Windows Analysis Report 6zAcNlJXo7.dll

Overview

General Information

Sample Name:	6zAcNlJXo7.dll
Analysis ID:	532221
MD5:	c7e23f2764d6ed9b59b0fed69a4488b0
SHA1:	67f31b13485f91be7952b3df5628f14ef1c86a38
SHA256:	d048f196a39fc7dae500b057fa000ebbb81ae2e6c18b4ddff445e8d7163f20ab
Tags:	32dllexetrojan
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Emotet

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Abnormal high CPU Usage

AV process strings found (often used to terminate AV products)

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Checks if the current process is being debugged

Connects to several IPs in different countries

Queries disk information (often used to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 4.2.rundll32.exe.2d44168.1.raw.unpack

Malware Configuration Extractor: Emotet {"C2 list": ["46.55.222.11:443", "104.245.52.73:8080", "41.76.108.46:8080", "103.8.26.103:8080", "185.184.25.237:8080", "103.8.26.102:8080", "203.114.109.124:443", "45.118.115.99:8080", "178.79.147.66:8080", "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443", "195.154.133.20:443", "45.142.114.231:8080", "212.237.5.209:443", "207.38.84.195:8080", "104.251.214.46:8080", "212.237.17.99:8080", "212.237.56.116:7080", "216.158.226.206:443", "110.232.117.186:8080", "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080", "81.0.236.90:443", "50.116.54.215:443", "138.185.72.26:8080", "51.68.175.8:8080", "210.57.217.132:8080"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2"]}

Multi AV Scanner detection for submitted file

Source: 6zAcNlJXo7.dll	Virustotal: Detection: 23%			Perma Link
Source: 6zAcNlJXo7.dll	ReversingLabs: Detection: 24%

Compliance:

Uses 32bit PE files

Source: 6zAcNlJXo7.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE

Source: 6zAcNlJXo7.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000011.00000003.605463455.0000000004DB1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.625076490.0000000005351000.00000004.00000001.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000011.00000003.605463455.0000000004DB1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.625076490.0000000005351000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000011.00000003.602824148.00000000049DE000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.605463455.0000000004DB1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.625076490.0000000005351000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000011.00000003.605463455.0000000004DB1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.625076490.0000000005351000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000011.00000003.605463455.0000000004DB1000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.602932789.000000000328A000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.625076490.0000000005351000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000011.00000003.605463455.0000000004DB1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.625076490.0000000005351000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000011.00000003.605463455.0000000004DB1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.625076490.0000000005351000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000011.00000003.605463455.0000000004DB1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.625076490.0000000005351000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.619910392.00000000031BC000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.620547498.00000000031BC000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000011.00000003.605463455.0000000004DB1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.625076490.0000000005351000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000011.00000003.605463455.0000000004DB1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.625076490.0000000005351000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 00000011.00000003.605463455.0000000004DB1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.625076490.0000000005351000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000011.00000003.605463455.0000000004DB1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.625076490.0000000005351000.00000004.00000001.sdmp
Source:	Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000011.00000002.611725686.0000000000912000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000014.00000003.619910392.00000000031BC000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.620547498.00000000031BC000.00000004.00000001.sdmp

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EAA2FE7 FindFirstFileExW,		0_2_6EAA2FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EAA2FE7 FindFirstFileExW,		2_2_6EAA2FE7

