
Analysis Report A8xYhQFvXo

Overview

General Information

Sample Name: A8xYhQFvXo (renamed file extension from none to dll)
Analysis ID: 346331
MD5: 83dd317c95f4acb8623d1f024945cfdb
SHA1: 04f9227cc3bfde5626be669be106a5d38f4416b1
SHA256: 5b2f060f1512100a0d500312fa579cdad9d3ea101778838173aa7215cd39700a
Tags: Mingloa

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
One or more processes crash
PE file contains executable resources (Code or Archives)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 6628 cmdline: loaddll32.exe 'C:\Users\user\Desktop\A8xYhQFvXo.dll' MD5: 2D39D4DFDE8F7151723794029AB8A034)
    • rundll32.exe (PID: 6652 cmdline: rundll32.exe C:\Users\user\Desktop\A8xYhQFvXo.dll,Hello001 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 6708 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6652 -s 712 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 6896 cmdline: rundll32.exe C:\Users\user\Desktop\A8xYhQFvXo.dll,Hello002 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 6972 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6896 -s 712 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 7004 cmdline: rundll32.exe C:\Users\user\Desktop\A8xYhQFvXo.dll,Hello003 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 7092 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7004 -s 712 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
A8xYhQFvXo.dll | APT34_PICKPOCKET | unknown | unknown |
  • 0x200c9c:$s2: \nss3.dll
  • 0x249d10:$s2: \nss3.dll
  • 0x3fc4f0:$s4: | %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
  • 0x1d0d44:$s5: \Login Data
  • 0x1d0e34:$s5: \Login Data
  • 0x1d0f24:$s5: \Login Data
  • 0x1d1064:$s5: \Login Data
  • 0x1d1274:$s5: \Login Data
  • 0x1d12f4:$s5: \Login Data
  • 0x1d1374:$s5: \Login Data
  • 0x1d1438:$s5: \Login Data
  • 0x1d1634:$s5: \Login Data
  • 0x1d1744:$s5: \Login Data
  • 0x1d18d4:$s5: \Login Data
  • 0x1d1944:$s5: \Login Data
  • 0x200d10:$s6: %s\Mozilla\Firefox\profiles.ini
  • 0x249d90:$s6: %s\Mozilla\Firefox\profiles.ini
  • 0x1d0d45:$s7: Login Data
  • 0x1d0e35:$s7: Login Data
  • 0x1d0f25:$s7: Login Data
  • 0x1d1065:$s7: Login Data

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.236067014.000000001028B000.00000008.00020000.sdmp | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth |
  • 0x1556d6:$xo1: /\x13\x12\x08[\x0B\x09\x14\x1C\x09\x1A\x16[\x18\x1A\x15\x15\x14\x0F[\x19\x1E[\x09\x0E\x15[\x12\x15[?4([\x16\x14\x1F\x1E
00000007.00000002.245505715.000000001028B000.00000008.00020000.sdmp | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth |
  • 0x1556d6:$xo1: /\x13\x12\x08[\x0B\x09\x14\x1C\x09\x1A\x16[\x18\x1A\x15\x15\x14\x0F[\x19\x1E[\x09\x0E\x15[\x12\x15[?4([\x16\x14\x1F\x1E
00000001.00000002.230780419.000000001028B000.00000008.00020000.sdmp | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth |
  • 0x1556d6:$xo1: /\x13\x12\x08[\x0B\x09\x14\x1C\x09\x1A\x16[\x18\x1A\x15\x15\x14\x0F[\x19\x1E[\x09\x0E\x15[\x12\x15[?4([\x16\x14\x1F\x1E

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.rundll32.exe.10000000.1.unpack | APT34_PICKPOCKET | unknown | unknown |
  • 0x200c9c:$s2: \nss3.dll
  • 0x249d10:$s2: \nss3.dll
  • 0x3fc4f0:$s4: | %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
  • 0x1d0d44:$s5: \Login Data
  • 0x1d0e34:$s5: \Login Data
  • 0x1d0f24:$s5: \Login Data
  • 0x1d1064:$s5: \Login Data
  • 0x1d1274:$s5: \Login Data
  • 0x1d12f4:$s5: \Login Data
  • 0x1d1374:$s5: \Login Data
  • 0x1d1438:$s5: \Login Data
  • 0x1d1634:$s5: \Login Data
  • 0x1d1744:$s5: \Login Data
  • 0x1d18d4:$s5: \Login Data
  • 0x1d1944:$s5: \Login Data
  • 0x200d10:$s6: %s\Mozilla\Firefox\profiles.ini
  • 0x249d90:$s6: %s\Mozilla\Firefox\profiles.ini
  • 0x1d0d45:$s7: Login Data
  • 0x1d0e35:$s7: Login Data
  • 0x1d0f25:$s7: Login Data
  • 0x1d1065:$s7: Login Data
4.2.rundll32.exe.10000000.1.unpack | APT34_PICKPOCKET | unknown | unknown |
  • 0x200c9c:$s2: \nss3.dll
  • 0x249d10:$s2: \nss3.dll
  • 0x3fc4f0:$s4: | %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
  • 0x1d0d44:$s5: \Login Data
  • 0x1d0e34:$s5: \Login Data
  • 0x1d0f24:$s5: \Login Data
  • 0x1d1064:$s5: \Login Data
  • 0x1d1274:$s5: \Login Data
  • 0x1d12f4:$s5: \Login Data
  • 0x1d1374:$s5: \Login Data
  • 0x1d1438:$s5: \Login Data
  • 0x1d1634:$s5: \Login Data
  • 0x1d1744:$s5: \Login Data
  • 0x1d18d4:$s5: \Login Data
  • 0x1d1944:$s5: \Login Data
  • 0x200d10:$s6: %s\Mozilla\Firefox\profiles.ini
  • 0x249d90:$s6: %s\Mozilla\Firefox\profiles.ini
  • 0x1d0d45:$s7: Login Data
  • 0x1d0e35:$s7: Login Data
  • 0x1d0f25:$s7: Login Data
  • 0x1d1065:$s7: Login Data
7.2.rundll32.exe.10000000.1.unpack | APT34_PICKPOCKET | unknown | unknown |
  • 0x200c9c:$s2: \nss3.dll
  • 0x249d10:$s2: \nss3.dll
  • 0x3fc4f0:$s4: | %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
  • 0x1d0d44:$s5: \Login Data
  • 0x1d0e34:$s5: \Login Data
  • 0x1d0f24:$s5: \Login Data
  • 0x1d1064:$s5: \Login Data
  • 0x1d1274:$s5: \Login Data
  • 0x1d12f4:$s5: \Login Data
  • 0x1d1374:$s5: \Login Data
  • 0x1d1438:$s5: \Login Data
  • 0x1d1634:$s5: \Login Data
  • 0x1d1744:$s5: \Login Data
  • 0x1d18d4:$s5: \Login Data
  • 0x1d1944:$s5: \Login Data
  • 0x200d10:$s6: %s\Mozilla\Firefox\profiles.ini
  • 0x249d90:$s6: %s\Mozilla\Firefox\profiles.ini
  • 0x1d0d45:$s7: Login Data
  • 0x1d0e35:$s7: Login Data
  • 0x1d0f25:$s7: Login Data
  • 0x1d1065:$s7: Login Data

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: A8xYhQFvXo.dll | Virustotal: Detection: 17%
Source: A8xYhQFvXo.dll | Metadefender: Detection: 18%
Source: A8xYhQFvXo.dll | ReversingLabs: Detection: 44%
Machine Learning detection for sample
Source: A8xYhQFvXo.dll | Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: A8xYhQFvXo.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Binary contains paths to debug symbols
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdbpJ source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll
Source: Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_10147900 PathFileExistsA,_memset,_memset,_strcpy_s,_strcat_s,FindFirstFileA,_memset,_strcpy_s,_strcat_s,_strcat_s,_strcat_s,_strcat_s,PathFileExistsA,PathRemoveFileSpecA,_memset,_strlen,FindNextFileA,FindClose,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_10145A40 FindFirstFileA,FindClose,
Source: A8xYhQFvXo.dll | String found in binary or memory: "name":"fb_dtsg","value":"name="fb_dtsg" value="Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: nonehttps://www.facebook.com/""2%d0https://graph.facebook.com/me/friends?access_token=%s&pretty=1&limit=1summarytotal_count{}summarytotal_count%dquery_friends.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: count = %d equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: -3https://www.facebook.com/payments/settings/payment_methods/index.php?__a=1errorSummaryconfirmemail.phpcard_type_name-110query_payment2.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: ret = %s equals www.facebook.com (Facebook)
Source: A8xYhQFvXo.dll | String found in binary or memory: bad allocationSOFTWARE\Mozilla\Mozilla FirefoxCurrentVersion\\MainInstall Directory%s\firefox.exe{}[]"1""2""3"123bad allocationc_user=xs=https://www.facebook.com/adsmanager/manage/adshttps://business.facebook.com/adsmanager/manage/adssettings/?act=&access_token:""access_token":""query_token_account_id.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: c_user=xs=https://www.facebook.com/ads/manager/account_settingsaccountID:"access_token:"Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: none""query_token_account_id_laomaozi.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: A8xYhQFvXo.dll | String found in binary or memory: c_user=xs=https://www.facebook.com/adsmanager/manage/adshttps://business.facebook.com/adsmanager/manage/adswindow.location.replace("")/act___accessToken="Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: nonehttps:act=/\/"%[0-9]query_token_account_id2.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: A8xYhQFvXo.dll | String found in binary or memory: https://www.facebook.com/"name="fb_dtsg" value=""logout_hash":"""logout_hash":"logoutToken:""logoutToken:"https://www.facebook.com/comet/try/source=SETTINGS_MENU&nctr[_mod]=pagelet_bluebar&__user=&__a=1&__csr=&__req=14&__beoa=0&__pc=PHASED%3ADEFAULT&dpr=1&__ccg=EXCELLENT&fb_dtsg=&jazoest=for (;;);{https://m.facebook.com/logout.php?h=%s&t=%sc_user=deleted"encrypted":"https://m.facebook.com/?_rdr""name="fb_dtsg" value="logout.phpm_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__a=&__user=https://m.facebook.com/bookmarks/flyout/body/?id=u_0_6\https://m.facebook.com/logout.php%sc_user=deletedhttps://m.facebook.com/?soft=bookmarks"logoutURL":"\"logout.phphttps://m.facebook.com&source=mtouch_logout_button&persist_locale=1&button_name=logout&button_location=settings%s equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://www.facebook.com/ads/manager/account_settings equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://www.facebook.com/adsmanager/manage/ads equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://www.facebook.com/bookmarks/pages?ref_type=logout_gear equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://www.facebook.com/comet/try/ equals www.facebook.com (Facebook)
Source: A8xYhQFvXo.dll | String found in binary or memory: https://www.facebook.com/connect/ping?client_id=124024574287414&domain=www.instagram.com&origin=1&redirect_uri=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F1e2RywyANNe.js%3Fversion%3D42%23cb%3Df19f2d8a0dd2f24%26domain%3Dwww.instagram.com%26origin%3Dhttps%253A%252F%252Fwww.instagram.com%252Ff2dc055ae1b1274%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey&version=v2.2 equals www.facebook.com (Facebook)
Source: A8xYhQFvXo.dll | String found in binary or memory: https://www.facebook.com/connect/ping?client_id=124024574287414&domain=www.instagram.com&origin=1&redirect_uri=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F1e2RywyANNe.js%3Fversion%3D42%23cb%3Df19f2d8a0dd2f24%26domain%3Dwww.instagram.com%26origin%3Dhttps%253A%252F%252Fwww.instagram.com%252Ff2dc055ae1b1274%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey&version=v2.2&access_token=&expires_in=Location: query_instagram_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: token = %s equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopes equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesLocation: equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesocation: equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1 equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1x-auth-result: query_mess_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: x_auth_result = %s equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://www.facebook.com/payments/settings/payment_methods/index.php?__a=1 equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri= equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri=origin: https://www.instagram.comsec-fetch-mode: corsreferer: https://www.instagram.com/sec-fetch-site: cross-sitefb-ar: equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/ equals www.facebook.com (Facebook)
Source: A8xYhQFvXo.dll | String found in binary or memory: https://www.messenger.com/login/nonce/ookie: c_user=ookie: xs=ookie: ;%[^;]; https://m.facebook.com/settings/email/<span class="_52ji _8uk3">accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1</span></span>@&#064;@&#064;https://m.facebook.com/settings/sms/<strong><span dir="ltr">accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1</span></span>+ https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_point"dtsg":{"token":"accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1"https://m.facebook.com/pages/create/edit_name/"draftID":Accept: */*Origin: https://m.facebook.comReferer: https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_pointSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Requested-With: XMLHttpRequestX-Response-Format: JSONStreampage_name=&m_sess=&fb_dtsg=&jazoest=&__csr=&__req=3&__user=,"https://m.facebook.com/pages/creation_flow/?step=category&draft_id=&cat_ref_page_id=0&extra_data=%7B%22page_name%22%3A%22%22%7D"dtsg":{"token":"accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_pointsec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: same-originSec-Fetch-User: ?1upgrade-insecure-requests: 1"https://m.facebook.com/pages/create/edit_category/"pageID":Referer: https://m.facebook.com/pages/creation_flow/?step=category&draft_id=&cat_ref_page_id=0&extra_data=%7B%22page_name%22%3A%22%22%7DAccept: */*Origin: https://m.facebook.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Response-Format: JSONStreamX-Requested-With: XMLHttpRequestpage_category=1300&draft_id=&m_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__user=}"+ .-_@@friends2page.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: pageid = %s equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie_20191224.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie_20200229.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceCodeSigningCA.crt0
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0O
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: http://crl3.digicert.com/sha2-ha-cs-g1.crl00
Source: A8xYhQFvXo.dll | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: http://crl4.digicert.com/sha2-ha-cs-g1.crl0L
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: http://ocsp.digicert.com0I
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: http://ocsp.digicert.com0P
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: http://ocsp.digicert.com0R
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: A8xYhQFvXo.dll | String found in binary or memory: http://www.interestvideo.com/video1.php
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://01%s08%s15%s22%sWebGL%d%02d%s.club/http://01%s08%s15%s22%sFrankLin%d%02d%s.xyz/post_info.
Source: A8xYhQFvXo.dll | String found in binary or memory: https://ads.google.com/nav/_/rpc/GaiaInfoService/Get?authuser=0&rpcTrackingId=GaiaInfoService.Get%3A
Source: A8xYhQFvXo.dll | String found in binary or memory: https://ads.google.com/nav/_/rpc/UserByGaiaService/Get?authuser=0&rpcTrackingId=UserByGaiaService.Ge
Source: A8xYhQFvXo.dll | String found in binary or memory: https://ads.google.com/nav/_/rpc/UserCustomerAccessService/List?authuser=0&rpcTrackingId=UserCustome
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://ads.google.com/nav/selectaccount
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://ads.google.com/nav/selectaccountocation:
Source: A8xYhQFvXo.dll | String found in binary or memory: https://ads.google.comsec-fetch-dest:
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://api.twitter.com/1.1/statuses/update.json
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://api.twitter.com/1.1/statuses/update.jsoninclude_profile_interstitial_type=1&include_blocking
Source: rundll32.exe, 00000001.00000002.230642928.0000000010171000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235936438.0000000010171000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245392829.0000000010171000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://twitter.com/
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://twitter.com/compose/tweetsec-fetch-dest:
Source: A8xYhQFvXo.dll | String found in binary or memory: https://twitter.com/compose/tweetsec-fetch-mode:
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://twitter.com/ookie:
Source: A8xYhQFvXo.dll | String found in binary or memory: https://twitter.comReferer:
Source: A8xYhQFvXo.dll | String found in binary or memory: https://twitter.comsec-fetch-dest:
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://upload.twitter.com/i/media/upload.json
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://upload.twitter.com/i/media/upload.json%dcommand=INIT&total_bytes=&media_type=image%2Fjpeg&me
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0accept:
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: https://upload.twitter.com/i/media/upload.jsoncommand=FINALIZE&media_id=
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: https://www.digicert.com/CPS0
Source: A8xYhQFvXo.dllString found in binary or memory: https://www.instagram.com/
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: https://www.instagram.com/accept:
Source: A8xYhQFvXo.dllString found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/
Source: A8xYhQFvXo.dllString found in binary or memory: https://www.instagram.com/graphql/query/?query_hash=149bef52a3b2af88c0fec37913fe1cbc&variables=%7B%2
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: https://www.instagram.com/sec-fetch-site:
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: https://www.instagram.comsec-fetch-mode:
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: https://www.messenger.com
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: https://www.messenger.com/
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: https://www.messenger.com/accept:
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: https://www.messenger.com/login/nonce/
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: https://www.messenger.com/login/nonce/ookie:
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: https://www.messenger.com/origin:

System Summary:

Malicious sample detected (through community Yara rule)
Source: A8xYhQFvXo.dll, type: SAMPLE | Matched rule: APT34_PICKPOCKET Author: unknown
Source: 1.2.rundll32.exe.10000000.1.unpack, type: UNPACKEDPE | Matched rule: APT34_PICKPOCKET Author: unknown
Source: 4.2.rundll32.exe.10000000.1.unpack, type: UNPACKEDPE | Matched rule: APT34_PICKPOCKET Author: unknown
Source: 7.2.rundll32.exe.10000000.1.unpack, type: UNPACKEDPE | Matched rule: APT34_PICKPOCKET Author: unknown
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_10033BFE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_10023C51
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_1002E58A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_10042F70
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_10040780
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6652 -s 712
Source: A8xYhQFvXo.dll | Static PE information: Resource name: CRX type: 7-zip archive data, version 0.3
Source: A8xYhQFvXo.dll | Static PE information: Resource name: FF type: 7-zip archive data, version 0.3
Source: A8xYhQFvXo.dll | Static PE information: Resource name: FRIENDS type: 7-zip archive data, version 0.3
Source: A8xYhQFvXo.dll | Binary or memory string: OriginalFilenameFsFilter.sys vs A8xYhQFvXo.dll
Source: A8xYhQFvXo.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: A8xYhQFvXo.dll, type: SAMPLE | Matched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
Source: 00000004.00000002.236067014.000000001028B000.00000008.00020000.sdmp, type: MEMORY | Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000007.00000002.245505715.000000001028B000.00000008.00020000.sdmp, type: MEMORY | Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000001.00000002.230780419.000000001028B000.00000008.00020000.sdmp, type: MEMORY | Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 1.2.rundll32.exe.10000000.1.unpack, type: UNPACKEDPE | Matched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
Source: 4.2.rundll32.exe.10000000.1.unpack, type: UNPACKEDPE | Matched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
Source: 7.2.rundll32.exe.10000000.1.unpack, type: UNPACKEDPE | Matched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
Source: A8xYhQFvXo.dll | Static PE information: Section: .rsrc ZLIB complexity 0.999259599673
Source: classification engine | Classification label: mal60.winDLL@10/12@0/0
Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign_task_Hello002
Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign_task_Hello001
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6896
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6652
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7004
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER3DB2.tmp
Source: A8xYhQFvXo.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts (6 occurrences)
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A8xYhQFvXo.dll,Hello001
Source: A8xYhQFvXo.dll | Virustotal: Detection: 17%
Source: A8xYhQFvXo.dll | Metadefender: Detection: 18%
Source: A8xYhQFvXo.dll | ReversingLabs: Detection: 44%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\A8xYhQFvXo.dll'
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A8xYhQFvXo.dll,Hello001
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6652 -s 712
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A8xYhQFvXo.dll,Hello002
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6896 -s 712
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A8xYhQFvXo.dll,Hello003
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7004 -s 712
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A8xYhQFvXo.dll,Hello001
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A8xYhQFvXo.dll,Hello002
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A8xYhQFvXo.dll,Hello003
Source: A8xYhQFvXo.dll | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: A8xYhQFvXo.dll | Static file information: File size 4890624 > 1048576
Source: A8xYhQFvXo.dll | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x170000
Source: A8xYhQFvXo.dll | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x118000
Source: A8xYhQFvXo.dll | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x179000
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdbpJ source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll
Source: Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll
Source: A8xYhQFvXo.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: A8xYhQFvXo.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: A8xYhQFvXo.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: A8xYhQFvXo.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: A8xYhQFvXo.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_10037541 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_1002EB91 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_10028D9A push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_1014BE00 _memset,SHGetSpecialFolderPathA,_strcat_s,PathFileExistsA,_memset,GetPrivateProfileStringA,_strlen,_strlen,PathRemoveFileSpecA,_strcat_s,_strcat_s,PathFileExistsA,PathFindFileNameA,
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (3 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (60 occurrences)
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_10147900 PathFileExistsA,_memset,_memset,_strcpy_s,_strcat_s,FindFirstFileA,_memset,_strcpy_s,_strcat_s,_strcat_s,_strcat_s,_strcat_s,PathFileExistsA,PathRemoveFileSpecA,_memset,_strlen,FindNextFileA,FindClose,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_10145A40 FindFirstFileA,FindClose,
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort (6 occurrences)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_10023315 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_10037541 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_1003AFFE __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_10023315 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_10026CE8 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_10028D22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_101456A0 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexA,GetLastError,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA,_xtoa_s@20,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_10145D10 _malloc,_memset,GetSystemTime,SystemTimeToFileTime,SystemTimeToFileTime,__aulldiv,

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API (1) | Path Interception | Process Injection (1) | Virtualization/Sandbox Evasion (1) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rundll32 (1) | LSASS Memory | Security Software Discovery (3) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Software Packing (1) | Security Account Manager | Virtualization/Sandbox Evasion (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection (1) | NTDS | File and Directory Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | (none) | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information (1) | LSA Secrets | System Information Discovery (12) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | (none) | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | Remote System Discovery (1) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | (none) | Abuse Accessibility Features

A number in parentheses marks a technique flagged for this sample.

Behavior Graph

Behavior Graph ID: 346331 | Sample: A8xYhQFvXo | Start date: 30/01/2021 | Architecture: WINDOWS | Score: 60

Signatures attached to the sample node: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Machine Learning detection for sample.

Process tree in the graph: loaddll32.exe started three rundll32.exe instances; each rundll32.exe started a WerFault.exe.


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
A8xYhQFvXo.dll | 17% | Virustotal |
A8xYhQFvXo.dll | 19% | Metadefender |
A8xYhQFvXo.dll | 44% | ReversingLabs | Win32.Trojan.Mingloa
A8xYhQFvXo.dll | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
https://01%s08%s15%s22%sWebGL%d%02d%s.club/http://01%s08%s15%s22%sFrankLin%d%02d%s.xyz/post_info. | 0% | Avira URL Cloud | safe
https://twitter.comsec-fetch-dest: | 0% | Avira URL Cloud | safe
https://www.instagram.comsec-fetch-mode: | 0% | Avira URL Cloud | safe
https://twitter.comReferer: | 0% | Avira URL Cloud | safe
http://www.interestvideo.com/video1.php | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://01%s08%s15%s22%sWebGL%d%02d%s.club/http://01%s08%s15%s22%sFrankLin%d%02d%s.xyz/post_info. | rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | false | Avira URL Cloud: safe | low
https://upload.twitter.com/i/media/upload.jsoncommand=FINALIZE&media_id= | rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | false | | high
https://twitter.com/compose/tweetsec-fetch-dest: | rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | false | | high
https://www.instagram.com/ | A8xYhQFvXo.dll | false | | high
https://www.messenger.com/ | rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | false | | high
https://upload.twitter.com/i/media/upload.json%dcommand=INIT&total_bytes=&media_type=image%2Fjpeg&me | rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | false | | high
https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0accept: | rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | false | | high
https://api.twitter.com/1.1/statuses/update.jsoninclude_profile_interstitial_type=1&include_blocking | rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | false | | high
https://www.messenger.com/origin: | rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | false | | high
https://twitter.com/ | rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | false | | high
https://twitter.com/ookie: | rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | false | | high
https://api.twitter.com/1.1/statuses/update.json | rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | false | | high
https://curl.haxx.se/docs/http-cookies.html | rundll32.exe, 00000001.00000002.230642928.0000000010171000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235936438.0000000010171000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245392829.0000000010171000.00000002.00020000.sdmp, A8xYhQFvXo.dll | false | | high
https://twitter.comsec-fetch-dest: | A8xYhQFvXo.dll | false | Avira URL Cloud: safe | unknown
https://upload.twitter.com/i/media/upload.json | rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | false | | high
https://twitter.com/compose/tweetsec-fetch-mode: | A8xYhQFvXo.dll | false | |
                              high
                              https://www.instagram.comsec-fetch-mode:rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://www.instagram.com/accounts/login/ajax/facebook/A8xYhQFvXo.dllfalse
                                high
                                https://www.instagram.com/sec-fetch-site:rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllfalse
                                  high
                                  https://twitter.comReferer:A8xYhQFvXo.dllfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://www.messenger.com/accept:rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllfalse
                                    high
                                    http://www.interestvideo.com/video1.phpA8xYhQFvXo.dllfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://www.messenger.comrundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllfalse
                                      high
                                      https://www.instagram.com/accept:rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllfalse
                                        high
                                        https://www.messenger.com/login/nonce/rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllfalse
                                          high
                                          https://www.messenger.com/login/nonce/ookie:rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllfalse
                                            high
                                            https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllfalse
                                              high
                                              https://www.instagram.com/graphql/query/?query_hash=149bef52a3b2af88c0fec37913fe1cbc&variables=%7B%2A8xYhQFvXo.dllfalse
                                                high

                                                Contacted IPs

                                                No contacted IP infos

                                                General Information

                                                Joe Sandbox Version:31.0.0 Emerald
                                                Analysis ID:346331
                                                Start date:30.01.2021
                                                Start time:14:22:06
                                                Joe Sandbox Product:CloudBasic
                                                Overall analysis duration:0h 4m 38s
                                                Hypervisor based Inspection enabled:false
                                                Report type:light
                                                Sample file name:A8xYhQFvXo (renamed file extension from none to dll)
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                Number of analysed new started processes analysed:10
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • HDC enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Detection:MAL
                                                Classification:mal60.winDLL@10/12@0/0
                                                EGA Information:Failed
                                                HDC Information:
                                                • Successful, ratio: 100% (good quality ratio 95.7%)
                                                • Quality average: 76.1%
                                                • Quality standard deviation: 26.4%
                                                HCA Information:Failed
                                                Cookbook Comments:
                                                • Adjust boot time
                                                • Enable AMSI
                                                • Stop behavior analysis, all processes terminated
                                                Warnings:
                                                • Exclude process from analysis (whitelisted): WerFault.exe
                                                • Excluded IPs from analysis (whitelisted): 52.147.198.201, 13.88.21.125
                                                • Excluded domains from analysis (whitelisted): skypedataprdcoleus16.cloudapp.net, blobcollector.events.data.trafficmanager.net, watson.telemetry.microsoft.com, skypedataprdcolwus15.cloudapp.net

                                                Simulations

                                                Behavior and APIs

Time: 14:23:06
Type: API Interceptor
Description: 3x Sleep call for process: WerFault.exe modified

Time: 14:23:11
Type: API Interceptor
Description: 1x Sleep call for process: loaddll32.exe modified

                                                Joe Sandbox View / Context

                                                IPs

                                                No context

                                                Domains

                                                No context

                                                ASN

                                                No context

                                                JA3 Fingerprints

                                                No context

                                                Dropped Files

                                                No context

                                                Created / dropped Files

                                                C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_5a155b1e9b8901355626d9881b9ed599cf1223_82810a17_1b0352d0\Report.wer
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):12526
                                                Entropy (8bit):3.771298130946976
                                                Encrypted:false
                                                SSDEEP:192:Reiq0oXAdHBUZMX4jed+qM/u7sUS274ItWc7:Ei8XiBUZMX4jey/u7sUX4ItWc7
                                                MD5:DF86840392878D8F23C871F2E70B796C
                                                SHA1:C7C4E2ACF2DCC505C36F65B27AC6295237FE230D
                                                SHA-256:C4C8476A732491F39F347BB3CF53FB7859E52E335DEB280B0E3381832744431F
                                                SHA-512:A2015F5D4DF264A4C5BD994E7AA8B0E23632E410F07F7804EC05A5F57EC431926ED69B6E794E53F88C4BF9CBEC423A88AC1570700953B6E169E6ACAD42C10D4F
                                                Malicious:false
                                                Reputation:low
                                                Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.6.5.1.8.9.8.7.1.9.7.1.4.0.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.6.5.1.8.9.8.8.5.8.7.7.6.8.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.e.6.a.9.8.9.6.-.1.5.6.6.-.4.a.c.5.-.9.9.8.2.-.b.3.d.9.7.e.d.a.e.e.1.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.0.1.7.d.0.8.3.-.2.8.e.6.-.4.b.5.c.-.8.d.d.2.-.8.e.7.8.f.1.2.e.8.5.3.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.f.0.-.0.0.0.1.-.0.0.1.7.-.b.8.d.d.-.b.c.7.a.5.6.f.7.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.
                                                C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_9155b230567b23dc90309f27732428df1d2d4b15_82810a17_1a0b4812\Report.wer
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):12524
                                                Entropy (8bit):3.771244807080854
                                                Encrypted:false
                                                SSDEEP:192:s6i00oX0cHBUZMX4jed+qM/u7sUS274ItWcu:9iCXdBUZMX4jey/u7sUX4ItWcu
                                                MD5:A8BBCF85BFD93259DCA577CCBA62C6DF
                                                SHA1:130D348413E2ED000B1621AA9C2A3A0E80C8E559
                                                SHA-256:225C0218DF5763AD8275D5296449CCAB586476298EEA99B173609F90ADD1B05C
                                                SHA-512:937B31AFC1F835464D7A31251B051B77E493FF503C8D5A7819C30C4D95676E67C0DC04B76DB4E35534E3441F995A2D6317229CF075F40D28B71A76B0F13C3C70
                                                Malicious:false
                                                Reputation:low
                                                Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.6.5.1.8.9.8.4.2.9.0.8.9.9.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.6.5.1.8.9.8.5.3.3.7.7.7.7.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.4.9.0.0.c.7.7.-.9.b.3.2.-.4.f.c.d.-.a.2.a.3.-.d.0.6.7.4.3.b.a.2.e.3.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.2.e.f.6.a.8.4.-.c.d.4.d.-.4.9.d.f.-.b.8.b.5.-.3.a.d.e.4.b.f.d.8.7.1.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.f.c.-.0.0.0.1.-.0.0.1.7.-.d.a.5.9.-.c.5.7.8.5.6.f.7.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.
                                                C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_9155b230567b23dc90309f27732428df1d2d4b15_82810a17_1b8b63b8\Report.wer
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):12522
                                                Entropy (8bit):3.7708356318523943
                                                Encrypted:false
                                                SSDEEP:192:Geiy0oXMcHBUZMX4jed+qM/u7sUS274ItWcF:XiUXVBUZMX4jey/u7sUX4ItWcF
                                                MD5:192FD41F5E2D69E0D7466FA6DC55B573
                                                SHA1:6900AA02BA64E6BD4C83B288AFA06B8EB1B1F29A
                                                SHA-256:73475F8652413694AB066DD064A7CE658283399E8B15AB99DDE5EFDF1A4EA126
                                                SHA-512:9F399EB22247676DF72B14CED9E166DE4239BD197087FCE012CBE1357BE6F843BD9BBEBC3379B3BF30D48B5C58E02D2DFD2A4413344D247BB6C3FE13D96984B3
                                                Malicious:false
                                                Reputation:low
                                                Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.6.5.1.8.9.9.2.2.2.8.5.6.2.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.6.5.1.8.9.9.3.0.7.2.1.2.8.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.a.8.6.a.a.9.4.-.6.2.d.7.-.4.6.f.7.-.a.7.3.1.-.b.2.c.d.8.e.c.2.5.9.a.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.2.9.7.b.e.d.d.-.4.6.f.0.-.4.c.b.d.-.9.3.9.f.-.7.8.f.2.8.3.d.2.2.b.9.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.5.c.-.0.0.0.1.-.0.0.1.7.-.7.f.c.2.-.a.c.7.c.5.6.f.7.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.
                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WER3DB2.tmp.dmp
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Mini DuMP crash report, 14 streams, Sat Jan 30 22:23:04 2021, 0x1205a4 type
                                                Category:dropped
                                                Size (bytes):54380
                                                Entropy (8bit):2.0015561523103194
                                                Encrypted:false
                                                SSDEEP:192:nCduNZT6NASLzm9NbqLzdtQGd2K/WjZerJWGZKXZh4KzNxVw:CLzwbiCO27VeAGZOZhrRw
                                                MD5:9960CD95476181EF57DFC589CA17D6CE
                                                SHA1:13DB12E3C3A8645F2FD0D1EA6A45272C7FD689BC
                                                SHA-256:FBA058585194DA498260F97D7D25451379657E0BB3DDA7231050553EC44F8473
                                                SHA-512:2562F958B912B8B367417C90446C6B6F3F925710DC3B79D97CFFBDC44A1421612680CDF12E100DC787CE9420E24C6302C2796F88701F30A1C38A27B6149A0213
                                                Malicious:false
                                                Reputation:low
                                                Preview: MDMP....... .......H..`...................U...........B......D ......GenuineIntelW...........T...........E..`.............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WER4043.tmp.WERInternalMetadata.xml
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):8266
                                                Entropy (8bit):3.6968442224830307
                                                Encrypted:false
                                                SSDEEP:192:Rrl7r3GLNiqT696YAT6Kh62mgmfTuSBCprRg89bNisfQvm:RrlsNie696Y06662mgmfTuSGdNhfl
                                                MD5:43BD54E768548B366930B31787D276A8
                                                SHA1:D5C19415165E51B494EAAD9DF4591D8EDB909D71
                                                SHA-256:335195883725319DA55D5CA8881958618530D96B6F0CE6CAAD6F82C44A658C95
                                                SHA-512:223D9237FC5DEC58112BFFCB7C646367A17B42E72708CFA0162F0137D61999929A30A3996950271577E0A1A5C800BFE4D0FF5055739455E8269B10A6A7B78A21
                                                Malicious:false
                                                Reputation:low
                                                Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.5.2.<./.P.i.d.>.......
                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WER413E.tmp.xml
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4629
                                                Entropy (8bit):4.472952170485334
                                                Encrypted:false
                                                SSDEEP:48:cvIwSD8zsxBJgtWI9G4WSC8BZ8fm8M4JCdsUFrX+q8/oJ34SrSCd:uITfVdxSNQJOX53DWCd
                                                MD5:779F5EA92B661C11A3A26AB103727370
                                                SHA1:366C7DDF4A32E5C0591C9E34849D9D6C4900BDC2
                                                SHA-256:74D3C03945E2A0F8211980261729AC387EDD10FB56F6DDD5F5CA78B61FDF8EAF
                                                SHA-512:86C1FE4E3C75BA60CF81BEC9C5A0C409E25BC5F24FCC0FA6084D90CBD2D113BA3770E81A683C09B18874713A7DB4D3C391AEA284AF46E90F4F124412D9878B91
                                                Malicious:false
                                                Reputation:low
                                                Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="839973" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WER493B.tmp.dmp
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Mini DuMP crash report, 14 streams, Sat Jan 30 22:23:07 2021, 0x1205a4 type
                                                Category:dropped
                                                Size (bytes):55552
                                                Entropy (8bit):1.962155911528806
                                                Encrypted:false
                                                SSDEEP:192:FciIrVXsfykKu65g9voRtOvi5QGd2K/WjZZdEyhZcw8InW:/w8fMuloRKvO27VZ2yhZ+IW
                                                MD5:C7014E8E5C3E4F741F04C9853D9797CF
                                                SHA1:FE187847ADBF96DB39301A1C1B04F30E3E3DB4E9
                                                SHA-256:EA37623DB683B059EFA3CB4954B86124F93301F3EC41F6CBDF0AED05298AEF88
                                                SHA-512:C8B0C4ADA17F15A753BF1CB71F3BDD3AF5A23FF1BBDED1427B41BFB9105AE34AE62227D30B899FC9C4897A1F8C4C59CFD531BB4A636837929279F5C9A734C394
                                                Malicious:false
                                                Reputation:low
                                                Preview: MDMP....... .......K..`...................U...........B......D ......GenuineIntelW...........T...........I..`.............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WER4C88.tmp.WERInternalMetadata.xml
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):8268
                                                Entropy (8bit):3.6953250354060008
                                                Encrypted:false
                                                SSDEEP:192:Rrl7r3GLNiMg6B6YAU6A2AgmfTZSBCprRx89bYQsf+Im:RrlsNir6B6Yj6A2AgmfTZSGeYjf4
                                                MD5:E3D77CF53ECF7ADB317D3A435DCD8159
                                                SHA1:D28D76FE62068ACB5D8F00D79923955617DB9998
                                                SHA-256:65DF5D85CE9B5BCABAD28554C8A00324EA2271DC2FD9464ADC2058E1D726619F
                                                SHA-512:5A297AC88ED72FFC3493E4072759293A4B52302719ECEE00A6B78070D63F7C4CC595C13ABE25E9F96149ACA7F3CC1593AF54248A772EED1DDC2C019AE2FF0693
                                                Malicious:false
                                                Reputation:low
                                                Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.8.9.6.<./.P.i.d.>.......
                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WER4DF0.tmp.xml
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4629
                                                Entropy (8bit):4.472021705479319
                                                Encrypted:false
                                                SSDEEP:48:cvIwSD8zsxBJgtWI9G4WSC8BK8fm8M4JCdsfFD3+q8/o64SrSOd:uITfVdxSNNJr3KDWOd
                                                MD5:11E5F02DEF35759B3C71A7D954F0F740
                                                SHA1:BAE0F45B66F1045B6D690D071B391A1BC3D68F70
                                                SHA-256:D7AAABAB2E17E78EC0F35AC3A9E23CBBBA452F34E44C07E5A0F0F03B8CDAF03E
                                                SHA-512:9E84C713910BE1D55E4D061C54D97C8CDA5075C231D0126A02D356BE37CD59949DC10C55A9D8DE80761CCB8760E969CD182417B3B07D5165034963718434AA4A
                                                Malicious:false
                                                Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="839973" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WER5CB4.tmp.dmp
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Mini DuMP crash report, 14 streams, Sat Jan 30 22:23:12 2021, 0x1205a4 type
                                                Category:dropped
                                                Size (bytes):50486
                                                Entropy (8bit):2.1510325720772263
                                                Encrypted:false
                                                SSDEEP:192:4i5J9Tm4BswRJDrI/QtC0cyflT5wkMQGd2K/WjZvB4Zp6w+jtgief6nLd:PJ9TmHwRJHQ3gO27VvqrF+jtASLd
                                                MD5:8408AA93B0C2C7F26D17D6D77B2C9832
                                                SHA1:63DA04E109DD39C3848A024E5E6BA1A3531F4D4B
                                                SHA-256:C99BD6708DD3A2B4C06BB07717D57723437098322F361CF951A41258210E99E7
                                                SHA-512:980E2D62707C2278EAF476907E7F7DA4801CC6D6FAA1F37A2C1D8A0238B0A6A80875C516B34B6054326BDD7859988AAF1B24E4DA64BE25AAB598A29BEBA89C01
                                                Malicious:false
                                                Preview: MDMP....... .......P..`...................U...........B......D ......GenuineIntelW...........T.......\...L..`.............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WER5EA9.tmp.WERInternalMetadata.xml
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):8248
                                                Entropy (8bit):3.693363910446504
                                                Encrypted:false
                                                SSDEEP:192:Rrl7r3GLNilM86F6YAg6ApgmfTuSBCpr989bDlsfMBm:RrlsNiF6F6YP6ApgmfTuSLD+fH
                                                MD5:A6CB8208BC27FA8FBA080B2E4D8BDD71
                                                SHA1:6215C7F1D310652F0A034ABAFF81E47DDC288508
                                                SHA-256:B762FAE10CCC9B0C448F8C9AED1AD334E847C464595377410972690F4AB6AEA1
                                                SHA-512:669B97305AC45D8D85B1A173C4ACE63AC58042570F0C7BCCC2850D6BA7D075D6989069896ACFA94071515F3F1B070AB4D20AE98263834F2387F2E79639615609
                                                Malicious:false
                                                Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.0.4.<./.P.i.d.>.......
                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WER5F65.tmp.xml
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4629
                                                Entropy (8bit):4.4740213509877185
                                                Encrypted:false
                                                SSDEEP:48:cvIwSD8zsxBJgtWI9G4WSC8Bq28fm8M4JCdsUFoi+q8/oqq4SrSBd:uITfVdxSNMJoaqDWBd
                                                MD5:33574F790F04EE4F15C8FD5D7F13B70F
                                                SHA1:D52A243595682BD5C96A40824A2D9B1475A8411D
                                                SHA-256:88413B191DD655B8B29D8FE0A469109C8867D9E8E97766F7B2D8F146067F7D95
                                                SHA-512:4E9040A48134C860CFE35DD67EE6FBFF8DF44B86ABC739B384CFD1F266A5D532B82B7E8F8B63CBF3502C0080B025F0E3FEECA9C01E139CA75F1542A504C2E325
                                                Malicious:false
                                                Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="839973" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

                                                Static File Info

                                                General

                                                File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                Entropy (8bit):7.4522280470694
                                                TrID:
                                                • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                                • Generic Win/DOS Executable (2004/3) 0.20%
                                                • DOS Executable Generic (2002/1) 0.20%
                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                File name:A8xYhQFvXo.dll
                                                File size:4890624
                                                MD5:83dd317c95f4acb8623d1f024945cfdb
                                                SHA1:04f9227cc3bfde5626be669be106a5d38f4416b1
                                                SHA256:5b2f060f1512100a0d500312fa579cdad9d3ea101778838173aa7215cd39700a
                                                SHA512:93cddc6bb6957e38d2485bea380d19b8291d3069d78e03cff58a792a5d6c5a56b983b34f166379a0ff9d1e009a461f71c21a59e98de8081503d9364ad91deb41
                                                SSDEEP:98304:jEn4O4Kkolx67k+Yj6i7SVSVSRDEdxA0L6EwSls/9kXUVje32C:jE4O4KW4rj6ESVSVSR/i6Ewb98d2C
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......JG ..&N..&N..&N......&N...0..&N.).3./&N.). .@&N.).#.9'N..)...&N..)...&N..&O.4'N.).<.I&N.).4..&N.).2..&N.).6..&N.Rich.&N........

                                                File Icon

                                                Icon Hash:74f0e4ecccdce0e4

                                                Static PE Info

                                                General

                                                Entrypoint:0x100288f0
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x10000000
                                                Subsystem:windows gui
                                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                                                DLL Characteristics:
                                                Time Stamp:0x5F9F5377 [Mon Nov 2 00:31:51 2020 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:7438c2384f3e113e7ab9f88b1b5e5108

                                                Entrypoint Preview

                                                Instruction
                                                cmp dword ptr [esp+08h], 01h
                                                jne 00007EFCF482E9C7h
                                                call 00007EFCF483A812h
                                                push dword ptr [esp+04h]
                                                mov ecx, dword ptr [esp+10h]
                                                mov edx, dword ptr [esp+0Ch]
                                                call 00007EFCF482E8B2h
                                                pop ecx
                                                retn 000Ch
                                                push ebp
                                                mov ebp, esp
                                                sub esp, 20h
                                                mov eax, dword ptr [ebp+08h]
                                                push esi
                                                push edi
                                                push 00000008h
                                                pop ecx
                                                mov esi, 10171808h
                                                lea edi, dword ptr [ebp-20h]
                                                rep movsd
                                                mov dword ptr [ebp-08h], eax
                                                mov eax, dword ptr [ebp+0Ch]
                                                test eax, eax
                                                pop edi
                                                mov dword ptr [ebp-04h], eax
                                                pop esi
                                                je 00007EFCF482E9CEh
                                                test byte ptr [eax], 00000008h
                                                je 00007EFCF482E9C9h
                                                mov dword ptr [ebp-0Ch], 01994000h
                                                lea eax, dword ptr [ebp-0Ch]
                                                push eax
                                                push dword ptr [ebp-10h]
                                                push dword ptr [ebp-1Ch]
                                                push dword ptr [ebp-20h]
                                                call dword ptr [10171320h]
                                                leave
                                                retn 0008h
                                                push ebp
                                                mov ebp, esp
                                                push ecx
                                                push ebx
                                                mov eax, dword ptr [ebp+0Ch]
                                                add eax, 0Ch
                                                mov dword ptr [ebp-04h], eax
                                                mov ebx, dword ptr fs:[00000000h]
                                                mov eax, dword ptr [ebx]
                                                mov dword ptr fs:[00000000h], eax
                                                mov eax, dword ptr [ebp+08h]
                                                mov ebx, dword ptr [ebp+0Ch]
                                                mov ebp, dword ptr [ebp-04h]
                                                mov esp, dword ptr [ebx-04h]
                                                jmp eax
                                                pop ebx
                                                leave
                                                retn 0008h
                                                pop eax
                                                pop ecx
                                                xchg dword ptr [esp], eax
                                                jmp eax
                                                push ebp
                                                mov ebp, esp
                                                push ecx
                                                push ecx
                                                push ebx
                                                push esi
                                                push edi
                                                mov esi, dword ptr fs:[00000000h]
                                                mov dword ptr [ebp-04h], esi
                                                mov dword ptr [ebp-08h], 100289BBh
                                                push 00000000h
                                                push dword ptr [ebp+0Ch]
                                                push dword ptr [ebp-08h]
                                                push dword ptr [ebp+08h]
                                                call 00007EFCF482E9E2h

                                                Rich Headers

                                                Programming Language:
                                                • [RES] VS2005 build 50727
                                                • [ C ] VS2005 build 50727
                                                • [EXP] VS2005 build 50727
                                                • [C++] VS2005 build 50727
                                                • [ASM] VS2005 build 50727
                                                • [LNK] VS2005 build 50727

                                                Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x288570 | 0x6e | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x286c3c | 0x118 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x409000 | 0x98db0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4a2000 | 0xb370 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x27b658 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x171000 | 0x4dc | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x16ff8b | 0x170000 | False | 0.486878104832 | data | 6.46262078477 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x171000 | 0x1175de | 0x118000 | False | 0.4536996024 | data | 6.46893668097 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x289000 | 0x17f0e4 | 0x179000 | False | 0.952282488188 | data | 7.96722658693 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x409000 | 0x98db0 | 0x99000 | False | 0.999259599673 | data | 7.99961057955 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x4a2000 | 0xea20 | 0xf000 | False | 0.511735026042 | data | 5.63038298318 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                Resources

Name | RVA | Size | Type | Language | Country
CRX | 0x409150 | 0x9369 | 7-zip archive data, version 0.3 | English | United States
FF | 0x4124bc | 0x87050 | 7-zip archive data, version 0.3 | English | United States
FRIENDS | 0x49950c | 0x884a | 7-zip archive data, version 0.3 | English | United States
RT_MANIFEST | 0x4a1d58 | 0x56 | ASCII text, with CRLF line terminators | English | United States

                                                Imports

DLL | Import
KERNEL32.dll | SetFilePointer, MapViewOfFile, UnmapViewOfFile, SetEndOfFile, HeapAlloc, QueryPerformanceCounter, HeapFree, WaitForSingleObject, InterlockedCompareExchange, UnlockFile, FlushViewOfFile, LockFile, WaitForSingleObjectEx, OutputDebugStringW, GetTickCount, UnlockFileEx, GetProcessHeap, GetSystemTimeAsFileTime, FormatMessageA, InitializeCriticalSection, LoadLibraryW, FormatMessageW, HeapDestroy, LeaveCriticalSection, GetFileAttributesA, HeapCreate, HeapValidate, GetFileAttributesW, FlushFileBuffers, GetTempPathW, HeapSize, LockFileEx, EnterCriticalSection, GetDiskFreeSpaceW, CreateFileMappingA, CreateFileMappingW, GetDiskFreeSpaceA, GetSystemInfo, GetFileAttributesExW, DeleteCriticalSection, GetCurrentThreadId, GetVersionExA, DeleteFileW, HeapCompact, GetTempPathA, AreFileApisANSI, WinExec, GetPrivateProfileStringA, CreateSemaphoreA, VirtualFree, VirtualAlloc, GetLocalTime, OpenFileMappingA, lstrcpynA, CopyFileA, SetFileAttributesA, FindResourceA, LoadResource, SizeofResource, MoveFileA, LockResource, GetWindowsDirectoryA, GetThreadContext, SetThreadContext, VirtualAllocEx, GetModuleHandleA, WriteProcessMemory, ResumeThread, GetThreadLocale, GetFileInformationByHandle, GetDriveTypeA, FileTimeToLocalFileTime, FileTimeToSystemTime, CreateMutexW, HeapReAlloc, GetFullPathNameA, GetFullPathNameW, GetModuleHandleW, DeviceIoControl, CreateFileW, GetVersionExW, GetVolumeInformationW, GetSystemDirectoryW, GetComputerNameW, OutputDebugStringA, DeleteFileA, GetSystemTime, LocalFree, CloseHandle, CreateMutexA, FindNextFileA, LocalAlloc, OpenMutexA, LoadLibraryA, FindClose, GetProcAddress, GetLastError, FindFirstFileA, MultiByteToWideChar, GetTimeZoneInformation, ReadFile, CreateProcessA, WideCharToMultiByte, WriteFile, CompareFileTime, GetCurrentProcess, SystemTimeToFileTime, FreeLibrary, lstrlenA, GetFileSize, CreateFileA, GetStringTypeExA, GetSystemDirectoryA, ExpandEnvironmentStringsA, WaitForMultipleObjects, PeekNamedPipe, SleepEx, SetCurrentDirectoryA, SetFileTime, SetFileAttributesW, CreateDirectoryW, GetCurrentDirectoryA, SetEnvironmentVariableA, GetCurrentProcessId, Sleep, CompareStringW, CompareStringA, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, SetStdHandle, GetLocaleInfoW, IsValidCodePage, IsValidLocale, EnumSystemLocalesA, GetLocaleInfoA, GetUserDefaultLCID, GetStringTypeW, GetStringTypeA, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, GetConsoleMode, GetConsoleCP, GetStartupInfoA, GetFileType, SetHandleCount, GetModuleFileNameA, GetStdHandle, ExitProcess, InterlockedIncrement, InterlockedDecrement, InterlockedExchange, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, CreateDirectoryA, ExitThread, CreateThread, GetCommandLineA, RaiseException, RtlUnwind, GetCPInfo, LCMapStringA, LCMapStringW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetACP, GetOEMCP
USER32.dll | wsprintfA, LoadStringA, wsprintfW, GetSystemMetrics
ADVAPI32.dll | GetSidIdentifierAuthority, CryptDestroyKey, CryptEncrypt, CryptReleaseContext, CryptImportKey, CryptAcquireContextA, GetSecurityDescriptorSacl, SetSecurityInfo, ControlService, OpenSCManagerA, StartServiceA, CreateServiceA, DeleteService, CloseServiceHandle, OpenServiceA, LookupAccountNameW, GetSidSubAuthorityCount, GetSidSubAuthority, CryptCreateHash, RegCloseKey, RegEnumKeyExW, RegOpenKeyExW, RegOpenKeyExA, RegCreateKeyExA, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, RegQueryValueExW, LookupAccountSidA, RegQueryValueExA, RegSetValueExA, GetTokenInformation, OpenProcessToken, CryptDestroyHash, CryptGetHashParam, CryptHashData
SHELL32.dll | SHGetPathFromIDListA, SHGetMalloc, SHGetSpecialFolderLocation, SHFileOperationA, SHGetSpecialFolderPathA
ole32.dll | CoInitialize, CoUninitialize, CoCreateInstance
SHLWAPI.dll | PathFindFileNameA, PathRemoveFileSpecA, PathFileExistsA, SHGetValueA
WS2_32.dll | getpeername, closesocket, socket, connect, sendto, recvfrom, accept, listen, inet_addr, gethostbyname, inet_ntoa, getservbyname, gethostbyaddr, getservbyport, ioctlsocket, gethostname, getsockopt, htons, bind, ntohs, setsockopt, WSAIoctl, select, __WSAFDIsSet, WSASetLastError, send, recv, WSAGetLastError, WSAStartup, WSACleanup, htonl, getsockname, ntohl
CRYPT32.dll | CryptUnprotectData
VERSION.dll | GetFileVersionInfoA, GetFileVersionInfoSizeA, VerQueryValueA
WINHTTP.dll | WinHttpAddRequestHeaders, WinHttpQueryOption, WinHttpReceiveResponse, WinHttpSetTimeouts, WinHttpSetOption, WinHttpSendRequest, WinHttpConnect, WinHttpCloseHandle, WinHttpQueryHeaders, WinHttpQueryDataAvailable, WinHttpOpen, WinHttpOpenRequest, WinHttpReadData, WinHttpSetCredentials
WININET.dll | InternetGetCookieExA, InternetGetCookieA
SETUPAPI.dll | SetupDiGetDeviceRegistryPropertyA, SetupDiEnumDeviceInfo, SetupDiDestroyDeviceInfoList, SetupDiGetClassDevsA
WLDAP32.dll |

                                                Exports

Name | Ordinal | Address
Hello001 | 1 | 0x10148400
Hello002 | 2 | 0x10148370
Hello003 | 3 | 0x10148300

                                                Possible Origin

Language of compilation system | Country where language is spoken
English | United States

                                                Network Behavior

                                                Network Port Distribution

                                                UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 30, 2021 14:22:57.140047073 CET | 55984 | 53 | 192.168.2.3 | 8.8.8.8
Jan 30, 2021 14:22:57.199223042 CET | 53 | 55984 | 8.8.8.8 | 192.168.2.3
Jan 30, 2021 14:22:58.107640028 CET | 64185 | 53 | 192.168.2.3 | 8.8.8.8
Jan 30, 2021 14:22:58.155550957 CET | 53 | 64185 | 8.8.8.8 | 192.168.2.3
Jan 30, 2021 14:22:59.079483032 CET | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Jan 30, 2021 14:22:59.130264997 CET | 53 | 65110 | 8.8.8.8 | 192.168.2.3
Jan 30, 2021 14:23:00.114022017 CET | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Jan 30, 2021 14:23:00.171459913 CET | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Jan 30, 2021 14:23:01.126566887 CET | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Jan 30, 2021 14:23:01.185852051 CET | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Jan 30, 2021 14:23:02.291366100 CET | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Jan 30, 2021 14:23:02.339575052 CET | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Jan 30, 2021 14:23:03.112068892 CET | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Jan 30, 2021 14:23:03.164654016 CET | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Jan 30, 2021 14:23:04.301146030 CET | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Jan 30, 2021 14:23:04.349097967 CET | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Jan 30, 2021 14:23:05.443454981 CET | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Jan 30, 2021 14:23:05.495985985 CET | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Jan 30, 2021 14:23:06.295280933 CET | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Jan 30, 2021 14:23:06.353816032 CET | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Jan 30, 2021 14:23:06.400911093 CET | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Jan 30, 2021 14:23:06.448723078 CET | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Jan 30, 2021 14:23:09.283931971 CET | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Jan 30, 2021 14:23:09.332432985 CET | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Jan 30, 2021 14:23:10.654191971 CET | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Jan 30, 2021 14:23:10.708065033 CET | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Jan 30, 2021 14:23:11.519303083 CET | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Jan 30, 2021 14:23:11.568506002 CET | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Jan 30, 2021 14:23:12.727240086 CET | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Jan 30, 2021 14:23:12.777928114 CET | 53 | 58823 | 8.8.8.8 | 192.168.2.3
Jan 30, 2021 14:23:13.687099934 CET | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Jan 30, 2021 14:23:13.734935999 CET | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Jan 30, 2021 14:23:13.957366943 CET | 50540 | 53 | 192.168.2.3 | 8.8.8.8
Jan 30, 2021 14:23:14.016382933 CET | 53 | 50540 | 8.8.8.8 | 192.168.2.3

                                                Code Manipulations

                                                Statistics

                                                Behavior

                                                System Behavior

                                                General

                                                Start time:14:23:01
                                                Start date:30/01/2021
                                                Path:C:\Windows\System32\loaddll32.exe
                                                Wow64 process (32bit):true
                                                Commandline:loaddll32.exe 'C:\Users\user\Desktop\A8xYhQFvXo.dll'
                                                Imagebase:0x1240000
                                                File size:120832 bytes
                                                MD5 hash:2D39D4DFDE8F7151723794029AB8A034
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate

                                                General

                                                Start time:14:23:01
                                                Start date:30/01/2021
                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                Wow64 process (32bit):true
                                                Commandline:rundll32.exe C:\Users\user\Desktop\A8xYhQFvXo.dll,Hello001
                                                Imagebase:0xf50000
                                                File size:61952 bytes
                                                MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000001.00000002.230780419.000000001028B000.00000008.00020000.sdmp, Author: Florian Roth
                                                Reputation:high

General

Start time: 14:23:03
Start date: 30/01/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 6652 -s 712
Imagebase: 0x12b0000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 14:23:05
Start date: 30/01/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\A8xYhQFvXo.dll,Hello002
Imagebase: 0xf50000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000004.00000002.236067014.000000001028B000.00000008.00020000.sdmp, Author: Florian Roth
Reputation: high

General

Start time: 14:23:06
Start date: 30/01/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 6896 -s 712
Imagebase: 0x12b0000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 14:23:08
Start date: 30/01/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\A8xYhQFvXo.dll,Hello003
Imagebase: 0xf50000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000007.00000002.245505715.000000001028B000.00000008.00020000.sdmp, Author: Florian Roth
Reputation: high
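The Yara rule listed under each of the three rundll32.exe processes above (exports Hello001, Hello002 and Hello003) matched on a memory dump of the process (the .sdmp sources), not on the DLL file on disk. The following Python script is an added example and is neither part of this report nor the Yara rule's own logic: it is an independent implementation of the indicator the rule description names, the MS-DOS stub message "This program cannot be run in DOS mode" XORed with a constant byte, so an analyst can run it over a dumped region to confirm the hit, recover the key, and carve the decoded PE. The input it scans is constructed inside the block; the fake header, carrier bytes and key 0x5A are assumptions for the demonstration.

```python
from __future__ import annotations

# Added example: independent implementation of the indicator described by
# SUSP_XORed_MSDOS_Stub_Message. It is not the rule's code and not part of
# the sandbox report. All input data below is constructed for the demo.

DOS_STUB_MSG = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with the single-byte key."""
    return bytes(b ^ key for b in data)


def find_xored_stub(buf: bytes) -> list[tuple[int, int]]:
    """Return (offset, key) for every copy of the stub message that appears
    in buf XORed with a constant byte.

    Key 0 is the plaintext stub that every normal PE carries, so it is
    skipped on purpose: a clean executable produces no hits. 255 keys times
    one substring search is cheap even for a multi-megabyte memory dump.
    """
    hits: list[tuple[int, int]] = []
    for key in range(1, 256):
        needle = xor_bytes(DOS_STUB_MSG, key)
        pos = buf.find(needle)
        while pos != -1:
            hits.append((pos, key))
            pos = buf.find(needle, pos + 1)
    return sorted(hits)


def recover_pe(buf: bytes, stub_offset: int, key: int,
               max_back: int = 0x100) -> bytes | None:
    """Decode buf with key and return the embedded PE from its 'MZ' signature.

    The stub message sits a few dozen bytes after the DOS header, so the
    signature is searched backwards from the hit within max_back bytes.
    Returns None if no 'MZ' precedes the hit, which usually means the key
    matched a stray string rather than a whole XORed PE.
    """
    start = max(0, stub_offset - max_back)
    decoded = xor_bytes(buf[start:], key)
    mz = decoded.rfind(b"MZ", 0, stub_offset - start)
    if mz == -1:
        return None
    return decoded[mz:]


def build_sample(key: int) -> bytes:
    """Constructed input: a minimal fake DOS header plus the standard stub,
    XORed with key and wrapped in unrelated carrier bytes."""
    fake_pe = (
        b"MZ" + b"\x90" * 0x3E                                   # 0x40-byte DOS header
        + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"  # stub code
        + DOS_STUB_MSG + b".\r\r\n$"
        + b"\x00" * 0x20
    )
    return b"carrier-data-" + xor_bytes(fake_pe, key) + b"-trailer"


if __name__ == "__main__":
    sample = build_sample(0x5A)
    for offset, key in find_xored_stub(sample):
        pe = recover_pe(sample, offset, key)
        print(f"XORed DOS stub at 0x{offset:x}, key 0x{key:02x}, "
              f"PE recovered: {pe is not None and pe[:2] == b'MZ'}")
```

To apply it to a real dump, read the region into `buf` and call `find_xored_stub(buf)`; a hit with no preceding `MZ` after decoding is worth a second look but is not by itself a carved payload. Multi-byte or rolling XOR keys are not covered by this scan.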

General

Start time: 14:23:11
Start date: 30/01/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 7004 -s 712
Imagebase: 0x12b0000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis
