Windows Analysis Report 4NBdOVqTyL

Overview

General Information

Sample Name: 4NBdOVqTyL (renamed file extension from none to dll)
Analysis ID: 553378
MD5: 2b23fdac0d28360136a616b2803c286f
SHA1: 5e730fa1ccfc04c44a34fd385dadc3d03d72d9b3
SHA256: cd5cb5b1c82dd0f301aac47ab966f00b4abc69a24a6a8c789ee7362a2c128537
Tags: 32dllexe

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Changes security center settings (notifications, updates, antivirus, firewall)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 1.2.loaddll32.exe.2410000.0.raw.unpack Malware Configuration Extractor: Emotet {"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"]}
Multi AV Scanner detection for submitted file
Source: 4NBdOVqTyL.dll Virustotal: Detection: 16%
Source: 4NBdOVqTyL.dll ReversingLabs: Detection: 16%

Compliance:

Uses 32bit PE files
Source: 4NBdOVqTyL.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000A.00000003.279991245.0000000005588000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.279928465.0000000005588000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 0000000A.00000003.279976362.0000000005580000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000A.00000003.279908980.0000000004EC1000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000A.00000003.276091697.0000000004BA4000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.279908980.0000000004EC1000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000A.00000003.279991245.0000000005588000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.279928465.0000000005588000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000A.00000003.279919547.0000000005582000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000A.00000003.279991245.0000000005588000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.279928465.0000000005588000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000A.00000003.279908980.0000000004EC1000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000A.00000003.279908980.0000000004EC1000.00000004.00000001.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000A.00000003.279991245.0000000005588000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.279928465.0000000005588000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000A.00000003.279984565.0000000005585000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.279919547.0000000005582000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000A.00000003.279908980.0000000004EC1000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000A.00000003.279984565.0000000005585000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.279919547.0000000005582000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000A.00000003.279991245.0000000005588000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.279928465.0000000005588000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000A.00000003.279908980.0000000004EC1000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000A.00000003.279908980.0000000004EC1000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000A.00000003.279976362.0000000005580000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000A.00000003.279976362.0000000005580000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000A.00000003.279908980.0000000004EC1000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000A.00000003.279976362.0000000005580000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000A.00000003.279991245.0000000005588000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.279928465.0000000005588000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000A.00000003.279908980.0000000004EC1000.00000004.00000001.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 0000000A.00000003.279919547.0000000005582000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000A.00000003.279991245.0000000005588000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.279928465.0000000005588000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000A.00000003.279976362.0000000005580000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000A.00000003.279908980.0000000004EC1000.00000004.00000001.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000A.00000003.279991245.0000000005588000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.279928465.0000000005588000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000A.00000003.279991245.0000000005588000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.279928465.0000000005588000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000A.00000003.279908980.0000000004EC1000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000A.00000003.279908980.0000000004EC1000.00000004.00000001.sdmp
Source: Binary string: awnjrznCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000A.00000002.294194625.0000000002B12000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.7:49769 -> 45.138.98.34:80
Source: Traffic Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.7:49775 -> 69.16.218.101:8080
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 69.16.218.101 144
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.138.98.34 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 45.138.98.34:80
Source: Malware configuration extractor IPs: 69.16.218.101:8080
Source: Malware configuration extractor IPs: 51.210.242.234:8080
Source: Malware configuration extractor IPs: 185.148.168.220:8080
Source: Malware configuration extractor IPs: 142.4.219.173:8080
Source: Malware configuration extractor IPs: 54.38.242.185:443
Source: Malware configuration extractor IPs: 191.252.103.16:80
Source: Malware configuration extractor IPs: 104.131.62.48:8080
Source: Malware configuration extractor IPs: 62.171.178.147:8080
Source: Malware configuration extractor IPs: 217.182.143.207:443
Source: Malware configuration extractor IPs: 168.197.250.14:80
Source: Malware configuration extractor IPs: 37.44.244.177:8080
Source: Malware configuration extractor IPs: 66.42.57.149:443
Source: Malware configuration extractor IPs: 210.57.209.142:8080
Source: Malware configuration extractor IPs: 159.69.237.188:443
Source: Malware configuration extractor IPs: 116.124.128.206:8080
Source: Malware configuration extractor IPs: 128.199.192.135:8080
Source: Malware configuration extractor IPs: 195.154.146.35:443
Source: Malware configuration extractor IPs: 185.148.168.15:8080
Source: Malware configuration extractor IPs: 195.77.239.39:8080
Source: Malware configuration extractor IPs: 207.148.81.119:8080
Source: Malware configuration extractor IPs: 85.214.67.203:8080
Source: Malware configuration extractor IPs: 190.90.233.66:443
Source: Malware configuration extractor IPs: 78.46.73.125:443
Source: Malware configuration extractor IPs: 78.47.204.80:443
Source: Malware configuration extractor IPs: 37.59.209.141:8080
Source: Malware configuration extractor IPs: 54.37.228.122:443
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 207.148.81.119
Source: Joe Sandbox View IP Address: 104.131.62.48
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.7:49775 -> 69.16.218.101:8080
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 12
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: svchost.exe, 0000001F.00000003.445770498.0000020122F92000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.facebook.com (Facebook)