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 46.55.222.11:443
Source: Malware configuration extractor	IPs: 104.245.52.73:8080
Source: Malware configuration extractor	IPs: 41.76.108.46:8080
Source: Malware configuration extractor	IPs: 103.8.26.103:8080
Source: Malware configuration extractor	IPs: 185.184.25.237:8080
Source: Malware configuration extractor	IPs: 103.8.26.102:8080
Source: Malware configuration extractor	IPs: 203.114.109.124:443
Source: Malware configuration extractor	IPs: 45.118.115.99:8080
Source: Malware configuration extractor	IPs: 178.79.147.66:8080
Source: Malware configuration extractor	IPs: 58.227.42.236:80
Source: Malware configuration extractor	IPs: 45.118.135.203:7080
Source: Malware configuration extractor	IPs: 103.75.201.2:443
Source: Malware configuration extractor	IPs: 195.154.133.20:443
Source: Malware configuration extractor	IPs: 45.142.114.231:8080
Source: Malware configuration extractor	IPs: 212.237.5.209:443
Source: Malware configuration extractor	IPs: 207.38.84.195:8080
Source: Malware configuration extractor	IPs: 104.251.214.46:8080
Source: Malware configuration extractor	IPs: 212.237.17.99:8080
Source: Malware configuration extractor	IPs: 212.237.56.116:7080
Source: Malware configuration extractor	IPs: 216.158.226.206:443
Source: Malware configuration extractor	IPs: 110.232.117.186:8080
Source: Malware configuration extractor	IPs: 158.69.222.101:443
Source: Malware configuration extractor	IPs: 107.182.225.142:8080
Source: Malware configuration extractor	IPs: 176.104.106.96:8080
Source: Malware configuration extractor	IPs: 81.0.236.90:443
Source: Malware configuration extractor	IPs: 50.116.54.215:443
Source: Malware configuration extractor	IPs: 138.185.72.26:8080
Source: Malware configuration extractor	IPs: 51.68.175.8:8080
Source: Malware configuration extractor	IPs: 210.57.217.132:8080

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: OnlineSASFR OnlineSASFR
Source: Joe Sandbox View	ASN Name: ARUBA-ASNIT ARUBA-ASNIT

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 195.154.133.20 195.154.133.20
Source: Joe Sandbox View	IP Address: 212.237.17.99 212.237.17.99

Connects to several IPs in different countries

Source: unknown

Network traffic detected: IP country count 19

Source: svchost.exe, 00000008.00000003.547746216.00000162642A0000.00000004.00000001.sdmp, svchost.exe, 00000008.00000003.557044428.00000162642A0000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.700137823.00000162642A1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.640644218.0000000004F84000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.640563575.0000000004F70000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000002.642313149.0000000004F85000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000008.00000003.547746216.00000162642A0000.00000004.00000001.sdmp, svchost.exe, 00000008.00000003.557044428.00000162642A0000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.700137823.00000162642A1000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ver)
Source: Amcache.hve.17.dr	String found in binary or memory: http://upx.sf.net

E-Banking Fraud:

Yara detected Emotet

Source: Yara match	File source: 0.0.loaddll32.exe.a60000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.b93b30.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.622160.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.2ce22d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.b93b30.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a60000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.2ce22d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.b93b30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.b93b30.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.742148.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.3c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.622160.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.970000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.a60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.b93b30.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.b93b30.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.742148.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.510000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.b93b30.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.8e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.970000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a60000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2d44168.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2d44168.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a60000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.a60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a60000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.b93b30.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.b93b30.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.b93b30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a60000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.598946349.000000000072A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.596768757.0000000000A60000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.615675303.0000000000B8C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.557368858.0000000002D65000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.595689976.000000000060A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.597386823.00000000008E0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.642951852.0000000000A60000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.643045864.0000000000B8C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.597549993.0000000000B8C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.613993965.0000000000A60000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.615392489.0000000000A60000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.598782764.00000000003C0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.597443170.0000000000A60000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.599282857.0000000002D2A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.699398284.0000000002CCA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.596835233.0000000000B8C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.614123815.0000000000B8C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.576404694.0000000000970000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.595650059.0000000000510000.00000040.00000010.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files

Source: 6zAcNlJXo7.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE

One or more processes crash

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4668 -ip 4668

Deletes files inside the Windows folder

Source: C:\Windows\SysWOW64\rundll32.exe

File deleted: C:\Windows\SysWOW64\Zsdkqzebleakbz\gnpornwqabjsi.vaq:Zone.Identifier

Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6EA9D350 appears 33 times
Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6EA81C10 appears 97 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6EA9D350 appears 33 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6EA81C10 appears 97 times

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,axamexdrqyrgb
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,bhramccfbdd
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Zsdkqzebleakbz\gnpornwqabjsi.vaq",YawfQDI
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4668 -ip 4668
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 272
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4668 -ip 4668
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 324
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,Control_RunDLL	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,axamexdrqyrgb	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,bhramccfbdd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Zsdkqzebleakbz\gnpornwqabjsi.vaq",YawfQDI	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4668 -ip 4668	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 272	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4668 -ip 4668	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 324	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:2824:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:3160:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4668

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A6005E push esp; iretd	0_2_00A60061
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A6150F push ds; ret	0_2_00A61527
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A6151C push ds; ret	0_2_00A61527
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EAA9153 push ecx; ret	0_2_6EAA9166
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0097005E push esp; iretd	2_2_00970061
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0097151C push ds; ret	2_2_00971527
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0097150F push ds; ret	2_2_00971527
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EAA9153 push ecx; ret	2_2_6EAA9166
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0051005E push esp; iretd	3_2_00510061
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0051151C push ds; ret	3_2_00511527
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0051150F push ds; ret	3_2_00511527
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003C005E push esp; iretd	5_2_003C0061
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003C151C push ds; ret	5_2_003C1527
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003C150F push ds; ret	5_2_003C1527

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.17.dr	Binary or memory string: VMware
Source: Amcache.hve.17.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: svchost.exe, 00000008.00000002.699954981.0000016264261000.00000004.00000001.sdmp	Binary or memory string: "@Hyper-V RAW
Source: Amcache.hve.17.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.17.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.17.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.17.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.17.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.17.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.17.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.17.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.17.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: svchost.exe, 00000008.00000002.699887933.000001626424D000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.640632475.0000000004F56000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000002.642248757.0000000004F57000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.640563575.0000000004F70000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000002.642284557.0000000004F72000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.17.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.17.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.17.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.17.dr	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: svchost.exe, 00000008.00000002.698194989.000001625EC29000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWM&db
Source: Amcache.hve.17.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: WerFault.exe, 00000014.00000003.639127810.0000000004F42000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.17.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00A74315 mov eax, dword ptr fs:[00000030h]	0_2_00A74315
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EA9C050 mov eax, dword ptr fs:[00000030h]	0_2_6EA9C050
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EA9BFE0 mov esi, dword ptr fs:[00000030h]	0_2_6EA9BFE0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EA9BFE0 mov eax, dword ptr fs:[00000030h]	0_2_6EA9BFE0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EAA12CB mov ecx, dword ptr fs:[00000030h]	0_2_6EAA12CB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EAA298C mov eax, dword ptr fs:[00000030h]	0_2_6EAA298C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00984315 mov eax, dword ptr fs:[00000030h]	2_2_00984315
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EA9C050 mov eax, dword ptr fs:[00000030h]	2_2_6EA9C050
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EA9BFE0 mov esi, dword ptr fs:[00000030h]	2_2_6EA9BFE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EA9BFE0 mov eax, dword ptr fs:[00000030h]	2_2_6EA9BFE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EAA12CB mov ecx, dword ptr fs:[00000030h]	2_2_6EAA12CB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EAA298C mov eax, dword ptr fs:[00000030h]	2_2_6EAA298C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00524315 mov eax, dword ptr fs:[00000030h]	3_2_00524315
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_003D4315 mov eax, dword ptr fs:[00000030h]	5_2_003D4315

Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EA9CB22 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6EA9CB22
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EAA29E6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6EAA29E6
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EA9D1CC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6EA9D1CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EA9CB22 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_6EA9CB22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EAA29E6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6EAA29E6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EA9D1CC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6EA9D1CC

Source: loaddll32.exe, 00000000.00000000.614311053.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.615784660.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.597627953.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.596883586.0000000001240000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000000.614311053.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.615784660.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.597627953.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.596883586.0000000001240000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000000.614311053.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.615784660.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.597627953.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.596883586.0000000001240000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000000.614311053.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.615784660.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.597627953.0000000001240000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.596883586.0000000001240000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: Amcache.hve.17.dr, Amcache.hve.LOG1.17.dr	Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.17.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.17.dr, Amcache.hve.LOG1.17.dr	Binary or memory string: procexp.exe

IP	Domain	Country	ASN	ASN Name	Malicious
195.154.133.20	unknown	France	12876	OnlineSASFR	true
212.237.17.99	unknown	Italy	31034	ARUBA-ASNIT	true
110.232.117.186	unknown	Australia	56038	RACKCORP-APRackCorpAU	true
104.245.52.73	unknown	United States	63251	METRO-WIRELESSUS	true
138.185.72.26	unknown	Brazil	264343	EmpasoftLtdaMeBR	true
81.0.236.90	unknown	Czech Republic	15685	CASABLANCA-ASInternetCollocationProviderCZ	true
45.118.115.99	unknown	Indonesia	131717	IDNIC-CIFO-AS-IDPTCitraJelajahInformatikaID	true
103.75.201.2	unknown	Thailand	133496	CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH	true
216.158.226.206	unknown	United States	19318	IS-AS-1US	true
107.182.225.142	unknown	United States	32780	HOSTINGSERVICES-INCUS	true
45.118.135.203	unknown	Japan	63949	LINODE-APLinodeLLCUS	true
50.116.54.215	unknown	United States	63949	LINODE-APLinodeLLCUS	true
51.68.175.8	unknown	France	16276	OVHFR	true
103.8.26.102	unknown	Malaysia	132241	SKSATECH1-MYSKSATECHNOLOGYSDNBHDMY	true
46.55.222.11	unknown	Bulgaria	34841	BALCHIKNETBG	true
41.76.108.46	unknown	South Africa	327979	DIAMATRIXZA	true
103.8.26.103	unknown	Malaysia	132241	SKSATECH1-MYSKSATECHNOLOGYSDNBHDMY	true
178.79.147.66	unknown	United Kingdom	63949	LINODE-APLinodeLLCUS	true
212.237.5.209	unknown	Italy	31034	ARUBA-ASNIT	true
176.104.106.96	unknown	Serbia	198371	NINETRS	true
207.38.84.195	unknown	United States	30083	AS-30083-GO-DADDY-COM-LLCUS	true
212.237.56.116	unknown	Italy	31034	ARUBA-ASNIT	true
45.142.114.231	unknown	Germany	44066	DE-FIRSTCOLOwwwfirst-colonetDE	true
203.114.109.124	unknown	Thailand	131293	TOT-LLI-AS-APTOTPublicCompanyLimitedTH	true
210.57.217.132	unknown	Indonesia	38142	UNAIR-AS-IDUniversitasAirlanggaID	true
58.227.42.236	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
185.184.25.237	unknown	Turkey	209711	MUVHOSTTR	true
158.69.222.101	unknown	Canada	16276	OVHFR	true
104.251.214.46	unknown	United States	54540	INCERO-HVVCUS	true

ID:	532221
Product:	CloudBasic
Start time:	20:58:28
Start date:	01.12.2021
Sample:	6zAcNlJXo7.dll
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	c7e23f2764d6ed9b59b0fed69a4488b0
SHA1:	67f31b13485f91be7952b3df5628f14ef1c86a38
SHA256:	d048f196a39fc7dae500b057fa000ebbb81ae2e6c18b4ddff445e8d7163f20ab
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Network\Downloader\edb.log	MPEG-4 LOAS	5AA9010F86AAA454CA8AEE0BC5432844	6386A8DADB09CD4AAB9D91049CD1D1963B92A931	47DA8C9FC8223551A0BD062C9DECFC1D0D6F9AFD5FDD71D3708F4A019B47ED4A
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db	Extensible storage engine DataBase, version 0x620, checksum 0xce62c60e, page size 16384, DirtyShutdown, Windows version 10.0	6AB5EC32ABEAAD3B2D169DAD0DB571C1	678C6CFA14486816AEE71C4414F21ADAD5FD6188	7246BA67A66D83694DECB8DA5F406339E7D4DD0BC106A0434FA3A18DE8DB9267
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm	data	D931A9ECA494794C06C28E09F3FEED68	A58E08E3E371B8B5FA3BBC3F794D8AFA3FE80466	84BE51EED8346F223265ADF7BD72801632C85C5B6E7459BC7446E62095ADF39D
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_8c5962cbbdb13a8671f1f3c3793157e73bd5d897_d70d8aa6_1403bece\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	E551AE87CD4BFFDB52D2729EB71CA116	25E9433B73898DDF598B3C6AA832943A20204A38	2139D02A6621817D10D5087037509E8EAD4748A15BF6DED6D219712F321A15CA
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_d71d33d652a62c864cb684e881f783bcee8c2df7_d70d8aa6_0ebff56f\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	9315D9FBF557FA80186C275A58BD321A	757D0034D1502A4A2BE1598CFAE67783FBA4ED66	277F69162DD92575BF47BF9D18909659F3AE992F9FE8C2500CD7635FA0BECF8D
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C87.tmp.csv	data	C02DA58C9163875DDE4A126EB462E9A1	0A2F8FDCF105F9B01A97FE544632CADBEB57CB01	E7F165C48F9A84354B60EE280D62E72E364E282ACCE1F73D91CE24E2D2A557DD
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3041.tmp.txt	data	30F32608D2A56E14CAC4A2EEB0A4F51D	2C38E92DCC306540B28DC098EA8A26B89B58FD12	EBEB6A9A01BB1141B1C90052011DBDA150B6F053AF34EEA02417F94EC5ADCAA6
C:\ProgramData\Microsoft\Windows\WER\Temp\WER507C.tmp.csv	data	B3690B79E2319DD5C7A0A447090B9B47	09C24AB18C0AB36AE28D3BA286F3C0CBDE03BF18	FCA6A165CDA7189936ECE2410340E6BD9EDD19122DF254C33A70CF9F2D548CD0
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5EC5.tmp.txt	data	79B97CAE7376674F218C321A353AA8CB	2F137749749239960FB3DD68BFE1D6DA62ABC6DA	7720CF386642AB215CBE095291534BED4EF24B40D1E414D078CC8A5C4EB5D062
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB1ED.tmp.dmp	Mini DuMP crash report, 15 streams, Thu Dec 2 05:01:53 2021, 0x1205a4 type	E414D434C126C5E3A34B58BF2C2691E2	E3E1241B44D69FF7425AD84838DF348E2BCDB613	9D2635AB0D5B57C214B5983F7A7E0D5D24EE84C6FFA50FEC14F8F9BE448339E8
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB5D6.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	7439244D3ACB486F21A0681908A0773A	081E8D4257C5DB8CEF0A9EE9B011D2EE05D3E7C7	FEA0D259E46748096FFA28A6B6B09EDF7B54A26F651D1E10B49BED15B7A376D6
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB858.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	A78FEB1C65A67FC0A5A5CECF5CFFDC92	0244D7CCB68AEA72550587A4A08CBCA6FA3C9530	884FCFEEB48463B3A3B83B85E683B4527E7ADAFA4ECCF36A63BB85AD3F27ACB9
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD1D9.tmp.dmp	Mini DuMP crash report, 15 streams, Thu Dec 2 05:02:01 2021, 0x1205a4 type	621936AFF9F5A401CBDBA7ED16571403	29F29ACC36431B4D59B2C5BF4BE163DAB5F0DEBB	10EC4FA7950277BECF177024730901D9DAAE25BF03FD394C364AAFE29D33CA7E
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD9D9.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	F60B15870675CDB4422B00D653EFF506	F580DE8D043587932F0272A555FAD4C617E6F798	04BFA5603A7A900A5848F91F5A0CFFD16A41EC35324C6118871D4A7105652801
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDC99.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	E61215813E5A9C6F105D95D2D3B85DA6	3D13151819D197C4856EB99B5C9A881CAF0A3021	16995677FCAE98C3F5AB6860B39580B89D7BD207BBC7AC5EEEA5D60E789E2663
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	ASCII text, with no line terminators	DCA83F08D448911A14C22EBCACC5AD57	91270525521B7FE0D986DB19747F47D34B6318AD	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	0952282E9A8B733598FC12A6EAB089AD	CDCECB08EBD1E2DC3D1F958850315EA86B0991C1	D532EBDC2C479220E74B6C594EC73B30FF2FCE90DEAC7AA86A0A92DE83B7D3C3
C:\Windows\appcompat\Programs\Amcache.hve.LOG1	MS Windows registry file, NT/2000 or above	1F2A51FB996D298AAD0AD576423CA175	E1E1446F0AB98723F7302916CE450E6FF6EAD747	14CDC5B0A0F19BA0B829584F4A3977064BA40D1813776CCFF050F2CD2D0103C3

Windows Analysis Report 6zAcNlJXo7.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Spreading:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private