Windows Analysis Report TYLNb8VvnmYA.dll

Overview

General Information

Sample Name: TYLNb8VvnmYA.dll
Analysis ID: 532264
MD5: 2b155f0eb4240dbe18024ca82e2418ca
SHA1: a84ba84de27be3294350f7428de56355b4417a79
SHA256: 60b8988a2c2fc3f2108ab8cb49d8a7a566f5bcd2036dca941c5863f9085c3a9d
Detection

Emotet
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
Multi AV Scanner detection for domain / URL
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Abnormal high CPU Usage
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Connects to several IPs in different countries
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 4.2.rundll32.exe.da0000.0.unpack Malware Configuration Extractor: Emotet {"C2 list": ["46.55.222.11:443", "104.245.52.73:8080", "41.76.108.46:8080", "103.8.26.103:8080", "185.184.25.237:8080", "103.8.26.102:8080", "203.114.109.124:443", "45.118.115.99:8080", "178.79.147.66:8080", "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443", "195.154.133.20:443", "45.142.114.231:8080", "212.237.5.209:443", "207.38.84.195:8080", "104.251.214.46:8080", "212.237.17.99:8080", "212.237.56.116:7080", "216.158.226.206:443", "110.232.117.186:8080", "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080", "81.0.236.90:443", "50.116.54.215:443", "138.185.72.26:8080", "51.68.175.8:8080", "210.57.217.132:8080"], "Public Key": ["RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2", "RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5"]}
Multi AV Scanner detection for submitted file
Source: TYLNb8VvnmYA.dll Virustotal: Detection: 25%
Multi AV Scanner detection for domain / URL
Source: https://46.55.222.11/ Virustotal: Detection: 7%

Compliance:

Uses 32bit PE files
Source: TYLNb8VvnmYA.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
Source: unknown HTTPS traffic detected: 46.55.222.11:443 -> 192.168.2.4:49810 version: TLS 1.2
Source: TYLNb8VvnmYA.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000E.00000003.949867302.0000000004E41000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.971559419.0000000005151000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000E.00000003.949867302.0000000004E41000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.971559419.0000000005151000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000E.00000003.949867302.0000000004E41000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.947501464.0000000004AB7000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.971559419.0000000005151000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000E.00000003.949867302.0000000004E41000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.971559419.0000000005151000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000E.00000003.949867302.0000000004E41000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.971559419.0000000005151000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000E.00000003.949867302.0000000004E41000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.971559419.0000000005151000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000E.00000003.949867302.0000000004E41000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.971559419.0000000005151000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000E.00000003.949867302.0000000004E41000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.971559419.0000000005151000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000E.00000003.949867302.0000000004E41000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.971559419.0000000005151000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000E.00000003.949867302.0000000004E41000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.971559419.0000000005151000.00000004.00000001.sdmp
Source: Binary string: a[ojr^oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000E.00000002.957692909.0000000002C92000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000E.00000003.949867302.0000000004E41000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.971559419.0000000005151000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000E.00000003.949867302.0000000004E41000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.971559419.0000000005151000.00000004.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E572FE7 FindFirstFileExW, 0_2_6E572FE7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E572FE7 FindFirstFileExW, 3_2_6E572FE7