Source: svchost.exe, 0000001F.00000003.445770498.0000020122F92000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.twitter.com (Twitter)
Source: svchost.exe, 0000001F.00000003.445790114.0000020122FA3000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.445770498.0000020122F92000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z||.||d5cdcec3-04df-404e-ba07-3240047c89f9||1152921505694348672||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 0000001F.00000003.445770498.0000020122F92000.00000004.00000001.sdmp String found in binary or memory: Mstrings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify - Music and Podcasts","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NCBCSZSJRSB","Properties":{"FulfillmentData":{"ProductId":"9NCBCSZSJRSB","WuCategoryId":"5c353b9c-7ac7-4d27-af07-923e7d9aa2e2","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","SkuId":"0011"},"FulfillmentType":"WindowsUpdate","FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"Spotify"}],"Architectures":["x86"],"Capabilities":["internetClient","runFullTrust","Microsoft.storeFilter.core.notSupported_8wekyb3d8bbwe"],"ExperienceIds":[],"MaxDownloadSizeInBytes":104380919,"MaxInstallSizeInBytes":203345920,"PackageFormat":"Appx","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","MainPackageFamilyNameForDlc":null,"PackageFullName":"SpotifyAB.SpotifyMusic_1.176.447.0_x86__zpdnekdrzrea0","PackageId":"3fbafb47-f476-4c26-4445-49acb9a726e6-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750754275328,"MinVersion":2814750710366559,"PlatformName":"Windows.Desktop"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.isMain\":false,\"content.packageId\":\"SpotifyAB.SpotifyMusic_1.176.447.0_x86__zpdnekdrzrea0\",\"content.productId\":\"caac1b9d-621b-4f96-b143-e10e1397740a\",\"content.targetPlatforms\":[{\"platform.maxVersionTested\":2814750754275328,\"platform.minVersion\":2814750710366559,\"platform.target\":3}],\"content.type\":7,\"policy\":{\"category.first\":\"app\",\"category.second\":\"Music\",\"optOut.backupRestore\":true,\"optOut.removeableMedia\":false},\"policy2\":{\"ageRating\":3,\"optOut.DVR\":false,\"thirdPartyAppRatings\":[{\"level\":9,\"systemId\":3},{\"le
Source: svchost.exe, 00000006.00000002.605909216.000002862B800000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.468338657.0000020122F00000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000006.00000002.606054502.000002862B86F000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.468183652.00000201226F2000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.438323248.00000201226F2000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.438202775.00000201226F2000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.439895742.00000201226F2000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.21.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 0000001F.00000003.438357353.0000020122F65000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.438039962.0000020123403000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.438019016.0000020123402000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.437990261.0000020122F97000.00000004.00000001.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000006.00000002.605731158.00000286262B2000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.605257783.00000286262AD000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/0
Source: Amcache.hve.10.dr String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 0000000E.00000002.317874297.0000027DDB213000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000C.00000002.780502610.000001715323D000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000C.00000002.780502610.000001715323D000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000C.00000002.780502610.000001715323D000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000E.00000003.315431600.0000027DDB260000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000C.00000002.780502610.000001715323D000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000C.00000002.780502610.000001715323D000.00000004.00000001.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000E.00000003.315527076.0000027DDB249000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000003.315431600.0000027DDB260000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000E.00000002.318066079.0000027DDB23D000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000002.318216228.0000027DDB269000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.315380905.0000027DDB267000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000E.00000003.315431600.0000027DDB260000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000003.315710943.0000027DDB24F000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.315466244.0000027DDB24D000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000E.00000003.293603660.0000027DDB230000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000E.00000002.318066079.0000027DDB23D000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000003.315431600.0000027DDB260000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000E.00000003.315431600.0000027DDB260000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000E.00000003.315431600.0000027DDB260000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000E.00000003.293603660.0000027DDB230000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000E.00000003.315640761.0000027DDB241000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.318084456.0000027DDB242000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.315574324.0000027DDB240000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000E.00000003.315640761.0000027DDB241000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.318084456.0000027DDB242000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.315574324.0000027DDB240000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000E.00000003.315431600.0000027DDB260000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000003.315527076.0000027DDB249000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.318111308.0000027DDB24B000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.315574324.0000027DDB240000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000E.00000003.293603660.0000027DDB230000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=
Source: svchost.exe, 0000001F.00000003.438357353.0000020122F65000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.438039962.0000020123403000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.438019016.0000020123402000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.437990261.0000020122F97000.00000004.00000001.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000000E.00000003.315527076.0000027DDB249000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000E.00000003.315527076.0000027DDB249000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.318111308.0000027DDB24B000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000E.00000003.315527076.0000027DDB249000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.318111308.0000027DDB24B000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000E.00000003.315466244.0000027DDB24D000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000E.00000003.315431600.0000027DDB260000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000E.00000003.293603660.0000027DDB230000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.318066079.0000027DDB23D000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000003.293603660.0000027DDB230000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000E.00000002.318066079.0000027DDB23D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000E.00000002.318066079.0000027DDB23D000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.317874297.0000027DDB213000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000E.00000003.315624929.0000027DDB245000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.315574324.0000027DDB240000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000E.00000003.315624929.0000027DDB245000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.315574324.0000027DDB240000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000E.00000003.293603660.0000027DDB230000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000E.00000003.315665164.0000027DDB239000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.293603660.0000027DDB230000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000E.00000003.315710943.0000027DDB24F000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.315466244.0000027DDB24D000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 0000001F.00000003.438357353.0000020122F65000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.438039962.0000020123403000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.438019016.0000020123402000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.437990261.0000020122F97000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000001F.00000003.438357353.0000020122F65000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.438039962.0000020123403000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.438019016.0000020123402000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.437990261.0000020122F97000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000001F.00000003.439771045.0000020122F86000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.439928882.0000020123419000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.439947599.0000020123402000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10001280 recvfrom, 3_2_10001280

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Potential key logger detected (key state polling based)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 4_2_10027958

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 5.2.rundll32.exe.11e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.3450000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.2410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.2410000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.2410000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.4f10000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.4ea0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.2440000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.2410000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.4ee0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.710000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.1080000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.2410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.3450000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.5220000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.1080000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.1100000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.50c0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.5280000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.4e70000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.2440000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.d90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.4ee0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.4e70000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.5280000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.1200000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.50c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.2440000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4fe0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4fe0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.5250000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.1200000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.2410000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.7d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.10b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.3600000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.5220000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.4d90000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.50f0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.5010000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.295170355.0000000002441000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.319311816.0000000004FE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.264232474.0000000003450000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.264445003.0000000003601000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.271674594.0000000002441000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.311419094.0000000000710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.318504064.00000000011E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.317746254.0000000001101000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.319427752.00000000050C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.318779993.0000000004EE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.319564676.0000000005251000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.351346080.00000000010B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.318608097.0000000004D91000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.317543692.0000000000D90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.319602388.0000000005280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.317818773.0000000001200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.269063962.0000000002410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.269192745.0000000002441000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.319530979.0000000005220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.295121036.0000000002410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.351308553.0000000001080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.271620291.0000000002410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.318684339.0000000004E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.319354268.0000000005011000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.318831787.0000000004F11000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.318726166.0000000004EA1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.311608118.00000000007D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.318456425.0000000001190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.319460126.00000000050F1000.00000020.00000001.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files
Source: 4NBdOVqTyL.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
One or more processes crash
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5652 -ip 5652
