Windows Analysis Report TYLNb8VvnmYA.dll

Overview

General Information

Sample Name:	TYLNb8VvnmYA.dll
Analysis ID:	532264
MD5:	2b155f0eb4240dbe18024ca82e2418ca
SHA1:	a84ba84de27be3294350f7428de56355b4417a79
SHA256:	60b8988a2c2fc3f2108ab8cb49d8a7a566f5bcd2036dca941c5863f9085c3a9d
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Emotet

Sigma detected: Emotet RunDLL32 Process Creation

Changes security center settings (notifications, updates, antivirus, firewall)

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Deletes files inside the Windows folder

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Abnormal high CPU Usage

AV process strings found (often used to terminate AV products)

Tries to load missing DLLs

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Checks if the current process is being debugged

Connects to several IPs in different countries

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 0.0.loaddll32.exe.9e0000.6.unpack

Malware Configuration Extractor: Emotet {"C2 list": ["46.55.222.11:443", "104.245.52.73:8080", "41.76.108.46:8080", "103.8.26.103:8080", "185.184.25.237:8080", "103.8.26.102:8080", "203.114.109.124:443", "45.118.115.99:8080", "178.79.147.66:8080", "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443", "195.154.133.20:443", "45.142.114.231:8080", "212.237.5.209:443", "207.38.84.195:8080", "104.251.214.46:8080", "212.237.17.99:8080", "212.237.56.116:7080", "216.158.226.206:443", "110.232.117.186:8080", "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080", "81.0.236.90:443", "50.116.54.215:443", "138.185.72.26:8080", "51.68.175.8:8080", "210.57.217.132:8080"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2"]}

Multi AV Scanner detection for submitted file

Source: TYLNb8VvnmYA.dll

Virustotal: Detection: 25%

Perma Link

Compliance:

Uses 32bit PE files

Source: TYLNb8VvnmYA.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE

Source: TYLNb8VvnmYA.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000016.00000003.566851416.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.590940435.00000000050B1000.00000004.00000001.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000016.00000003.566851416.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.590940435.00000000050B1000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000016.00000003.564262336.0000000002CDC000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.566851416.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.590940435.00000000050B1000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000016.00000003.566851416.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.590940435.00000000050B1000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000016.00000003.564338368.0000000002CA9000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.566851416.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.564358097.0000000002CA9000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.590940435.00000000050B1000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000016.00000003.566851416.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.590940435.00000000050B1000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000016.00000003.564338368.0000000002CA9000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.564358097.0000000002CA9000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000016.00000003.566851416.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.590940435.00000000050B1000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000016.00000003.564520249.0000000002C9D000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.566851416.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.564326548.0000000002C9D000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585713559.000000000320C000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.590940435.00000000050B1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.586254473.000000000320C000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000016.00000003.566851416.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.590940435.00000000050B1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000016.00000003.566851416.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.590940435.00000000050B1000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 00000016.00000003.566851416.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.590940435.00000000050B1000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000016.00000003.566851416.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.590940435.00000000050B1000.00000004.00000001.sdmp
Source:	Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000016.00000002.578653087.00000000005E2000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000016.00000003.564520249.0000000002C9D000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.564326548.0000000002C9D000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.585713559.000000000320C000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.586254473.000000000320C000.00000004.00000001.sdmp

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECE2FE7 FindFirstFileExW,		0_2_6ECE2FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6ECE2FE7 FindFirstFileExW,		4_2_6ECE2FE7