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 46.55.222.11 187
C2 URLs / IPs found in malware configuration
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: OnlineSASFR OnlineSASFR
Source: Joe Sandbox View ASN Name: ARUBA-ASNIT ARUBA-ASNIT
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /MzlIoFkmcKcsrPXYulsIlJCKDmaMDeWzUVWmwgeGIDUlcKy HTTP/1.1Cookie: dCfK=bPbXwImjImCbbIF3qvzDRd9c+JKMawwsOWPVvyvqvwfrc+PArkcA5BPLaJwXtZJ/26S7XNKs2V04VEeAWv8c7JlriYcGnTOu1JJoCNAbvm5qitOiPZn25pevTEbtMXHhA91zhDkeqXH3zAdnS3t7MYD80E63CyQRmUhh3i2/7QMBBV27LwB0re2bo+wmxwzJsI2mhua6r/qE+UWH9MBwLiCAAOqSxIxCrYk+zOpNIhh9DHOGSKgaxEavFKGpLVtj9Afp1QLwZda7o/L5WwGI+DXaMIFTdoXTtumMHkNF47CoTUTOVchScAYNFU6zX7jdd55HFFAw3BINuxOhClTbJ63tOoKMLUbQ3Q==Host: 46.55.222.11Connection: Keep-AliveCache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 195.154.133.20 195.154.133.20
Source: Joe Sandbox View IP Address: 212.237.17.99 212.237.17.99
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 18
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 46.55.222.11
Source: WerFault.exe, 00000011.00000003.986145656.0000000004E1A000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000002.987701658.0000000004E1C000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.986099516.0000000004E02000.00000004.00000001.sdmp, rundll32.exe, 00000013.00000002.1180365819.000000000099E000.00000004.00000001.sdmp, rundll32.exe, 00000013.00000003.1152320566.000000000099E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.1162891462.000001EEEB300000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000001B.00000002.1162702324.000001EEEAAEB000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000001B.00000003.1140780623.000001EEEB37F000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1140862081.000001EEEB35D000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1140819437.000001EEEB3C0000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1140746669.000001EEEB36E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1140725417.000001EEEB35D000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1140840971.000001EEEB3A0000.00000004.00000001.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: Amcache.hve.14.dr String found in binary or memory: http://upx.sf.net
Source: rundll32.exe, 00000013.00000002.1180209791.0000000000964000.00000004.00000020.sdmp String found in binary or memory: https://46.55.222.11/
Source: rundll32.exe, 00000013.00000002.1180209791.0000000000964000.00000004.00000020.sdmp String found in binary or memory: https://46.55.222.11/8
Source: rundll32.exe, 00000013.00000002.1180209791.0000000000964000.00000004.00000020.sdmp, rundll32.exe, 00000013.00000003.1152435535.0000000000982000.00000004.00000001.sdmp String found in binary or memory: https://46.55.222.11/MzlIoFkmcKcsrPXYulsIlJCKDmaMDeWzUVWmwgeGIDUlcKy
Source: svchost.exe, 0000001B.00000003.1140780623.000001EEEB37F000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1140862081.000001EEEB35D000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1140819437.000001EEEB3C0000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1140746669.000001EEEB36E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1140725417.000001EEEB35D000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1140840971.000001EEEB3A0000.00000004.00000001.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000001B.00000003.1140780623.000001EEEB37F000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1140862081.000001EEEB35D000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1140819437.000001EEEB3C0000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1140746669.000001EEEB36E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1140725417.000001EEEB35D000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1140840971.000001EEEB3A0000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000001B.00000003.1140780623.000001EEEB37F000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1140862081.000001EEEB35D000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1140819437.000001EEEB3C0000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1140746669.000001EEEB36E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1140725417.000001EEEB35D000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1140840971.000001EEEB3A0000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000001B.00000003.1141777467.000001EEEB3C7000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1141862625.000001EEEB363000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1141880820.000001EEEB802000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1141751737.000001EEEB3C7000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1141812043.000001EEEB38F000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.1141826114.000001EEEB3B0000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000000.00000000.959570739.00000000014CB000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Emotet

System Summary:

