Play interactive tour

Edit tour

Analysis Report V7F2H10gJw

Overview

General Information

Sample Name:	V7F2H10gJw (renamed file extension from none to dll)
Analysis ID:	346323
MD5:	0562f10f0c926a05eb28d3579fc86663
SHA1:	f75ad2980002d655410e7270825d51dcc53de0cc
SHA256:	8794893f687e487bfafaf085154a5b932612d9de0825a3b392931d414b2c1985
Tags:	Mingloa
Most interesting Screenshot:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

PE file has a writeable .text section

Checks if the current process is being debugged

One or more processes crash

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara signature match

Classification

Startup

System is w10x64

loaddll32.exe (PID: 6148 cmdline: loaddll32.exe 'C:\Users\user\Desktop\V7F2H10gJw.dll' MD5: 2D39D4DFDE8F7151723794029AB8A034)

WerFault.exe (PID: 4292 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6148 -s 612 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 6588 cmdline: rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6608 cmdline: rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6576 cmdline: rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 4176 cmdline: rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 1256 cmdline: rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5992 cmdline: rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6132 cmdline: rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5212 cmdline: rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6464 cmdline: rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5708 cmdline: rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6788 cmdline: rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6688 cmdline: rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6768 cmdline: rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6656 cmdline: rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6792 cmdline: rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6760 cmdline: rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6552 cmdline: rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6916 cmdline: rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 7028 cmdline: rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6860 cmdline: rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5788 cmdline: rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5688 cmdline: rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5624 cmdline: rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6684 cmdline: rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6716 cmdline: rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6784 cmdline: rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6672 cmdline: rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6828 cmdline: rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6932 cmdline: rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 7036 cmdline: rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6996 cmdline: rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6648 cmdline: rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello003 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6536 cmdline: rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello003 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6912 cmdline: rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello003 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 7012 cmdline: rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello003 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
V7F2H10gJw.dll	APT34_PICKPOCKET	unknown	unknown	0x1ffc9c:$s2: \nss3.dll 0x248d10:$s2: \nss3.dll 0x3fb4f0:$s4: \| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger'); 0x1cfd44:$s5: \Login Data 0x1cfe34:$s5: \Login Data 0x1cff24:$s5: \Login Data 0x1d0064:$s5: \Login Data 0x1d0274:$s5: \Login Data 0x1d02f4:$s5: \Login Data 0x1d0374:$s5: \Login Data 0x1d0438:$s5: \Login Data 0x1d0634:$s5: \Login Data 0x1d0744:$s5: \Login Data 0x1d08d4:$s5: \Login Data 0x1d0944:$s5: \Login Data 0x1ffd10:$s6: %s\Mozilla\Firefox\profiles.ini 0x248d90:$s6: %s\Mozilla\Firefox\profiles.ini 0x1cfd45:$s7: Login Data 0x1cfe35:$s7: Login Data 0x1cff25:$s7: Login Data 0x1d0065:$s7: Login Data

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: V7F2H10gJw.dll	Virustotal: Detection: 20%			Perma Link
Source: V7F2H10gJw.dll	ReversingLabs: Detection: 44%

Machine Learning detection for sample

Show sources

Source: V7F2H10gJw.dll

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Show sources

Source: V7F2H10gJw.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Binary contains paths to debug symbols

Show sources

Source:	Binary string: winhttp.pdbV source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: wininet.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdbk source: WerFault.exe, 00000003.00000003.678504903.0000000005912000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000003.00000003.678490919.0000000005791000.00000004.00000001.sdmp
Source:	Binary string: crypt32.pdbN source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000003.00000003.678490919.0000000005791000.00000004.00000001.sdmp
Source:	Binary string: wldap32.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000003.00000003.678504903.0000000005912000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000003.00000003.678546892.0000000005915000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000003.00000003.678490919.0000000005791000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000003.00000003.678546892.0000000005915000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000003.00000003.678490919.0000000005791000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000003.00000003.678490919.0000000005791000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000003.00000003.678541937.0000000005910000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000003.00000003.678541937.0000000005910000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000003.00000003.678490919.0000000005791000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000003.00000003.674734776.0000000003688000.00000004.00000001.sdmp
Source:	Binary string: version.pdb\ source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000003.00000003.678490919.0000000005791000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: winhttp.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: wldap32.pdb~ source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000003.00000003.674970320.000000000367C000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000003.00000003.678490919.0000000005791000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000003.00000003.678546892.0000000005915000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdbp source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdbh source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: V7F2H10gJw.dll
Source:	Binary string: version.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdbd source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdbZ source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000003.00000003.678541937.0000000005910000.00000004.00000040.sdmp
Source:	Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdbpJ source: V7F2H10gJw.dll
Source:	Binary string: setupapi.pdb@ source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdbk source: WerFault.exe, 00000003.00000003.678546892.0000000005915000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000003.00000003.674734776.0000000003688000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000003.00000003.678541937.0000000005910000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000003.00000003.678541937.0000000005910000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000003.00000003.674651326.0000000003682000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000003.00000003.678490919.0000000005791000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000003.00000003.678490919.0000000005791000.00000004.00000001.sdmp
Source:	Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: V7F2H10gJw.dll
Source:	Binary string: apmjrsmCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000003.00000002.682013956.00000000032B2000.00000004.00000010.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp

Networking:

Source: V7F2H10gJw.dll	String found in binary or memory: "name":"fb_dtsg","value":"name="fb_dtsg" value="Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: nonehttps://www.facebook.com/""2%d0https://graph.facebook.com/me/friends?access_token=%s&pretty=1&limit=1summarytotal_count{}summarytotal_count%dquery_friends.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: count = %d equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll	String found in binary or memory: -3https://www.facebook.com/payments/settings/payment_methods/index.php?__a=1errorSummaryconfirmemail.phpcard_type_name-110query_payment2.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: ret = %s equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll	String found in binary or memory: accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: same-originreferer: https://www.messenger.com/origin: https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie: c_user=ookie: xs=ookie: ;%[^;]; https://m.facebook.com/settings/email/<span class="_52ji _8uk3">accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1</span></span>@@@@https://m.facebook.com/settings/sms/<strong><span dir="ltr">accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1</span></span>+ https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_point"dtsg":{"token":"accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1"https://m.facebook.com/pages/create/edit_name/"draftID":Accept: /Origin: https://m.facebook.comReferer: https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_pointSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Requested-With: XMLHttpRequestX-Response-Format: JSONStreampage_name=&m_sess=&fb_dtsg=&jazoest=&__csr=&__req=3&__user=,"https://m.facebook.com/pages/creation_flow/?step=category&draft_id=&cat_ref_page_id=0&extra_data=%7B%22page_name%22%3A%22%22%7D"dtsg":{"token":"accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_pointsec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: same-originSec-Fetch-User: ?1upgrade-insecure-requests: 1"https://m.facebook.com/pages/create/edit_category/"pageID":Referer: https://m.facebook.com/pages/creation_flow/?step=category&draft_id=&cat_ref_page_id=0&extra_data=%7B%22page_name%22%3A%22%22%7DAccept: /Origin: https://m.facebook.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Response-Format: JSONStreamX-Requested-With: XMLHttpRequestpage_category=1300&draft_id=&m_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__user=}"+ .-_@@friends2page.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: pageid = %s equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll	String found in binary or memory: bad allocationSOFTWARE\Mozilla\Mozilla FirefoxCurrentVersion\\MainInstall Directory%s\firefox.exe{}[]"1""2""3"123bad allocationc_user=xs=https://www.facebook.com/adsmanager/manage/adshttps://business.facebook.com/adsmanager/manage/adssettings/?act=&access_token:""access_token":""query_token_account_id.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll	String found in binary or memory: c_user=xs=https://www.facebook.com/ads/manager/account_settingsaccountID:"access_token:"Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: none""query_token_account_id_laomaozi.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll	String found in binary or memory: c_user=xs=https://www.facebook.com/adsmanager/manage/adshttps://business.facebook.com/adsmanager/manage/adswindow.location.replace("")/act___accessToken="Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: nonehttps:act=/\/"%[0-9]query_token_account_id2.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll	String found in binary or memory: https://www.facebook.com/"name="fb_dtsg" value=""logout_hash":"""logout_hash":"logoutToken:""logoutToken:"https://www.facebook.com/comet/try/source=SETTINGS_MENU&nctr[_mod]=pagelet_bluebar&__user=&__a=1&__csr=&__req=14&__beoa=0&__pc=PHASED%3ADEFAULT&dpr=1&__ccg=EXCELLENT&fb_dtsg=&jazoest=for (;;);{https://m.facebook.com/logout.php?h=%s&t=%sc_user=deleted"encrypted":"https://m.facebook.com/?_rdr""name="fb_dtsg" value="logout.phpm_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__a=&__user=https://m.facebook.com/bookmarks/flyout/body/?id=u_0_6\https://m.facebook.com/logout.php%sc_user=deletedhttps://m.facebook.com/?soft=bookmarks"logoutURL":"\"logout.phphttps://m.facebook.com&source=mtouch_logout_button&persist_locale=1&button_name=logout&button_location=settings%s equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll	String found in binary or memory: https://www.facebook.com/ads/manager/account_settings equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll	String found in binary or memory: https://www.facebook.com/adsmanager/manage/ads equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll	String found in binary or memory: https://www.facebook.com/bookmarks/pages?ref_type=logout_gear equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll	String found in binary or memory: https://www.facebook.com/comet/try/ equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll	String found in binary or memory: https://www.facebook.com/connect/ping?client_id=124024574287414&domain=www.instagram.com&origin=1&redirect_uri=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F1e2RywyANNe.js%3Fversion%3D42%23cb%3Df19f2d8a0dd2f24%26domain%3Dwww.instagram.com%26origin%3Dhttps%253A%252F%252Fwww.instagram.com%252Ff2dc055ae1b1274%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey&version=v2.2 equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll	String found in binary or memory: https://www.facebook.com/connect/ping?client_id=124024574287414&domain=www.instagram.com&origin=1&redirect_uri=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F1e2RywyANNe.js%3Fversion%3D42%23cb%3Df19f2d8a0dd2f24%26domain%3Dwww.instagram.com%26origin%3Dhttps%253A%252F%252Fwww.instagram.com%252Ff2dc055ae1b1274%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey&version=v2.2&access_token=&expires_in=Location: query_instagram_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: token = %s equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll	String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopes equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll	String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesLocation: equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll	String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesocation: equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll	String found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1 equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll	String found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1x-auth-result: query_mess_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: x_auth_result = %s equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll	String found in binary or memory: https://www.facebook.com/payments/settings/payment_methods/index.php?__a=1 equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll	String found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri= equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll	String found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri=origin: https://www.instagram.comsec-fetch-mode: corsreferer: https://www.instagram.com/sec-fetch-site: cross-sitefb-ar: equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll	String found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/ equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll	String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll	String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie_20191224.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: V7F2H10gJw.dll	String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie_20200229.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)

Source: V7F2H10gJw.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
Source: V7F2H10gJw.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: V7F2H10gJw.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceCodeSigningCA.crt0
Source: V7F2H10gJw.dll	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: V7F2H10gJw.dll	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0O
Source: V7F2H10gJw.dll	String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: V7F2H10gJw.dll	String found in binary or memory: http://crl3.digicert.com/sha2-ha-cs-g1.crl00
Source: V7F2H10gJw.dll	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: V7F2H10gJw.dll	String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
Source: V7F2H10gJw.dll	String found in binary or memory: http://crl4.digicert.com/sha2-ha-cs-g1.crl0L
Source: V7F2H10gJw.dll	String found in binary or memory: http://ocsp.digicert.com0I
Source: V7F2H10gJw.dll	String found in binary or memory: http://ocsp.digicert.com0P
Source: V7F2H10gJw.dll	String found in binary or memory: http://ocsp.digicert.com0R
Source: V7F2H10gJw.dll	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: V7F2H10gJw.dll	String found in binary or memory: http://www.interestvideo.com/video1.php
Source: V7F2H10gJw.dll	String found in binary or memory: https://01%s08%s15%s22%sWebGL%d%02d%s.club/http://01%s08%s15%s22%sFrankLin%d%02d%s.xyz/post_info.
Source: V7F2H10gJw.dll	String found in binary or memory: https://ads.google.com/nav/_/rpc/GaiaInfoService/Get?authuser=0&rpcTrackingId=GaiaInfoService.Get%3A
Source: V7F2H10gJw.dll	String found in binary or memory: https://ads.google.com/nav/_/rpc/UserByGaiaService/Get?authuser=0&rpcTrackingId=UserByGaiaService.Ge
Source: V7F2H10gJw.dll	String found in binary or memory: https://ads.google.com/nav/_/rpc/UserCustomerAccessService/List?authuser=0&rpcTrackingId=UserCustome
Source: V7F2H10gJw.dll	String found in binary or memory: https://ads.google.com/nav/selectaccount
Source: V7F2H10gJw.dll	String found in binary or memory: https://ads.google.com/nav/selectaccountocation:
Source: V7F2H10gJw.dll	String found in binary or memory: https://ads.google.comsec-fetch-dest:
Source: V7F2H10gJw.dll	String found in binary or memory: https://api.twitter.com/1.1/statuses/update.json
Source: V7F2H10gJw.dll	String found in binary or memory: https://api.twitter.com/1.1/statuses/update.jsoninclude_profile_interstitial_type=1&include_blocking
Source: V7F2H10gJw.dll	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: V7F2H10gJw.dll	String found in binary or memory: https://twitter.com/
Source: V7F2H10gJw.dll	String found in binary or memory: https://twitter.com/compose/tweetsec-fetch-dest:
Source: V7F2H10gJw.dll	String found in binary or memory: https://twitter.com/compose/tweetsec-fetch-mode:
Source: V7F2H10gJw.dll	String found in binary or memory: https://twitter.com/ookie:
Source: V7F2H10gJw.dll	String found in binary or memory: https://twitter.comReferer:
Source: V7F2H10gJw.dll	String found in binary or memory: https://twitter.comsec-fetch-dest:
Source: V7F2H10gJw.dll	String found in binary or memory: https://upload.twitter.com/i/media/upload.json
Source: V7F2H10gJw.dll	String found in binary or memory: https://upload.twitter.com/i/media/upload.json%dcommand=INIT&total_bytes=&media_type=image%2Fjpeg&me
Source: V7F2H10gJw.dll	String found in binary or memory: https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0
Source: V7F2H10gJw.dll	String found in binary or memory: https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0accept:
Source: V7F2H10gJw.dll	String found in binary or memory: https://upload.twitter.com/i/media/upload.jsoncommand=FINALIZE&media_id=
Source: V7F2H10gJw.dll	String found in binary or memory: https://www.digicert.com/CPS0
Source: V7F2H10gJw.dll	String found in binary or memory: https://www.instagram.com/
Source: V7F2H10gJw.dll	String found in binary or memory: https://www.instagram.com/accept:
Source: V7F2H10gJw.dll	String found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/
Source: V7F2H10gJw.dll	String found in binary or memory: https://www.instagram.com/graphql/query/?query_hash=149bef52a3b2af88c0fec37913fe1cbc&variables=%7B%2
Source: V7F2H10gJw.dll	String found in binary or memory: https://www.instagram.com/sec-fetch-site:
Source: V7F2H10gJw.dll	String found in binary or memory: https://www.instagram.comsec-fetch-mode:
Source: V7F2H10gJw.dll	String found in binary or memory: https://www.messenger.com
Source: V7F2H10gJw.dll	String found in binary or memory: https://www.messenger.com/
Source: V7F2H10gJw.dll	String found in binary or memory: https://www.messenger.com/accept:
Source: V7F2H10gJw.dll	String found in binary or memory: https://www.messenger.com/login/nonce/
Source: V7F2H10gJw.dll	String found in binary or memory: https://www.messenger.com/origin:
Source: V7F2H10gJw.dll	String found in binary or memory: https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie:

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: V7F2H10gJw.dll, type: SAMPLE

Matched rule: APT34_PICKPOCKET Author: unknown

PE file has a writeable .text section

Show sources

Source: V7F2H10gJw.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: unknown

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6148 -s 612

Source: V7F2H10gJw.dll	Static PE information: Resource name: CRX type: 7-zip archive data, version 0.3
Source: V7F2H10gJw.dll	Static PE information: Resource name: FF type: 7-zip archive data, version 0.3
Source: V7F2H10gJw.dll	Static PE information: Resource name: FRIENDS type: 7-zip archive data, version 0.3

Source: V7F2H10gJw.dll

Binary or memory string: OriginalFilenameFsFilter.sys vs V7F2H10gJw.dll

Source: V7F2H10gJw.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: V7F2H10gJw.dll, type: SAMPLE