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 46.55.222.11:443
Source: Malware configuration extractor	IPs: 104.245.52.73:8080
Source: Malware configuration extractor	IPs: 41.76.108.46:8080
Source: Malware configuration extractor	IPs: 103.8.26.103:8080
Source: Malware configuration extractor	IPs: 185.184.25.237:8080
Source: Malware configuration extractor	IPs: 103.8.26.102:8080
Source: Malware configuration extractor	IPs: 203.114.109.124:443
Source: Malware configuration extractor	IPs: 45.118.115.99:8080
Source: Malware configuration extractor	IPs: 178.79.147.66:8080
Source: Malware configuration extractor	IPs: 58.227.42.236:80
Source: Malware configuration extractor	IPs: 45.118.135.203:7080
Source: Malware configuration extractor	IPs: 103.75.201.2:443
Source: Malware configuration extractor	IPs: 195.154.133.20:443
Source: Malware configuration extractor	IPs: 45.142.114.231:8080
Source: Malware configuration extractor	IPs: 212.237.5.209:443
Source: Malware configuration extractor	IPs: 207.38.84.195:8080
Source: Malware configuration extractor	IPs: 104.251.214.46:8080
Source: Malware configuration extractor	IPs: 212.237.17.99:8080
Source: Malware configuration extractor	IPs: 212.237.56.116:7080
Source: Malware configuration extractor	IPs: 216.158.226.206:443
Source: Malware configuration extractor	IPs: 110.232.117.186:8080
Source: Malware configuration extractor	IPs: 158.69.222.101:443
Source: Malware configuration extractor	IPs: 107.182.225.142:8080
Source: Malware configuration extractor	IPs: 176.104.106.96:8080
Source: Malware configuration extractor	IPs: 81.0.236.90:443
Source: Malware configuration extractor	IPs: 50.116.54.215:443
Source: Malware configuration extractor	IPs: 138.185.72.26:8080
Source: Malware configuration extractor	IPs: 51.68.175.8:8080
Source: Malware configuration extractor	IPs: 210.57.217.132:8080

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: OnlineSASFR OnlineSASFR
Source: Joe Sandbox View	ASN Name: ARUBA-ASNIT ARUBA-ASNIT
Source: Joe Sandbox View	ASN Name: RACKCORP-APRackCorpAU RACKCORP-APRackCorpAU

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 195.154.133.20 195.154.133.20
Source: Joe Sandbox View	IP Address: 212.237.17.99 212.237.17.99

Connects to several IPs in different countries

Source: unknown

Network traffic detected: IP country count 18

Source: WerFault.exe, 00000019.00000003.599154810.0000000004D72000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000002.600553614.0000000004D72000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: WerFault.exe, 00000019.00000002.600418522.0000000003158000.00000004.00000020.sdmp	String found in binary or memory: http://crl.microsoft
Source: Amcache.hve.22.dr	String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 00000009.00000002.398712161.000001424C613000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000002.00000002.679231655.0000018D2F245000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000002.00000002.679231655.0000018D2F245000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000002.00000002.679231655.0000018D2F245000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000009.00000003.369038841.000001424C662000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000002.00000002.679102531.0000018D2F22A000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000002.00000002.679102531.0000018D2F22A000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000009.00000003.369044474.000001424C65D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000009.00000003.369049789.000001424C658000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.411168359.000001424C659000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000009.00000003.369038841.000001424C662000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000009.00000002.403271535.000001424C629000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000009.00000003.369049789.000001424C658000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.411168359.000001424C659000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000009.00000002.413717159.000001424C66A000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.369025048.000001424C668000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000009.00000003.369038841.000001424C662000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000009.00000003.369069267.000001424C642000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.369057963.000001424C641000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.409097273.000001424C64C000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.369083115.000001424C645000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000009.00000003.369049789.000001424C658000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.411168359.000001424C659000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000009.00000002.403271535.000001424C629000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000009.00000003.369038841.000001424C662000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000009.00000003.369038841.000001424C662000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000009.00000003.369038841.000001424C662000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000009.00000003.334621644.000001424C634000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000009.00000002.412108697.000001424C660000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.369041405.000001424C65F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000009.00000002.403271535.000001424C629000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000009.00000003.369038841.000001424C662000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000009.00000003.369049789.000001424C658000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.411168359.000001424C659000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.369057963.000001424C641000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000009.00000003.369044474.000001424C65D000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000009.00000003.369049789.000001424C658000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.411168359.000001424C659000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000009.00000003.369049789.000001424C658000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.411168359.000001424C659000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000009.00000003.369083115.000001424C645000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000009.00000003.369038841.000001424C662000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000009.00000002.403271535.000001424C629000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.334621644.000001424C634000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000009.00000003.334621644.000001424C634000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.369075670.000001424C63D000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000009.00000002.407719066.000001424C640000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000009.00000002.403271535.000001424C629000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000009.00000003.334621644.000001424C634000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000009.00000003.334621644.000001424C634000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000009.00000003.334621644.000001424C634000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000009.00000003.334621644.000001424C634000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.369075670.000001424C63D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000009.00000003.369069267.000001424C642000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.369057963.000001424C641000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.409097273.000001424C64C000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.369083115.000001424C645000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

