Windows Analysis Report 2gyA5uNl6VPQUA.dll

Overview

General Information

Sample Name:	2gyA5uNl6VPQUA.dll
Analysis ID:	532048
MD5:	5e20cb3466b66a9cdeac1ac74d9862e4
SHA1:	28ef4facb366de1fc7da62b975c8967997527c36
SHA256:	208939e34f46846c7c95383c6fea7813038b4dea87ea3819c157ccfbbf8aa09a
Tags:	dll
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Sigma detected: Emotet RunDLL32 Process Creation

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Abnormal high CPU Usage

AV process strings found (often used to terminate AV products)

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Checks if the current process is being debugged

Connects to several IPs in different countries

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 5.2.rundll32.exe.7e0000.0.unpack

Malware Configuration Extractor: Emotet {"C2 list": ["46.55.222.11:443", "104.245.52.73:8080", "41.76.108.46:8080", "103.8.26.103:8080", "185.184.25.237:8080", "103.8.26.102:8080", "203.114.109.124:443", "45.118.115.99:8080", "178.79.147.66:8080", "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443", "195.154.133.20:443", "45.142.114.231:8080", "212.237.5.209:443", "207.38.84.195:8080", "104.251.214.46:8080", "212.237.17.99:8080", "212.237.56.116:7080", "216.158.226.206:443", "110.232.117.186:8080", "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080", "81.0.236.90:443", "50.116.54.215:443", "138.185.72.26:8080", "51.68.175.8:8080", "210.57.217.132:8080"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2"]}

Multi AV Scanner detection for submitted file

Source: 2gyA5uNl6VPQUA.dll

Virustotal: Detection: 17%

Perma Link

Compliance:

Uses 32bit PE files

Source: 2gyA5uNl6VPQUA.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE

Source: unknown

HTTPS traffic detected: 46.55.222.11:443 -> 192.168.2.3:49806 version: TLS 1.2

Source: 2gyA5uNl6VPQUA.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000013.00000003.590625804.0000000005281000.00000004.00000001.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000013.00000003.590625804.0000000005281000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000013.00000003.590625804.0000000005281000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000013.00000003.590625804.0000000005281000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000013.00000003.590625804.0000000005281000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000013.00000003.590625804.0000000005281000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000013.00000003.590625804.0000000005281000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000013.00000003.590625804.0000000005281000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000013.00000003.590625804.0000000005281000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000013.00000003.590625804.0000000005281000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 00000013.00000003.590625804.0000000005281000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000013.00000003.590625804.0000000005281000.00000004.00000001.sdmp

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E9E2FE7 FindFirstFileExW,	1_2_6E9E2FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E9E2FE7 FindFirstFileExW,	3_2_6E9E2FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 25_2_012018AC FindFirstFileW,	25_2_012018AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 25_2_01201750 FindFirstFileW,	25_2_01201750
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 25_2_0120183F FindFirstFileW,	25_2_0120183F

Networking:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 46.55.222.11 187

Source: Malware configuration extractor	IPs: 46.55.222.11:443
Source: Malware configuration extractor	IPs: 104.245.52.73:8080
Source: Malware configuration extractor	IPs: 41.76.108.46:8080
Source: Malware configuration extractor	IPs: 103.8.26.103:8080
Source: Malware configuration extractor	IPs: 185.184.25.237:8080
Source: Malware configuration extractor	IPs: 103.8.26.102:8080
Source: Malware configuration extractor	IPs: 203.114.109.124:443
Source: Malware configuration extractor	IPs: 45.118.115.99:8080
Source: Malware configuration extractor	IPs: 178.79.147.66:8080
Source: Malware configuration extractor	IPs: 58.227.42.236:80
Source: Malware configuration extractor	IPs: 45.118.135.203:7080
Source: Malware configuration extractor	IPs: 103.75.201.2:443
Source: Malware configuration extractor	IPs: 195.154.133.20:443
Source: Malware configuration extractor	IPs: 45.142.114.231:8080
Source: Malware configuration extractor	IPs: 212.237.5.209:443
Source: Malware configuration extractor	IPs: 207.38.84.195:8080
Source: Malware configuration extractor	IPs: 104.251.214.46:8080
Source: Malware configuration extractor	IPs: 212.237.17.99:8080
Source: Malware configuration extractor	IPs: 212.237.56.116:7080
Source: Malware configuration extractor	IPs: 216.158.226.206:443
Source: Malware configuration extractor	IPs: 110.232.117.186:8080
Source: Malware configuration extractor	IPs: 158.69.222.101:443
Source: Malware configuration extractor	IPs: 107.182.225.142:8080
Source: Malware configuration extractor	IPs: 176.104.106.96:8080
Source: Malware configuration extractor	IPs: 81.0.236.90:443
Source: Malware configuration extractor	IPs: 50.116.54.215:443
Source: Malware configuration extractor	IPs: 138.185.72.26:8080
Source: Malware configuration extractor	IPs: 51.68.175.8:8080
Source: Malware configuration extractor	IPs: 210.57.217.132:8080

Source: Joe Sandbox View	ASN Name: OnlineSASFR OnlineSASFR
Source: Joe Sandbox View	ASN Name: ARUBA-ASNIT ARUBA-ASNIT

Source: Joe Sandbox View	IP Address: 195.154.133.20 195.154.133.20
Source: Joe Sandbox View	IP Address: 212.237.17.99 212.237.17.99

Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806

Source: unknown	TCP traffic detected without corresponding DNS query: 46.55.222.11
Source: unknown	TCP traffic detected without corresponding DNS query: 46.55.222.11
Source: unknown	TCP traffic detected without corresponding DNS query: 46.55.222.11
Source: unknown	TCP traffic detected without corresponding DNS query: 46.55.222.11
Source: unknown	TCP traffic detected without corresponding DNS query: 46.55.222.11
Source: unknown	TCP traffic detected without corresponding DNS query: 46.55.222.11
Source: unknown	TCP traffic detected without corresponding DNS query: 46.55.222.11
Source: unknown	TCP traffic detected without corresponding DNS query: 46.55.222.11
Source: unknown	TCP traffic detected without corresponding DNS query: 46.55.222.11
Source: unknown	TCP traffic detected without corresponding DNS query: 46.55.222.11

Source: rundll32.exe, 00000019.00000002.816080192.000000000117E000.00000004.00000001.sdmp, rundll32.exe, 00000019.00000003.794999609.000000000117E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.714011218.0000023EE6500000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000001B.00000002.713879734.0000023EE5CEF000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000001B.00000003.688588185.0000023EE657F000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.688701923.0000023EE65D0000.00000004.00000001.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: Amcache.hve.19.dr	String found in binary or memory: http://upx.sf.net
Source: rundll32.exe, 00000019.00000002.816002840.000000000115E000.00000004.00000001.sdmp	String found in binary or memory: https://46.55.222.11/
Source: rundll32.exe, 00000019.00000002.815929088.0000000001137000.00000004.00000020.sdmp	String found in binary or memory: https://46.55.222.11/UKKmNexCiEZNdWysJnUxJeBGVUutat
Source: rundll32.exe, 00000019.00000002.815886128.000000000110A000.00000004.00000020.sdmp	String found in binary or memory: https://46.55.222.11/UKKmNexCiEZNdWysJnUxJeBGVUutatZ
Source: svchost.exe, 0000001B.00000003.688588185.0000023EE657F000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.688701923.0000023EE65D0000.00000004.00000001.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000001B.00000003.688588185.0000023EE657F000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.688701923.0000023EE65D0000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000001B.00000003.688588185.0000023EE657F000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.688701923.0000023EE65D0000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000001B.00000003.694452575.0000023EE658F000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.694431854.0000023EE65A6000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.694469243.0000023EE6A02000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.694398444.0000023EE65A6000.00000004.00000001.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Source: Yara match	File source: 1.0.loaddll32.exe.930000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.812098.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.f90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.930000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.a63b70.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.a63b70.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.a63b70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.930000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.a63b70.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.930000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.930000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.930000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.930000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.ec0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.7e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.eb2170.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.f90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.eb2170.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.852098.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.a63b70.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.a63b70.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.a63b70.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.rundll32.exe.1200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.rundll32.exe.1200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.930000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.ec0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.930000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.852098.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.570000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.930000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.7e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.570000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.f42468.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.a63b70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.a63b70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.f42468.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.12d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.a63b70.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.12d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.812098.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000019.00000003.778115242.000000000112B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.578776757.0000000000A5D000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.578455384.00000000007FA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.596108665.0000000000A5D000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.595999827.0000000000930000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.549793958.0000000000F90000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.663770243.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.578639964.0000000000930000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.586858412.0000000000A5D000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.578325190.0000000000570000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.816294229.0000000001200000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.513859712.0000000003649000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.586723752.0000000000930000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.584768753.0000000000930000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.663823655.0000000000F2A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.585019489.0000000000A5D000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.567434432.0000000000A5D000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.564974375.0000000000930000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.538768779.0000000000E9A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.550893742.00000000012D0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.557633995.00000000007E0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.557657494.000000000083A000.00000004.00000020.sdmp, type: MEMORY

Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6E9C1C10 appears 97 times
Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6E9DD350 appears 33 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6E9C1C10 appears 97 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6E9DD350 appears 33 times

Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\2gyA5uNl6VPQUA.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2gyA5uNl6VPQUA.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2gyA5uNl6VPQUA.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2gyA5uNl6VPQUA.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2gyA5uNl6VPQUA.dll,axamexdrqyrgb
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2gyA5uNl6VPQUA.dll,bhramccfbdd
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\2gyA5uNl6VPQUA.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Qrcyfrqyrevqn\zfjlg.mpd",GeWefLGOgdb
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\2gyA5uNl6VPQUA.dll",Control_RunDLL
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6376 -ip 6376
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\2gyA5uNl6VPQUA.dll",Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6376 -s 304
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 164 -p 6376 -ip 6376
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6376 -s 308
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Qrcyfrqyrevqn\zfjlg.mpd",Control_RunDLL
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2gyA5uNl6VPQUA.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2gyA5uNl6VPQUA.dll,Control_RunDLL	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2gyA5uNl6VPQUA.dll,axamexdrqyrgb	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2gyA5uNl6VPQUA.dll,bhramccfbdd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2gyA5uNl6VPQUA.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Qrcyfrqyrevqn\zfjlg.mpd",GeWefLGOgdb	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\2gyA5uNl6VPQUA.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\2gyA5uNl6VPQUA.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\2gyA5uNl6VPQUA.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Qrcyfrqyrevqn\zfjlg.mpd",Control_RunDLL	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6376 -ip 6376	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6376 -s 304	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 164 -p 6376 -ip 6376	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6376 -s 308	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6376
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:6284:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:7092:64:WilError_01

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0093151C push ds; ret	1_2_00931527
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0093150F push ds; ret	1_2_00931527
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E9E9153 push ecx; ret	1_2_6E9E9166
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_012D150F push ds; ret	3_2_012D1527
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_012D151C push ds; ret	3_2_012D1527
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E9E9153 push ecx; ret	3_2_6E9E9166
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 25_2_0120150F push ds; ret	25_2_01201527
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 25_2_0120151C push ds; ret	25_2_01201527

Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.19.dr	Binary or memory string: VMware
Source: Amcache.hve.19.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.19.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.19.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.19.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.19.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.19.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.19.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.19.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.19.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.19.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: rundll32.exe, 00000019.00000003.795038474.000000000115E000.00000004.00000001.sdmp, rundll32.exe, 00000019.00000002.815929088.0000000001137000.00000004.00000020.sdmp, rundll32.exe, 00000019.00000002.816002840.000000000115E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.713723013.0000023EE5C70000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.713872119.0000023EE5CE5000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.19.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.19.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.19.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.19.dr	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.19.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.19.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00944315 mov eax, dword ptr fs:[00000030h]	1_2_00944315
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E9DC050 mov eax, dword ptr fs:[00000030h]	1_2_6E9DC050
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E9DBFE0 mov esi, dword ptr fs:[00000030h]	1_2_6E9DBFE0
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E9DBFE0 mov eax, dword ptr fs:[00000030h]	1_2_6E9DBFE0
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E9E12CB mov ecx, dword ptr fs:[00000030h]	1_2_6E9E12CB
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E9E298C mov eax, dword ptr fs:[00000030h]	1_2_6E9E298C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_012E4315 mov eax, dword ptr fs:[00000030h]	3_2_012E4315
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E9DC050 mov eax, dword ptr fs:[00000030h]	3_2_6E9DC050
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E9DBFE0 mov esi, dword ptr fs:[00000030h]	3_2_6E9DBFE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E9DBFE0 mov eax, dword ptr fs:[00000030h]	3_2_6E9DBFE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E9E12CB mov ecx, dword ptr fs:[00000030h]	3_2_6E9E12CB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E9E298C mov eax, dword ptr fs:[00000030h]	3_2_6E9E298C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 25_2_01214315 mov eax, dword ptr fs:[00000030h]	25_2_01214315

Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E9DCB22 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_6E9DCB22
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E9DD1CC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_6E9DD1CC
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E9E29E6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_6E9E29E6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E9DCB22 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_6E9DCB22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E9DD1CC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6E9DD1CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E9E29E6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6E9E29E6

Source: svchost.exe, 00000000.00000002.816329484.000001D51B790000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.575281363.00000000010A0000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.585221007.00000000010A0000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.586969396.00000000010A0000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.578890630.00000000010A0000.00000002.00020000.sdmp, rundll32.exe, 00000019.00000002.817345899.0000000003560000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: svchost.exe, 00000000.00000002.816329484.000001D51B790000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.575281363.00000000010A0000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.585221007.00000000010A0000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.586969396.00000000010A0000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.578890630.00000000010A0000.00000002.00020000.sdmp, rundll32.exe, 00000019.00000002.817345899.0000000003560000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: svchost.exe, 00000000.00000002.816329484.000001D51B790000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.575281363.00000000010A0000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.585221007.00000000010A0000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.586969396.00000000010A0000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.578890630.00000000010A0000.00000002.00020000.sdmp, rundll32.exe, 00000019.00000002.817345899.0000000003560000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: svchost.exe, 00000000.00000002.816329484.000001D51B790000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.575281363.00000000010A0000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.585221007.00000000010A0000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.586969396.00000000010A0000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.578890630.00000000010A0000.00000002.00020000.sdmp, rundll32.exe, 00000019.00000002.817345899.0000000003560000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: Amcache.hve.19.dr, Amcache.hve.LOG1.19.dr	Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.19.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.19.dr, Amcache.hve.LOG1.19.dr	Binary or memory string: procexp.exe

Windows Analysis Report 2gyA5uNl6VPQUA.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Spreading:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

IP	Domain	Country	ASN	ASN Name	Malicious
195.154.133.20	unknown	France	12876	OnlineSASFR	true
212.237.17.99	unknown	Italy	31034	ARUBA-ASNIT	true
110.232.117.186	unknown	Australia	56038	RACKCORP-APRackCorpAU	true
104.245.52.73	unknown	United States	63251	METRO-WIRELESSUS	true
138.185.72.26	unknown	Brazil	264343	EmpasoftLtdaMeBR	true
81.0.236.90	unknown	Czech Republic	15685	CASABLANCA-ASInternetCollocationProviderCZ	true
45.118.115.99	unknown	Indonesia	131717	IDNIC-CIFO-AS-IDPTCitraJelajahInformatikaID	true
103.75.201.2	unknown	Thailand	133496	CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH	true
216.158.226.206	unknown	United States	19318	IS-AS-1US	true
107.182.225.142	unknown	United States	32780	HOSTINGSERVICES-INCUS	true
45.118.135.203	unknown	Japan	63949	LINODE-APLinodeLLCUS	true
50.116.54.215	unknown	United States	63949	LINODE-APLinodeLLCUS	true
51.68.175.8	unknown	France	16276	OVHFR	true
103.8.26.102	unknown	Malaysia	132241	SKSATECH1-MYSKSATECHNOLOGYSDNBHDMY	true
46.55.222.11	unknown	Bulgaria	34841	BALCHIKNETBG	true
41.76.108.46	unknown	South Africa	327979	DIAMATRIXZA	true
103.8.26.103	unknown	Malaysia	132241	SKSATECH1-MYSKSATECHNOLOGYSDNBHDMY	true
178.79.147.66	unknown	United Kingdom	63949	LINODE-APLinodeLLCUS	true
212.237.5.209	unknown	Italy	31034	ARUBA-ASNIT	true
176.104.106.96	unknown	Serbia	198371	NINETRS	true
207.38.84.195	unknown	United States	30083	AS-30083-GO-DADDY-COM-LLCUS	true
212.237.56.116	unknown	Italy	31034	ARUBA-ASNIT	true
45.142.114.231	unknown	Germany	44066	DE-FIRSTCOLOwwwfirst-colonetDE	true
203.114.109.124	unknown	Thailand	131293	TOT-LLI-AS-APTOTPublicCompanyLimitedTH	true
210.57.217.132	unknown	Indonesia	38142	UNAIR-AS-IDUniversitasAirlanggaID	true
58.227.42.236	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
185.184.25.237	unknown	Turkey	209711	MUVHOSTTR	true
158.69.222.101	unknown	Canada	16276	OVHFR	true
104.251.214.46	unknown	United States	54540	INCERO-HVVCUS	true

ID:	532048
Product:	CloudBasic
Start time:	17:14:16
Start date:	01.12.2021
Sample:	2gyA5uNl6VPQUA.dll
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	5e20cb3466b66a9cdeac1ac74d9862e4
SHA1:	28ef4facb366de1fc7da62b975c8967997527c36
SHA256:	208939e34f46846c7c95383c6fea7813038b4dea87ea3819c157ccfbbf8aa09a
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_f49b738aac9d445c211ec1cdbddf7abb15fde6_d70d8aa6_11633778\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	E83A379E3F886DDE0737C94E50929972	DA440B10630A1447F76F6C2862518D9160FDCEAD	A74B68A5207DE2A571DEB46A8BB4D2697847550544A48C245EBAF1143003FEFE
C:\ProgramData\Microsoft\Windows\WER\Temp\WER222B.tmp.dmp	Mini DuMP crash report, 15 streams, Thu Dec 2 01:17:32 2021, 0x1205a4 type	670CEBD327DDCA577AC879415816A643	766C3E525ACD73736895C152C4625F3BC7374358	E8684DD3A530CE34589F57A65BC112B6731FD48CC1D0AEB3C460F6DFC042C1F2
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2D57.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	E2B2081F14B077D36894F2FBFE2DE9A1	8D9897122DBA59B590D5C6EB3C68FEAA19125CAD	21255234A624CE66D5028E8CF5A3F7DBBA484C3B317D25479E38A5ADCA916DB8
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3017.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	77292526940A2CED31107FF887CF478D	5A5EF4621DB426B1C1AAA50CCB671D827939DB6C	0E439CD01CFB1E0C2F8A007628584A04407C49A280EB46342061B64E9CA89142
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF6A5.tmp.csv	data	8FEF32FC113E0BCF8D366D66F16EC790	37A22ADB628537B727D8539FCCB33C85C214DFB8	1D95DBAE0901FF25A3D05638B69A7512E3CAD0D307184455AEBBC20C1C48C3BD
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB88.tmp.txt	data	68FAB6CF0A1C67CFDA5D7D3172021128	7973B130C320119EFA6FCD2F5B8147D9BD67F297	8F75ADED1A75A89914048407334B829B9423A00B2C712593584F317C4089CB96
C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl	data	304F8E8A64A52D1042A868BF53A274A9	34794F576562C1B52503BE3DB1A3A3C06FFFA4DC	E0B53FD64378D8D6C08182571B8348AB0E6FABE16E1039EEA88BF81D8D28FB17
C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl	data	254EF8903F3E46FE33D061FA09DB6F91	A2EEB09AA95C9B63CC6CC7BF8E15C5FE1524ADA7	49855F5818E1B7C04CBC2B1B240B87366CC342BEAFD52A7D1072C151B91924DA
C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl	data	C515E0C260990B027D1F7FEBEF240EE1	FD40240D458157A83466D10DD178839CFDA17DC5	46AA93A0B18E3B4E2450FE9D9C9C68771EBBB88A1BF3706EE5153F143BF9F114
C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl.0001s (copy)	data	304F8E8A64A52D1042A868BF53A274A9	34794F576562C1B52503BE3DB1A3A3C06FFFA4DC	E0B53FD64378D8D6C08182571B8348AB0E6FABE16E1039EEA88BF81D8D28FB17
C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl.0001 (copy)	data	254EF8903F3E46FE33D061FA09DB6F91	A2EEB09AA95C9B63CC6CC7BF8E15C5FE1524ADA7	49855F5818E1B7C04CBC2B1B240B87366CC342BEAFD52A7D1072C151B91924DA
C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl.0001". (copy)	data	C515E0C260990B027D1F7FEBEF240EE1	FD40240D458157A83466D10DD178839CFDA17DC5	46AA93A0B18E3B4E2450FE9D9C9C68771EBBB88A1BF3706EE5153F143BF9F114
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	305D4C175594DF05FB83B45660590C29	01F281B8B203EFB2DDB2BC2844C383455CB37A14	A5DFB5C0E762FF548CDAA3BB4E47BB467810EEFCB8E7C777AA83623D2EAF0D12
C:\Windows\appcompat\Programs\Amcache.hve.LOG1	MS Windows registry file, NT/2000 or above	5BB0E539B72B081DABC6C8198F44E54F	6BB4C4196D6EEAFC231496D782B34FAE6F1E99E2	849E684F49774DF0D027715B8421B45779C556BD0E7CC471CFB0A115BCA94E0D