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Qpmpohowskn\yxodzrkk.uat:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Qpmpohowskn\
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0245EFDD 1_2_0245EFDD
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0244A445 1_2_0244A445
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02454244 1_2_02454244
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0244E640 1_2_0244E640
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0245F840 1_2_0245F840
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02447442 1_2_02447442
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0245B257 1_2_0245B257
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02452E5D 1_2_02452E5D
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02460A64 1_2_02460A64
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02454A66 1_2_02454A66
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02463263 1_2_02463263
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0244DE74 1_2_0244DE74
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0245A474 1_2_0245A474
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0245DC71 1_2_0245DC71
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0244A871 1_2_0244A871
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02447078 1_2_02447078
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02447E79 1_2_02447E79
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0245567B 1_2_0245567B
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02458806 1_2_02458806
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02459A01 1_2_02459A01
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02457A0F 1_2_02457A0F
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02462009 1_2_02462009
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0244B820 1_2_0244B820
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02448636 1_2_02448636
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02443431 1_2_02443431
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_024480C0 1_2_024480C0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0245CAD5 1_2_0245CAD5
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0245CCD9 1_2_0245CCD9
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0245D8DB 1_2_0245D8DB
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0245E4E5 1_2_0245E4E5
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_024600EF 1_2_024600EF
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0244F0E9 1_2_0244F0E9
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02463EE9 1_2_02463EE9
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0245BEFD 1_2_0245BEFD
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0245A2A5 1_2_0245A2A5
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02441CA1 1_2_02441CA1
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_024636AA 1_2_024636AA
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0244BAA9 1_2_0244BAA9
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02453EAA 1_2_02453EAA
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02450EBC 1_2_02450EBC
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_024646BD 1_2_024646BD
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0244C6B8 1_2_0244C6B8
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02450ABA 1_2_02450ABA
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02452142 1_2_02452142
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0244D14C 1_2_0244D14C
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0245654A 1_2_0245654A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0245E955 1_2_0245E955
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02462D53 1_2_02462D53
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0245FF58 1_2_0245FF58
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02457D5B 1_2_02457D5B
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0244F369 1_2_0244F369
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02454F74 1_2_02454F74
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02459774 1_2_02459774
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02455779 1_2_02455779
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02446B7A 1_2_02446B7A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0245017B 1_2_0245017B
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0245437A 1_2_0245437A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0244EF0C 1_2_0244EF0C
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0245AD08 1_2_0245AD08
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02462B09 1_2_02462B09
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0244670B 1_2_0244670B
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02455515 1_2_02455515
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02455333 1_2_02455333
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02458D3D 1_2_02458D3D
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02441F38 1_2_02441F38
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0245C5D5 1_2_0245C5D5
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0244E7DE 1_2_0244E7DE
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0245FBDE 1_2_0245FBDE
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0244C5D8 1_2_0244C5D8
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_024567E6 1_2_024567E6
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02459DF5 1_2_02459DF5
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_024507F4 1_2_024507F4
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02444BFC 1_2_02444BFC
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_024585FF 1_2_024585FF
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_024455FF 1_2_024455FF
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_024527F9 1_2_024527F9
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0245E1F8 1_2_0245E1F8
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02453D85 1_2_02453D85
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02456187 1_2_02456187
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02450F86 1_2_02450F86
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0244238C 1_2_0244238C
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0244FB8E 1_2_0244FB8E
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02442194 1_2_02442194
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_024477A3 1_2_024477A3
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02458FAE 1_2_02458FAE
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_024607AA 1_2_024607AA
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0245D1BC 1_2_0245D1BC
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0244BFBE 1_2_0244BFBE
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_024617BD 1_2_024617BD
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_024457B8 1_2_024457B8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1004091B 3_2_1004091B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_100291F6 3_2_100291F6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1002EACF 3_2_1002EACF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_100403D7 3_2_100403D7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1004250B 3_2_1004250B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10041557 3_2_10041557
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10035D96 3_2_10035D96
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_100395A1 3_2_100395A1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10040E5F 3_2_10040E5F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100291F6 4_2_100291F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1002F378 4_2_1002F378
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100403D7 4_2_100403D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1004250B 4_2_1004250B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10041557 4_2_10041557
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100395A1 4_2_100395A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1002F784 4_2_1002F784
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1004091B 4_2_1004091B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1002EACF 4_2_1002EACF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1002FBA4 4_2_1002FBA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10035D96 4_2_10035D96
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10040E5F 4_2_10040E5F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1002EFA4 4_2_1002EFA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011E670B 5_2_011E670B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011FAD08 5_2_011FAD08
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011FFF58 5_2_011FFF58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011FE955 5_2_011FE955
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011F654A 5_2_011F654A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011F2142 5_2_011F2142
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_012017BD 5_2_012017BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011FEFDD 5_2_011FEFDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011EC5D8 5_2_011EC5D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011F85FF 5_2_011F85FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011E91F6 5_2_011E91F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011F7A0F 5_2_011F7A0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01202009 5_2_01202009
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011FB257 5_2_011FB257
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011EDE74 5_2_011EDE74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011F4A66 5_2_011F4A66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011F5515 5_2_011F5515
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011EEF0C 5_2_011EEF0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011F8D3D 5_2_011F8D3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011E1F38 5_2_011E1F38
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01202B09 5_2_01202B09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011F5333 5_2_011F5333
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011F7D5B 5_2_011F7D5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011ED14C 5_2_011ED14C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011F017B 5_2_011F017B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011E6B7A 5_2_011E6B7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011F437A 5_2_011F437A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011F5779 5_2_011F5779
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011F9774 5_2_011F9774
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011F4F74 5_2_011F4F74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01202D53 5_2_01202D53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011EF369 5_2_011EF369
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011E2194 5_2_011E2194
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_012007AA 5_2_012007AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011EFB8E 5_2_011EFB8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011E238C 5_2_011E238C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011F6187 5_2_011F6187
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011F0F86 5_2_011F0F86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011F3D85 5_2_011F3D85
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011EBFBE 5_2_011EBFBE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011FD1BC 5_2_011FD1BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011E57B8 5_2_011E57B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011F8FAE 5_2_011F8FAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011E77A3 5_2_011E77A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011EE7DE 5_2_011EE7DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011FFBDE 5_2_011FFBDE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011FC5D5 5_2_011FC5D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011E55FF 5_2_011E55FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011E4BFC 5_2_011E4BFC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011F27F9 5_2_011F27F9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011FE1F8 5_2_011FE1F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011F9DF5 5_2_011F9DF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011F07F4 5_2_011F07F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011F67E6 5_2_011F67E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011F8806 5_2_011F8806
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011F9A01 5_2_011F9A01
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011E3431 5_2_011E3431
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011EB820 5_2_011EB820
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011F2E5D 5_2_011F2E5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01203263 5_2_01203263
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01200A64 5_2_01200A64
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10030E38 appears 49 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10030535 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030E38 appears 55 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10030535 appears 86 times
PE file contains strange resources
Source: 4NBdOVqTyL.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
Source: 4NBdOVqTyL.dll Virustotal: Detection: 16%
Source: 4NBdOVqTyL.dll ReversingLabs: Detection: 16%
Source: 4NBdOVqTyL.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\4NBdOVqTyL.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\4NBdOVqTyL.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\4NBdOVqTyL.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\4NBdOVqTyL.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\4NBdOVqTyL.dll,DllRegisterServer
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\4NBdOVqTyL.dll",DllRegisterServer
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5652 -ip 5652
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5652 -s 524
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\4NBdOVqTyL.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Qpmpohowskn\yxodzrkk.uat",KEPxusHldvFY
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Qpmpohowskn\yxodzrkk.uat",DllRegisterServer
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\4NBdOVqTyL.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\4NBdOVqTyL.dll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\4NBdOVqTyL.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\4NBdOVqTyL.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\4NBdOVqTyL.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\4NBdOVqTyL.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Qpmpohowskn\yxodzrkk.uat",KEPxusHldvFY
