
Analysis Report fff572167e03d2446c.dll

Overview

General Information

Sample Name:fff572167e03d2446c.dll
Analysis ID:399730
MD5:2e475c357cce84559352b7e0a6bcf631
SHA1:8a03f2a1a97a38d318195b3e2a65ec3bba25e1ce
SHA256:fff572167e03d2446c8abd0b5ddfe8657692ff07967bdd380881469df7df1484

Most interesting Screenshot:

Detection

Qbot
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Schedule REGSVR windows binary
Yara detected Qbot
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Found evasive API chain (date check)
Found evasive API chain checking for process token information
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file contains strange resources
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 7132 cmdline: loaddll32.exe 'C:\Users\user\Desktop\fff572167e03d2446c.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 7152 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\fff572167e03d2446c.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6424 cmdline: rundll32.exe 'C:\Users\user\Desktop\fff572167e03d2446c.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • explorer.exe (PID: 5160 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
          • schtasks.exe (PID: 6016 cmdline: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn vdvoloyt /tr 'regsvr32.exe -s \'C:\Users\user\Desktop\fff572167e03d2446c.dll\'' /SC ONCE /Z /ST 05:52 /ET 06:04 MD5: 15FF7D8324231381BAD48A052F85DF04)
            • conhost.exe (PID: 660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • explorer.exe (PID: 3492 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
  • regsvr32.exe (PID: 6176 cmdline: regsvr32.exe -s 'C:\Users\user\Desktop\fff572167e03d2446c.dll' MD5: D78B75FC68247E8A63ACBA846182740E)
    • regsvr32.exe (PID: 6288 cmdline: -s 'C:\Users\user\Desktop\fff572167e03d2446c.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
      • WerFault.exe (PID: 4528 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6288 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • regsvr32.exe (PID: 2740 cmdline: regsvr32.exe -s 'C:\Users\user\Desktop\fff572167e03d2446c.dll' MD5: D78B75FC68247E8A63ACBA846182740E)
    • regsvr32.exe (PID: 3064 cmdline: -s 'C:\Users\user\Desktop\fff572167e03d2446c.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
      • WerFault.exe (PID: 6608 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: Qbot

{"C2 list": ["203.106.195.67:443", "58.152.9.133:443", "67.61.157.208:443", "211.24.72.253:443", "82.10.43.130:2222", "200.75.136.78:443", "120.159.238.185:2222", "196.151.252.84:443", "105.198.236.101:443", "197.161.154.132:443", "79.172.26.240:443", "41.233.153.21:993", "103.102.100.78:2222", "82.223.205.216:443", "90.23.117.67:2222", "81.214.126.173:2222", "95.56.177.11:995", "217.128.117.218:2222", "185.163.221.77:2222", "120.151.95.167:443", "87.218.53.206:2222", "94.49.188.240:443", "2.90.33.130:443", "70.124.29.226:443", "81.150.181.168:2222", "109.154.193.21:2222", "120.150.218.241:995", "96.40.175.33:443", "5.2.188.253:443", "86.125.209.126:443", "89.137.211.239:443", "189.252.72.41:995", "109.209.94.165:2222", "79.115.171.106:2222", "61.1.205.150:443", "68.46.142.48:995", "69.11.247.242:443", "123.136.59.45:443", "87.27.110.90:2222", "39.61.33.253:995", "217.133.54.140:32100", "181.129.155.10:443", "27.223.92.142:995", "175.137.119.141:443", "197.51.82.115:995", "197.45.110.165:995", "174.62.13.151:443", "71.10.43.79:443", "75.136.26.147:443", "156.205.103.107:995", "189.150.40.192:2222", "116.240.78.45:995", "80.110.42.35:443", "85.132.36.111:2222", "144.202.38.185:443", "41.97.178.190:443", "68.224.121.148:993", "78.101.145.96:61201", "47.146.34.236:443", "149.28.98.196:443", "45.77.193.83:443", "31.5.168.31:443", "82.76.47.211:443", "149.28.98.196:995", "144.202.38.185:2222", "24.95.61.62:443", "149.28.98.196:2222", "45.63.107.192:2222", "149.28.99.97:2222", "149.28.99.97:443", "45.63.107.192:995", "72.29.181.78:2222", "144.202.38.185:995", "37.21.231.245:995", "41.227.82.102:443", "182.161.6.57:3389", "94.49.90.92:995", "178.222.114.132:995", "98.121.187.78:443", "108.23.22.28:0", "41.39.134.183:443", "109.205.204.229:2222", "120.150.34.178:443", "95.77.223.148:443", "176.45.233.94:995", "50.244.112.10:995", "173.173.1.164:443", "108.30.125.94:443", "78.187.125.116:2222", "79.113.119.125:443", "86.121.43.200:443", "85.52.72.32:2222", "31.5.21.66:995", 
"189.231.3.63:443", "105.103.33.188:443", "218.227.162.13:443", "95.76.27.6:443", "91.104.44.226:995", "81.97.154.100:443", "47.44.217.98:443", "217.133.54.140:32100", "37.209.255.10:443", "161.142.217.62:443", "85.204.189.105:443", "68.15.109.125:443", "37.211.86.156:443", "156.220.32.217:995", "90.101.117.122:2222", "96.225.88.23:443", "2.50.56.81:443", "47.21.192.182:2222", "93.146.133.102:2222", "96.21.251.127:2222", "184.98.97.227:995", "58.179.21.147:995", "72.36.59.46:2222", "189.157.3.12:443", "219.76.148.249:443", "198.2.35.226:2222", "86.98.59.208:443", "47.22.148.6:443", "197.86.204.38:443", "120.150.60.189:995", "45.118.65.34:443", "110.142.205.182:443", "37.210.133.63:995", "94.98.242.243:443", "45.32.162.253:443", "83.110.150.100:443", "140.82.27.132:443", "45.32.165.134:443", "39.36.30.92:995", "94.176.40.234:443", "73.244.83.199:443", "2.88.67.161:995", "86.98.34.84:995", "65.131.47.74:995", "181.208.249.141:443", "200.110.188.218:443", "151.33.226.156:443", "73.51.245.231:995", "37.210.131.246:443", "71.220.164.199:443", "172.87.157.235:443", "47.24.47.218:443", "195.97.101.40:443", "184.21.136.237:995", "118.70.55.146:443", "103.76.160.110:443", "2.89.183.206:443"], "Bot id": "abc106", "Campaign": "1606896670"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.1071463160.0000000000860000.00000040.00000001.sdmp | JoeSecurity_Qbot | Yara detected Qbot | Joe Security |
00000000.00000002.644313278.0000000001570000.00000004.00000001.sdmp | JoeSecurity_Qbot | Yara detected Qbot | Joe Security |
00000003.00000002.644491126.00000000012D0000.00000004.00000001.sdmp | JoeSecurity_Qbot | Yara detected Qbot | Joe Security |
00000004.00000002.644518920.0000000000CB0000.00000040.00000001.sdmp | JoeSecurity_Qbot | Yara detected Qbot | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.rundll32.exe.12d0000.1.unpack | JoeSecurity_Qbot | Yara detected Qbot | Joe Security |
4.2.explorer.exe.cb0000.0.raw.unpack | JoeSecurity_Qbot | Yara detected Qbot | Joe Security |
0.2.loaddll32.exe.1570000.1.unpack | JoeSecurity_Qbot | Yara detected Qbot | Joe Security |
0.2.loaddll32.exe.1570000.1.raw.unpack | JoeSecurity_Qbot | Yara detected Qbot | Joe Security |
4.2.explorer.exe.cb0000.0.unpack | JoeSecurity_Qbot | Yara detected Qbot | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Schedule REGSVR windows binary
Source: Process started, Author: Joe Security, Data: Command: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn vdvoloyt /tr 'regsvr32.exe -s \'C:\Users\user\Desktop\fff572167e03d2446c.dll\'' /SC ONCE /Z /ST 05:52 /ET 06:04, CommandLine: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn vdvoloyt /tr 'regsvr32.exe -s \'C:\Users\user\Desktop\fff572167e03d2446c.dll\'' /SC ONCE /Z /ST 05:52 /ET 06:04, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\SysWOW64\explorer.exe, ParentImage: C:\Windows\SysWOW64\explorer.exe, ParentProcessId: 5160, ProcessCommandLine: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn vdvoloyt /tr 'regsvr32.exe -s \'C:\Users\user\Desktop\fff572167e03d2446c.dll\'' /SC ONCE /Z /ST 05:52 /ET 06:04, ProcessId: 6016

                    Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: fff572167e03d2446c.dll, Avira: detected
Found malware configuration
Source: 0.2.loaddll32.exe.1570000.1.raw.unpack, Malware Configuration Extractor: Qbot {"C2 list": ["203.106.195.67:443", "58.152.9.133:443", "67.61.157.208:443", "211.24.72.253:443", "82.10.43.130:2222", "200.75.136.78:443", "120.159.238.185:2222", "196.151.252.84:443", "105.198.236.101:443", "197.161.154.132:443", "79.172.26.240:443", "41.233.153.21:993", "103.102.100.78:2222", "82.223.205.216:443", "90.23.117.67:2222", "81.214.126.173:2222", "95.56.177.11:995", "217.128.117.218:2222", "185.163.221.77:2222", "120.151.95.167:443", "87.218.53.206:2222", "94.49.188.240:443", "2.90.33.130:443", "70.124.29.226:443", "81.150.181.168:2222", "109.154.193.21:2222", "120.150.218.241:995", "96.40.175.33:443", "5.2.188.253:443", "86.125.209.126:443", "89.137.211.239:443", "189.252.72.41:995", "109.209.94.165:2222", "79.115.171.106:2222", "61.1.205.150:443", "68.46.142.48:995", "69.11.247.242:443", "123.136.59.45:443", "87.27.110.90:2222", "39.61.33.253:995", "217.133.54.140:32100", "181.129.155.10:443", "27.223.92.142:995", "175.137.119.141:443", "197.51.82.115:995", "197.45.110.165:995", "174.62.13.151:443", "71.10.43.79:443", "75.136.26.147:443", "156.205.103.107:995", "189.150.40.192:2222", "116.240.78.45:995", "80.110.42.35:443", "85.132.36.111:2222", "144.202.38.185:443", "41.97.178.190:443", "68.224.121.148:993", "78.101.145.96:61201", "47.146.34.236:443", "149.28.98.196:443", "45.77.193.83:443", "31.5.168.31:443", "82.76.47.211:443", "149.28.98.196:995", "144.202.38.185:2222", "24.95.61.62:443", "149.28.98.196:2222", "45.63.107.192:2222", "149.28.99.97:2222", "149.28.99.97:443", "45.63.107.192:995", "72.29.181.78:2222", "144.202.38.185:995", "37.21.231.245:995", "41.227.82.102:443", "182.161.6.57:3389", "94.49.90.92:995", "178.222.114.132:995", "98.121.187.78:443", "108.23.22.28:0", "41.39.134.183:443", "109.205.204.229:2222", "120.150.34.178:443", "95.77.223.148:443", "176.45.233.94:995", "50.244.112.10:995", "173.173.1.164:443", "108.30.125.94:443", 
"78.187.125.116:2222", "79.113.119.125:443", "86.121.43.200:443", "85.52.72.32:2222", "31.5.21.66:995", "189.231.3.63:443", "105.103.33.188:443", "218.227.162.13:443", "95.76.27.6:443", "91.104.44.226:995", "81.97.154.100:443", "47.44.217.98:443", "217.133.54.140:32100", "37.209.255.10:443", "161.142.217.62:443", "85.204.189.105:443", "68.15.109.125:443", "37.211.86.156:443", "156.220.32.217:995", "90.101.117.122:2222", "96.225.88.23:443", "2.50.56.81:443", "47.21.192.182:2222", "93.146.133.102:2222", "96.21.251.127:2222", "184.98.97.227:995", "58.179.21.147:995", "72.36.59.46:2222", "189.157.3.12:443", "219.76.148.249:443", "198.2.35.226:2222", "86.98.59.208:443", "47.22.148.6:443", "197.86.204.38:443", "120.150.60.189:995", "45.118.65.34:443", "110.142.205.182:443", "37.210.133.63:995", "94.98.242.243:443", "45.32.162.253:443", "83.110.150.100:443", "140.82.27.132:443", "45.32.165.134:443", "39.36.30.92:995", "94.176.40.234:443", "73.244.83.199:443", "2.88.67.161:995", "86.98.34.84:995", "65.131.47.74:995", "181.208.249.141:443", "200.110.188.218:443", "151.33.226.156:443", "73.51
Multi AV Scanner detection for submitted file
Source: fff572167e03d2446c.dll, Virustotal: Detection: 46%
Source: fff572167e03d2446c.dll, Metadefender: Detection: 43%
Source: fff572167e03d2446c.dll, ReversingLabs: Detection: 80%
Machine Learning detection for dropped file
Source: C:\Users\user\Desktop\fff572167e03d2446c.dll, Joe Sandbox ML: detected
Source: 3.2.rundll32.exe.3510000.2.unpack, Avira: Label: TR/Crypt.EPACK.Gen2
Source: 0.2.loaddll32.exe.1530000.0.unpack, Avira: Label: TR/Crypt.EPACK.Gen2
Source: fff572167e03d2446c.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: Binary string: ole32.pdb source: WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000C.00000003.653639644.0000000003791000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.831194728.0000000002FB4000.00000004.00000001.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
Source: Binary string: combase.pdb2 source: WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000C.00000003.656910480.0000000003B01000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.836463723.0000000003D21000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000C.00000003.656910480.0000000003B01000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.836463723.0000000003D21000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000C.00000003.656921901.0000000003AD0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836482936.0000000003EA0000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000C.00000003.656910480.0000000003B01000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.836463723.0000000003D21000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000C.00000003.656921901.0000000003AD0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836482936.0000000003EA0000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdb?I source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000C.00000003.656910480.0000000003B01000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.836463723.0000000003D21000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
Source: Binary string: aCojrFoCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000001E.00000002.845082772.0000000002972000.00000004.00000001.sdmp
Source: Binary string: regsvr32.pdbk source: WerFault.exe, 0000000C.00000003.656910480.0000000003B01000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.836463723.0000000003D21000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000000C.00000003.656910480.0000000003B01000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.836482936.0000000003EA0000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdbO source: WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000C.00000003.656910480.0000000003B01000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.836463723.0000000003D21000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000C.00000003.656910480.0000000003B01000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.836463723.0000000003D21000.00000004.00000001.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 0000000C.00000003.656921901.0000000003AD0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836482936.0000000003EA0000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000C.00000003.656910480.0000000003B01000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.836463723.0000000003D21000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
Source: Binary string: regsvr32.pdb source: WerFault.exe, 0000000C.00000003.656910480.0000000003B01000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.836463723.0000000003D21000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb3I source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 0000000C.00000003.656921901.0000000003AD0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836482936.0000000003EA0000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000001E.00000003.831186942.0000000002FAE000.00000004.00000001.sdmp
Source: Binary string: regsvr32.pdb( source: WerFault.exe, 0000001E.00000003.831055788.0000000002FA8000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000C.00000003.656910480.0000000003B01000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.836463723.0000000003D21000.00000004.00000001.sdmp
Source: Binary string: shell32.pdbk source: WerFault.exe, 0000001E.00000003.836482936.0000000003EA0000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb, source: WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbMI source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000C.00000003.656921901.0000000003AD0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836482936.0000000003EA0000.00000004.00000040.sdmp
Source: Binary string: lCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000C.00000002.660821803.00000000026E2000.00000004.00000001.sdmp
Source: Binary string: sfc.pdbK source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000000C.00000003.656910480.0000000003B01000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.836463723.0000000003D21000.00000004.00000001.sdmp
Source: Binary string: mpr.pdbW[= source: WerFault.exe, 0000000C.00000003.656921901.0000000003AD0000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb%I source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000C.00000003.656921901.0000000003AD0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836482936.0000000003EA0000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb+I source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000C.00000003.656921901.0000000003AD0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836482936.0000000003EA0000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000C.00000003.656921901.0000000003AD0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836482936.0000000003EA0000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000001E.00000003.831730206.0000000002FBA000.00000004.00000001.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000C.00000003.656921901.0000000003AD0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836482936.0000000003EA0000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000001E.00000003.831194728.0000000002FB4000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000C.00000003.656910480.0000000003B01000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.836463723.0000000003D21000.00000004.00000001.sdmp
Source: Binary string: ole32.pdbI source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000C.00000003.656910480.0000000003B01000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.836463723.0000000003D21000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000C.00000003.656910480.0000000003B01000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 4_2_00CBAD24 FindFirstFileW,FindNextFileW
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 5_2_0086AD24 FindFirstFileW,FindNextFileW
Source: fff572167e03d2446c.dll, String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: fff572167e03d2446c.dll, String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: fff572167e03d2446c.dll, String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: fff572167e03d2446c.dll, String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: fff572167e03d2446c.dll, String found in binary or memory: http://ocsp.comodoca.com0
Source: fff572167e03d2446c.dll, String found in binary or memory: http://ocsp.sectigo.com0
Source: fff572167e03d2446c.dll, String found in binary or memory: https://sectigo.com/CPS0
Source: loaddll32.exe, 00000000.00000002.644348233.00000000015EB000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                    System Summary:

                    barindex
                    Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\DBGJump to behavior
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_03512E0A3_2_03512E0A
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_035117263_2_03511726
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_03513C543_2_03513C54
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0351365D3_2_0351365D
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0351455F3_2_0351455F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_035125163_2_03512516
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_035131373_2_03513137
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_035156293_2_03515629
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_03512BC93_2_03512BC9
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_035110F23_2_035110F2
                    Source: C:\Windows\SysWOW64\explorer.exeCode function: 4_2_00CC00834_2_00CC0083
                    Source: C:\Windows\SysWOW64\explorer.exeCode function: 4_2_00CBF4BA4_2_00CBF4BA
                    Source: C:\Windows\SysWOW64\explorer.exeCode function: 4_2_00CC0C734_2_00CC0C73
                    Source: C:\Windows\SysWOW64\explorer.exeCode function: 4_2_00CC45C94_2_00CC45C9
                    Source: C:\Windows\SysWOW64\explorer.exeCode function: 4_2_00CC4D924_2_00CC4D92
                    Source: C:\Windows\SysWOW64\explorer.exeCode function: 4_2_00CC037D4_2_00CC037D
                    Source: C:\Windows\SysWOW64\explorer.exeCode function: 4_2_00CC572F4_2_00CC572F
                    Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_008700835_2_00870083
                    Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_0086F4BA5_2_0086F4BA
                    Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_00870C735_2_00870C73
                    Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_00874D925_2_00874D92
                    Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_008745C95_2_008745C9
                    Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_0087572F5_2_0087572F
                    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6288 -s 652
                    Source: fff572167e03d2446c.dllStatic PE information: invalid certificate
                    Source: fff572167e03d2446c.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: fff572167e03d2446c.dll.5.drStatic PE information: No import functions for PE file found
                    Source: fff572167e03d2446c.dll.4.drStatic PE information: No import functions for PE file found
                    Source: C:\Windows\System32\regsvr32.exeSection loaded: sfc.dllJump to behavior
                    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dllJump to behavior
                    Source: C:\Windows\System32\regsvr32.exeSection loaded: sfc.dllJump to behavior
                    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dllJump to behavior
                    Source: fff572167e03d2446c.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                    Source: classification engineClassification label: mal100.troj.evad.winDLL@20/10@0/0
                    Source: C:\Windows\SysWOW64\explorer.exeCode function: 4_2_00CBD05E CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket,4_2_00CBD05E
                    Source: C:\Windows\SysWOW64\explorer.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Npkzqznnocvq
                    Source: C:\Windows\SysWOW64\explorer.exe, Mutant created: \Sessions\1\BaseNamedObjects\Global\{05821E1F-F40A-42CA-8653-232B51809585}
                    Source: C:\Windows\SysWOW64\WerFault.exe, Mutant created: \BaseNamedObjects\Local\WERReportingForProcess3064
                    Source: C:\Windows\SysWOW64\WerFault.exe, Mutant created: \BaseNamedObjects\Local\WERReportingForProcess6288
                    Source: C:\Windows\SysWOW64\explorer.exe, Mutant created: \Sessions\1\BaseNamedObjects\{07EB6417-87E1-46B5-958B-97EB69A21D59}
                    Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:660:120:WilError_01
                    Source: C:\Windows\SysWOW64\WerFault.exe, File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2871.tmp
                    Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\explorer.exe
                    Source: C:\Windows\SysWOW64\rundll32.exe, Process created: C:\Windows\SysWOW64\explorer.exe
                    Source: C:\Windows\System32\loaddll32.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\fff572167e03d2446c.dll',#1
                    Source: fff572167e03d2446c.dll, Virustotal: Detection: 46%
                    Source: fff572167e03d2446c.dll, Metadefender: Detection: 43%
                    Source: fff572167e03d2446c.dll, ReversingLabs: Detection: 80%
                    Source: unknown, Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\fff572167e03d2446c.dll'
                    Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\fff572167e03d2446c.dll',#1
                    Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\fff572167e03d2446c.dll',#1
                    Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                    Source: C:\Windows\SysWOW64\rundll32.exe, Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                    Source: C:\Windows\SysWOW64\explorer.exe, Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn vdvoloyt /tr 'regsvr32.exe -s \'C:\Users\user\Desktop\fff572167e03d2446c.dll\'' /SC ONCE /Z /ST 05:52 /ET 06:04
                    Source: C:\Windows\SysWOW64\schtasks.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknown, Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Desktop\fff572167e03d2446c.dll'
                    Source: C:\Windows\System32\regsvr32.exe, Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Desktop\fff572167e03d2446c.dll'
                    Source: C:\Windows\SysWOW64\regsvr32.exe, Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6288 -s 652
                    Source: unknown, Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Desktop\fff572167e03d2446c.dll'
                    Source: C:\Windows\System32\regsvr32.exe, Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Desktop\fff572167e03d2446c.dll'
                    Source: C:\Windows\SysWOW64\regsvr32.exe, Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 652
                    Source: Binary string: ole32.pdb source: WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
                    Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000C.00000003.653639644.0000000003791000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.831194728.0000000002FB4000.00000004.00000001.sdmp
                    Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
                    Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
                    Source: Binary string: combase.pdb2 source: WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
                    Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000C.00000003.656910480.0000000003B01000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.836463723.0000000003D21000.00000004.00000001.sdmp
                    Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000C.00000003.656910480.0000000003B01000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.836463723.0000000003D21000.00000004.00000001.sdmp
                    Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000C.00000003.656921901.0000000003AD0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836482936.0000000003EA0000.00000004.00000040.sdmp
                    Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000C.00000003.656910480.0000000003B01000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.836463723.0000000003D21000.00000004.00000001.sdmp
                    Source: Binary string: shcore.pdb source: WerFault.exe, 0000000C.00000003.656921901.0000000003AD0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836482936.0000000003EA0000.00000004.00000040.sdmp
                    Source: Binary string: setupapi.pdb?I source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp
                    Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000C.00000003.656910480.0000000003B01000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.836463723.0000000003D21000.00000004.00000001.sdmp
                    Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
                    Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
                    Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
                    Source: Binary string: aCojrFoCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000001E.00000002.845082772.0000000002972000.00000004.00000001.sdmp
                    Source: Binary string: regsvr32.pdbk source: WerFault.exe, 0000000C.00000003.656910480.0000000003B01000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.836463723.0000000003D21000.00000004.00000001.sdmp
                    Source: Binary string: shell32.pdb source: WerFault.exe, 0000000C.00000003.656910480.0000000003B01000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.836482936.0000000003EA0000.00000004.00000040.sdmp
                    Source: Binary string: fltLib.pdbO source: WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
                    Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000C.00000003.656910480.0000000003B01000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.836463723.0000000003D21000.00000004.00000001.sdmp
                    Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000C.00000003.656910480.0000000003B01000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.836463723.0000000003D21000.00000004.00000001.sdmp
                    Source: Binary string: mpr.pdb source: WerFault.exe, 0000000C.00000003.656921901.0000000003AD0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836482936.0000000003EA0000.00000004.00000040.sdmp
                    Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
                    Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000C.00000003.656910480.0000000003B01000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.836463723.0000000003D21000.00000004.00000001.sdmp
                    Source: Binary string: setupapi.pdb source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
                    Source: Binary string: regsvr32.pdb source: WerFault.exe, 0000000C.00000003.656910480.0000000003B01000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.836463723.0000000003D21000.00000004.00000001.sdmp
                    Source: Binary string: advapi32.pdb3I source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp
                    Source: Binary string: shcore.pdbk source: WerFault.exe, 0000000C.00000003.656921901.0000000003AD0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836482936.0000000003EA0000.00000004.00000040.sdmp
                    Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000001E.00000003.831186942.0000000002FAE000.00000004.00000001.sdmp
                    Source: Binary string: regsvr32.pdb( source: WerFault.exe, 0000001E.00000003.831055788.0000000002FA8000.00000004.00000001.sdmp
                    Source: Binary string: profapi.pdb source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
                    Source: Binary string: winspool.pdb source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
                    Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000C.00000003.656910480.0000000003B01000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.836463723.0000000003D21000.00000004.00000001.sdmp
                    Source: Binary string: shell32.pdbk source: WerFault.exe, 0000001E.00000003.836482936.0000000003EA0000.00000004.00000040.sdmp
                    Source: Binary string: advapi32.pdb, source: WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
                    Source: Binary string: sechost.pdb source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
                    Source: Binary string: shlwapi.pdbMI source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp
                    Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
                    Source: Binary string: propsys.pdb source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
                    Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000C.00000003.656921901.0000000003AD0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836482936.0000000003EA0000.00000004.00000040.sdmp
                    Source: Binary string: lCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000C.00000002.660821803.00000000026E2000.00000004.00000001.sdmp
                    Source: Binary string: sfc.pdbK source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
                    Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
                    Source: Binary string: ole32.pdb source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
                    Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000000C.00000003.656910480.0000000003B01000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.836463723.0000000003D21000.00000004.00000001.sdmp
                    Source: Binary string: mpr.pdbW[= source: WerFault.exe, 0000000C.00000003.656921901.0000000003AD0000.00000004.00000040.sdmp
                    Source: Binary string: powrprof.pdb%I source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp
                    Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000C.00000003.656921901.0000000003AD0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836482936.0000000003EA0000.00000004.00000040.sdmp
                    Source: Binary string: bcrypt.pdb+I source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp
                    Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
                    Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000C.00000003.656921901.0000000003AD0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836482936.0000000003EA0000.00000004.00000040.sdmp
                    Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000C.00000003.656921901.0000000003AD0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836482936.0000000003EA0000.00000004.00000040.sdmp
                    Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000001E.00000003.831730206.0000000002FBA000.00000004.00000001.sdmp
                    Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000C.00000003.656921901.0000000003AD0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836482936.0000000003EA0000.00000004.00000040.sdmp
                    Source: Binary string: combase.pdb source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
                    Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000001E.00000003.831194728.0000000002FB4000.00000004.00000001.sdmp
                    Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
                    Source: Binary string: sfc.pdb source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.836494873.0000000003EA6000.00000004.00000040.sdmp
                    Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000C.00000003.656910480.0000000003B01000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.836463723.0000000003D21000.00000004.00000001.sdmp
                    Source: Binary string: ole32.pdbI source: WerFault.exe, 0000000C.00000003.656927376.0000000003AD6000.00000004.00000040.sdmp
                    Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000C.00000003.656910480.0000000003B01000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.836463723.0000000003D21000.00000004.00000001.sdmp
                    Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000C.00000003.656910480.0000000003B01000.00000004.00000001.sdmp
                    Source: C:\Windows\SysWOW64\explorer.exe, Code function: 4_2_00CBDA9D lstrlenA,LoadLibraryA,GetProcAddress
                    Source: fff572167e03d2446c.dll.5.dr, Static PE information: real checksum: 0x5ed7d should be: 0x5a4fc
                    Source: fff572167e03d2446c.dll.4.dr, Static PE information: real checksum: 0x5ed7d should be: 0x5a4fc
                    Source: fff572167e03d2446c.dll, Static PE information: section name: .code
                    Source: fff572167e03d2446c.dll, Static PE information: section name: .rdatau
                    Source: fff572167e03d2446c.dll.4.dr, Static PE information: section name: .code
                    Source: fff572167e03d2446c.dll.4.dr, Static PE information: section name: .rdatau
                    Source: fff572167e03d2446c.dll.5.dr, Static PE information: section name: .code
                    Source: fff572167e03d2446c.dll.5.dr, Static PE information: section name: .rdatau
                    Source: unknown, Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Desktop\fff572167e03d2446c.dll'
                    Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_03512E0A push dword ptr [ebp-10h]; mov dword ptr [esp], ecx 3_2_03512E23
                    Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_03512E0A push dword ptr [ebp-08h]; mov dword ptr [esp], edi 3_2_03512EC3
                    Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_03512E0A push 00000000h; mov dword ptr [esp], edx 3_2_03512EE9
                    Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_03512E0A push edi; mov dword ptr [esp], 00000040h 3_2_03512F1D
                    Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_03512E0A push 00000000h; mov dword ptr [esp], ecx 3_2_03512F7B
                    Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_03512E0A push 00000000h; mov dword ptr [esp], ecx 3_2_03512FF5
                    Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_03511726 push dword ptr [ebp-10h]; mov dword ptr [esp], esi 3_2_03511759
                    Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_03511726 push ebp; mov dword ptr [esp], 00000004h 3_2_035118DA
                    Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_03515883 push dword ptr [ebp-04h]; mov dword ptr [esp], eax 3_2_035158AC
                    Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_03515883 push ebp; mov dword ptr [esp], 00000002h 3_2_035158B6
                    Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_03515883 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 3_2_035158ED
                    Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_03513C54 push 00000000h; mov dword ptr [esp], esi 3_2_03513D10
                    Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_03513C54 push eax; mov dword ptr [esp], 0000F000h 3_2_03513DB5
                    Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_03513C54 push 00000000h; mov dword ptr [esp], ebx 3_2_03513DE3
                    Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_0351365D push esi; mov dword ptr [esp], 00000001h 3_2_0351368F
                    Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_0351365D push dword ptr [ebp-1Ch]; mov dword ptr [esp], eax 3_2_035136BE
                    Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_0351365D push ebx; mov dword ptr [esp], 00000003h 3_2_035136E6
                    Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_0351365D push edi; mov dword ptr [esp], 00000011h 3_2_035136F1
                    Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_0351365D push ecx; mov dword ptr [esp], 00000002h 3_2_03513713
                    Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_0351365D push 00000000h; mov dword ptr [esp], edi 3_2_0351373A
                    Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_0351365D push dword ptr [ebp-20h]; mov dword ptr [esp], ebx 3_2_03513762
                    Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_03514D7A push dword ptr [ebp-04h]; mov dword ptr [esp], ebx 3_2_03514D83
                    Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_03514D7A push dword ptr [ebp-04h]; mov dword ptr [esp], edi 3_2_03514D91
                    Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_03514D7A push dword ptr [ebp-04h]; mov dword ptr [esp], edx 3_2_03514D97
                    Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_03514D7A push dword ptr [ebp-04h]; mov dword ptr [esp], esi 3_2_03514DE0
                    Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_03514D7A push 00000000h; mov dword ptr [esp], ecx 3_2_03514DF6
                    Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_03513137 push dword ptr [ebp-04h]; mov dword ptr [esp], edx 3_2_03513150
                    Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_03513137 push 00000000h; mov dword ptr [esp], ecx 3_2_035131A3
                    Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_03513137 push 00000000h; mov dword ptr [esp], ebp 3_2_0351323E
                    Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_03515629 push dword ptr [ebp-04h]; mov dword ptr [esp], eax 3_2_0351567B
                    Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_03515629 push dword ptr [ebp-04h]; mov dword ptr [esp], eax 3_2_035156A6
                    Source: C:\Windows\SysWOW64\explorer.exe, File created: C:\Users\user\Desktop\fff572167e03d2446c.dll

                    Boot Survival:

                    Uses schtasks.exe or at.exe to add and modify task schedules
                    Source: C:\Windows\SysWOW64\explorer.exe, Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn vdvoloyt /tr 'regsvr32.exe -s \'C:\Users\user\Desktop\fff572167e03d2446c.dll\'' /SC ONCE /Z /ST 05:52 /ET 06:04

                    Hooking and other Techniques for Hiding and Protection:

                    Overwrites code with unconditional jumps - possibly setting hooks in foreign process
                    Source: C:\Windows\System32\loaddll32.exe, Memory written: PID: 3492 base: 145F380 value: E9 8F 6B 85 FF
                    Source: C:\Windows\SysWOW64\rundll32.exe, Memory written: PID: 5160 base: 145F380 value: E9 8F 6B 40 FF
                    Source: C:\Windows\System32\loaddll32.exe, Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\cmd.exe, Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\rundll32.exe, Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\schtasks.exe, Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\conhost.exe, Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe, Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe, Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\explorer.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes | graph_4-12948
                    Source: C:\Windows\SysWOW64\explorer.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes | graph_4-9902
                    Source: C:\Windows\SysWOW64\explorer.exe TID: 4168 | Thread sleep time: -180000s >= -30000s
                    Source: C:\Windows\SysWOW64\explorer.exe | Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 4_2_00CBAD24 FindFirstFileW,FindNextFileW,4_2_00CBAD24
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_0086AD24 FindFirstFileW,FindNextFileW,5_2_0086AD24
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 4_2_00CBCC43 GetCurrentProcessId,GetTickCount,GetModuleFileNameW,GetModuleFileNameW,GetCurrentProcess,LookupAccountSidW,GetLastError,GetSystemMetrics,GetModuleFileNameW,MultiByteToWideChar,lstrlenA,GetCurrentProcess,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,GetSystemInfo,GetWindowsDirectoryW,lstrlenA,4_2_00CBCC43
                    Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000
                    Source: WerFault.exe, 0000000C.00000002.662168543.0000000003BF0000.00000002.00000001.sdmp, WerFault.exe, 0000001E.00000002.846423515.0000000003EC0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                    Source: WerFault.exe, 0000000C.00000002.662168543.0000000003BF0000.00000002.00000001.sdmp, WerFault.exe, 0000001E.00000002.846423515.0000000003EC0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                    Source: WerFault.exe, 0000000C.00000002.662168543.0000000003BF0000.00000002.00000001.sdmp, WerFault.exe, 0000001E.00000002.846423515.0000000003EC0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                    Source: WerFault.exe, 0000000C.00000002.662168543.0000000003BF0000.00000002.00000001.sdmp, WerFault.exe, 0000001E.00000002.846423515.0000000003EC0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                    Source: C:\Windows\System32\loaddll32.exe | Process information queried: ProcessInformation
                    Source: C:\Windows\SysWOW64\regsvr32.exe | Process queried: DebugPort
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 4_2_00CBDA9D lstrlenA,LoadLibraryA,GetProcAddress,4_2_00CBDA9D
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03513137 xor ecx, dword ptr fs:[00000030h] 3_2_03513137
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_00865D6B RtlAddVectoredExceptionHandler,5_2_00865D6B

                    HIPS / PFW / Operating System Protection Evasion:

                    Allocates memory in foreign processes
                    Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 890000 protect: page read and write
                    Injects code into the Windows Explorer (explorer.exe)
                    Source: C:\Windows\System32\loaddll32.exe | Memory written: PID: 3492 base: CA0000 value: B8
                    Source: C:\Windows\System32\loaddll32.exe | Memory written: PID: 3492 base: BCD2D8 value: 00
                    Source: C:\Windows\System32\loaddll32.exe | Memory written: PID: 3492 base: BCE1E8 value: 00
                    Source: C:\Windows\System32\loaddll32.exe | Memory written: PID: 3492 base: CE0000 value: 9C
                    Source: C:\Windows\System32\loaddll32.exe | Memory written: PID: 3492 base: 145F380 value: E9
                    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5160 base: 890000 value: 9C
                    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5160 base: 145F380 value: E9
                    Maps a DLL or memory area into another process
                    Source: C:\Windows\System32\loaddll32.exe | Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
                    Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
                    Writes to foreign memory regions
                    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 890000
                    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 145F380
                    Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\fff572167e03d2446c.dll',#1
                    Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 4_2_00CBBF33 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,4_2_00CBBF33
                    Source: explorer.exe, 00000005.00000002.1072586325.0000000003710000.00000002.00000001.sdmp | Binary or memory string: Program Manager
                    Source: explorer.exe, 00000005.00000002.1072586325.0000000003710000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                    Source: explorer.exe, 00000005.00000002.1072586325.0000000003710000.00000002.00000001.sdmp | Binary or memory string: Progman
                    Source: explorer.exe, 00000005.00000002.1072586325.0000000003710000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
                    Source: C:\Windows\System32\loaddll32.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\explorer.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 4_2_00CB9D9F GetSystemTimeAsFileTime,4_2_00CB9D9F
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 4_2_00CB449F LookupAccountNameW,4_2_00CB449F
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 4_2_00CBCBA4 GetCurrentProcess,GetModuleFileNameW,memset,GetVersionExA,GetCurrentProcessId,4_2_00CBCBA4

                    Stealing of Sensitive Information:

                    Yara detected Qbot
                    Source: Yara match | File source: 00000005.00000002.1071463160.0000000000860000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.644313278.0000000001570000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.644491126.00000000012D0000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000002.644518920.0000000000CB0000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 3.2.rundll32.exe.12d0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.explorer.exe.cb0000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.loaddll32.exe.1570000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.loaddll32.exe.1570000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.explorer.exe.cb0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.explorer.exe.860000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.rundll32.exe.12d0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.explorer.exe.860000.0.raw.unpack, type: UNPACKEDPE

                    Remote Access Functionality:

                    Yara detected Qbot
                    Source: Yara match | File source: 00000005.00000002.1071463160.0000000000860000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.644313278.0000000001570000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.644491126.00000000012D0000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000002.644518920.0000000000CB0000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 3.2.rundll32.exe.12d0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.explorer.exe.cb0000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.loaddll32.exe.1570000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.loaddll32.exe.1570000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.explorer.exe.cb0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.explorer.exe.860000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.rundll32.exe.12d0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.explorer.exe.860000.0.raw.unpack, type: UNPACKEDPE

                    Mitre Att&ck Matrix

                    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                    Valid Accounts | Scheduled Task/Job1 | Scheduled Task/Job1 | Process Injection412 | Masquerading11 | Credential API Hooking1 | System Time Discovery1 | Remote Services | Credential API Hooking1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                    Default Accounts | Native API3 | DLL Side-Loading1 | Scheduled Task/Job1 | Virtualization/Sandbox Evasion21 | Input Capture1 | Security Software Discovery11 | Remote Desktop Protocol | Input Capture1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                    Domain Accounts | At (Linux) | Logon Script (Windows) | DLL Side-Loading1 | Process Injection412 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Archive Collected Data1 | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information1 | NTDS | Virtualization/Sandbox Evasion21 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
                    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Regsvr321 | LSA Secrets | Account Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                    Replication Through Removable Media | Launchd | Rc.common | Rc.common | Rundll321 | Cached Domain Credentials | System Owner/User Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                    External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing1 | DCSync | File and Directory Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                    Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading1 | Proc Filesystem | System Information Discovery14 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

                    Behavior Graph
