GetConsoleMode, GetStringTypeA, GetStringTypeW, GetUserDefaultLCID, EnumSystemLocalesA, IsValidLocale, GetLocaleInfoW, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, GetModuleHandleW, CreateFileA, GetCurrentProcess, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, InterlockedIncrement, TlsFree, LocalReAlloc, TlsSetValue, TlsAlloc, GlobalHandle, GlobalReAlloc, TlsGetValue, LocalAlloc, WritePrivateProfileStringA, GlobalFlags, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSection, GlobalGetAtomNameA, GlobalFindAtomA, lstrcmpW, GetVersionExA, FormatMessageA, LocalFree, lstrlenA, InterlockedDecrement, MulDiv, MultiByteToWideChar, GlobalUnlock, GlobalFree, FreeResource, GlobalAddAtomA, GetCurrentProcessId, GetLastError, GlobalDeleteAtom, GetCurrentThread, GetCurrentThreadId, ConvertDefaultLocale, EnumResourceLanguagesA, GetModuleFileNameA, GetLocaleInfoA, WideCharToMultiByte, CompareStringA, FindResourceA, LoadResource, LockResource, SizeofResource, InterlockedExchange, GlobalLock, lstrcmpA, GlobalAlloc, GetModuleHandleA, CreateThread, CloseHandle, VirtualProtect, LoadLibraryA, VirtualAlloc, GetProcAddress, SetLastError, Sleep, IsBadReadPtr, GetProcessHeap, VirtualFree, HeapFree, HeapAlloc, FreeLibrary, VirtualQuery, SetHandleCount, GetNativeSystemInfo
USER32.dll | LoadCursorA, GetSysColorBrush, SetWindowTextA, IsDialogMessageA, SetDlgItemTextA, GetDlgItemTextA, RegisterWindowMessageA, SendDlgItemMessageA, WinHelpA, GetCapture, GetClassLongA, GetClassNameA, SetPropA, GetPropA, RemovePropA, GetForegroundWindow, GetTopWindow, GetMessageTime, GetMessagePos, MapWindowPoints, SetMenu, SetForegroundWindow, CreateWindowExA, GetClassInfoExA, GetClassInfoA, RegisterClassA, AdjustWindowRectEx, CopyRect, PtInRect, GetDlgCtrlID, DefWindowProcA, CallWindowProcA, SetWindowLongA, SetWindowPos, SystemParametersInfoA, GetWindowPlacement, GetWindowRect, GetMenuItemID, GetMenuItemCount, GetSubMenu, UnhookWindowsHookEx, GetSysColor, EndPaint, BeginPaint, ReleaseDC, GetDC, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, GetWindowTextLengthA, GetWindowTextA, GetWindow, SetFocus, GetDesktopWindow, SetActiveWindow, CreateDialogIndirectParamA, DestroyWindow, IsWindow, GetDlgItem, GetNextDlgTabItem, EndDialog, SetWindowsHookExA, CallNextHookEx, GetMessageA, DestroyMenu, UpdateWindow, TranslateMessage, DispatchMessageA, GetActiveWindow, IsWindowVisible, GetKeyState, PeekMessageA, GetCursorPos, ValidateRect, GetWindowThreadProcessId, GetWindowLongA, GetLastActivePopup, IsWindowEnabled, MessageBoxA, SetCursor, PostQuitMessage, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, LoadBitmapA, GetFocus, GetParent, ModifyMenuA, GetMenuState, EnableMenuItem, CheckMenuItem, SetTimer, IsIconic, KillTimer, LoadIconA, DrawIcon, GetClientRect, SendMessageA, ShowWindow, PostMessageA, GetSystemMetrics, EnableWindow, GetMenu
GDI32.dll | GetStockObject, SelectObject, GetDeviceCaps, DeleteDC, Escape, ExtTextOutA, TextOutA, RectVisible, ScaleWindowExtEx, SetWindowExtEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, CreateBitmap, PtVisible, GetObjectA, DeleteObject, GetClipBox, SetMapMode, SetTextColor, SetBkColor, RestoreDC, SaveDC, SetViewportOrgEx
WINSPOOL.DRV | DocumentPropertiesA, ClosePrinter, OpenPrinterA
ADVAPI32.dll | RegSetValueExA, RegCreateKeyExA, RegQueryValueA, RegOpenKeyA, RegEnumKeyA, RegDeleteKeyA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey
SHLWAPI.dll | PathFindExtensionA
OLEAUT32.dll | VariantClear, VariantChangeType, VariantInit
WS2_32.dll | htons, setsockopt, sendto, htonl, bind, socket, closesocket, inet_addr, recvfrom, WSACleanup, WSAStartup

                        Exports

Name | Ordinal | Address
DllRegisterServer | 1 | 0x1001df20

                        Possible Origin

Language of compilation system | Country where language is spoken
Chinese | China
English | United States

                        Network Behavior

                        Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
01/14/22-19:33:26.871063 | TCP | 2404332 | ET CNC Feodo Tracker Reported CnC Server TCP group 17 | 49727 | 80 | 192.168.2.6 | 45.138.98.34
01/14/22-19:33:28.093726 | TCP | 2404338 | ET CNC Feodo Tracker Reported CnC Server TCP group 20 | 49728 | 8080 | 192.168.2.6 | 69.16.218.101

                        TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 14, 2022 19:51:14.432269096 CET | 49766 | 80 | 192.168.2.6 | 45.138.98.34
Jan 14, 2022 19:51:14.449347019 CET | 80 | 49766 | 45.138.98.34 | 192.168.2.6
Jan 14, 2022 19:51:15.006055117 CET | 49766 | 80 | 192.168.2.6 | 45.138.98.34
Jan 14, 2022 19:51:15.022975922 CET | 80 | 49766 | 45.138.98.34 | 192.168.2.6
Jan 14, 2022 19:51:15.709196091 CET | 49766 | 80 | 192.168.2.6 | 45.138.98.34
Jan 14, 2022 19:51:15.726278067 CET | 80 | 49766 | 45.138.98.34 | 192.168.2.6
Jan 14, 2022 19:51:15.734740973 CET | 49767 | 8080 | 192.168.2.6 | 69.16.218.101
Jan 14, 2022 19:51:15.865607977 CET | 8080 | 49767 | 69.16.218.101 | 192.168.2.6
Jan 14, 2022 19:51:15.865727901 CET | 49767 | 8080 | 192.168.2.6 | 69.16.218.101
Jan 14, 2022 19:51:15.914750099 CET | 49767 | 8080 | 192.168.2.6 | 69.16.218.101
Jan 14, 2022 19:51:16.045454025 CET | 8080 | 49767 | 69.16.218.101 | 192.168.2.6
Jan 14, 2022 19:51:16.058274031 CET | 8080 | 49767 | 69.16.218.101 | 192.168.2.6
Jan 14, 2022 19:51:16.058351994 CET | 8080 | 49767 | 69.16.218.101 | 192.168.2.6
Jan 14, 2022 19:51:16.058367968 CET | 49767 | 8080 | 192.168.2.6 | 69.16.218.101
Jan 14, 2022 19:51:16.058393955 CET | 49767 | 8080 | 192.168.2.6 | 69.16.218.101
Jan 14, 2022 19:51:19.641874075 CET | 49767 | 8080 | 192.168.2.6 | 69.16.218.101
Jan 14, 2022 19:51:19.772330046 CET | 8080 | 49767 | 69.16.218.101 | 192.168.2.6
Jan 14, 2022 19:51:19.772813082 CET | 8080 | 49767 | 69.16.218.101 | 192.168.2.6
Jan 14, 2022 19:51:19.773953915 CET | 49767 | 8080 | 192.168.2.6 | 69.16.218.101
Jan 14, 2022 19:51:19.785267115 CET | 49767 | 8080 | 192.168.2.6 | 69.16.218.101
Jan 14, 2022 19:51:19.916328907 CET | 8080 | 49767 | 69.16.218.101 | 192.168.2.6
Jan 14, 2022 19:51:20.533301115 CET | 8080 | 49767 | 69.16.218.101 | 192.168.2.6
Jan 14, 2022 19:51:20.533576965 CET | 49767 | 8080 | 192.168.2.6 | 69.16.218.101
Jan 14, 2022 19:51:23.531250000 CET | 8080 | 49767 | 69.16.218.101 | 192.168.2.6
Jan 14, 2022 19:51:23.531274080 CET | 8080 | 49767 | 69.16.218.101 | 192.168.2.6
Jan 14, 2022 19:51:23.531445980 CET | 49767 | 8080 | 192.168.2.6 | 69.16.218.101
Jan 14, 2022 19:51:23.531528950 CET | 49767 | 8080 | 192.168.2.6 | 69.16.218.101
Jan 14, 2022 19:53:04.349497080 CET | 49767 | 8080 | 192.168.2.6 | 69.16.218.101
Jan 14, 2022 19:53:04.349536896 CET | 49767 | 8080 | 192.168.2.6 | 69.16.218.101
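The listing above reduces to two flows: six packets, three in each direction, to 45.138.98.34:80 within 1.3 seconds and then nothing more to that host, followed by a 23-packet session to 69.16.218.101:8080 that is still going at 19:53:04. The following is an added example, not part of the report, that rebuilds those flows from the rows above and tags each with the Snort SID for its server. Its only inputs are the packet rows and the two alert destinations transcribed from this page; the 192.168.2.0/24 client side is taken from the capture, and no packet payload or TCP flags are available on the page, so the code does not claim any.

```python
"""Rebuild the TCP flows behind the packet listing above and tie each one to
the Snort alerts: which server each client port talked to, packets in each
direction, and how long the flow lasted. Added example, not part of the
report; the packet rows are transcribed from the table above."""
import re
from datetime import datetime

PACKETS = """
Jan 14, 2022 19:51:14.432269096 CET 49766 80 192.168.2.6 45.138.98.34
Jan 14, 2022 19:51:14.449347019 CET 80 49766 45.138.98.34 192.168.2.6
Jan 14, 2022 19:51:15.006055117 CET 49766 80 192.168.2.6 45.138.98.34
Jan 14, 2022 19:51:15.022975922 CET 80 49766 45.138.98.34 192.168.2.6
Jan 14, 2022 19:51:15.709196091 CET 49766 80 192.168.2.6 45.138.98.34
Jan 14, 2022 19:51:15.726278067 CET 80 49766 45.138.98.34 192.168.2.6
Jan 14, 2022 19:51:15.734740973 CET 49767 8080 192.168.2.6 69.16.218.101
Jan 14, 2022 19:51:15.865607977 CET 8080 49767 69.16.218.101 192.168.2.6
Jan 14, 2022 19:51:15.865727901 CET 49767 8080 192.168.2.6 69.16.218.101
Jan 14, 2022 19:51:15.914750099 CET 49767 8080 192.168.2.6 69.16.218.101
Jan 14, 2022 19:51:16.045454025 CET 8080 49767 69.16.218.101 192.168.2.6
Jan 14, 2022 19:51:16.058274031 CET 8080 49767 69.16.218.101 192.168.2.6
Jan 14, 2022 19:51:16.058351994 CET 8080 49767 69.16.218.101 192.168.2.6
Jan 14, 2022 19:51:16.058367968 CET 49767 8080 192.168.2.6 69.16.218.101
Jan 14, 2022 19:51:16.058393955 CET 49767 8080 192.168.2.6 69.16.218.101
Jan 14, 2022 19:51:19.641874075 CET 49767 8080 192.168.2.6 69.16.218.101
Jan 14, 2022 19:51:19.772330046 CET 8080 49767 69.16.218.101 192.168.2.6
Jan 14, 2022 19:51:19.772813082 CET 8080 49767 69.16.218.101 192.168.2.6
Jan 14, 2022 19:51:19.773953915 CET 49767 8080 192.168.2.6 69.16.218.101
Jan 14, 2022 19:51:19.785267115 CET 49767 8080 192.168.2.6 69.16.218.101
Jan 14, 2022 19:51:19.916328907 CET 8080 49767 69.16.218.101 192.168.2.6
Jan 14, 2022 19:51:20.533301115 CET 8080 49767 69.16.218.101 192.168.2.6
Jan 14, 2022 19:51:20.533576965 CET 49767 8080 192.168.2.6 69.16.218.101
Jan 14, 2022 19:51:23.531250000 CET 8080 49767 69.16.218.101 192.168.2.6
Jan 14, 2022 19:51:23.531274080 CET 8080 49767 69.16.218.101 192.168.2.6
Jan 14, 2022 19:51:23.531445980 CET 49767 8080 192.168.2.6 69.16.218.101
Jan 14, 2022 19:51:23.531528950 CET 49767 8080 192.168.2.6 69.16.218.101
Jan 14, 2022 19:53:04.349497080 CET 49767 8080 192.168.2.6 69.16.218.101
Jan 14, 2022 19:53:04.349536896 CET 49767 8080 192.168.2.6 69.16.218.101
"""
# Snort table above: Feodo Tracker SID keyed by the reported C2 server.
SNORT_CNC = {"45.138.98.34": 2404332, "69.16.218.101": 2404338}
LOCAL_NET = "192.168.2."  # the sandbox client network in this capture

ROW = re.compile(r"^(\w{3} \d+, \d{4} \d\d:\d\d:\d\d\.\d+) CET (\d+) (\d+) (\S+) (\S+)$")


def parse_packets(text):
    rows = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        ts, sport, dport, src, dst = m.groups()
        head, frac = ts.rsplit(".", 1)  # capture has nanoseconds, datetime takes microseconds
        rows.append((datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f"),
                     int(sport), int(dport), src, dst))
    return rows


def build_flows(rows):
    """Group packets by (client ip, client port, server ip, server port); the
    sandbox side is the client, so reply packets fold into the same flow."""
    flows = {}
    for t, sport, dport, src, dst in rows:
        outbound = src.startswith(LOCAL_NET)
        key = (src, sport, dst, dport) if outbound else (dst, dport, src, sport)
        f = flows.setdefault(key, {"out": 0, "in": 0, "first": t, "last": t})
        f["out" if outbound else "in"] += 1
        f["first"], f["last"] = min(f["first"], t), max(f["last"], t)
    return flows


def triage(flows):
    """One record per flow in order of first packet, with the Snort SID when
    the server is one the IDS reported."""
    records = []
    for (cip, cport, sip, sport), f in sorted(flows.items(), key=lambda kv: kv[1]["first"]):
        records.append({"server": f"{sip}:{sport}", "client_port": cport,
                        "pkts_out": f["out"], "pkts_in": f["in"],
                        "duration_s": round((f["last"] - f["first"]).total_seconds(), 3),
                        "sid": SNORT_CNC.get(sip)})
    return records


if __name__ == "__main__":
    for r in triage(build_flows(parse_packets(PACKETS))):
        print(r)
```

Keying flows on the client 4-tuple is what lets the short exchange with the first server and the long session with the second show up as two records rather than four half-flows; the same grouping is what an IDS does before it evaluates a rule such as the Feodo Tracker ones above.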

Behavior

                        System Behavior

                        General

                        Start time:19:50:34
                        Start date:14/01/2022
                        Path:C:\Windows\System32\loaddll32.exe
                        Wow64 process (32bit):true
                        Commandline:loaddll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll"
                        Imagebase:0x810000
                        File size:116736 bytes
                        MD5 hash:7DEB5DB86C0AC789123DEC286286B938
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.410818073.0000000002670000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.437780692.0000000002670000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.410027990.0000000002670000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.410099478.0000000002871000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.410908762.0000000002871000.00000020.00000001.sdmp, Author: Joe Security
                        Reputation:moderate

                        General

                        Start time:19:50:35
                        Start date:14/01/2022
                        Path:C:\Windows\SysWOW64\cmd.exe
                        Wow64 process (32bit):true
                        Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1
                        Imagebase:0x2a0000
                        File size:232960 bytes
                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Start time:19:50:35
                        Start date:14/01/2022
                        Path:C:\Windows\SysWOW64\regsvr32.exe
                        Wow64 process (32bit):true
                        Commandline:regsvr32.exe /s C:\Users\user\Desktop\ALNgwfVtrB.dll
                        Imagebase:0x11e0000
                        File size:20992 bytes
                        MD5 hash:426E7499F6A7346F0410DEAD0805586B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.406521301.00000000009B1000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.406320669.0000000000970000.00000040.00000001.sdmp, Author: Joe Security
                        Reputation:high

                        General

                        Start time:19:50:35
                        Start date:14/01/2022
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1
                        Imagebase:0xde0000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.359482964.0000000002F80000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.359639219.0000000002FD1000.00000020.00000001.sdmp, Author: Joe Security
                        Reputation:high

                        General

                        Start time:19:50:36
                        Start date:14/01/2022
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:rundll32.exe C:\Users\user\Desktop\ALNgwfVtrB.dll,DllRegisterServer
                        Imagebase:0xde0000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.410538874.00000000035A0000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.410931541.00000000053B1000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.410571626.00000000035D1000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.411026981.0000000005491000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.411089485.00000000054F1000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.410893526.0000000005380000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.411057565.00000000054C0000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.410997374.0000000005460000.00000040.00000001.sdmp, Author: Joe Security
                        Reputation:high

                        General

                        Start time:19:50:37
                        Start date:14/01/2022
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",DllRegisterServer
                        Imagebase:0xde0000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.372384163.0000000004DA0000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.372312583.0000000004D40000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.372437748.0000000004DD1000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.372236483.0000000004C11000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.372523153.0000000005100000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.372348962.0000000004D71000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.372199700.0000000004BE0000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.371762481.00000000045A0000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.371838274.00000000045D1000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.372554631.0000000005131000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.372126938.0000000004B01000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.372091623.0000000004AD0000.00000040.00000001.sdmp, Author: Joe Security
                        Reputation:high

                        General

                        Start time:19:50:43
                        Start date:14/01/2022
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hincluwb\rahvarmqzcvvrmz.lrz",dVvBCKXQNgS
                        Imagebase:0xde0000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.375281998.0000000003390000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.375456992.0000000003591000.00000020.00000001.sdmp, Author: Joe Security
                        Reputation:high

                        General

                        Start time:19:50:45
                        Start date:14/01/2022
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Hincluwb\rahvarmqzcvvrmz.lrz",DllRegisterServer
                        Imagebase:0xde0000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Start time:19:51:00
                        Start date:14/01/2022
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",DllRegisterServer
                        Imagebase:0xde0000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Start time:19:51:00
                        Start date:14/01/2022
                        Path:C:\Windows\System32\svchost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                        Imagebase:0x7ff6b7590000
                        File size:51288 bytes
                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Start time:19:51:01
                        Start date:14/01/2022
                        Path:C:\Windows\System32\svchost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                        Imagebase:0x7ff6b7590000
                        File size:51288 bytes
                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Start time:19:51:02
                        Start date:14/01/2022
                        Path:C:\Windows\SysWOW64\WerFault.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6844 -ip 6844
                        Imagebase:0xf30000
                        File size:434592 bytes
                        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Start time:19:51:04
                        Start date:14/01/2022
                        Path:C:\Windows\SysWOW64\WerFault.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6844 -s 540
                        Imagebase:0xf30000
                        File size:434592 bytes
                        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Start time:19:51:23
                        Start date:14/01/2022
                        Path:C:\Windows\System32\svchost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                        Imagebase:0x7ff6b7590000
                        File size:51288 bytes
                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Start time:19:51:42
                        Start date:14/01/2022
                        Path:C:\Windows\System32\svchost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                        Imagebase:0x7ff6b7590000
                        File size:51288 bytes
                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Start time:19:51:52
                        Start date:14/01/2022
                        Path:C:\Windows\System32\svchost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                        Imagebase:0x7ff6b7590000
                        File size:51288 bytes
                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Start time:19:51:54
                        Start date:14/01/2022
                        Path:C:\Windows\System32\svchost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                        Imagebase:0x7ff6b7590000
                        File size:51288 bytes
                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
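A triage pass over the process list above, as an added example and not report output. It runs detections over command lines transcribed from the entries above: rundll32 called with an ordinal (,#1) instead of a named export, rundll32 invoking DllRegisterServer directly, a module loaded from a non-.dll path in a subdirectory of SysWOW64, regsvr32 /s on a file under the user profile, and WerFault naming the crashed process id. It also decodes the Yara match source names into process index, region base and page protection so that hits in writable-and-executable memory can be pulled out. The PAGE_* values are the documented Windows constants; the meaning of the other dump-name fields is inferred from the names on this page and is marked as an assumption in the code.

```python
"""Triage the process list above: flag the command-line patterns that make
this run suspicious and decode where the Yara hits landed in memory. Added
example, not part of the report; inputs are transcribed from the entries above."""
import re

# Command lines transcribed from the System Behavior entries above.
PROCESSES = [
    r'loaddll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll"',
    r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1',
    r'regsvr32.exe /s C:\Users\user\Desktop\ALNgwfVtrB.dll',
    r'rundll32.exe C:\Users\user\Desktop\ALNgwfVtrB.dll,DllRegisterServer',
    r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hincluwb\rahvarmqzcvvrmz.lrz",dVvBCKXQNgS',
    r'C:\Windows\System32\svchost.exe -k netsvcs -p',
    r'C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6844 -ip 6844',
]
# Yara match sources transcribed from the rundll32 entries above.
DUMPS = [
    "00000004.00000002.410538874.00000000035A0000.00000040.00000001.sdmp",
    "00000004.00000002.410931541.00000000053B1000.00000020.00000001.sdmp",
    "00000006.00000002.375281998.0000000003390000.00000040.00000001.sdmp",
]

RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,\s*(\S+)', re.I)
REGSVR = re.compile(r'regsvr32(?:\.exe)?\s+(.*)$', re.I)
WERFAULT = re.compile(r'WerFault\.exe\b.*?-p\s+(\d+)', re.I)
SYSDIR_SUB = re.compile(r'^c:\\windows\\(system32|syswow64)\\[^\\]+\\', re.I)


def classify(cmd):
    """Return the detection tags that fire for one command line."""
    tags = []
    m = RUNDLL.search(cmd)
    if m:
        path, entry = m.group(1), m.group(2)
        if entry.startswith("#"):
            tags.append("rundll32_export_by_ordinal")
        if entry.lower() == "dllregisterserver":
            tags.append("rundll32_calls_DllRegisterServer")
        if not path.lower().endswith(".dll"):
            tags.append("module_without_dll_extension")
        if SYSDIR_SUB.match(path):
            tags.append("module_in_subdir_of_system_dir")
    m = REGSVR.search(cmd)
    if m and "/s" in m.group(1).lower().split() and "\\users\\" in m.group(1).lower():
        tags.append("regsvr32_silent_from_user_profile")
    m = WERFAULT.search(cmd)
    if m:
        tags.append(f"crash_reported_for_pid_{m.group(1)}")
    return tags


# Windows memory protection constants (winnt.h).
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
DUMP = re.compile(r'^(\d{8})\.(\d{8})\.(\d+)\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$')


def decode_dump(name):
    """Split a memory-dump name from the report. Field layout is an assumption
    inferred from the names on this page: process index, stage, dump id,
    region base, page protection (PAGE_* constant), trailing flag (not decoded)."""
    m = DUMP.match(name)
    if not m:
        raise ValueError(f"unexpected dump name: {name!r}")
    proc, stage, _dump_id, base, prot, _flag = m.groups()
    prot = int(prot, 16)
    return {"process": int(proc), "stage": int(stage), "base": int(base, 16),
            "protection": PAGE_PROTECT.get(prot & 0xFF, hex(prot)),
            "writable_and_executable": bool(prot & (0x40 | 0x80))}


def summarize(processes=PROCESSES, dumps=DUMPS):
    flagged = {cmd: classify(cmd) for cmd in processes}
    flagged = {cmd: tags for cmd, tags in flagged.items() if tags}
    rwx = [d for d in map(decode_dump, dumps) if d["writable_and_executable"]]
    return {"flagged": flagged, "rwx_regions": rwx}


if __name__ == "__main__":
    result = summarize()
    for cmd, tags in result["flagged"].items():
        print(tags, "<-", cmd)
    for d in result["rwx_regions"]:
        print(f"process {d['process']} base 0x{d['base']:x} {d['protection']}")
```

The rundll32 rule deliberately parses the module path before the comma rather than matching on ",#1" alone, so the same code handles the quoted and unquoted forms that appear in the list above; the SysWOW64 subdirectory check fires on the copied file regardless of its invented extension.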
