Windows Analysis Report ZBvNS77A7a.dll

Overview

General Information

Sample Name: ZBvNS77A7a.dll
Analysis ID: 490262
MD5: 6484d8ffd4a6de7947534571e9907b4e
SHA1: 41e1cbd037698c3329db4edfe4e6b28b0654e94c
SHA256: 64a6039b2b3a347312f56170b5eb7deebe6d37ef6fb414fb929e84be4799dfa5
Tags: dllSquirrelwaffle

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Writes to foreign memory regions
Machine Learning detection for sample
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
Sigma detected: Regsvr32 Command Line Without DLL
Machine Learning detection for dropped file
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
PE file does not import any functions
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Checks if the current process is being debugged
Registers a DLL
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: ZBvNS77A7a.dll Virustotal: Detection: 46%
Source: ZBvNS77A7a.dll ReversingLabs: Detection: 60%
Machine Learning detection for sample
Source: ZBvNS77A7a.dll Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\Desktop\ZBvNS77A7a.dll Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: ZBvNS77A7a.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: Binary string: ole32.pdb# source: WerFault.exe, 00000019.00000003.932307324.0000000003D36000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000D.00000003.728766829.0000000003AC1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.932275167.0000000003D61000.00000004.00000001.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000000D.00000003.737356835.0000000003DB6000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.932307324.0000000003D36000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000D.00000003.737356835.0000000003DB6000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.932307324.0000000003D36000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000D.00000003.737117016.0000000003DE1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.932275167.0000000003D61000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000D.00000003.737117016.0000000003DE1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.932275167.0000000003D61000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000D.00000003.737253466.0000000003DB0000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.932298953.0000000003D30000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000D.00000003.737117016.0000000003DE1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.932275167.0000000003D61000.00000004.00000001.sdmp
Source: Binary string: propsys.pdb$ source: WerFault.exe, 00000019.00000003.932307324.0000000003D36000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000D.00000003.737253466.0000000003DB0000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.932298953.0000000003D30000.00000004.00000040.sdmp
Source: Binary string: ole32.pdbBa source: WerFault.exe, 0000000D.00000003.737356835.0000000003DB6000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb) source: WerFault.exe, 00000019.00000003.932307324.0000000003D36000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000D.00000003.737117016.0000000003DE1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.932275167.0000000003D61000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000D.00000003.737356835.0000000003DB6000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.932307324.0000000003D36000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000D.00000003.737356835.0000000003DB6000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.932307324.0000000003D36000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000D.00000003.737356835.0000000003DB6000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.932307324.0000000003D36000.00000004.00000040.sdmp
Source: Binary string: regsvr32.pdbk source: WerFault.exe, 0000000D.00000003.737117016.0000000003DE1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.932275167.0000000003D61000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000000D.00000003.737117016.0000000003DE1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.932275167.0000000003D61000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000D.00000003.737117016.0000000003DE1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.932275167.0000000003D61000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000D.00000003.737117016.0000000003DE1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.932275167.0000000003D61000.00000004.00000001.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 0000000D.00000003.737253466.0000000003DB0000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.932298953.0000000003D30000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000D.00000003.737356835.0000000003DB6000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.932307324.0000000003D36000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000D.00000003.737117016.0000000003DE1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.932275167.0000000003D61000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 0000000D.00000003.737356835.0000000003DB6000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.932307324.0000000003D36000.00000004.00000040.sdmp
Source: Binary string: combase.pdb|g source: WerFault.exe, 0000000D.00000003.737356835.0000000003DB6000.00000004.00000040.sdmp
Source: Binary string: regsvr32.pdb source: WerFault.exe, 0000000D.00000003.737117016.0000000003DE1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.932275167.0000000003D61000.00000004.00000001.sdmp
Source: Binary string: mpr.pdb7 source: WerFault.exe, 0000000D.00000003.737253466.0000000003DB0000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 0000000D.00000003.737253466.0000000003DB0000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.932298953.0000000003D30000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000000D.00000003.737356835.0000000003DB6000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.932307324.0000000003D36000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 0000000D.00000003.737356835.0000000003DB6000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.932307324.0000000003D36000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000D.00000003.737117016.0000000003DE1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.932275167.0000000003D61000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdbd_ source: WerFault.exe, 0000000D.00000003.737356835.0000000003DB6000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000D.00000003.737356835.0000000003DB6000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.932307324.0000000003D36000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000D.00000003.737356835.0000000003DB6000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.932307324.0000000003D36000.00000004.00000040.sdmp
Source: Binary string: amstream.pdb source: explorer.exe, 00000004.00000003.702172421.0000000005361000.00000004.00000001.sdmp, explorer.exe, 00000005.00000003.702205579.0000000004F11000.00000004.00000001.sdmp, regsvr32.exe, 00000009.00000000.716853295.0000000010001000.00000020.00020000.sdmp, regsvr32.exe, 00000017.00000000.923266428.0000000010001000.00000020.00020000.sdmp, ZBvNS77A7a.dll.5.dr
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000D.00000003.737356835.0000000003DB6000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.932307324.0000000003D36000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000D.00000003.737253466.0000000003DB0000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.932298953.0000000003D30000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdb5 source: WerFault.exe, 00000019.00000003.932307324.0000000003D36000.00000004.00000040.sdmp
Source: Binary string: sfc.pdbK source: WerFault.exe, 0000000D.00000003.737356835.0000000003DB6000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.932307324.0000000003D36000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000D.00000003.737356835.0000000003DB6000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.932307324.0000000003D36000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000D.00000003.737356835.0000000003DB6000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.932307324.0000000003D36000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000000D.00000003.737117016.0000000003DE1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.932275167.0000000003D61000.00000004.00000001.sdmp
Source: Binary string: amstream.pdbGCTL source: explorer.exe, 00000004.00000003.702172421.0000000005361000.00000004.00000001.sdmp, explorer.exe, 00000005.00000003.702205579.0000000004F11000.00000004.00000001.sdmp, regsvr32.exe, 00000009.00000000.716853295.0000000010001000.00000020.00020000.sdmp, regsvr32.exe, 00000017.00000000.923266428.0000000010001000.00000020.00020000.sdmp, ZBvNS77A7a.dll.5.dr
Source: Binary string: annjrqnCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000D.00000002.764287027.0000000002C32000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000002.938813664.0000000002962000.00000004.00000001.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000D.00000003.737253466.0000000003DB0000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.932298953.0000000003D30000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdbvm source: WerFault.exe, 0000000D.00000003.737356835.0000000003DB6000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000D.00000003.737356835.0000000003DB6000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.932307324.0000000003D36000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000D.00000003.737253466.0000000003DB0000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.932298953.0000000003D30000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000D.00000003.737253466.0000000003DB0000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.932298953.0000000003D30000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000D.00000003.737253466.0000000003DB0000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.932298953.0000000003D30000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000D.00000003.737356835.0000000003DB6000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.932307324.0000000003D36000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000D.00000003.737356835.0000000003DB6000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.932307324.0000000003D36000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 0000000D.00000003.737356835.0000000003DB6000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.932307324.0000000003D36000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000D.00000003.737117016.0000000003DE1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.932275167.0000000003D61000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000D.00000003.737117016.0000000003DE1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.932275167.0000000003D61000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdbH{ source: WerFault.exe, 0000000D.00000003.737356835.0000000003DB6000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000D.00000003.737117016.0000000003DE1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.932275167.0000000003D61000.00000004.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000AE9A FindFirstFileW,FindNextFileW, 0_2_1000AE9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1000AE9A FindFirstFileW,FindNextFileW, 2_2_1000AE9A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_0360AE9A FindFirstFileW,FindNextFileW, 4_2_0360AE9A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00E5AE9A FindFirstFileW,FindNextFileW, 5_2_00E5AE9A

System Summary:

Uses 32bit PE files
Source: ZBvNS77A7a.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
One or more processes crash
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5944 -s 660
Creates files inside the system directory
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\DBG
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_030919A1 0_2_030919A1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10016EC0 0_2_10016EC0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10012351 0_2_10012351
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10011763 0_2_10011763
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001538F 0_2_1001538F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10014FD0 0_2_10014FD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_045819A1 2_2_045819A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10016EC0 2_2_10016EC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10012351 2_2_10012351
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10011763 2_2_10011763
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1001538F 2_2_1001538F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10014FD0 2_2_10014FD0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_03611763 4_2_03611763
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_03612351 4_2_03612351
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_03614FD0 4_2_03614FD0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_0361538F 4_2_0361538F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_03616EC0 4_2_03616EC0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00E66EC0 5_2_00E66EC0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00E64FD0 5_2_00E64FD0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00E6538F 5_2_00E6538F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00E61763 5_2_00E61763
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00E62351 5_2_00E62351
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000C6CB NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose, 0_2_1000C6CB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000CB82 memset,GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary, 0_2_1000CB82
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1000C6CB NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose, 2_2_1000C6CB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1000CB82 memset,GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary, 2_2_1000CB82
PE file does not import any functions
Source: ZBvNS77A7a.dll.5.dr Static PE information: No import functions for PE file found
Source: ZBvNS77A7a.dll.4.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: ZBvNS77A7a.dll.5.dr Binary or memory string: OriginalFilenameAMStream.dllj% vs ZBvNS77A7a.dll
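The two static findings above (32BIT_MACHINE / EXECUTABLE_IMAGE / DLL characteristics, and an empty import table on the dropped copy) come straight out of the COFF and optional headers, and are cheap to reproduce when triaging a sample before it goes to a sandbox. The following is an added example, not Joe Sandbox code: it parses just enough of the PE headers to report those flags and whether an import directory exists. The `build_headers_only_pe` helper fabricates a headers-only image so the script runs offline; it is a constructed stand-in, not the ZBvNS77A7a.dll sample, and the command-line path handling is an assumption for convenience.

```python
import struct
import sys

# IMAGE_FILE_HEADER.Characteristics bits and machine types from the PE/COFF spec.
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B

# Order matches how the report prints the characteristics.
CHARACTERISTIC_NAMES = [
    (IMAGE_FILE_32BIT_MACHINE, "32BIT_MACHINE"),
    (IMAGE_FILE_EXECUTABLE_IMAGE, "EXECUTABLE_IMAGE"),
    (IMAGE_FILE_DLL, "DLL"),
]


def triage_pe(data):
    """Read DOS -> COFF -> optional header and return the static facts the
    report lists: characteristics flags and whether an import table exists."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsect, _ts, _symp, _nsym, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20  # IMAGE_FILE_HEADER is 20 bytes
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        nrva_off, dd_off = 92, 96
    elif magic == PE32PLUS_MAGIC:
        nrva_off, dd_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if opt_size < nrva_off + 4:
        raise ValueError("optional header truncated")
    (nrva,) = struct.unpack_from("<I", data, opt + nrva_off)
    import_rva = 0
    # Import directory is DataDirectory[1]; a minimal header may legally omit it.
    if nrva > 1 and opt_size >= dd_off + 16:
        import_rva, _import_size = struct.unpack_from("<II", data, opt + dd_off + 8)
    return {
        "machine": machine,
        "is_pe32": magic == PE32_MAGIC,
        "flags": [name for bit, name in CHARACTERISTIC_NAMES if chars & bit],
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "no_imports": import_rva == 0,  # what the report calls "does not import any functions"
    }


def build_headers_only_pe(characteristics, magic=PE32_MAGIC, import_rva=0):
    """Constructed headers-only PE image for offline testing (no sections, no code)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 224 if magic == PE32_MAGIC else 240
    machine = IMAGE_FILE_MACHINE_I386 if magic == PE32_MAGIC else IMAGE_FILE_MACHINE_AMD64
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    nrva_off, dd_off = (92, 96) if magic == PE32_MAGIC else (108, 112)
    struct.pack_into("<I", opt, nrva_off, 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dd_off + 8, import_rva, 0x50 if import_rva else 0)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def triage_report_like_sample():
    """Headers mimicking the report's static findings: 32-bit DLL with no import table."""
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_DLL
    return triage_pe(build_headers_only_pe(chars))


if __name__ == "__main__":
    # Assumed usage: pass a real file path, otherwise triage the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_headers_only_pe(
        IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_DLL)
    print(triage_pe(blob))
```

An empty import directory on an executable that still calls dozens of APIs (compare the "Contains functionality to dynamically determine API calls" signature) is a strong hint that the binary resolves its imports at runtime, which is why the static and dynamic findings in this report should be read together.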
Tries to load missing DLLs
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: ZBvNS77A7a.dll Virustotal: Detection: 46%
Source: ZBvNS77A7a.dll ReversingLabs: Detection: 60%
Source: ZBvNS77A7a.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\ZBvNS77A7a.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\ZBvNS77A7a.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ZBvNS77A7a.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn payuhfp /tr 'regsvr32.exe -s \'C:\Users\user\Desktop\ZBvNS77A7a.dll\'' /SC ONCE /Z /ST 10:25 /ET 10:37
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Desktop\ZBvNS77A7a.dll'
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Desktop\ZBvNS77A7a.dll'
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5944 -s 660
Source: unknown Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Desktop\ZBvNS77A7a.dll'
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Desktop\ZBvNS77A7a.dll'
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5576 -s 652
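The process chain above is the detection-relevant part of this report: a DLL host (loaddll32/rundll32) spawning a SysWOW64 explorer.exe, that explorer creating a one-shot SYSTEM scheduled task whose action is `regsvr32.exe -s` on a DLL in the user's Desktop, and regsvr32 then loading that DLL. The block below is an added example of how to encode those three observations as process-creation rules; it is neither a Joe Sandbox nor a Sigma rule. The events are constructed here, modelled on the command lines listed above, with two benign control events and rule names that are my own.

```python
import re

# Constructed process-creation events modelled on the report's command lines
# (not exported from the sandbox). The last two are benign controls.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\loaddll32.exe", "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": "cmd.exe /C rundll32.exe 'C:\\Users\\user\\Desktop\\ZBvNS77A7a.dll',#1"},
    {"parent": r"C:\Windows\SysWOW64\rundll32.exe", "image": r"C:\Windows\SysWOW64\explorer.exe",
     "cmdline": r"C:\Windows\SysWOW64\explorer.exe"},
    {"parent": r"C:\Windows\SysWOW64\explorer.exe", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": "'C:\\Windows\\system32\\schtasks.exe' /Create /RU 'NT AUTHORITY\\SYSTEM' /tn payuhfp "
                "/tr 'regsvr32.exe -s \\'C:\\Users\\user\\Desktop\\ZBvNS77A7a.dll\\'' /SC ONCE /Z /ST 10:25 /ET 10:37"},
    {"parent": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": "regsvr32.exe -s 'C:\\Users\\user\\Desktop\\ZBvNS77A7a.dll'"},
    {"parent": r"C:\Program Files\Vendor\setup.exe", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": "regsvr32.exe /s \"C:\\Program Files\\Vendor\\vendor.dll\""},
    {"parent": r"C:\Windows\System32\userinit.exe", "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe"},
]

# Locations a standard user can write to; a COM/DLL loader pointed here is suspicious.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|AppData|Temp)\\", re.I)
DLL_HOSTS = ("regsvr32.exe", "rundll32.exe", "loaddll32.exe")
SYSTEM_RUNAS = re.compile(r"/ru\s+['\"]?(nt authority\\)?system\b", re.I)
# schtasks quotes the /tr action; capture up to the closing quote that precedes the next switch.
TASK_ACTION = re.compile(r"/tr\s+(['\"])(.*?)\1\s+/", re.I | re.S)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(event):
    """Return the rule names this single process-creation event matches."""
    hits = []
    parent, image, cmd = basename(event["parent"]), basename(event["image"]), event["cmdline"]

    # 1. regsvr32/rundll32 loading a DLL from a user-writable path (the report's
    #    'regsvr32.exe -s C:\Users\...\ZBvNS77A7a.dll' and rundll32 ...,#1 launches).
    if image in DLL_HOSTS and USER_WRITABLE.search(cmd):
        hits.append("dll_loader_from_user_writable_path")

    # 2. schtasks creating a task that runs as SYSTEM whose action is a DLL host
    #    pointed at a user-writable path (the 'payuhfp' task in the report).
    if image == "schtasks.exe" and "/create" in cmd.lower() and SYSTEM_RUNAS.search(cmd):
        m = TASK_ACTION.search(cmd)
        action = m.group(2) if m else ""
        if re.search(r"\b(regsvr32|rundll32)(\.exe)?\b", action, re.I) and USER_WRITABLE.search(action):
            hits.append("system_task_runs_dll_loader_from_user_path")

    # 3. explorer.exe spawned by a DLL host: the staging step before the
    #    'Injects code into the Windows Explorer' behaviour, and not a normal parent.
    if image == "explorer.exe" and parent in DLL_HOSTS:
        hits.append("explorer_spawned_by_dll_host")
    return hits


def scan(events):
    """Map event index -> matched rules, omitting events with no match."""
    results = {}
    for i, event in enumerate(events):
        hits = detect(event)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["cmdline"][:60], rules)
```

The benign controls matter: a vendor installer registering a COM server under Program Files and the normal userinit-to-explorer logon chain match none of the rules, while the three report events each match exactly one. Rule 2 keys on the combination of `/RU SYSTEM`, a DLL host as the action, and a user-writable path; any one of those alone is common in legitimate administration.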
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Pzjqjshjoy
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF241.tmp
Source: classification engine Classification label: mal92.evad.winDLL@20/10@0/0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000D52E CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket, 0_2_1000D52E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000AB89 CreateToolhelp32Snapshot,memset,Process32First,Process32Next,CloseHandle, 0_2_1000AB89
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ZBvNS77A7a.dll',#1
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\{9A57D251-8185-479A-AC5F-1814AF591876}
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{62D2F15B-1C9B-4191-87B4-71874D8982FF}
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\WERReportingForProcess5944
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\WERReportingForProcess5576
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6624:120:WilError_01
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\{62D2F15B-1C9B-4191-87B4-71874D8982FF}
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000D.00000003.737117016.0000000003DE1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.932275167.0000000003D61000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000D.00000003.737117016.0000000003DE1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.932275167.0000000003D61000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdbH{ source: WerFault.exe, 0000000D.00000003.737356835.0000000003DB6000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000D.00000003.737117016.0000000003DE1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.932275167.0000000003D61000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_030944AB push edi; mov dword ptr [esp], 00000003h 0_2_030944FE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_030944AB push edx; mov dword ptr [esp], 00F00000h 0_2_03094507
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_030919A1 push 00000000h; mov dword ptr [esp], eax 0_2_03091C63
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_030919A1 push 00000000h; mov dword ptr [esp], edx 0_2_03091C89
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_030919A1 push 00000000h; mov dword ptr [esp], ecx 0_2_03091D27
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_030919A1 push ebp; mov dword ptr [esp], 000FFFFFh 0_2_03091EE2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001A006 push ebx; ret 0_2_1001A007
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001D485 push FFFFFF8Ah; iretd 0_2_1001D50E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001D4B6 push FFFFFF8Ah; iretd 0_2_1001D50E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10019D54 push cs; iretd 0_2_10019E2A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10019E56 push cs; iretd 0_2_10019E2A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001BB21 push esi; iretd 0_2_1001BB26
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_045844AB push edi; mov dword ptr [esp], 00000003h 2_2_045844FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_045844AB push edx; mov dword ptr [esp], 00F00000h 2_2_04584507
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_045819A1 push 00000000h; mov dword ptr [esp], eax 2_2_04581C63
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_045819A1 push 00000000h; mov dword ptr [esp], edx 2_2_04581C89
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_045819A1 push 00000000h; mov dword ptr [esp], ecx 2_2_04581D27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_045819A1 push ebp; mov dword ptr [esp], 000FFFFFh 2_2_04581EE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1001A006 push ebx; ret 2_2_1001A007
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1001D485 push FFFFFF8Ah; iretd 2_2_1001D50E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1001D4B6 push FFFFFF8Ah; iretd 2_2_1001D50E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10019D54 push cs; iretd 2_2_10019E2A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10019E56 push cs; iretd 2_2_10019E2A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1001BB21 push esi; iretd 2_2_1001BB26
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_0361BB21 push esi; iretd 4_2_0361BB26
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_03619E56 push cs; iretd 4_2_03619E2A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_03619D54 push cs; iretd 4_2_03619E2A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_0361A006 push ebx; ret 4_2_0361A007
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_0361D4B6 push FFFFFF8Ah; iretd 4_2_0361D50E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_0361D485 push FFFFFF8Ah; iretd 4_2_0361D50E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00E6D4B6 push FFFFFF8Ah; iretd 5_2_00E6D50E
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000DFB8 LoadLibraryA,GetProcAddress, 0_2_1000DFB8
Registers a DLL
Source: unknown Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Desktop\ZBvNS77A7a.dll'

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Desktop\ZBvNS77A7a.dll Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn payuhfp /tr 'regsvr32.exe -s \'C:\Users\user\Desktop\ZBvNS77A7a.dll\'' /SC ONCE /Z /ST 10:25 /ET 10:37

Hooking and other Techniques for Hiding and Protection:

Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5616 base: 10DF380 value: E9 4F 69 52 02 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5620 base: 10DF380 value: E9 4F 69 D7 FF Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\explorer.exe TID: 4676 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 6616 Thread sleep count: 90 > 30 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000D02A GetCurrentProcessId,GetModuleFileNameW,GetCurrentProcess,GetCurrentProcess,GetLastError,GetLastError,GetSystemMetrics,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,GetSystemInfo,GetWindowsDirectoryW, 0_2_1000D02A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000AE9A FindFirstFileW,FindNextFileW, 0_2_1000AE9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1000AE9A FindFirstFileW,FindNextFileW, 2_2_1000AE9A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_0360AE9A FindFirstFileW,FindNextFileW, 4_2_0360AE9A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00E5AE9A FindFirstFileW,FindNextFileW, 5_2_00E5AE9A

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000DFB8 LoadLibraryA,GetProcAddress, 0_2_1000DFB8
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\regsvr32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_03605A49 RtlAddVectoredExceptionHandler, 4_2_03605A49

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Windows\System32\loaddll32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write Jump to behavior
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: E80000 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 10DF380 Jump to behavior
Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: E80000 protect: page read and write Jump to behavior
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5616 base: 33E0000 value: B8 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5616 base: 347A2D8 value: 00 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5616 base: 347B1E8 value: 00 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5616 base: 33F0000 value: 9C Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5616 base: 10DF380 value: E9 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5620 base: E80000 value: 9C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5620 base: 10DF380 value: E9 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ZBvNS77A7a.dll',#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: explorer.exe, 00000004.00000002.951903725.0000000003E50000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000004.00000002.951903725.0000000003E50000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000002.951903725.0000000003E50000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000002.951903725.0000000003E50000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\loaddll32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_036031C2 CreateNamedPipeA, 4_2_036031C2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100097F2 GetSystemTimeAsFileTime, 0_2_100097F2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000D02A GetCurrentProcessId,GetModuleFileNameW,GetCurrentProcess,GetCurrentProcess,GetLastError,GetLastError,GetSystemMetrics,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,GetSystemInfo,GetWindowsDirectoryW, 0_2_1000D02A
No contacted IP infos