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5652 -ip 5652
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5652 -s 524
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Qpmpohowskn\yxodzrkk.uat",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\System32\svchost.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1253.tmp
Source: classification engine Classification label: mal100.troj.evad.winDLL@36/17@0/29
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\4NBdOVqTyL.dll",#1
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:800:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5652
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:2132:64:WilError_01
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10021183 LoadResource,LockResource,SizeofResource, 3_2_10021183
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000A.00000003.279991245.0000000005588000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.279928465.0000000005588000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 0000000A.00000003.279976362.0000000005580000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000A.00000003.279908980.0000000004EC1000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000A.00000003.276091697.0000000004BA4000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.279908980.0000000004EC1000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000A.00000003.279991245.0000000005588000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.279928465.0000000005588000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000A.00000003.279919547.0000000005582000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000A.00000003.279991245.0000000005588000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.279928465.0000000005588000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000A.00000003.279908980.0000000004EC1000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000A.00000003.279908980.0000000004EC1000.00000004.00000001.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000A.00000003.279991245.0000000005588000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.279928465.0000000005588000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000A.00000003.279984565.0000000005585000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.279919547.0000000005582000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000A.00000003.279908980.0000000004EC1000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000A.00000003.279984565.0000000005585000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.279919547.0000000005582000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000A.00000003.279991245.0000000005588000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.279928465.0000000005588000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000A.00000003.279908980.0000000004EC1000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000A.00000003.279908980.0000000004EC1000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000A.00000003.279976362.0000000005580000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000A.00000003.279976362.0000000005580000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000A.00000003.279908980.0000000004EC1000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000A.00000003.279976362.0000000005580000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000A.00000003.279991245.0000000005588000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.279928465.0000000005588000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000A.00000003.279908980.0000000004EC1000.00000004.00000001.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 0000000A.00000003.279919547.0000000005582000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000A.00000003.279991245.0000000005588000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.279928465.0000000005588000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000A.00000003.279976362.0000000005580000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000A.00000003.279908980.0000000004EC1000.00000004.00000001.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000A.00000003.279991245.0000000005588000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.279928465.0000000005588000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000A.00000003.279991245.0000000005588000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.279928465.0000000005588000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000A.00000003.279908980.0000000004EC1000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000A.00000003.279908980.0000000004EC1000.00000004.00000001.sdmp
Source: Binary string: awnjrznCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000A.00000002.294194625.0000000002B12000.00000004.00000001.sdmp
Source: 4NBdOVqTyL.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 4NBdOVqTyL.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 4NBdOVqTyL.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 4NBdOVqTyL.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 4NBdOVqTyL.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02441195 push cs; iretd 1_2_02441197
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1003060D push ecx; ret 3_2_10030620
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10030E7D push ecx; ret 3_2_10030E90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1003060D push ecx; ret 4_2_10030620
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10030E7D push ecx; ret 4_2_10030E90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011E1195 push cs; iretd 5_2_011E1197
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1003E278 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 3_2_1003E278
PE file contains an invalid checksum
Source: 4NBdOVqTyL.dll Static PE information: real checksum: 0x970bf should be: 0x9bc74
Registers a DLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\4NBdOVqTyL.dll

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Qpmpohowskn\yxodzrkk.uat

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Qpmpohowskn\yxodzrkk.uat:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Rfvwwqpmezfct\nnxyp.oiy:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect, 3_2_100250A3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1001DFC0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 3_2_1001DFC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect, 4_2_100250A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001DFC0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 4_2_1001DFC0
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\svchost.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 4808 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5860 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5828 Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\regsvr32.exe API coverage: 5.5 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 5.3 %
Source: C:\Windows\System32\svchost.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 00000006.00000002.605605024.0000028626229000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW ?
