Play interactive tour

Edit tour

Windows Analysis Report SAWHipN3nS.dll

Overview

General Information

Sample Name:	SAWHipN3nS.dll
Analysis ID:	490253
MD5:	1ff17ce907ce2d98867ec9c78998518e
SHA1:	91818954ba50a5c63b73461af867a8c68958e20e
SHA256:	2dca3e9494cc2b34e8e1d53d1c9b78830ef35cda9473c5a0b8d84ef9bf4ea330
Tags:	dllSquirrelwaffle
Infos:
Most interesting Screenshot:

Detection

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Sigma detected: Schedule system process

Maps a DLL or memory area into another process

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Writes to foreign memory regions

Machine Learning detection for sample

Allocates memory in foreign processes

Injects code into the Windows Explorer (explorer.exe)

Sigma detected: Regsvr32 Command Line Without DLL

Machine Learning detection for dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

One or more processes crash

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

PE file does not import any functions

Sample file is different than original file name gathered from version info

Drops PE files

Tries to load missing DLLs

Checks if the current process is being debugged

Registers a DLL

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6652 cmdline: loaddll32.exe 'C:\Users\user\Desktop\SAWHipN3nS.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 6664 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SAWHipN3nS.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6684 cmdline: rundll32.exe 'C:\Users\user\Desktop\SAWHipN3nS.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

explorer.exe (PID: 6752 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)

explorer.exe (PID: 6732 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)

schtasks.exe (PID: 6832 cmdline: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn yyhcsfwg /tr 'regsvr32.exe -s \'C:\Users\user\Desktop\SAWHipN3nS.dll\'' /SC ONCE /Z /ST 10:15 /ET 10:27 MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

regsvr32.exe (PID: 6888 cmdline: regsvr32.exe -s 'C:\Users\user\Desktop\SAWHipN3nS.dll' MD5: D78B75FC68247E8A63ACBA846182740E)

regsvr32.exe (PID: 6896 cmdline: -s 'C:\Users\user\Desktop\SAWHipN3nS.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)

WerFault.exe (PID: 6960 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6896 -s 644 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

regsvr32.exe (PID: 6264 cmdline: regsvr32.exe -s 'C:\Users\user\Desktop\SAWHipN3nS.dll' MD5: D78B75FC68247E8A63ACBA846182740E)

regsvr32.exe (PID: 6324 cmdline: -s 'C:\Users\user\Desktop\SAWHipN3nS.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)

WerFault.exe (PID: 4388 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6324 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Regsvr32 Command Line Without DLL

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Windows\SysWOW64\WerFault.exe -u -p 6896 -s 644, CommandLine: C:\Windows\SysWOW64\WerFault.exe -u -p 6896 -s 644, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WerFault.exe, NewProcessName: C:\Windows\SysWOW64\WerFault.exe, OriginalFileName: C:\Windows\SysWOW64\WerFault.exe, ParentCommandLine: -s 'C:\Users\user\Desktop\SAWHipN3nS.dll', ParentImage: C:\Windows\SysWOW64\regsvr32.exe, ParentProcessId: 6896, ProcessCommandLine: C:\Windows\SysWOW64\WerFault.exe -u -p 6896 -s 644, ProcessId: 6960

Persistence and Installation Behavior:

Sigma detected: Schedule system process

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn yyhcsfwg /tr 'regsvr32.exe -s \'C:\Users\user\Desktop\SAWHipN3nS.dll\'' /SC ONCE /Z /ST 10:15 /ET 10:27, CommandLine: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn yyhcsfwg /tr 'regsvr32.exe -s \'C:\Users\user\Desktop\SAWHipN3nS.dll\'' /SC ONCE /Z /ST 10:15 /ET 10:27, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\SysWOW64\explorer.exe, ParentImage: C:\Windows\SysWOW64\explorer.exe, ParentProcessId: 6732, ProcessCommandLine: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn yyhcsfwg /tr 'regsvr32.exe -s \'C:\Users\user\Desktop\SAWHipN3nS.dll\'' /SC ONCE /Z /ST 10:15 /ET 10:27, ProcessId: 6832