One or more processes crash
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5244 -ip 5244
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Vmizynodtqcc\ubilavwdqio.euv:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Vmizynodtqcc\
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E551C10 appears 97 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E56D350 appears 33 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E551C10 appears 97 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E56D350 appears 33 times
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Source: TYLNb8VvnmYA.dll Virustotal: Detection: 25%
Source: TYLNb8VvnmYA.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\TYLNb8VvnmYA.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\TYLNb8VvnmYA.dll,axamexdrqyrgb
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\TYLNb8VvnmYA.dll,bhramccfbdd
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Vmizynodtqcc\ubilavwdqio.euv",bFzJjrBOyBxj
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5244 -ip 5244
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5244 -s 308
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5244 -ip 5244
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5244 -s 316
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Vmizynodtqcc\ubilavwdqio.euv",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\TYLNb8VvnmYA.dll,Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\TYLNb8VvnmYA.dll,axamexdrqyrgb
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\TYLNb8VvnmYA.dll,bhramccfbdd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Vmizynodtqcc\ubilavwdqio.euv",bFzJjrBOyBxj
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Vmizynodtqcc\ubilavwdqio.euv",Control_RunDLL
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5244 -ip 5244
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5244 -s 308
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5244 -ip 5244
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5244 -s 316
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\System32\svchost.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERBDF8.tmp
Source: classification engine Classification label: mal96.troj.evad.winDLL@36/14@0/29
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\TYLNb8VvnmYA.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:6248:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:6204:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5244
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: TYLNb8VvnmYA.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: TYLNb8VvnmYA.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000E.00000003.949867302.0000000004E41000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.971559419.0000000005151000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000E.00000003.949867302.0000000004E41000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.971559419.0000000005151000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000E.00000003.949867302.0000000004E41000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.947501464.0000000004AB7000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.971559419.0000000005151000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000E.00000003.949867302.0000000004E41000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.971559419.0000000005151000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000E.00000003.949867302.0000000004E41000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.971559419.0000000005151000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000E.00000003.949867302.0000000004E41000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.971559419.0000000005151000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000E.00000003.949867302.0000000004E41000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.971559419.0000000005151000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000E.00000003.949867302.0000000004E41000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.971559419.0000000005151000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000E.00000003.949867302.0000000004E41000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.971559419.0000000005151000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000E.00000003.949867302.0000000004E41000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.971559419.0000000005151000.00000004.00000001.sdmp
Source: Binary string: a[ojr^oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000E.00000002.957692909.0000000002C92000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000E.00000003.949867302.0000000004E41000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.971559419.0000000005151000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000E.00000003.949867302.0000000004E41000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.971559419.0000000005151000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E579153 push ecx; ret 0_2_6E579166
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0062150F push ds; ret 3_2_00621527
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0062151C push ds; ret 3_2_00621527
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E579153 push ecx; ret 3_2_6E579166
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00DA151C push ds; ret 4_2_00DA1527
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00DA150F push ds; ret 4_2_00DA1527
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_007D151C push ds; ret 7_2_007D1527
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_007D150F push ds; ret 7_2_007D1527
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00C4150F push ds; ret 9_2_00C41527
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00C4151C push ds; ret 9_2_00C41527
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E55E4E0 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex, 0_2_6E55E4E0

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Vmizynodtqcc\ubilavwdqio.euv

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Vmizynodtqcc\ubilavwdqio.euv:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\WerFault.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 6400 Thread sleep time: -150000s >= -30000s
Found large amount of non-executed APIs
Source: C:\Windows\System32\loaddll32.exe API coverage: 7.0 %
Source: C:\Windows\System32\svchost.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E572FE7 FindFirstFileExW, 0_2_6E572FE7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E572FE7 FindFirstFileExW, 3_2_6E572FE7
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: Amcache.hve.14.dr Binary or memory string: VMware
Source: Amcache.hve.14.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.14.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.14.dr Binary or memory string: VMware, Inc.
Source: rundll32.exe, 00000013.00000002.1180209791.0000000000964000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWp
Source: rundll32.exe, 00000013.00000003.1152435535.0000000000982000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWq
Source: Amcache.hve.14.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: WerFault.exe, 00000011.00000002.987689088.0000000004E05000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.986099516.0000000004E02000.00000004.00000001.sdmp, rundll32.exe, 00000013.00000003.1152435535.0000000000982000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.1162702324.000001EEEAAEB000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.1162540388.000001EEEAA70000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.14.dr Binary or memory string: VMware, Inc.me
Source: WerFault.exe, 00000011.00000002.987689088.0000000004E05000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.986099516.0000000004E02000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW,
Source: WerFault.exe, 00000011.00000003.986185428.0000000004DD9000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000002.987658833.0000000004DD9000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000011.00000003.984549522.0000000004DD7000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.14.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: svchost.exe, 0000001B.00000002.1162714900.000001EEEAAFA000.00000004.00000001.sdmp Binary or memory string: "@Hyper-V RAW
Source: Amcache.hve.14.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.14.dr Binary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
Source: Amcache.hve.14.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.14.dr Binary or memory string: VMware7,1
Source: Amcache.hve.14.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.14.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.14.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.14.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.14.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.14.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E56D1CC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E56D1CC
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E55E4E0 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex, 0_2_6E55E4E0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E551290 GetProcessHeap,HeapAlloc,RtlAllocateHeap,HeapFree, 0_2_6E551290
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E56C050 mov eax, dword ptr fs:[00000030h] 0_2_6E56C050
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E56BFE0 mov esi, dword ptr fs:[00000030h] 0_2_6E56BFE0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E56BFE0 mov eax, dword ptr fs:[00000030h] 0_2_6E56BFE0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E5712CB mov ecx, dword ptr fs:[00000030h] 0_2_6E5712CB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E57298C mov eax, dword ptr fs:[00000030h] 0_2_6E57298C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00634315 mov eax, dword ptr fs:[00000030h] 3_2_00634315
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E56C050 mov eax, dword ptr fs:[00000030h] 3_2_6E56C050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E56BFE0 mov esi, dword ptr fs:[00000030h] 3_2_6E56BFE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E56BFE0 mov eax, dword ptr fs:[00000030h] 3_2_6E56BFE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E5712CB mov ecx, dword ptr fs:[00000030h] 3_2_6E5712CB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E57298C mov eax, dword ptr fs:[00000030h] 3_2_6E57298C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00DB4315 mov eax, dword ptr fs:[00000030h] 4_2_00DB4315
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_007E4315 mov eax, dword ptr fs:[00000030h] 7_2_007E4315
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00C54315 mov eax, dword ptr fs:[00000030h] 9_2_00C54315
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E56CB22 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6E56CB22
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E56D1CC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E56D1CC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E5729E6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E5729E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E56CB22 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6E56CB22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E56D1CC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E56D1CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E5729E6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E5729E6