Source: Amcache.hve.10.dr Binary or memory string: VMware
Source: Amcache.hve.10.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: svchost.exe, 00000006.00000002.606037381.000002862B861000.00000004.00000001.sdmp Binary or memory string: "@Hyper-V RAW(@
Source: Amcache.hve.10.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.10.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.10.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.10.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.10.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.dr Binary or memory string: VMware7,1
Source: Amcache.hve.10.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.10.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: svchost.exe, 00000006.00000002.606008946.000002862B854000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.468183652.00000201226F2000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.438323248.00000201226F2000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.468067650.0000020122670000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.438202775.00000201226F2000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.439895742.00000201226F2000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.10.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.10.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.10.dr Binary or memory string: VMware, Inc.me
Source: Amcache.hve.10.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.10.dr Binary or memory string: VMware-42 35 44 6e 75 85 11 47-bd a2 bb ed 21 43 9f 89
Source: svchost.exe, 0000000C.00000002.780502610.000001715323D000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000002.780556656.00000237F9E29000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.10.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_1002DB0D
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1003E278 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 3_2_1003E278
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10002D40 SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,SetLastError,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError, 3_2_10002D40
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0244F7F7 mov eax, dword ptr fs:[00000030h] 1_2_0244F7F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011EF7F7 mov eax, dword ptr fs:[00000030h] 5_2_011EF7F7
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0244EC31 LdrInitializeThunk, 1_2_0244EC31
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_1003A8D4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_1002DB0D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10032CB9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_10032CB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_1003A8D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_1002DB0D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10032CB9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_10032CB9

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 69.16.218.101 144
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.138.98.34 80
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\4NBdOVqTyL.dll",#1
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5652 -ip 5652
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5652 -s 524
Source: loaddll32.exe, 00000001.00000000.271456102.0000000000E60000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.268957280.0000000000E60000.00000002.00020000.sdmp Binary or memory string: uProgram Manager
Source: loaddll32.exe, 00000001.00000000.271456102.0000000000E60000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.268957280.0000000000E60000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000001.00000000.271456102.0000000000E60000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.268957280.0000000000E60000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000001.00000000.271456102.0000000000E60000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.268957280.0000000000E60000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA, 3_2_1003E000
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, 3_2_1003D098
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 3_2_1003D8C5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 3_2_1003D95D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 3_2_1003D9D1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l, 3_2_1003F9F4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 3_2_1003EA86
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA, 3_2_1002129B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA, 3_2_1003EABA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 3_2_1003D35E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 3_2_1003DBA3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 3_2_1003EBF9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 3_2_1003DC64
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 3_2_1003DCCB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 3_2_1003DD07
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 3_2_1003850E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement, 3_2_1003CE40
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 3_2_1003D7AE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 3_2_1003C7D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 4_2_1003E000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, 4_2_1003D098
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA, 4_2_1002129B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 4_2_1003D35E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 4_2_1003850E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 4_2_1003D7AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 4_2_1003C7D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 4_2_1003D8C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 4_2_1003D95D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 4_2_1003D9D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l, 4_2_1003F9F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 4_2_1003EA86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA, 4_2_1003EABA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 4_2_1003DBA3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 4_2_1003EBF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 4_2_1003DC64
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 4_2_1003DCCB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 4_2_1003DD07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement, 4_2_1003CE40
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1003732F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 3_2_1003732F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10024F01 _memset,GetVersionExA, 3_2_10024F01

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 00000010.00000002.780637344.0000027F36434000.00000004.00000001.sdmp Binary or memory string: ender\MsMpeng.exe
Source: Amcache.hve.10.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: svchost.exe, 00000010.00000002.780668076.0000027F3643D000.00000004.00000001.sdmp Binary or memory string: (@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000010.00000002.780727749.0000027F36502000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 5.2.rundll32.exe.11e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.3450000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.2410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.2410000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.2410000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.4f10000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.4ea0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.2440000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.2410000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.4ee0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.710000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.1080000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.2410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.3450000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.5220000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.1080000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.1100000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.50c0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.5280000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.4e70000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.2440000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.d90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.4ee0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.4e70000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.5280000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.1200000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.50c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.loaddll32.exe.2440000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4fe0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4fe0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.5250000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.1200000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.2410000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.7d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.10b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.3600000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.5220000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.4d90000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.50f0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.5010000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.295170355.0000000002441000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.319311816.0000000004FE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.264232474.0000000003450000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.264445003.0000000003601000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.271674594.0000000002441000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.311419094.0000000000710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.318504064.00000000011E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.317746254.0000000001101000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.319427752.00000000050C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.318779993.0000000004EE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.319564676.0000000005251000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.351346080.00000000010B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.318608097.0000000004D91000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.317543692.0000000000D90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.319602388.0000000005280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.317818773.0000000001200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.269063962.0000000002410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.269192745.0000000002441000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.319530979.0000000005220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.295121036.0000000002410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.351308553.0000000001080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.271620291.0000000002410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.318684339.0000000004E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.319354268.0000000005011000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.318831787.0000000004F11000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.318726166.0000000004EA1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.311608118.00000000007D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.318456425.0000000001190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.319460126.00000000050F1000.00000020.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10001160 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt, 3_2_10001160
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10001160 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt, 4_2_10001160