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: SAWHipN3nS.dll

ReversingLabs: Detection: 51%

Machine Learning detection for sample

Show sources

Source: SAWHipN3nS.dll

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\Desktop\SAWHipN3nS.dll

Joe Sandbox ML: detected

Source: SAWHipN3nS.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source:	Binary string: winspool.pdbxW source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000D.00000003.375176370.00000000007F5000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdbTW source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000D.00000003.386168716.0000000003681000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source:	Binary string: powrprof.pdbQ source: WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000D.00000003.386168716.0000000003681000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000D.00000003.386268708.00000000037E0000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577726861.0000000004080000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000000D.00000003.375740594.00000000007EF000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.572693362.00000000030BD000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000000D.00000003.386268708.00000000037E0000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577726861.0000000004080000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000D.00000003.386168716.0000000003681000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: regsvr32.pdbk source: WerFault.exe, 0000000D.00000003.386168716.0000000003681000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000000D.00000003.386168716.0000000003681000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000D.00000003.386168716.0000000003681000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000D.00000003.375280310.00000000007FB000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 0000000D.00000003.386268708.00000000037E0000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577726861.0000000004080000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdbG source: WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000D.00000003.386168716.0000000003681000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdbe source: WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: regsvr32.pdb source: WerFault.exe, 0000000D.00000003.375158454.00000000007EA000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdbI source: WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 0000000D.00000003.386268708.00000000037E0000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577726861.0000000004080000.00000004.00000040.sdmp
Source:	Binary string: regsvr32.pdb( source: WerFault.exe, 0000000D.00000003.375158454.00000000007EA000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdbZW source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000D.00000003.386168716.0000000003681000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: amstream.pdb source: explorer.exe, 00000004.00000003.360596035.0000000004491000.00000004.00000001.sdmp, explorer.exe, 00000005.00000003.360628617.00000000043E1000.00000004.00000001.sdmp, regsvr32.exe, 0000000A.00000000.370275460.0000000010001000.00000020.00020000.sdmp, regsvr32.exe, 0000001F.00000002.583080769.0000000010001000.00000020.00020000.sdmp, SAWHipN3nS.dll.5.dr
Source:	Binary string: propsys.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb] source: WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000D.00000003.386268708.00000000037E0000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577726861.0000000004080000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdbo source: WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdbK source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: amstream.pdbGCTL source: explorer.exe, 00000004.00000003.360596035.0000000004491000.00000004.00000001.sdmp, explorer.exe, 00000005.00000003.360628617.00000000043E1000.00000004.00000001.sdmp, regsvr32.exe, 0000000A.00000000.370275460.0000000010001000.00000020.00020000.sdmp, regsvr32.exe, 0000001F.00000002.583080769.0000000010001000.00000020.00020000.sdmp, SAWHipN3nS.dll.5.dr
Source:	Binary string: powrprof.pdb<W source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 0000000D.00000003.386168716.0000000003681000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdbrW source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb~W source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb[ source: WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000D.00000003.386268708.00000000037E0000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577726861.0000000004080000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000D.00000003.386268708.00000000037E0000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577726861.0000000004080000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000D.00000003.386268708.00000000037E0000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577726861.0000000004080000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb`W source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000D.00000003.375189057.00000000007FB000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.566824953.00000000030C9000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000D.00000003.386268708.00000000037E0000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577726861.0000000004080000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdbNW source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000021.00000003.566808703.00000000030C3000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdbBW source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000000D.00000003.386168716.0000000003681000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000D.00000003.386168716.0000000003681000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 0000000D.00000003.386168716.0000000003681000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source:	Binary string: a/pjr2pCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000D.00000002.393309522.0000000000432000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000002.584600011.0000000002D52000.00000004.00000001.sdmp
Source:	Binary string: sfc_os.pdbHW source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdbp source: WerFault.exe, 0000000D.00000003.386268708.00000000037E0000.00000004.00000040.sdmp

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1000AE9A FindFirstFileW,FindNextFileW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000AE9A FindFirstFileW,FindNextFileW,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_026EAE9A FindFirstFileW,FindNextFileW,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 5_2_026EAE9A FindFirstFileW,FindNextFileW,

System Summary:

Source: SAWHipN3nS.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Windows\SysWOW64\regsvr32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6896 -s 644

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\DBG

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_025E19A1
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10016EC0
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10012351
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10011763
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1001538F
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10014FD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_045A19A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10016EC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10012351
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10011763
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001538F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10014FD0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_026F6EC0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_026F1763
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_026F2351
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_026F4FD0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_026F538F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 5_2_026F6EC0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 5_2_026F1763
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 5_2_026F2351
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 5_2_026F4FD0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 5_2_026F538F

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1000C6CB NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose,
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1000CB82 memset,GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000C6CB NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000CB82 memset,GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary,

Source: SAWHipN3nS.dll.5.dr	Static PE information: No import functions for PE file found
Source: SAWHipN3nS.dll.4.dr	Static PE information: No import functions for PE file found

Source: SAWHipN3nS.dll.5.dr

Binary or memory string: OriginalFilenameAMStream.dllj% vs SAWHipN3nS.dll

Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll

Source: SAWHipN3nS.dll

ReversingLabs: Detection: 51%

Source: SAWHipN3nS.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SAWHipN3nS.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SAWHipN3nS.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SAWHipN3nS.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn yyhcsfwg /tr 'regsvr32.exe -s \'C:\Users\user\Desktop\SAWHipN3nS.dll\'' /SC ONCE /Z /ST 10:15 /ET 10:27
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Desktop\SAWHipN3nS.dll'
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Desktop\SAWHipN3nS.dll'
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6896 -s 644
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Desktop\SAWHipN3nS.dll'
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Desktop\SAWHipN3nS.dll'
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6324 -s 652
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SAWHipN3nS.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SAWHipN3nS.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn yyhcsfwg /tr 'regsvr32.exe -s \'C:\Users\user\Desktop\SAWHipN3nS.dll\'' /SC ONCE /Z /ST 10:15 /ET 10:27
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Desktop\SAWHipN3nS.dll'
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Desktop\SAWHipN3nS.dll'

Source: C:\Windows\SysWOW64\explorer.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Pavbnst

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERCE23.tmp

Jump to behavior

Source: classification engine

Classification label: mal92.evad.winDLL@20/10@0/0

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_1000D52E CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket,

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_1000AB89 CreateToolhelp32Snapshot,memset,Process32First,Process32Next,CloseHandle,

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SAWHipN3nS.dll',#1

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\WERReportingForProcess6896
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\WERReportingForProcess6324
Source: C:\Windows\SysWOW64\explorer.exe	Mutant created: \Sessions\1\BaseNamedObjects\{07AEAA9B-1A91-47DC-972F-5BF5DFBCBD50}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6840:120:WilError_01
Source: C:\Windows\SysWOW64\explorer.exe	Mutant created: \Sessions\1\BaseNamedObjects\{A5687C0D-CE45-44A3-9FC0-6E0686595B4B}
Source: C:\Windows\SysWOW64\explorer.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{07AEAA9B-1A91-47DC-972F-5BF5DFBCBD50}

Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\explorer.exe

Source:	Binary string: winspool.pdbxW source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000D.00000003.375176370.00000000007F5000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdbTW source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000D.00000003.386168716.0000000003681000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source:	Binary string: powrprof.pdbQ source: WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000D.00000003.386168716.0000000003681000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000D.00000003.386268708.00000000037E0000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577726861.0000000004080000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000000D.00000003.375740594.00000000007EF000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.572693362.00000000030BD000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000000D.00000003.386268708.00000000037E0000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577726861.0000000004080000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000D.00000003.386168716.0000000003681000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: regsvr32.pdbk source: WerFault.exe, 0000000D.00000003.386168716.0000000003681000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000000D.00000003.386168716.0000000003681000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000D.00000003.386168716.0000000003681000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000D.00000003.375280310.00000000007FB000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 0000000D.00000003.386268708.00000000037E0000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577726861.0000000004080000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdbG source: WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000D.00000003.386168716.0000000003681000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdbe source: WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: regsvr32.pdb source: WerFault.exe, 0000000D.00000003.375158454.00000000007EA000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdbI source: WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 0000000D.00000003.386268708.00000000037E0000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577726861.0000000004080000.00000004.00000040.sdmp
Source:	Binary string: regsvr32.pdb( source: WerFault.exe, 0000000D.00000003.375158454.00000000007EA000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdbZW source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000D.00000003.386168716.0000000003681000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: amstream.pdb source: explorer.exe, 00000004.00000003.360596035.0000000004491000.00000004.00000001.sdmp, explorer.exe, 00000005.00000003.360628617.00000000043E1000.00000004.00000001.sdmp, regsvr32.exe, 0000000A.00000000.370275460.0000000010001000.00000020.00020000.sdmp, regsvr32.exe, 0000001F.00000002.583080769.0000000010001000.00000020.00020000.sdmp, SAWHipN3nS.dll.5.dr
Source:	Binary string: propsys.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb] source: WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000D.00000003.386268708.00000000037E0000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577726861.0000000004080000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdbo source: WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdbK source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: amstream.pdbGCTL source: explorer.exe, 00000004.00000003.360596035.0000000004491000.00000004.00000001.sdmp, explorer.exe, 00000005.00000003.360628617.00000000043E1000.00000004.00000001.sdmp, regsvr32.exe, 0000000A.00000000.370275460.0000000010001000.00000020.00020000.sdmp, regsvr32.exe, 0000001F.00000002.583080769.0000000010001000.00000020.00020000.sdmp, SAWHipN3nS.dll.5.dr
Source:	Binary string: powrprof.pdb<W source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 0000000D.00000003.386168716.0000000003681000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdbrW source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb~W source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb[ source: WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000D.00000003.386268708.00000000037E0000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577726861.0000000004080000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000D.00000003.386268708.00000000037E0000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577726861.0000000004080000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000D.00000003.386268708.00000000037E0000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577726861.0000000004080000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb`W source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000D.00000003.375189057.00000000007FB000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.566824953.00000000030C9000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000D.00000003.386268708.00000000037E0000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577726861.0000000004080000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdbNW source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000021.00000003.566808703.00000000030C3000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp, WerFault.exe, 00000021.00000003.577738305.0000000004086000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdbBW source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000000D.00000003.386168716.0000000003681000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000D.00000003.386168716.0000000003681000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 0000000D.00000003.386168716.0000000003681000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000003.577706381.00000000040B1000.00000004.00000001.sdmp
Source:	Binary string: a/pjr2pCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000D.00000002.393309522.0000000000432000.00000004.00000001.sdmp, WerFault.exe, 00000021.00000002.584600011.0000000002D52000.00000004.00000001.sdmp
Source:	Binary string: sfc_os.pdbHW source: WerFault.exe, 0000000D.00000003.386279399.00000000037E6000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdbp source: WerFault.exe, 0000000D.00000003.386268708.00000000037E0000.00000004.00000040.sdmp

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_025E44AB push edi; mov dword ptr [esp], 00000003h
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_025E44AB push edx; mov dword ptr [esp], 00F00000h
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_025E19A1 push 00000000h; mov dword ptr [esp], eax
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_025E19A1 push 00000000h; mov dword ptr [esp], edx
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_025E19A1 push 00000000h; mov dword ptr [esp], ecx
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_025E19A1 push ebp; mov dword ptr [esp], 000FFFFFh
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1001A006 push ebx; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1001D485 push FFFFFF8Ah; iretd
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1001D4B6 push FFFFFF8Ah; iretd
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10019D54 push cs; iretd
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10019E56 push cs; iretd
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1001BB21 push esi; iretd
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_045A44AB push edi; mov dword ptr [esp], 00000003h
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_045A44AB push edx; mov dword ptr [esp], 00F00000h
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_045A19A1 push 00000000h; mov dword ptr [esp], eax
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_045A19A1 push 00000000h; mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_045A19A1 push 00000000h; mov dword ptr [esp], ecx
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_045A19A1 push ebp; mov dword ptr [esp], 000FFFFFh
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001A006 push ebx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001D485 push FFFFFF8Ah; iretd
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001D4B6 push FFFFFF8Ah; iretd
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10019D54 push cs; iretd
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10019E56 push cs; iretd
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001BB21 push esi; iretd
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_026F9E56 push cs; iretd
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_026FBB21 push esi; iretd
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_026FA006 push ebx; ret
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_026FD4B6 push FFFFFF8Ah; iretd
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_026FD485 push FFFFFF8Ah; iretd
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_026F9D54 push cs; iretd
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 5_2_026F9E56 push cs; iretd

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_1000DFB8 LoadLibraryA,GetProcAddress,

Source: unknown

Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Desktop\SAWHipN3nS.dll'

Persistence and Installation Behavior:

Source: C:\Windows\SysWOW64\explorer.exe

File created: C:\Users\user\Desktop\SAWHipN3nS.dll

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Windows\SysWOW64\explorer.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn yyhcsfwg /tr 'regsvr32.exe -s \'C:\Users\user\Desktop\SAWHipN3nS.dll\'' /SC ONCE /Z /ST 10:15 /ET 10:27

Hooking and other Techniques for Hiding and Protection:

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Show sources

Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 6732 base: 12F380 value: E9 4F 69 5B 02
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 6752 base: 12F380 value: E9 4F 69 5B 02

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\explorer.exe TID: 6736	Thread sleep time: -100000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 6756	Thread sleep count: 67 > 30

Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Process information queried: ProcessInformation

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_1000D02A GetCurrentProcessId,GetModuleFileNameW,GetCurrentProcess,GetCurrentProcess,GetLastError,GetLastError,GetSystemMetrics,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,GetSystemInfo,GetWindowsDirectoryW,

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_1000AE9A FindFirstFileW,FindNextFileW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000AE9A FindFirstFileW,FindNextFileW,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_026EAE9A FindFirstFileW,FindNextFileW,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 5_2_026EAE9A FindFirstFileW,FindNextFileW,

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_1000DFB8 LoadLibraryA,GetProcAddress,

Source: C:\Windows\SysWOW64\regsvr32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\regsvr32.exe	Process queried: DebugPort

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 4_2_026E5A49 RtlAddVectoredExceptionHandler,

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process

Show sources

Source: C:\Windows\System32\loaddll32.exe	Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write

Writes to foreign memory regions

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 2710000
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 12F380

Allocates memory in foreign processes

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 2710000 protect: page read and write

Injects code into the Windows Explorer (explorer.exe)

Show sources

Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 6732 base: 26D0000 value: B8
Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 6732 base: 25FB2D8 value: 00
Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 6732 base: 25FC1E8 value: 00
Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 6732 base: 2710000 value: 9C
Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 6732 base: 12F380 value: E9
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 6752 base: 2710000 value: 9C
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 6752 base: 12F380 value: E9

Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SAWHipN3nS.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe

Source: explorer.exe, 00000004.00000002.616005670.0000000002FA0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000002.616005670.0000000002FA0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000004.00000002.616005670.0000000002FA0000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: explorer.exe, 00000004.00000002.616005670.0000000002FA0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 4_2_026E31C2 CreateNamedPipeA,

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_100097F2 GetSystemTimeAsFileTime,

Source: C:\Windows\System32\loaddll32.exe

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 4_2_026EE2D1 LookupAccountNameW,Sleep,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Process Injection413	Masquerading11	Credential API Hooking1	System Time Discovery1	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	DLL Side-Loading1	Scheduled Task/Job1	Virtualization/Sandbox Evasion2	LSASS Memory	Security Software Discovery1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	DLL Side-Loading1	Process Injection413	Security Account Manager	Virtualization/Sandbox Evasion2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	Process Discovery3	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Regsvr321	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Rundll321	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	DLL Side-Loading1	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery14	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SAWHipN3nS.dll	51%	ReversingLabs	Win32.Backdoor.Quakbot
SAWHipN3nS.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Desktop\SAWHipN3nS.dll	100%	Joe Sandbox ML

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	490253
Start date:	25.09.2021
Start time:	10:12:22
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 56s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	SAWHipN3nS.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal92.evad.winDLL@20/10@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 22.2% (good quality ratio 21.3%) Quality average: 77% Quality standard deviation: 26.4%
HCA Information:	Successful, ratio: 74% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 20.82.209.183, 20.54.110.249, 40.112.88.60, 93.184.221.240, 20.50.102.62, 80.67.82.211, 80.67.82.235, 23.211.4.86 Excluded domains from analysis (whitelisted): a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, wu.azureedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, wu.wpc.apr-52dd2.edgecastdns.net, prod.fs.microsoft.com.akadns.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, wu-shim.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information.

Simulations

Behavior and APIs

Time	Type	Description
10:13:29	Task Scheduler	Run new task: yyhcsfwg path: regsvr32.exe s>-s "C:\Users\user\Desktop\SAWHipN3nS.dll"

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_regsvr32.exe_2e23c0425775ca197e9a9eceef723eb776aaa0c_7a325c51_11c343eb\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	11508
Entropy (8bit):	3.7751782567220458
Encrypted:	false
SSDEEP:	192:Ur75YqzcKb6VZXkH/RS5uGXx3RjetpO/u7slS274ItUP:VEcc6VS/RS5n3jei/u7slX4ItUP
MD5:	8979C3D25F44E2F23B3D5BC5A0E7621E
SHA1:	544CB7C9962FA0070443C7A9AF8804BB6619D74B
SHA-256:	AC7369923A54B4A06BE560740C56C5A44794FCA7010F637E5E31B7BDE2FE3908
SHA-512:	87AD0034BD79D56ECCDD616A9B8305FE123D787BA4DF2DE446439367333E303B0A4297C46FFD4EBBDD58078FE46A7493D7E79D373E0C09637A18846D6F481B30
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.7.0.6.3.7.0.7.7.6.4.9.2.1.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.c.1.f.6.d.d.f.-.5.1.0.4.-.4.6.c.3.-.b.e.9.8.-.d.0.b.3.4.1.9.4.7.4.6.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.3.0.1.e.d.b.d.-.8.c.b.4.-.4.0.5.0.-.b.f.f.6.-.7.5.4.4.4.9.a.d.e.0.1.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.e.g.s.v.r.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.E.G.S.V.R.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.b.4.-.0.0.0.0.-.0.0.1.7.-.7.4.0.6.-.4.6.d.f.3.0.b.2.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.8.6.3.0.f.6.0.e.7.3.4.5.4.6.7.0.a.7.d.9.b.6.4.c.9.8.b.4.7.9.8.d.1.d.e.8.8.7.2.!.r.e.g.s.v.r.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.1.9.7.1././.0.4././.0.9.:.1.7.:.2.8.:.2.3.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_regsvr32.exe_2e23c0425775ca197e9a9eceef723eb776aaa0c_7a325c51_1bd5e91d\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	11506
Entropy (8bit):	3.775045540054189
Encrypted:	false
SSDEEP:	192:ySUzc1b6VtXkH/RS5uGXx3RjetpO/u7sKS274ItUa:yFcx6VG/RS5n3jei/u7sKX4ItUa
MD5:	D3D4DDDB9C374254664A7E4F67BAAC89
SHA1:	D6C94E93DCC92B6F8EC2AF9DFD191228B6D2426B
SHA-256:	4F124219A322A45C4519EF06DE254DD25FE7F25982B4002979346E345D7C1EA8
SHA-512:	4E58F9EC996DDCE00A8892FB1B8EA7218249854638A28950E6EBF6B9FE12314D403ABA8356EE4B0BE41718AB4146E387777152559A4895F4AE630C555F4901E5
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.7.0.6.3.6.1.5.5.6.8.2.6.0.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.6.3.9.3.b.6.4.-.e.d.5.1.-.4.5.6.5.-.8.1.f.b.-.4.1.2.8.a.6.0.5.f.a.c.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.1.8.4.0.d.b.8.-.1.a.c.4.-.4.e.0.9.-.8.8.b.3.-.3.3.f.a.7.e.0.a.f.0.8.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.e.g.s.v.r.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.E.G.S.V.R.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.f.0.-.0.0.0.0.-.0.0.1.7.-.1.7.2.d.-.a.2.a.9.3.0.b.2.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.8.6.3.0.f.6.0.e.7.3.4.5.4.6.7.0.a.7.d.9.b.6.4.c.9.8.b.4.7.9.8.d.1.d.e.8.8.7.2.!.r.e.g.s.v.r.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.1.9.7.1././.0.4././.0.9.:.1.7.:.2.8.:.2.3.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER363F.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat Sep 25 17:15:09 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	35498
Entropy (8bit):	2.5986676342993458
Encrypted:	false
SSDEEP:	192:2oIfr8oWOb+SJlzZQdooE11qfBwOWud8n3gMWi/px7lZr6pPnG:CooWOb+lKoE1ZM2RWi/j6pG
MD5:	E274944E21CB841F8724BBE241255F1C
SHA1:	73F60C163D8317D9CE4AD0E7CC7D0DB127ECC64F
SHA-256:	43EBE48EA596BE6491D120A0FC26390CE967C93EABC75096B52FAB6034BCDF1F
SHA-512:	81F1BE2F2438563D8821C085B85BFFAFABA81749867AE7667DED172B99D2F8A1F76AF8CAEE09CFD9AEB04D345E1CF1732F601AF2885B21B69390F7A6F05F3E73
Malicious:	false
Preview:	MDMP....... ........YOa...................U...........B..............GenuineIntelW...........T............YOa.............................@..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3D45.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8276
Entropy (8bit):	3.6968320838087996
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiqfV69uMW6YJFSUigmfJRVSzCpBB89bWhZqBsf0er75jym:RrlsNiqN6o6YbSUigmfJTSHWhZq6ft
MD5:	E1930806C8189D35BFEBCB8822DDF790
SHA1:	2CC8F40EAC341018EDD4653B78E4BC4CF2325E27
SHA-256:	C05DF347002FC437317CD5B7603664D0548CBF2B5BD7C56A013628F53A18B2BB
SHA-512:	4F2C0FB213513135145B003BC8E4A5684B403239CAEB8E9BBCC53DAF54C2C8B6AF0BD38F9CC4283126C79ABD042E0AE0CE2B1206C839F3C0CE5A2BF72A884898
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.3.2.4.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3FD6.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4630
Entropy (8bit):	4.462360287417202
Encrypted:	false
SSDEEP:	48:cvIwSD8zs0JgtWI9IuWSC8BeI8fm8M4JkNWFeM+q8XdwWKJY1gd:uITfyfPSNYlJ+MBWqY1gd
MD5:	F20AE3EDACACD672BCDC724F570EA65A
SHA1:	9CE5EC0C0C900FA85EB1BE5A1541064F83C8B82A
SHA-256:	87C0B2C1EC2A62EE84EC105BFCD24AEB667C7D76E39C424B37914596E1D61A89
SHA-512:	0EFF417E26D042766262DBE6625C28C8ADF7BF7D4192BC2F3257882A40CBA18A0AA05483B4BAF41FAE574B163E84388917DABABD438E58A1FA3A9AD1E1FC0A46
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1182385" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCE23.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat Sep 25 17:13:38 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	34890
Entropy (8bit):	2.6351852705018484
Encrypted:	false
SSDEEP:	192:WP8FryeYptE5M/7ZIs7Wud8n3gMWi/N5OrnHFmcnZ:4eYQ5Mzuw2RWi/argcZ
MD5:	97A5CCD8530E124C2F8760DAA1529F45
SHA1:	DC2025701CFB554399910B68894EB9CF6C776A5B
SHA-256:	B71101F7990761C70C693B4A8351C0DC0347FC4ABD115385ABEF9D157D951E31
SHA-512:	50B0B58BD27386BD0194AE10C604583AE71321D45CDA805AE1A26A58D04BA5A635CFC49986E5B9CFA520B28866D9FA09E92D1F269A61320151613956DA9E4AFD
Malicious:	false
Preview:	MDMP....... ........XOa...................U...........B..............GenuineIntelW...........T............XOa.............................@..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE054.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8278
Entropy (8bit):	3.6980257589495324
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiey61d6YRQPSUGgmfJRVSzCpBB89bV7sfqbnm:RrlsNir6P6YCPSUGgmfJTSHVAfqy
MD5:	0F44DE58B9B79EE7D3968774FB1E0874
SHA1:	E75C8525522241351FD3EFA31BF9C66E05BEFE65
SHA-256:	DC5823CC6DF3860EFDFEBF49C961701F9C1F96CCCDA865563ADB67E41C5A656D
SHA-512:	6C48C5BC5B733A5119AE5EA494F6EB87C5FC81958A40477E0F2E971017B865183B1C613531245AB15C733687A61E2F13933DE37A4F5D507DEC4B7F5924992C6E
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.8.9.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE4CA.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4630
Entropy (8bit):	4.459804142176998
Encrypted:	false
SSDEEP:	48:cvIwSD8zsbJgtWI9IuWSC8Bx28fm8M4JkNWFv1+q8XdYKJYugd:uITf1fPSNLJdPqYugd
MD5:	16EBBA7C00B171217B49B3443B4F518A
SHA1:	3DDFB683EF469177816168DC4B31526F6A3C70B8
SHA-256:	7E92C57006DDFDDDB7954708A5DCBC723EFF366BB8AD2732C112F720592EAC07
SHA-512:	BDC639AEBF5C17DE53B12E79DEC35342634B3ADA1505671B625DD4017B943C4EFC75C07D9E6B444C5B9938EA8C385573EDE29758F90EBCF228C38F58516733A7
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1182384" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Users\user\Desktop\SAWHipN3nS.dll Download File
Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	336237
Entropy (8bit):	2.1754659343483365
Encrypted:	false
SSDEEP:	1536:/IUtVWns2GwmzYSbbz1j+xEXnQud+3VLuoXBYjPYH+ryO3O:/ZVWsP/sSb1ax0A3tDXBYjPYH+ryyO
MD5:	A4387E8ACBEBC6DC20B370617D8DB669
SHA1:	950EA012E5EBFA8AE895B24B74B3A5D138E992FD
SHA-256:	947A5556F8F1891D82666DF499B7C9621511EB5020CFB593DB37ABE198345EB4
SHA-512:	D6BBCE60073A44A9FE8FE6F82E83F8EDD5D8CF510CA8C16E25B422B8C0374B29D3AB346C84441274DB8B73B0185B46B37C258A7079169135947B0B177C7A6097
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....;a...........!......................... ..............................................................................lZ..x....@...b...........................................................................Z..l............................text...t........................... ..`.data........ ......................@....data...d....0...0..................@....rsrc....b...@...d...F..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.500423540479897
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.40% Win16/32 Executable Delphi generic (2074/23) 0.21% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SAWHipN3nS.dll
File size:	336237
MD5:	1ff17ce907ce2d98867ec9c78998518e
SHA1:	91818954ba50a5c63b73461af867a8c68958e20e
SHA256:	2dca3e9494cc2b34e8e1d53d1c9b78830ef35cda9473c5a0b8d84ef9bf4ea330
SHA512:	624127ba3261050966a54965542e4dcee2674e171a307e3df48c569eaaed578e883e785b1915960084910c255716d2a3190f8392ef0e47367e9ab93730492514
SSDEEP:	6144:9/st+16ZWiobj+n5QZRO0Xj/Ee+aRLvccAOPyI:A+QoOaEFA7RD
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....;a...........!......................... .............................................................................

File Icon


Icon Hash:	aca9a8acaca6a888

Static PE Info

General
Entrypoint:	0x100019a1
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:
Time Stamp:	0x613B8C85 [Fri Sep 10 16:49:09 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	6527345f9aee9363b094aad01304de88

Entrypoint Preview

Instruction
push 00000000h
push ebp
mov ebp, esp
add esp, FFFFFFF4h
call 00007F9498ACCDA2h
cmp ebx, eax
je 00007F9498ACA549h
pushad
add edi, ebx
inc ecx
add ecx, eax
push eax
push ecx
push 00000025h
cmp dword ptr [ebx+00433230h], 00000000h
jne 00007F9498ACA2BEh
push 00000000h
call dword ptr [ebx+00435A3Ch]
push ecx
and ecx, 00000000h
xor ecx, eax
and dword ptr [ebx+00433230h], 00000000h
or dword ptr [ebx+00433230h], ecx
pop ecx
cmp dword ptr [ebx+004333D8h], 00000000h
jne 00007F9498ACA342h
cmp dword ptr [ebx+0043384Ch], 00000000h
jne 00007F9498ACA2C0h
call dword ptr [ebx+00435A38h]
mov dword ptr [ebp-04h], ecx
xor ecx, dword ptr [ebp-04h]
xor ecx, eax
and dword ptr [ebx+0043384Ch], 00000000h
or dword ptr [ebx+0043384Ch], ecx
mov ecx, dword ptr [ebp-04h]
push dword ptr [ebx+00433490h]
cmp dword ptr [ebx+0043342Ch], 00000000h
jne 00007F9498ACA2C3h
lea eax, dword ptr [ebx+0043325Ch]
push eax
call dword ptr [ebx+00435A24h]
push edi
xor edi, dword ptr [esp]
xor edi, eax
and dword ptr [ebx+0043342Ch], 00000000h
xor dword ptr [ebx+0043342Ch], edi
pop edi
push FFFFFFDEh
cmp dword ptr [ebx+004332F8h], 00000000h
jne 00007F9498ACA2BCh
call dword ptr [ebx+00435A34h]
push edx
and edx, 00000000h
xor edx, eax
and dword ptr [ebx+004332F8h], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x35a6c	0x78	.data
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4034000	0x162e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x35a00	0x6c	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x30974	0x30a00	False	0.564327602828	data	6.10041951577	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x32000	0x1000	0x800	False	0.01123046875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.data	0x33000	0x4000c64	0x3000	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x4034000	0x162e0	0x16400	False	0.151454968399	data	4.89622756249	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x40343d0	0x10828	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0x4044bf8	0x25a8	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0x40471a0	0x10a8	data	English	United States
RT_ICON	0x4048248	0x988	data	English	United States
RT_MENU	0x4048bd0	0x2d4	data	English	United States
RT_MENU	0x4048ea4	0x196	data	English	United States
RT_MENU	0x404903c	0x1a6	data	English	United States
RT_MENU	0x40491e4	0xb8	data	English	United States
RT_STRING	0x404929c	0x934	data	English	United States
RT_STRING	0x4049bd0	0x4a8	data	English	United States
RT_RCDATA	0x404a078	0x23	data	English	United States
RT_RCDATA	0x404a09c	0xc	data	English	United States
RT_RCDATA	0x404a0a8	0xf	data	English	United States
RT_RCDATA	0x404a0b8	0x24	data	English	United States
RT_RCDATA	0x404a0dc	0x2d	data	English	United States
RT_GROUP_ICON	0x404a10c	0x46	data	English	United States
RT_MANIFEST	0x404a154	0x18a	XML 1.0 document, ASCII text	English	United States

Imports

DLL	Import
kernel32.dll	GetProcAddress, LoadLibraryA, VirtualAlloc, VirtualProtect, GetCurrentThread
user32.dll	CheckDlgButton, GetCursorInfo, CheckMenuRadioItem, GetCaretBlinkTime, CheckRadioButton, GetCapture, CheckMenuItem
ole32.dll	CoCreateGuid, CoGetCurrentLogicalThreadId, CoFileTimeNow, OleUninitialize, CoGetContextToken, CoFreeUnusedLibraries, CoGetCurrentProcess, OleInitialize
advapi32.dll	LsaOpenTrustedDomain

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 25, 2021 10:13:46.007720947 CEST	54513	53	192.168.2.6	8.8.8.8
Sep 25, 2021 10:13:46.030085087 CEST	53	54513	8.8.8.8	192.168.2.6
Sep 25, 2021 10:14:06.105314016 CEST	62044	53	192.168.2.6	8.8.8.8
Sep 25, 2021 10:14:06.124686003 CEST	53	62044	8.8.8.8	192.168.2.6
Sep 25, 2021 10:14:06.192544937 CEST	63791	53	192.168.2.6	8.8.8.8
Sep 25, 2021 10:14:06.219953060 CEST	53	63791	8.8.8.8	192.168.2.6
Sep 25, 2021 10:14:06.953224897 CEST	64267	53	192.168.2.6	8.8.8.8
Sep 25, 2021 10:14:06.971004963 CEST	53	64267	8.8.8.8	192.168.2.6
Sep 25, 2021 10:14:07.110591888 CEST	49448	53	192.168.2.6	8.8.8.8
Sep 25, 2021 10:14:07.129722118 CEST	53	49448	8.8.8.8	192.168.2.6
Sep 25, 2021 10:14:07.591691017 CEST	60342	53	192.168.2.6	8.8.8.8
Sep 25, 2021 10:14:07.611550093 CEST	53	60342	8.8.8.8	192.168.2.6
Sep 25, 2021 10:14:07.960711956 CEST	61346	53	192.168.2.6	8.8.8.8
Sep 25, 2021 10:14:08.013912916 CEST	53	61346	8.8.8.8	192.168.2.6
Sep 25, 2021 10:14:08.522381067 CEST	51774	53	192.168.2.6	8.8.8.8
Sep 25, 2021 10:14:08.653244972 CEST	53	51774	8.8.8.8	192.168.2.6
Sep 25, 2021 10:14:09.565783978 CEST	56023	53	192.168.2.6	8.8.8.8
Sep 25, 2021 10:14:09.585549116 CEST	53	56023	8.8.8.8	192.168.2.6
Sep 25, 2021 10:14:10.116297007 CEST	58384	53	192.168.2.6	8.8.8.8
Sep 25, 2021 10:14:10.137151957 CEST	53	58384	8.8.8.8	192.168.2.6
Sep 25, 2021 10:14:10.911505938 CEST	60261	53	192.168.2.6	8.8.8.8
Sep 25, 2021 10:14:10.930983067 CEST	53	60261	8.8.8.8	192.168.2.6
Sep 25, 2021 10:14:12.055686951 CEST	56061	53	192.168.2.6	8.8.8.8
Sep 25, 2021 10:14:12.074328899 CEST	53	56061	8.8.8.8	192.168.2.6
Sep 25, 2021 10:14:13.360107899 CEST	58336	53	192.168.2.6	8.8.8.8
Sep 25, 2021 10:14:13.379592896 CEST	53	58336	8.8.8.8	192.168.2.6
Sep 25, 2021 10:14:20.894797087 CEST	53781	53	192.168.2.6	8.8.8.8
Sep 25, 2021 10:14:20.922849894 CEST	53	53781	8.8.8.8	192.168.2.6
Sep 25, 2021 10:14:20.934362888 CEST	54064	53	192.168.2.6	8.8.8.8
Sep 25, 2021 10:14:20.955288887 CEST	53	54064	8.8.8.8	192.168.2.6
Sep 25, 2021 10:14:23.502917051 CEST	52811	53	192.168.2.6	8.8.8.8
Sep 25, 2021 10:14:23.524343967 CEST	53	52811	8.8.8.8	192.168.2.6
Sep 25, 2021 10:14:44.086471081 CEST	55299	53	192.168.2.6	8.8.8.8
Sep 25, 2021 10:14:44.107433081 CEST	53	55299	8.8.8.8	192.168.2.6
Sep 25, 2021 10:14:58.559047937 CEST	63745	53	192.168.2.6	8.8.8.8
Sep 25, 2021 10:14:58.585380077 CEST	53	63745	8.8.8.8	192.168.2.6
Sep 25, 2021 10:14:59.525274038 CEST	50055	53	192.168.2.6	8.8.8.8
Sep 25, 2021 10:14:59.560244083 CEST	53	50055	8.8.8.8	192.168.2.6
Sep 25, 2021 10:15:31.574388981 CEST	61374	53	192.168.2.6	8.8.8.8
Sep 25, 2021 10:15:31.603276968 CEST	53	61374	8.8.8.8	192.168.2.6

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6652 Parent PID: 5344

General

Start time:	10:13:21
Start date:	25/09/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\SAWHipN3nS.dll'
Imagebase:	0x170000
File size:	116736 bytes
MD5 hash:	542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 6664 Parent PID: 6652

General

Start time:	10:13:22
Start date:	25/09/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SAWHipN3nS.dll',#1
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 6684 Parent PID: 6664

General

Start time:	10:13:22
Start date:	25/09/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\SAWHipN3nS.dll',#1
Imagebase:	0x1170000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: explorer.exe PID: 6732 Parent PID: 6652

General

Start time:	10:13:26
Start date:	25/09/2021
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0x70000
File size:	3611360 bytes
MD5 hash:	166AB1B9462E5C1D6D18EC5EC0B6A5F7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: explorer.exe PID: 6752 Parent PID: 6684

General

Start time:	10:13:26
Start date:	25/09/2021
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0x70000
File size:	3611360 bytes
MD5 hash:	166AB1B9462E5C1D6D18EC5EC0B6A5F7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: schtasks.exe PID: 6832 Parent PID: 6732

General

Start time:	10:13:28
Start date:	25/09/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn yyhcsfwg /tr 'regsvr32.exe -s \'C:\Users\user\Desktop\SAWHipN3nS.dll\'' /SC ONCE /Z /ST 10:15 /ET 10:27
Imagebase:	0xc30000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 6840 Parent PID: 6832

General

Start time:	10:13:28
Start date:	25/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: regsvr32.exe PID: 6888 Parent PID: 936

General

Start time:	10:13:29
Start date:	25/09/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32.exe -s 'C:\Users\user\Desktop\SAWHipN3nS.dll'
Imagebase:	0x7ff771460000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: regsvr32.exe PID: 6896 Parent PID: 6888

General

Start time:	10:13:30
Start date:	25/09/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	-s 'C:\Users\user\Desktop\SAWHipN3nS.dll'
Imagebase:	0xc30000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: WerFault.exe PID: 6960 Parent PID: 6896

General

Start time:	10:13:33
Start date:	25/09/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6896 -s 644
Imagebase:	0xb00000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: regsvr32.exe PID: 6264 Parent PID: 936

General

Start time:	10:15:00
Start date:	25/09/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32.exe -s 'C:\Users\user\Desktop\SAWHipN3nS.dll'
Imagebase:	0x7ff771460000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: regsvr32.exe PID: 6324 Parent PID: 6264

General

Start time:	10:15:00
Start date:	25/09/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	-s 'C:\Users\user\Desktop\SAWHipN3nS.dll'
Imagebase:	0xc30000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: WerFault.exe PID: 4388 Parent PID: 6324

General

Start time:	10:15:02
Start date:	25/09/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6324 -s 652
Imagebase:	0xb00000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report SAWHipN3nS.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

System Summary:

Persistence and Installation Behavior:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: loaddll32.exe PID: 6652 Parent PID: 5344

General

Analysis Process: cmd.exe PID: 6664 Parent PID: 6652

General

Analysis Process: rundll32.exe PID: 6684 Parent PID: 6664

General

Analysis Process: explorer.exe PID: 6732 Parent PID: 6652