Matched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html

Source: V7F2H10gJw.dll

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Source: V7F2H10gJw.dll

Static PE information: Section: .rsrc ZLIB complexity 0.999259599673

Source: classification engine

Classification label: mal64.winDLL@75/4@0/0

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6148

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER6A2C.tmp

Jump to behavior

Source: V7F2H10gJw.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001

Source: V7F2H10gJw.dll	Virustotal: Detection: 20%
Source: V7F2H10gJw.dll	ReversingLabs: Detection: 44%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\V7F2H10gJw.dll'
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6148 -s 612
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello003
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello003
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello003
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello003
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello003
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello003
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello003
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello003
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: unknown unknown

Source: V7F2H10gJw.dll

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: V7F2H10gJw.dll

Static file information: File size 4919296 > 1048576

Source: V7F2H10gJw.dll	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x16f000
Source: V7F2H10gJw.dll	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x118000
Source: V7F2H10gJw.dll	Static PE information: Raw size of .data is bigger than: 0x100000 < 0x180000

Source:	Binary string: winhttp.pdbV source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: wininet.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdbk source: WerFault.exe, 00000003.00000003.678504903.0000000005912000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000003.00000003.678490919.0000000005791000.00000004.00000001.sdmp
Source:	Binary string: crypt32.pdbN source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000003.00000003.678490919.0000000005791000.00000004.00000001.sdmp
Source:	Binary string: wldap32.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000003.00000003.678504903.0000000005912000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000003.00000003.678546892.0000000005915000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000003.00000003.678490919.0000000005791000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000003.00000003.678546892.0000000005915000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000003.00000003.678490919.0000000005791000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000003.00000003.678490919.0000000005791000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000003.00000003.678541937.0000000005910000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000003.00000003.678541937.0000000005910000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000003.00000003.678490919.0000000005791000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000003.00000003.674734776.0000000003688000.00000004.00000001.sdmp
Source:	Binary string: version.pdb\ source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000003.00000003.678490919.0000000005791000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: winhttp.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: wldap32.pdb~ source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000003.00000003.674970320.000000000367C000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000003.00000003.678490919.0000000005791000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000003.00000003.678546892.0000000005915000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdbp source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdbh source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: V7F2H10gJw.dll
Source:	Binary string: version.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdbd source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdbZ source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000003.00000003.678541937.0000000005910000.00000004.00000040.sdmp
Source:	Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdbpJ source: V7F2H10gJw.dll
Source:	Binary string: setupapi.pdb@ source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdbk source: WerFault.exe, 00000003.00000003.678546892.0000000005915000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000003.00000003.674734776.0000000003688000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000003.00000003.678541937.0000000005910000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000003.00000003.678541937.0000000005910000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000003.00000003.674651326.0000000003682000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000003.00000003.678490919.0000000005791000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000003.00000003.678490919.0000000005791000.00000004.00000001.sdmp
Source:	Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: V7F2H10gJw.dll
Source:	Binary string: apmjrsmCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000003.00000002.682013956.00000000032B2000.00000004.00000010.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 00000003.00000003.678513455.0000000005918000.00000004.00000040.sdmp

Data Obfuscation:

Source: V7F2H10gJw.dll

Static PE information: real checksum: 0x4b39df should be: 0x4be8c9

Hooking and other Techniques for Hiding and Protection:

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Source: WerFault.exe, 00000003.00000002.683217839.0000000005930000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000003.00000002.683217839.0000000005930000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000003.00000002.683217839.0000000005930000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000003.00000002.683217839.0000000005930000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion1	OS Credential Dumping	Security Software Discovery11	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rundll321	LSASS Memory	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Software Packing1	Security Account Manager	System Information Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection1	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
V7F2H10gJw.dll	20%	Virustotal		Browse
V7F2H10gJw.dll	45%	ReversingLabs	Win32.Trojan.Mingloa
V7F2H10gJw.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://01%s08%s15%s22%sWebGL%d%02d%s.club/http://01%s08%s15%s22%sFrankLin%d%02d%s.xyz/post_info.	0%	Avira URL Cloud	safe
https://twitter.comsec-fetch-dest:	0%	Avira URL Cloud	safe
https://www.instagram.comsec-fetch-mode:	0%	Avira URL Cloud	safe
https://twitter.comReferer:	0%	Avira URL Cloud	safe
http://www.interestvideo.com/video1.php	0%	Avira URL Cloud	safe
https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie:	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://01%s08%s15%s22%sWebGL%d%02d%s.club/http://01%s08%s15%s22%sFrankLin%d%02d%s.xyz/post_info.	V7F2H10gJw.dll	false	Avira URL Cloud: safe	low
https://upload.twitter.com/i/media/upload.jsoncommand=FINALIZE&media_id=	V7F2H10gJw.dll	false		high
https://twitter.com/compose/tweetsec-fetch-dest:	V7F2H10gJw.dll	false		high
https://www.instagram.com/	V7F2H10gJw.dll	false		high
https://www.messenger.com/	V7F2H10gJw.dll	false		high
https://upload.twitter.com/i/media/upload.json%dcommand=INIT&total_bytes=&media_type=image%2Fjpeg&me	V7F2H10gJw.dll	false		high
https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0accept:	V7F2H10gJw.dll	false		high
https://api.twitter.com/1.1/statuses/update.jsoninclude_profile_interstitial_type=1&include_blocking	V7F2H10gJw.dll	false		high
https://www.messenger.com/origin:	V7F2H10gJw.dll	false		high
https://twitter.com/	V7F2H10gJw.dll	false		high
https://twitter.com/ookie:	V7F2H10gJw.dll	false		high
https://api.twitter.com/1.1/statuses/update.json	V7F2H10gJw.dll	false		high
https://curl.haxx.se/docs/http-cookies.html	V7F2H10gJw.dll	false		high
https://twitter.comsec-fetch-dest:	V7F2H10gJw.dll	false	Avira URL Cloud: safe	unknown
https://upload.twitter.com/i/media/upload.json	V7F2H10gJw.dll	false		high
https://twitter.com/compose/tweetsec-fetch-mode:	V7F2H10gJw.dll	false		high
https://www.instagram.comsec-fetch-mode:	V7F2H10gJw.dll	false	Avira URL Cloud: safe	unknown
https://www.instagram.com/accounts/login/ajax/facebook/	V7F2H10gJw.dll	false		high
https://www.instagram.com/sec-fetch-site:	V7F2H10gJw.dll	false		high
https://twitter.comReferer:	V7F2H10gJw.dll	false	Avira URL Cloud: safe	unknown
https://www.messenger.com/accept:	V7F2H10gJw.dll	false		high
http://www.interestvideo.com/video1.php	V7F2H10gJw.dll	false	Avira URL Cloud: safe	unknown
https://www.messenger.com	V7F2H10gJw.dll	false		high
https://www.instagram.com/accept:	V7F2H10gJw.dll	false		high
https://www.messenger.com/login/nonce/	V7F2H10gJw.dll	false		high
https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0	V7F2H10gJw.dll	false		high
https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie:	V7F2H10gJw.dll	false	Avira URL Cloud: safe	unknown
https://www.instagram.com/graphql/query/?query_hash=149bef52a3b2af88c0fec37913fe1cbc&variables=%7B%2	V7F2H10gJw.dll	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	346323
Start date:	30.01.2021
Start time:	14:16:28
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 44s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	V7F2H10gJw (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal64.winDLL@75/4@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): WerFault.exe, svchost.exe Report size exceeded maximum capacity and may have missing behavior information.

Simulations

Behavior and APIs

Time	Type	Description
14:17:43	API Interceptor	1x Sleep call for process: loaddll32.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_c9fe8838cffade97faaf2b4b1f1bdd540aa1221_b4806494_108474bb\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	10690
Entropy (8bit):	3.756808408671022
Encrypted:	false
SSDEEP:	96:4TfCW0yWey9hTzFD7fVpXIQcQEc6ncE1cw35j+a+z+HbHg9yVG4rmMoVazWbSmfd:RUeJHqj/NDjoyq/u7sNS274ItWe
MD5:	4E699D681620248ACD5DFA2DEA3BA7B9
SHA1:	6FEB84914BF690DB1302EA63DC29860C7800B4F7
SHA-256:	6C8454C0112760072ABA461CA9B2A81B968E0EA90A370CB149D03343CC6A6C74
SHA-512:	6A52339C347E64A6D3B9DBE0A97531D70B3D75BB504A83FF22DA7BBE6A493ACE578A1385360DCA1C11DB0FAB0FE1FCEF7D0717A8F506852933098DC52BD4DEDC
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.6.4.8.6.2.4.9.7.1.0.4.3.0.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.d.5.8.1.f.5.0.-.d.0.f.3.-.4.a.f.f.-.a.0.c.b.-.5.b.d.a.a.6.4.9.c.6.4.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.8.7.5.1.5.9.4.-.1.5.b.5.-.4.f.e.9.-.b.7.0.2.-.e.6.b.d.8.c.d.4.9.a.0.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.0.4.-.0.0.0.1.-.0.0.1.b.-.4.b.6.1.-.b.f.4.0.0.a.f.7.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.0././.1.1././.3.0.:.1.2.:.1.5.:.2.1.!.0.!.l.o.a.d.d.l.l.3.2...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6A2C.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sat Jan 30 13:17:31 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	51280
Entropy (8bit):	2.0109397708123162
Encrypted:	false
SSDEEP:	192:waEwHQehyNyAy0uk8RZiW4UOLGqY+yOJLWuj9cm7/P2+p:sE/kI83jUujve+p
MD5:	0AB3DC0535E3AE6CD84526DE07F8146E
SHA1:	5111A6143A65A39DF91EC6C27897284CF95DBA16
SHA-256:	99B9D1C19E28F0B4F70982760011694539CE71A75935E48131AA5663339B2C6A
SHA-512:	EB16A690BAE03E6D9D510D60AFE62DF2BE568DBBF418427A858DFFAF1B49735410BADB2E67B11E50F958C3569DBE3EBA0A4C87972D854AA2A36E0F07AA928957
Malicious:	false
Preview:	MDMP....... .......k\.`...................U...........B..............GenuineIntelW...........T...........f\.`.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6FDA.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8288
Entropy (8bit):	3.6952939069491113
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiBo6Km6YreSUc7ngmfR0RSwM+pBe89b/nEsfnVm:RrlsNiO616YSSUc7ngmfR0RSw1/n3f4
MD5:	B0750D1084BC796380ED0ADE74594FE8
SHA1:	73006542D25B7935568DFFC316DC678FD71B1E5D
SHA-256:	BD0526E96167E9B357F10B85AF38093845D881AE54702537EDC854130E44D7D5
SHA-512:	EDE0EE1D6B725E40977537D49F9A65B8EB897DA7252BD42010A62FDED229832B4F5EEC592E2D000C577D14ABF3B1DE0B1164BB3E6096CECBF65C636B81FC171E
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.1.4.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER71A0.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4563
Entropy (8bit):	4.450489240462594
Encrypted:	false
SSDEEP:	48:cvIwSD8zsxeJgtWI9Y2WSC8Bk8fm8M4JO0Fx+q8yJKcQIcQwv+Td:uITfKjXSNrJthKkwv+Td
MD5:	DDC3C95B95F150C900E490FCA441E423
SHA1:	662BE3D44DCBB017B19BBD2786C54F82976D01C2
SHA-256:	37034CE0E2FC7D5AFF231D2270C32A07AFC2E0416C1A1849F121CA0639129C10
SHA-512:	4A9C22583C40F2C93BDAB1534A20C6E0BE68CE692EB40F92342B7848BC909DD15955A9F26D532D153074540C8201B9E768F2848742F8274D562AA6B2A5E4C1DE
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="839428" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.402189489957624
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	V7F2H10gJw.dll
File size:	4919296
MD5:	0562f10f0c926a05eb28d3579fc86663
SHA1:	f75ad2980002d655410e7270825d51dcc53de0cc
SHA256:	8794893f687e487bfafaf085154a5b932612d9de0825a3b392931d414b2c1985
SHA512:	956ba87811b21ba6584d9b213d0e78429d4dcb48dca777dcc46e859819e4df4d9eb67ceb4df1294942ea72c074e26ee1dc5784b02d3278552790837f6b158619
SSDEEP:	98304:42fbNEOO9ojnF+x6Fk+1mKi7SVSVSRDEdxA0L6EwSlyZ/9kXUVje32:46htO9oz2umKESVSVSR/i6Ewx98d2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......JG ..&N..&N..&N......&N...0..&N.).3./&N.). .@&N.).#.9'N..)...&N..)...&N..&O.4'N.).<.I&N.).4..&N.).2..&N.).6..&N.Rich.&N........

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x2de88f0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x2dc0000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:
Time Stamp:	0x5FBCCF22 [Tue Nov 24 09:15:14 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	c046337d6f2b7d6f6998381b0c3e7501

Entrypoint Preview

Instruction
cmp dword ptr [esp+08h], 01h
jne 00007F08809EA587h
call 00007F08809F63D2h
push dword ptr [esp+04h]
mov ecx, dword ptr [esp+10h]
mov edx, dword ptr [esp+0Ch]
call 00007F08809EA472h
pop ecx
retn 000Ch
push ebp
mov ebp, esp
sub esp, 20h
mov eax, dword ptr [ebp+08h]
push esi
push edi
push 00000008h
pop ecx
mov esi, 02F30808h
lea edi, dword ptr [ebp-20h]
rep movsd
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp+0Ch]
test eax, eax
pop edi
mov dword ptr [ebp-04h], eax
pop esi
je 00007F08809EA58Eh
test byte ptr [eax], 00000008h
je 00007F08809EA589h
mov dword ptr [ebp-0Ch], 01994000h
lea eax, dword ptr [ebp-0Ch]
push eax
push dword ptr [ebp-10h]
push dword ptr [ebp-1Ch]
push dword ptr [ebp-20h]
call dword ptr [02F30320h]
leave
retn 0008h
push ebp
mov ebp, esp
push ecx
push ebx
mov eax, dword ptr [ebp+0Ch]
add eax, 0Ch
mov dword ptr [ebp-04h], eax
mov ebx, dword ptr fs:[00000000h]
mov eax, dword ptr [ebx]
mov dword ptr fs:[00000000h], eax
mov eax, dword ptr [ebp+08h]
mov ebx, dword ptr [ebp+0Ch]
mov ebp, dword ptr [ebp-04h]
mov esp, dword ptr [ebx-04h]
jmp eax
pop ebx
leave
retn 0008h
pop eax
pop ecx
xchg dword ptr [esp], eax
jmp eax
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
push edi
mov esi, dword ptr fs:[00000000h]
mov dword ptr [ebp-04h], esi
mov dword ptr [ebp-08h], 02DE89BBh
push 00000000h
push dword ptr [ebp+0Ch]
push dword ptr [ebp-08h]
push dword ptr [ebp+08h]
call 00007F08809EA5A2h

Rich Headers

Programming Language:

[RES] VS2005 build 50727
[ C ] VS2005 build 50727
[EXP] VS2005 build 50727
[C++] VS2005 build 50727
[ASM] VS2005 build 50727
[LNK] VS2005 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2878f0	0x6e	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4b0000	0x1cc	.reloc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x408000	0x98db0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4a1000	0xb218	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x27ac48	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x170000	0x4dc	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x16f000	0x16f000	False	0.486302180901	data	6.4550270524	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x170000	0x118000	0x118000	False	0.453717041016	data	6.47622570334	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.data	0x288000	0x180000	0x180000	False	0.945496877035	data	7.95536782686	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x408000	0x99000	0x99000	False	0.999259599673	data	7.99961070533	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc	0x4a1000	0x10000	0x10000	False	0.00935363769531	data	0.137993413483	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
CRX	0x408150	0x9369	7-zip archive data, version 0.3	English	United States
FF	0x4114bc	0x87050	7-zip archive data, version 0.3	English	United States
FRIENDS	0x49850c	0x884a	7-zip archive data, version 0.3	English	United States
RT_MANIFEST	0x4a0d58	0x56	ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	SetFilePointer, MapViewOfFile, UnmapViewOfFile, SetEndOfFile, HeapAlloc, QueryPerformanceCounter, HeapFree, WaitForSingleObject, InterlockedCompareExchange, UnlockFile, FlushViewOfFile, LockFile, WaitForSingleObjectEx, OutputDebugStringW, GetTickCount, UnlockFileEx, GetProcessHeap, GetSystemTimeAsFileTime, FormatMessageA, InitializeCriticalSection, LoadLibraryW, FormatMessageW, HeapDestroy, LeaveCriticalSection, GetFileAttributesA, HeapCreate, HeapValidate, GetFileAttributesW, FlushFileBuffers, GetTempPathW, HeapSize, LockFileEx, EnterCriticalSection, GetDiskFreeSpaceW, CreateFileMappingA, CreateFileMappingW, GetDiskFreeSpaceA, GetSystemInfo, GetFileAttributesExW, DeleteCriticalSection, GetCurrentThreadId, GetVersionExA, DeleteFileW, HeapCompact, GetTempPathA, AreFileApisANSI, WinExec, GetPrivateProfileStringA, CreateSemaphoreA, VirtualFree, VirtualAlloc, GetLocalTime, OpenFileMappingA, lstrcpynA, CopyFileA, SetFileAttributesA, FindResourceA, LoadResource, SizeofResource, MoveFileA, LockResource, GetWindowsDirectoryA, GetThreadContext, SetThreadContext, VirtualAllocEx, GetModuleHandleA, WriteProcessMemory, ResumeThread, GetThreadLocale, GetFileInformationByHandle, GetDriveTypeA, FileTimeToLocalFileTime, FileTimeToSystemTime, CreateMutexW, HeapReAlloc, GetFullPathNameA, GetFullPathNameW, GetModuleHandleW, DeviceIoControl, CreateFileW, GetVersionExW, GetVolumeInformationW, GetSystemDirectoryW, GetComputerNameW, OutputDebugStringA, DeleteFileA, GetSystemTime, LocalFree, CloseHandle, CreateMutexA, FindNextFileA, LocalAlloc, OpenMutexA, LoadLibraryA, FindClose, GetProcAddress, GetLastError, FindFirstFileA, MultiByteToWideChar, GetTimeZoneInformation, ReadFile, CreateProcessA, WideCharToMultiByte, WriteFile, CompareFileTime, GetCurrentProcess, SystemTimeToFileTime, FreeLibrary, lstrlenA, GetFileSize, CreateFileA, GetStringTypeExA, GetSystemDirectoryA, ExpandEnvironmentStringsA, WaitForMultipleObjects, PeekNamedPipe, SleepEx, SetCurrentDirectoryA, SetFileTime, SetFileAttributesW, CreateDirectoryW, GetCurrentDirectoryA, SetEnvironmentVariableA, GetCurrentProcessId, Sleep, CompareStringW, CompareStringA, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, SetStdHandle, GetLocaleInfoW, IsValidCodePage, IsValidLocale, EnumSystemLocalesA, GetLocaleInfoA, GetUserDefaultLCID, GetStringTypeW, GetStringTypeA, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, GetConsoleMode, GetConsoleCP, GetStartupInfoA, GetFileType, SetHandleCount, GetModuleFileNameA, GetStdHandle, ExitProcess, InterlockedIncrement, InterlockedDecrement, InterlockedExchange, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, CreateDirectoryA, ExitThread, CreateThread, GetCommandLineA, RaiseException, RtlUnwind, GetCPInfo, LCMapStringA, LCMapStringW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetACP, GetOEMCP
USER32.dll	wsprintfA, LoadStringA, wsprintfW, GetSystemMetrics
ADVAPI32.dll	GetSidIdentifierAuthority, CryptDestroyKey, CryptEncrypt, CryptReleaseContext, CryptImportKey, CryptAcquireContextA, GetSecurityDescriptorSacl, SetSecurityInfo, ControlService, OpenSCManagerA, StartServiceA, CreateServiceA, DeleteService, CloseServiceHandle, OpenServiceA, LookupAccountNameW, GetSidSubAuthorityCount, GetSidSubAuthority, CryptCreateHash, RegCloseKey, RegEnumKeyExW, RegOpenKeyExW, RegOpenKeyExA, RegCreateKeyExA, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, RegQueryValueExW, LookupAccountSidA, RegQueryValueExA, RegSetValueExA, GetTokenInformation, OpenProcessToken, CryptDestroyHash, CryptGetHashParam, CryptHashData
SHELL32.dll	SHGetPathFromIDListA, SHGetMalloc, SHGetSpecialFolderLocation, SHFileOperationA, SHGetSpecialFolderPathA
ole32.dll	CoInitialize, CoUninitialize, CoCreateInstance
SHLWAPI.dll	PathFindFileNameA, PathRemoveFileSpecA, PathFileExistsA, SHGetValueA
WS2_32.dll	getpeername, closesocket, socket, connect, sendto, recvfrom, accept, listen, inet_addr, gethostbyname, inet_ntoa, getservbyname, gethostbyaddr, getservbyport, ioctlsocket, gethostname, getsockopt, htons, bind, ntohs, setsockopt, WSAIoctl, select, __WSAFDIsSet, WSASetLastError, send, recv, WSAGetLastError, WSAStartup, WSACleanup, htonl, getsockname, ntohl
CRYPT32.dll	CryptUnprotectData
VERSION.dll	GetFileVersionInfoA, GetFileVersionInfoSizeA, VerQueryValueA
WINHTTP.dll	WinHttpAddRequestHeaders, WinHttpQueryOption, WinHttpReceiveResponse, WinHttpSetTimeouts, WinHttpSetOption, WinHttpSendRequest, WinHttpConnect, WinHttpCloseHandle, WinHttpQueryHeaders, WinHttpQueryDataAvailable, WinHttpOpen, WinHttpOpenRequest, WinHttpReadData, WinHttpSetCredentials
WININET.dll	InternetGetCookieExA, InternetGetCookieA
SETUPAPI.dll	SetupDiGetDeviceRegistryPropertyA, SetupDiEnumDeviceInfo, SetupDiDestroyDeviceInfoList, SetupDiGetClassDevsA
WLDAP32.dll
msvcp_win.dll	??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@AAI@Z
msvcp_win.dll	??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@AAK@Z
WS2_32.dll	getaddrinfo
WS2_32.dll	getnameinfo
WS2_32.dll	FreeAddrInfoW
SHCORE.dll	SetProcessDpiAwareness
GDI32.dll	gdiPlaySpoolStream
ADVAPI32.dll	ConvertStringSecurityDescriptorToSecurityDescriptorW
gdi32full.dll	EndPageImpl

Exports

Name	Ordinal	Address
Hello001	1	0x2f08270
Hello002	2	0x2f081e0
Hello003	3	0x2f08170

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6148 Parent PID: 5876

General

Start time:	14:17:26
Start date:	30/01/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\V7F2H10gJw.dll'
Imagebase:	0x250000
File size:	120832 bytes
MD5 hash:	2D39D4DFDE8F7151723794029AB8A034
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: WerFault.exe PID: 4292 Parent PID: 6148

General

Start time:	14:17:27
Start date:	30/01/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6148 -s 612
Imagebase:	0xbd0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 6588 Parent PID: 6148

General

Start time:	14:17:33
Start date:	30/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Imagebase:	0xfd0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 6608 Parent PID: 6588

General

Start time:	14:17:33
Start date:	30/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Imagebase:	0xfd0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 6576 Parent PID: 6608

General

Start time:	14:17:34
Start date:	30/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Imagebase:	0xfd0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 4176 Parent PID: 6576

General

Start time:	14:17:34
Start date:	30/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Imagebase:	0xfd0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 1256 Parent PID: 4176

General

Start time:	14:17:35
Start date:	30/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Imagebase:	0xfd0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 5992 Parent PID: 1256

General

Start time:	14:17:35
Start date:	30/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Imagebase:	0xfd0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 6132 Parent PID: 5992

General

Start time:	14:17:35
Start date:	30/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Imagebase:	0xfd0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 5212 Parent PID: 6132

General

Start time:	14:17:36
Start date:	30/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Imagebase:	0xfd0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 6464 Parent PID: 5212

General

Start time:	14:17:36
Start date:	30/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Imagebase:	0xfd0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 5788 Parent PID: 6148

General

Start time:	14:17:36
Start date:	30/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Imagebase:	0xfd0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 5708 Parent PID: 6464

General

Start time:	14:17:37
Start date:	30/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Imagebase:	0xfd0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 5688 Parent PID: 5788

General

Start time:	14:17:37
Start date:	30/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Imagebase:	0xfd0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 6788 Parent PID: 5708

General

Start time:	14:17:37
Start date:	30/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Imagebase:	0xfd0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 5624 Parent PID: 5688

General

Start time:	14:17:37
Start date:	30/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Imagebase:	0xfd0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 6688 Parent PID: 6788

General

Start time:	14:17:38
Start date:	30/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Imagebase:	0xfd0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 6684 Parent PID: 5624

General

Start time:	14:17:38
Start date:	30/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Imagebase:	0xfd0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 6768 Parent PID: 6688

General

Start time:	14:17:38
Start date:	30/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Imagebase:	0xfd0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 6716 Parent PID: 6684

General

Start time:	14:17:38
Start date:	30/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Imagebase:	0xfd0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 6656 Parent PID: 6768

General

Start time:	14:17:39
Start date:	30/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Imagebase:	0xfd0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 6784 Parent PID: 6716

General

Start time:	14:17:39
Start date:	30/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Imagebase:	0xfd0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 6792 Parent PID: 6656

General

Start time:	14:17:39
Start date:	30/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Imagebase:	0xfd0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 6672 Parent PID: 6784

General

Start time:	14:17:39
Start date:	30/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Imagebase:	0xfd0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 6760 Parent PID: 6792

General

Start time:	14:17:40
Start date:	30/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Imagebase:	0xfd0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 6648 Parent PID: 6148

General

Start time:	14:17:40
Start date:	30/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello003
Imagebase:	0xfd0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 6828 Parent PID: 6672

General

Start time:	14:17:40
Start date:	30/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Imagebase:	0xfd0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 6552 Parent PID: 6760

General

Start time:	14:17:40
Start date:	30/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Imagebase:	0xfd0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 6536 Parent PID: 6648

General

Start time:	14:17:40
Start date:	30/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello003
Imagebase:	0xfd0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 6932 Parent PID: 6828

General

Start time:	14:17:41
Start date:	30/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Imagebase:	0xfd0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 6916 Parent PID: 6552

General

Start time:	14:17:41
Start date:	30/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Imagebase:	0xfd0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 6912 Parent PID: 6536

General

Start time:	14:17:41
Start date:	30/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello003
Imagebase:	0xfd0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 7036 Parent PID: 6932

General

Start time:	14:17:42
Start date:	30/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Imagebase:	0xfd0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 7028 Parent PID: 6916

General

Start time:	14:17:42
Start date:	30/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Imagebase:	0xfd0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 7012 Parent PID: 6912

General

Start time:	14:17:42
Start date:	30/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello003
Imagebase:	0xfd0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 6996 Parent PID: 7036

General

Start time:	14:17:42
Start date:	30/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello002
Imagebase:	0xfd0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 6860 Parent PID: 7028

General

Start time:	14:17:44
Start date:	30/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\V7F2H10gJw.dll,Hello001
Imagebase:	0xfd0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report V7F2H10gJw

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Initial Sample

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: loaddll32.exe PID: 6148 Parent PID: 5876

General

Analysis Process: WerFault.exe PID: 4292 Parent PID: 6148

General

Analysis Process: rundll32.exe PID: 6588 Parent PID: 6148

General

Analysis Process: rundll32.exe PID: 6608 Parent PID: 6588

General

Analysis Process: rundll32.exe PID: 6576 Parent PID: 6608

General

Analysis Process: rundll32.exe PID: 4176 Parent PID: 6576