E-Banking Fraud:

Yara detected Emotet

Source: Yara match	File source: 7.2.rundll32.exe.c620f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.b10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.632468.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.9e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a63b78.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.9e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.a63b78.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1110000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.a10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1110000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.9e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.a10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a63b78.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.632468.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.a63b78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.9e0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a63b78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.32a4168.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.c620f8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a63b78.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.9e0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.9e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.b10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a63b78.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a63b78.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.9e0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.32a4168.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.bc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.9e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.10f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.3273688.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.10f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.bc0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.9e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a63b78.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.3273688.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.9e0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.a63b78.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.540649559.00000000010F0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.557294263.0000000001110000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.582540666.0000000000A5C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.546594533.0000000000A10000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.659478506.0000000000BC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.558410733.0000000000A5C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.558256416.00000000009E0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.581726309.0000000000A5C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.582467938.00000000009E0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.659377295.000000000061A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.601059851.00000000009E0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.528291798.0000000000C69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.601107965.0000000000A5C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.557479491.000000000328A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.556361000.0000000000C4A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.559892277.0000000000A5C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.556237004.0000000000B10000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.581678982.00000000009E0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.559720602.00000000009E0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.540803207.000000000325A000.00000004.00000020.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files

Source: TYLNb8VvnmYA.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE

One or more processes crash

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5808 -ip 5808

Deletes files inside the Windows folder

Source: C:\Windows\SysWOW64\rundll32.exe

File deleted: C:\Windows\SysWOW64\Gipupxhph\siawepkk.qzv:Zone.Identifier

Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6ECC1C10 appears 97 times
Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6ECDD350 appears 33 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6ECC1C10 appears 97 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6ECDD350 appears 33 times

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll			Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll",#1
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\TYLNb8VvnmYA.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll",#1
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\TYLNb8VvnmYA.dll,axamexdrqyrgb
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\TYLNb8VvnmYA.dll,bhramccfbdd
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gipupxhph\siawepkk.qzv",iJIySwmeuqOefH
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll",Control_RunDLL
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5808 -ip 5808
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5808 -s 304
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5808 -ip 5808
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5808 -s 324
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Gipupxhph\siawepkk.qzv",Control_RunDLL
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\TYLNb8VvnmYA.dll,Control_RunDLL	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\TYLNb8VvnmYA.dll,axamexdrqyrgb	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\TYLNb8VvnmYA.dll,bhramccfbdd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gipupxhph\siawepkk.qzv",iJIySwmeuqOefH	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\TYLNb8VvnmYA.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Gipupxhph\siawepkk.qzv",Control_RunDLL	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5808 -ip 5808	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5808 -s 304	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5808 -ip 5808	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5808 -s 324	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:3644:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:6424:64:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2532:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5808

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECE9153 push ecx; ret	0_2_6ECE9166
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6ECE9153 push ecx; ret	4_2_6ECE9166
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010F150F push ds; ret	5_2_010F1527
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_010F151C push ds; ret	5_2_010F1527
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0111151C push ds; ret	8_2_01111527
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0111150F push ds; ret	8_2_01111527
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BC151C push ds; ret	13_2_00BC1527
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BC150F push ds; ret	13_2_00BC1527

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\loaddll32.exe	API coverage: 6.9 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 7.6 %

Source: Amcache.hve.22.dr	Binary or memory string: VMware
Source: Amcache.hve.22.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.22.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.22.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.22.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.22.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: WerFault.exe, 00000019.00000003.597789583.0000000004D37000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
Source: Amcache.hve.22.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.22.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.22.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.22.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.22.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WerFault.exe, 00000019.00000003.599090824.0000000004D5D000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000002.600542842.0000000004D5F000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.22.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.22.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.22.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.22.dr	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.22.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: WerFault.exe, 00000019.00000002.600515890.0000000004D38000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.599177113.0000000004D38000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000002.00000002.679402834.0000018D2F268000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.678647533.00000193C6A29000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.22.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECDC050 mov eax, dword ptr fs:[00000030h]	0_2_6ECDC050
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECDBFE0 mov esi, dword ptr fs:[00000030h]	0_2_6ECDBFE0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECDBFE0 mov eax, dword ptr fs:[00000030h]	0_2_6ECDBFE0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECE12CB mov ecx, dword ptr fs:[00000030h]	0_2_6ECE12CB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECE298C mov eax, dword ptr fs:[00000030h]	0_2_6ECE298C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6ECDC050 mov eax, dword ptr fs:[00000030h]	4_2_6ECDC050
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6ECDBFE0 mov esi, dword ptr fs:[00000030h]	4_2_6ECDBFE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6ECDBFE0 mov eax, dword ptr fs:[00000030h]	4_2_6ECDBFE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6ECE12CB mov ecx, dword ptr fs:[00000030h]	4_2_6ECE12CB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6ECE298C mov eax, dword ptr fs:[00000030h]	4_2_6ECE298C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_01104315 mov eax, dword ptr fs:[00000030h]	5_2_01104315
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_01124315 mov eax, dword ptr fs:[00000030h]	8_2_01124315
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BD4315 mov eax, dword ptr fs:[00000030h]	13_2_00BD4315

Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECDCB22 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6ECDCB22
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECDD1CC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6ECDD1CC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECE29E6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6ECE29E6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6ECDCB22 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_6ECDCB22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6ECDD1CC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_6ECDD1CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6ECE29E6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_6ECE29E6

Source: loaddll32.exe, 00000000.00000000.560057714.0000000001120000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.558542817.0000000001120000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.581833872.0000000001120000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.582621925.0000000001120000.00000002.00020000.sdmp, rundll32.exe, 0000001D.00000002.679386808.00000000031A0000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000000.560057714.0000000001120000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.558542817.0000000001120000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.581833872.0000000001120000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.582621925.0000000001120000.00000002.00020000.sdmp, rundll32.exe, 0000001D.00000002.679386808.00000000031A0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000000.560057714.0000000001120000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.558542817.0000000001120000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.581833872.0000000001120000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.582621925.0000000001120000.00000002.00020000.sdmp, rundll32.exe, 0000001D.00000002.679386808.00000000031A0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000000.560057714.0000000001120000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.558542817.0000000001120000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.581833872.0000000001120000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.582621925.0000000001120000.00000002.00020000.sdmp, rundll32.exe, 0000001D.00000002.679386808.00000000031A0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Source: Amcache.hve.LOG1.22.dr, Amcache.hve.22.dr	Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.22.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: svchost.exe, 0000000B.00000002.678404306.00000262C083D000.00000004.00000001.sdmp	Binary or memory string: (@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000B.00000002.678609431.00000262C0902000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.678341900.00000262C0829000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.LOG1.22.dr, Amcache.hve.22.dr	Binary or memory string: procexp.exe

IP	Domain	Country	ASN	ASN Name	Malicious
195.154.133.20	unknown	France	12876	OnlineSASFR	true
212.237.17.99	unknown	Italy	31034	ARUBA-ASNIT	true
110.232.117.186	unknown	Australia	56038	RACKCORP-APRackCorpAU	true
104.245.52.73	unknown	United States	63251	METRO-WIRELESSUS	true
138.185.72.26	unknown	Brazil	264343	EmpasoftLtdaMeBR	true
81.0.236.90	unknown	Czech Republic	15685	CASABLANCA-ASInternetCollocationProviderCZ	true
45.118.115.99	unknown	Indonesia	131717	IDNIC-CIFO-AS-IDPTCitraJelajahInformatikaID	true
103.75.201.2	unknown	Thailand	133496	CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH	true
216.158.226.206	unknown	United States	19318	IS-AS-1US	true
107.182.225.142	unknown	United States	32780	HOSTINGSERVICES-INCUS	true
45.118.135.203	unknown	Japan	63949	LINODE-APLinodeLLCUS	true
50.116.54.215	unknown	United States	63949	LINODE-APLinodeLLCUS	true
51.68.175.8	unknown	France	16276	OVHFR	true
103.8.26.102	unknown	Malaysia	132241	SKSATECH1-MYSKSATECHNOLOGYSDNBHDMY	true
46.55.222.11	unknown	Bulgaria	34841	BALCHIKNETBG	true
41.76.108.46	unknown	South Africa	327979	DIAMATRIXZA	true
103.8.26.103	unknown	Malaysia	132241	SKSATECH1-MYSKSATECHNOLOGYSDNBHDMY	true
178.79.147.66	unknown	United Kingdom	63949	LINODE-APLinodeLLCUS	true
212.237.5.209	unknown	Italy	31034	ARUBA-ASNIT	true
176.104.106.96	unknown	Serbia	198371	NINETRS	true
207.38.84.195	unknown	United States	30083	AS-30083-GO-DADDY-COM-LLCUS	true
212.237.56.116	unknown	Italy	31034	ARUBA-ASNIT	true
45.142.114.231	unknown	Germany	44066	DE-FIRSTCOLOwwwfirst-colonetDE	true
203.114.109.124	unknown	Thailand	131293	TOT-LLI-AS-APTOTPublicCompanyLimitedTH	true
210.57.217.132	unknown	Indonesia	38142	UNAIR-AS-IDUniversitasAirlanggaID	true
58.227.42.236	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
185.184.25.237	unknown	Turkey	209711	MUVHOSTTR	true
158.69.222.101	unknown	Canada	16276	OVHFR	true
104.251.214.46	unknown	United States	54540	INCERO-HVVCUS	true