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 46.55.222.11 187
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll",#1
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5244 -ip 5244
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5244 -s 308
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5244 -ip 5244
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5244 -s 316
Source: loaddll32.exe, 00000000.00000000.960924600.0000000001950000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.959624705.0000000001950000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.941981877.0000000001950000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.943283652.0000000001950000.00000002.00020000.sdmp, rundll32.exe, 00000013.00000002.1182011580.0000000002FF0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000000.960924600.0000000001950000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.959624705.0000000001950000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.941981877.0000000001950000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.943283652.0000000001950000.00000002.00020000.sdmp, rundll32.exe, 00000013.00000002.1182011580.0000000002FF0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000000.960924600.0000000001950000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.959624705.0000000001950000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.941981877.0000000001950000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.943283652.0000000001950000.00000002.00020000.sdmp, rundll32.exe, 00000013.00000002.1182011580.0000000002FF0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000000.960924600.0000000001950000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.959624705.0000000001950000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.941981877.0000000001950000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.943283652.0000000001950000.00000002.00020000.sdmp, rundll32.exe, 00000013.00000002.1182011580.0000000002FF0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E56CC44 cpuid 0_2_6E56CC44
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E56CE15 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_6E56CE15

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: Amcache.hve.14.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 0.0.loaddll32.exe.14e38e8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1240000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.14e38e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.3010000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.d12468.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.7d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.14e38e8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.d12468.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.c40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.14e38e8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.c521c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.c521c0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.14e38e8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.30721c0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.7a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1240000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2fb3548.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1240000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.30721c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.c40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.14e38e8.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.3010000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1240000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2fb3548.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.1240000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.14e38e8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.14e38e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.1240000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.620000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1240000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.7d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.da0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1240000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1240000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.620000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.7a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.14e38e8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1240000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.14e38e8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000003.1133192472.000000000094A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.939874518.0000000003010000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.919228710.0000000000620000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.939979664.000000000305A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.959570739.00000000014CB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1025809484.0000000000C40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.988196686.0000000001240000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.939715779.00000000007D0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.959524190.0000000001240000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.941875842.00000000014CB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.912530116.0000000000DA0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.960569853.0000000001240000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.943150196.00000000014CB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.891306491.000000000079A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.936544594.0000000002F9A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1179908495.00000000007A0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.939909741.0000000000C3A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1025975580.0000000000CFA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.988254335.00000000014CB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.960680402.00000000014CB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.942948802.0000000001240000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.941755478.0000000001240000.00000040.00000010.sdmp, type: MEMORY
[IP location map legend: No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs]