Analysis Report V7F2H10gJw

Overview

General Information

Sample Name: V7F2H10gJw (renamed file extension from none to dll)
Analysis ID: 346323
MD5: 0562f10f0c926a05eb28d3579fc86663
SHA1: f75ad2980002d655410e7270825d51dcc53de0cc
SHA256: 8794893f687e487bfafaf085154a5b932612d9de0825a3b392931d414b2c1985
Tags: Mingloa

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
PE file has a writeable .text section
Checks if the current process is being debugged
One or more processes crash
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: V7F2H10gJw.dll Virustotal: Detection: 20%
Source: V7F2H10gJw.dll ReversingLabs: Detection: 44%
Machine Learning detection for sample
Source: V7F2H10gJw.dll Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: V7F2H10gJw.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Binary contains paths to debug symbols
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: V7F2H10gJw.dll
Source: Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: V7F2H10gJw.dll
Source: V7F2H10gJw.dll String found in binary or memory: "name":"fb_dtsg","value":"name="fb_dtsg" value="Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: nonehttps://www.facebook.com/""2%d0https://graph.facebook.com/me/friends?access_token=%s&pretty=1&limit=1summarytotal_count{}summarytotal_count%dquery_friends.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: count = %d equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll String found in binary or memory: -3https://www.facebook.com/payments/settings/payment_methods/index.php?__a=1errorSummaryconfirmemail.phpcard_type_name-110query_payment2.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: ret = %s equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll String found in binary or memory: accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: same-originreferer: https://www.messenger.com/origin: https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie: c_user=ookie: xs=ookie: ;%[^;]; https://m.facebook.com/settings/email/<span class="_52ji _8uk3">accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1</span></span>@&#064;@&#064;https://m.facebook.com/settings/sms/<strong><span dir="ltr">accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1</span></span>+ https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_point"dtsg":{"token":"accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1"https://m.facebook.com/pages/create/edit_name/"draftID":Accept: */*Origin: https://m.facebook.comReferer: https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_pointSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Requested-With: XMLHttpRequestX-Response-Format: JSONStreampage_name=&m_sess=&fb_dtsg=&jazoest=&__csr=&__req=3&__user=,"https://m.facebook.com/pages/creation_flow/?step=category&draft_id=&cat_ref_page_id=0&extra_data=%7B%22page_name%22%3A%22%22%7D"dtsg":{"token":"accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_pointsec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: same-originSec-Fetch-User: ?1upgrade-insecure-requests: 1"https://m.facebook.com/pages/create/edit_category/"pageID":Referer: https://m.facebook.com/pages/creation_flow/?step=category&draft_id=&cat_ref_page_id=0&extra_data=%7B%22page_name%22%3A%22%22%7DAccept: */*Origin: https://m.facebook.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Response-Format: JSONStreamX-Requested-With: XMLHttpRequestpage_category=1300&draft_id=&m_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__user=}"+ .-_@@friends2page.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: pageid = %s equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll String found in binary or memory: bad allocationSOFTWARE\Mozilla\Mozilla FirefoxCurrentVersion\\MainInstall Directory%s\firefox.exe{}[]"1""2""3"123bad allocationc_user=xs=https://www.facebook.com/adsmanager/manage/adshttps://business.facebook.com/adsmanager/manage/adssettings/?act=&access_token:""access_token":""query_token_account_id.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll String found in binary or memory: c_user=xs=https://www.facebook.com/ads/manager/account_settingsaccountID:"access_token:"Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: none""query_token_account_id_laomaozi.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll String found in binary or memory: c_user=xs=https://www.facebook.com/adsmanager/manage/adshttps://business.facebook.com/adsmanager/manage/adswindow.location.replace("")/act___accessToken="Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: nonehttps:act=/\/"%[0-9]query_token_account_id2.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll String found in binary or memory: https://www.facebook.com/"name="fb_dtsg" value=""logout_hash":"""logout_hash":"logoutToken:""logoutToken:"https://www.facebook.com/comet/try/source=SETTINGS_MENU&nctr[_mod]=pagelet_bluebar&__user=&__a=1&__csr=&__req=14&__beoa=0&__pc=PHASED%3ADEFAULT&dpr=1&__ccg=EXCELLENT&fb_dtsg=&jazoest=for (;;);{https://m.facebook.com/logout.php?h=%s&t=%sc_user=deleted"encrypted":"https://m.facebook.com/?_rdr""name="fb_dtsg" value="logout.phpm_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__a=&__user=https://m.facebook.com/bookmarks/flyout/body/?id=u_0_6\https://m.facebook.com/logout.php%sc_user=deletedhttps://m.facebook.com/?soft=bookmarks"logoutURL":"\"logout.phphttps://m.facebook.com&source=mtouch_logout_button&persist_locale=1&button_name=logout&button_location=settings%s equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll String found in binary or memory: https://www.facebook.com/ads/manager/account_settings equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll String found in binary or memory: https://www.facebook.com/adsmanager/manage/ads equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll String found in binary or memory: https://www.facebook.com/bookmarks/pages?ref_type=logout_gear equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll String found in binary or memory: https://www.facebook.com/comet/try/ equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll String found in binary or memory: https://www.facebook.com/connect/ping?client_id=124024574287414&domain=www.instagram.com&origin=1&redirect_uri=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F1e2RywyANNe.js%3Fversion%3D42%23cb%3Df19f2d8a0dd2f24%26domain%3Dwww.instagram.com%26origin%3Dhttps%253A%252F%252Fwww.instagram.com%252Ff2dc055ae1b1274%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey&version=v2.2 equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll String found in binary or memory: https://www.facebook.com/connect/ping?client_id=124024574287414&domain=www.instagram.com&origin=1&redirect_uri=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F1e2RywyANNe.js%3Fversion%3D42%23cb%3Df19f2d8a0dd2f24%26domain%3Dwww.instagram.com%26origin%3Dhttps%253A%252F%252Fwww.instagram.com%252Ff2dc055ae1b1274%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey&version=v2.2&access_token=&expires_in=Location: query_instagram_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: token = %s equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopes equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesLocation: equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesocation: equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll String found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1 equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll String found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1x-auth-result: query_mess_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: x_auth_result = %s equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll String found in binary or memory: https://www.facebook.com/payments/settings/payment_methods/index.php?__a=1 equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll String found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri= equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll String found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri=origin: https://www.instagram.comsec-fetch-mode: corsreferer: https://www.instagram.com/sec-fetch-site: cross-sitefb-ar: equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll String found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/ equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie_20191224.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie_20200229.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
Source: V7F2H10gJw.dll String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: V7F2H10gJw.dll String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceCodeSigningCA.crt0
Source: V7F2H10gJw.dll String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: V7F2H10gJw.dll String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0O
Source: V7F2H10gJw.dll String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: V7F2H10gJw.dll String found in binary or memory: http://crl3.digicert.com/sha2-ha-cs-g1.crl00
Source: V7F2H10gJw.dll String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: V7F2H10gJw.dll String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
Source: V7F2H10gJw.dll String found in binary or memory: http://crl4.digicert.com/sha2-ha-cs-g1.crl0L
Source: V7F2H10gJw.dll String found in binary or memory: http://ocsp.digicert.com0I
Source: V7F2H10gJw.dll String found in binary or memory: http://ocsp.digicert.com0P
Source: V7F2H10gJw.dll String found in binary or memory: http://ocsp.digicert.com0R
Source: V7F2H10gJw.dll String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: V7F2H10gJw.dll String found in binary or memory: http://www.interestvideo.com/video1.php
Source: V7F2H10gJw.dll String found in binary or memory: https://01%s08%s15%s22%sWebGL%d%02d%s.club/http://01%s08%s15%s22%sFrankLin%d%02d%s.xyz/post_info.
Source: V7F2H10gJw.dll String found in binary or memory: https://ads.google.com/nav/_/rpc/GaiaInfoService/Get?authuser=0&rpcTrackingId=GaiaInfoService.Get%3A
Source: V7F2H10gJw.dll String found in binary or memory: https://ads.google.com/nav/_/rpc/UserByGaiaService/Get?authuser=0&rpcTrackingId=UserByGaiaService.Ge
Source: V7F2H10gJw.dll String found in binary or memory: https://ads.google.com/nav/_/rpc/UserCustomerAccessService/List?authuser=0&rpcTrackingId=UserCustome
Source: V7F2H10gJw.dll String found in binary or memory: https://ads.google.com/nav/selectaccount
Source: V7F2H10gJw.dll String found in binary or memory: https://ads.google.com/nav/selectaccountocation:
Source: V7F2H10gJw.dll String found in binary or memory: https://ads.google.comsec-fetch-dest:
Source: V7F2H10gJw.dll String found in binary or memory: https://api.twitter.com/1.1/statuses/update.json
Source: V7F2H10gJw.dll String found in binary or memory: https://api.twitter.com/1.1/statuses/update.jsoninclude_profile_interstitial_type=1&include_blocking
Source: V7F2H10gJw.dll String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: V7F2H10gJw.dll String found in binary or memory: https://twitter.com/
Source: V7F2H10gJw.dll String found in binary or memory: https://twitter.com/compose/tweetsec-fetch-dest:
Source: V7F2H10gJw.dll String found in binary or memory: https://twitter.com/compose/tweetsec-fetch-mode:
Source: V7F2H10gJw.dll String found in binary or memory: https://twitter.com/ookie:
Source: V7F2H10gJw.dll String found in binary or memory: https://twitter.comReferer:
Source: V7F2H10gJw.dll String found in binary or memory: https://twitter.comsec-fetch-dest:
Source: V7F2H10gJw.dll String found in binary or memory: https://upload.twitter.com/i/media/upload.json
Source: V7F2H10gJw.dll String found in binary or memory: https://upload.twitter.com/i/media/upload.json%dcommand=INIT&total_bytes=&media_type=image%2Fjpeg&me
Source: V7F2H10gJw.dll String found in binary or memory: https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0
Source: V7F2H10gJw.dll String found in binary or memory: https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0accept:
Source: V7F2H10gJw.dll String found in binary or memory: https://upload.twitter.com/i/media/upload.jsoncommand=FINALIZE&media_id=
Source: V7F2H10gJw.dll String found in binary or memory: https://www.digicert.com/CPS0
Source: V7F2H10gJw.dll String found in binary or memory: https://www.instagram.com/
Source: V7F2H10gJw.dll String found in binary or memory: https://www.instagram.com/accept:
Source: V7F2H10gJw.dll String found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/
Source: V7F2H10gJw.dll String found in binary or memory: https://www.instagram.com/graphql/query/?query_hash=149bef52a3b2af88c0fec37913fe1cbc&variables=%7B%2
Source: V7F2H10gJw.dll String found in binary or memory: https://www.instagram.com/sec-fetch-site:
Source: V7F2H10gJw.dll String found in binary or memory: https://www.instagram.comsec-fetch-mode:
Source: V7F2H10gJw.dll String found in binary or memory: https://www.messenger.com
Source: V7F2H10gJw.dll String found in binary or memory: https://www.messenger.com/
Source: V7F2H10gJw.dll String found in binary or memory: https://www.messenger.com/accept:
Source: V7F2H10gJw.dll String found in binary or memory: https://www.messenger.com/login/nonce/
Source: V7F2H10gJw.dll String found in binary or memory: https://www.messenger.com/origin:
Source: V7F2H10gJw.dll String found in binary or memory: https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie:

System Summary:

Malicious sample detected (through community Yara rule)
Source: V7F2H10gJw.dll, type: SAMPLE Matched rule: APT34_PICKPOCKET Author: unknown
PE file has a writeable .text section
Source: V7F2H10gJw.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
One or more processes crash
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6148 -s 612
PE file contains executable resources (Code or Archives)
Source: V7F2H10gJw.dll Static PE information: Resource name: CRX type: 7-zip archive data, version 0.3
Source: V7F2H10gJw.dll Static PE information: Resource name: FF type: 7-zip archive data, version 0.3
Source: V7F2H10gJw.dll Static PE information: Resource name: FRIENDS type: 7-zip archive data, version 0.3
Sample file is different than original file name gathered from version info
Source: V7F2H10gJw.dll Binary or memory string: OriginalFilenameFsFilter.sys vs V7F2H10gJw.dll
Uses 32bit PE files
Yara signature match
Source: V7F2H10gJw.dll, type: SAMPLE Matched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
Source: V7F2H10gJw.dll Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Source: V7F2H10gJw.dll Static PE information: Section: .rsrc ZLIB complexity 0.999259599673
Source: classification engine Classification label: mal64.winDLL@75/4@0/0
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6148
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER6A2C.tmp
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\V7F2H10gJw.dll'
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello003
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello003
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello003
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello003
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello003
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello003
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello003
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello003
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: C:\Windows\SysWOW64\rundll32.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe Process created: unknown unknown
Source: V7F2H10gJw.dll Static PE information: Virtual size of .text is bigger than: 0x100000
Source: V7F2H10gJw.dll Static file information: File size 4919296 > 1048576
Source: V7F2H10gJw.dll Static PE information: Raw size of .text is bigger than: 0x100000 < 0x16f000
Source: V7F2H10gJw.dll Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x118000
Source: V7F2H10gJw.dll Static PE information: Raw size of .data is bigger than: 0x100000 < 0x180000
Source: Binary string: winhttp.pdbV source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source: Binary string: wininet.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdbk source: WerFault.exe, 00000003.00000003.678504903.0000000005912000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000003.00000003.678490919.0000000005791000.00000004.00000001.sdmp
Source: Binary string: crypt32.pdbN source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000003.00000003.678490919.0000000005791000.00000004.00000001.sdmp
Source: Binary string: wldap32.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000003.00000003.678504903.0000000005912000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000003.00000003.678546892.0000000005915000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000003.00000003.678490919.0000000005791000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000003.00000003.678546892.0000000005915000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000003.00000003.678490919.0000000005791000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000003.00000003.678490919.0000000005791000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000003.00000003.678541937.0000000005910000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000003.00000003.678541937.0000000005910000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000003.00000003.678490919.0000000005791000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000003.00000003.674734776.0000000003688000.00000004.00000001.sdmp
Source: Binary string: version.pdb\ source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000003.00000003.678490919.0000000005791000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source: Binary string: wldap32.pdb~ source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000003.00000003.674970320.000000000367C000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000003.00000003.678490919.0000000005791000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000003.00000003.678546892.0000000005915000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdbp source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbh source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: V7F2H10gJw.dll
Source: Binary string: version.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdbd source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdbZ source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000003.00000003.678541937.0000000005910000.00000004.00000040.sdmp
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdbpJ source: V7F2H10gJw.dll
Source: Binary string: setupapi.pdb@ source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 00000003.00000003.678546892.0000000005915000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000003.00000003.674734776.0000000003688000.00000004.00000001.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000003.00000003.678541937.0000000005910000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000003.00000003.678541937.0000000005910000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000003.00000003.674651326.0000000003682000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000003.00000003.678490919.0000000005791000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000003.00000003.678490919.0000000005791000.00000004.00000001.sdmp
Source: Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: V7F2H10gJw.dll
Source: Binary string: apmjrsmCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000003.00000002.682013956.00000000032B2000.00000004.00000010.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp

Data Obfuscation:

barindex
PE file contains an invalid checksum
Source: V7F2H10gJw.dll Static PE information: real checksum: 0x4b39df should be: 0x4be8c9
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: WerFault.exe, 00000003.00000002.683217839.0000000005930000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000003.00000002.683217839.0000000005930000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000003.00000002.683217839.0000000005930000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000003.00000002.683217839.0000000005930000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

barindex
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Behavior Graph (ID: 346323, Sample: V7F2H10gJw, Startdate: 30/01/2021, Architecture: WINDOWS, Score: 64). Signatures shown on the graph: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Machine Learning detection for sample; PE file has a writeable .text section. Process tree: loaddll32.exe starts three rundll32.exe processes and WerFault.exe; each rundll32.exe in turn starts another rundll32.exe, with the chains nested up to nine rundll32.exe processes deep.
No contacted IP infos