ID:	532264
Product:	CloudBasic
Start time:	22:40:12
Start date:	01.12.2021
Sample:	TYLNb8VvnmYA.dll
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	2b155f0eb4240dbe18024ca82e2418ca
SHA1:	a84ba84de27be3294350f7428de56355b4417a79
SHA256:	60b8988a2c2fc3f2108ab8cb49d8a7a566f5bcd2036dca941c5863f9085c3a9d
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_8c5962cbbdb13a8671f1f3c3793157e73bd5d897_d70d8aa6_1a5fcb12\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	FC1E6BBF064002B185093E97A89FEB0F	FFACD8D43A3B1FD5834E9BB4FB4BAC48A176B49E	63E485D105F112B116B9FB47235E53B0D6376B04342D2AB28A4F8F426DA4A54F
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_d71d33d652a62c864cb684e881f783bcee8c2df7_d70d8aa6_170bfc05\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	3A91ED7DB80E2A50F337747C63E92044	3DB3D584FC42282ACE58A5FD2B6383E4BDE4473B	99FDD8B6BAA4137528E8DA0B317C653F67914ED4997B83EB5795D31150453C8D
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2699.tmp.csv	data	C8CD55BBE6C4E459BDC838F197DE35B0	68368C6EB2B79FDD633D566F2486B9EB94AF55FB	170D063E2726B28C161BE0F834CE35EFA5821A5E2720B6B900ADEDDA04A1A797
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2A53.tmp.txt	data	612F47EB9D24FD4E61DDEC29F295FDB0	EAAF045CE1E96207ED97A4B6BEFAE022A5E3E72F	B33577DB2BA85360CCE16F3AB1350811F0C34BC7BBD413DCFCB3FEB51B0902B3
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBD95.tmp.dmp	Mini DuMP crash report, 15 streams, Thu Dec 2 06:43:18 2021, 0x1205a4 type	C8B2D2828CD8CAF6D8C251B3CDA0580A	4A167C9CFCC527998A72BDD884BB8C4C86B7E312	DDCDA1AD68395279378CF48738DAF2C3C9BA7AC8C170FA4753BE026E7A7C3AA4
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC21A.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	57C5752D6E1511D0F91470D87254D736	1113698518A90728FB2D9BEDCFE6653C2DB1C3C8	C48BC6E8CF9B7615CDC9F042485275E3CE858D0E5C47FCC954D10BCDA7B7CA7B
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC567.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	B739F4FD9D0B752A1E071F45EBADDF66	4EF87B8B0EE996EBBE5487882D88A5C86C79C5B0	83483881D268A949AA0E1A03931505E2180483C4BF082AB4850263FCE07CCE92
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE5BE.tmp.dmp	Mini DuMP crash report, 15 streams, Thu Dec 2 06:43:28 2021, 0x1205a4 type	3FA64B42A2B811103CC6E48B6B1AE88B	0AAEA0C7B37591220CA46EF80886AA55A91FF40A	47571B1F5B94D863716BE43CAE1AA4F1E495585F7D731B05FB157AD04CE14B00
C:\ProgramData\Microsoft\Windows\WER\Temp\WEREDFD.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	44F69CAA4D135F5CD097FEE4DB7DEE7C	79FDAE5E64EB40E2392403391CB6EC47CFD76A53	1BC373F8157031EFD4F1E9DFA3D07E7D7A264D0752E87D34F7A6415A8213C331
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF04F.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	3EB2E3C69407A4BD9F6749D709EF66D7	CBFD8C507029F2CDCA987AC02E7B1B08587B5FC7	5590CC5A365588272219BCE01663F3873D5AE6D227A17C299EF8330C910F3497
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB9F.tmp.csv	data	D1A2FA41294FBD1EA458D6CF85921A7B	E1BC5C1A5C644CD70181AD2EA97F7339F041E039	0837245B4CE7F32A21700E4F1FD8854EE5C9055A253F03F04309D2C8BED57923
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFF2A.tmp.txt	data	42FC2DA6DDCB05ED192B260D93C40EDE	ADA824AAF1B1459C68E39BA5BBBB6FF9B1CECAA0	6FFEFDFD389A559B3D34D1B7D5CCBB3FC0A66B9016F55ED884049DE205138288
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators	BD2716FAABCDBA0419357545346C9D65	D82A6668E3B155343BF6FFCE052A7C296AC851DD	FAC513272E863609EE8005B67F9667410AA40C9855FCC4EAD109DA5E3E35822B
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20211202_064124_066.etl	data	29DCD877FBBA64860CCD5A42BC993715	3E18E0658F586F01524F4F7A2A6441E330BC34DF	FB95E88E62E6139A75E6178A9729DE4531FB002552E7E5DB3F334992CFB79AF2
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	8291D8E3272043357F076C4286BB25C0	80FCAEFEEC837176E6AD51F131393E6DD4C5F692	CF6B8C452C2EC817592E7E665E3EDA3A52B8D19EB9B10DD0ACD1C19C68E5674C
C:\Windows\appcompat\Programs\Amcache.hve.LOG1	MS Windows registry file, NT/2000 or above	2AC2AE14419AC5DEDEC626959210E553	FA562D8A95A8C10F0237BBDF5B97C467B77EB121	3E018745B93A840DB43BE4D13BE9857BBA3F1435632744CDC68F2592B0AE8730

Windows Analysis Report TYLNb8VvnmYA.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Spreading:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs