Play interactive tour

Edit tour

Windows Analysis Report 0G0AO3HYEI

Overview

General Information

Sample Name:	0G0AO3HYEI (renamed file extension from none to dll)
Analysis ID:	492188
MD5:	c50f692a715db805e68e9655ff6a9ab2
SHA1:	229b257301ed99d518364afd22c4276daa5b3d20
SHA256:	ff3aa75e4d4637599d3e97fb8b42ce8a1254425f856671ae56377df2676b1033
Tags:	Dridexexe
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Dridex unpacked file

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

PE file has nameless sections

Potential time zone aware malware

Uses Windows timers to delay execution

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Queries the installation date of Windows

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

PE file contains executable resources (Code or Archives)

Program does not show much activity (idle)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

PE file contains an invalid checksum

PE file contains strange resources

PE file contains more sections than normal

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 6488 cmdline: loaddll64.exe 'C:\Users\user\Desktop\0G0AO3HYEI.dll' MD5: A84133CCB118CF35D49A423CD836D0EF)

cmd.exe (PID: 6512 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\0G0AO3HYEI.dll',#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

rundll32.exe (PID: 6532 cmdline: rundll32.exe 'C:\Users\user\Desktop\0G0AO3HYEI.dll',#1 MD5: 73C519F050C20580F8A62C849D49215A)

explorer.exe (PID: 3292 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

rundll32.exe (PID: 6520 cmdline: rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,CheckDriverSoftwareDependenciesSatisfied MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 6864 cmdline: rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DeviceInternetSettingUiW MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 6924 cmdline: rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiInstallDevice MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 6940 cmdline: rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiInstallDriverA MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 7116 cmdline: rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiInstallDriverW MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 4604 cmdline: rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiRollbackDriver MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 5392 cmdline: rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiShowUpdateDevice MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 6508 cmdline: rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiShowUpdateDriver MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 6656 cmdline: rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiUninstallDevice MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 5636 cmdline: rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiUninstallDriverA MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 4516 cmdline: rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiUninstallDriverW MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 3324 cmdline: rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,GetInternetPolicies MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 3604 cmdline: rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallNewDevice MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 4912 cmdline: rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallSelectedDriver MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 3864 cmdline: rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallWindowsUpdateDriver MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 1392 cmdline: rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallWindowsUpdateDriverEx MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 6568 cmdline: rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallWindowsUpdateDrivers MD5: 73C519F050C20580F8A62C849D49215A)

explorer.exe (PID: 7024 cmdline: explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)

explorer.exe (PID: 4932 cmdline: explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)

explorer.exe (PID: 4628 cmdline: explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000011.00000002.531717710.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000025.00000002.532357019.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000015.00000002.531718093.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000009.00000002.531527593.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000014.00000002.531894805.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000022.00000002.533238918.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000004.00000002.531244676.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
0000001C.00000002.532059437.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000008.00000002.531418646.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000021.00000002.532290767.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
0000000E.00000002.531716160.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
0000001E.00000002.532228237.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000003.00000002.531206986.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000001.00000002.531295536.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
0000000A.00000002.531585014.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000028.00000002.532418928.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000018.00000002.531937010.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
0000001A.00000002.531718874.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
0000001F.00000002.532276672.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
Click to see the 14 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: 0G0AO3HYEI.dll	Virustotal: Detection: 58%			Perma Link
Source: 0G0AO3HYEI.dll	ReversingLabs: Detection: 62%

Source: 0G0AO3HYEI.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: ntdll.pdb source: loaddll64.exe, 00000001.00000003.411800362.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.256715020.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.256417536.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.263803630.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000009.00000003.271733095.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000003.279171463.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000000E.00000003.288178811.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000011.00000003.295451294.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000014.00000003.303409299.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000015.00000003.310728417.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000018.00000003.318939594.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000001A.00000003.328403002.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000001C.00000003.335755306.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000001E.00000003.343665130.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000001F.00000003.352054462.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000021.00000003.359110630.0000000180000000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: loaddll64.exe, 00000001.00000003.411800362.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.256715020.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.256417536.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.263803630.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000009.00000003.271733095.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000003.279171463.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000000E.00000003.288178811.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000011.00000003.295451294.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000014.00000003.303409299.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000015.00000003.310728417.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000018.00000003.318939594.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000001A.00000003.328403002.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000001C.00000003.335755306.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000001E.00000003.343665130.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000001F.00000003.352054462.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000021.00000003.359110630.0000000180000000.00000004.00000001.sdmp

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_000000014004FBF8 FindFirstFileExW,

Source: explorer.exe, 00000006.00000000.280007192.0000000006870000.00000004.00000001.sdmp

String found in binary or memory: http://www.autoitscript.com/autoit3/J

E-Banking Fraud:

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 00000011.00000002.531717710.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.532357019.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.531718093.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.531527593.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.531894805.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.533238918.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.531244676.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.532059437.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.531418646.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.532290767.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.531716160.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.532228237.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.531206986.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.531295536.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.531585014.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.532418928.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.531937010.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.531718874.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.532276672.0000000140001000.00000020.00020000.sdmp, type: MEMORY

System Summary:

PE file has nameless sections

Show sources

Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:

Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400421C8
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400431CC
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400504E4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014003A688
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004271C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400447B8
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140027954
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140053AF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140045BE0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004ED58
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140026FF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140019054
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001C05C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140005078
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140053094
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400330C4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014003B0C8
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400380D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014003F0FC
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140063102
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140052110
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001311C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140001154
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400311B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400021C8
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400231DC
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006D1F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140032214
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002A214
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002E228
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140035268
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140046264
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140069278
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002F278
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004B288
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140068292
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400362A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400172A8
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001E2E4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140029320
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014000732C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002C348
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140038424
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006B428
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014005343C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014005B470
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004F4C8
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001B52C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140026540
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140044584
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140061598
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004759C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400215FC
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140051620
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140032648
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140053644
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140067663
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001A66C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014003C6B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001D6C4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400356F4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004F708
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140024718
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001276C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014000F76C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140056790
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400557DC
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140057820
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014003E8E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400258FC
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014005C8FC
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006D904
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140005918
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140020924
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140068928
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140031928
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140019928
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140024940
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002D95C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140032964
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014005497C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140033984
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400479E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002CA14
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006BA1C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140002A20
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140026A24
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002AA90
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140005AB8
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001CAC8
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006AAD8
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140024AEC
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140041AF4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002BB18
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014000EB3C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140014B68
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140001B74
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002AB7A
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002AB7F
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002AB84
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140006B88
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002AB89
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002AB8E
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002AB93
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002AB98
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002AB9D
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002ABA2
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002ABA7
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001DBB8
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014000BBC4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140003BE0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140034BF8
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140050BF4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140016BFC
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014005ABFC
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140036C08
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140029C1C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140026C30
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014003CC38
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140035C80
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140022C84
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140032CC8
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004CCD4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014003BCE4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140015D04
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001AD0C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140037D24
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001CD24
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014005CD24
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001FD44
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140052D60
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014000AD5C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014003DDA4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140050DA8
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014005CDAB
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140030DC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140051DE4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140018DE8
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006BE28
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140006E34
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002AE48
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140068E58
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001EE68
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140004E68
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014000CEAC
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140011EB4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140014EBC
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140013ED4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140057FA8
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014005CFCA
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140047FCC
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140025FD4

Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400455F8 NtAllocateVirtualMemory,
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140059688 NtTerminateProcess,
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004386C NtDelayExecution,
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140049CF8 NtClose,

Source: 0G0AO3HYEI.dll

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: 0G0AO3HYEI.dll	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 0G0AO3HYEI.dll	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 0G0AO3HYEI.dll

Static PE information: Number of sections : 28 > 10

Source: 0G0AO3HYEI.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 0G0AO3HYEI.dll	Virustotal: Detection: 58%
Source: 0G0AO3HYEI.dll	ReversingLabs: Detection: 62%

Source: 0G0AO3HYEI.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\0G0AO3HYEI.dll'
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\0G0AO3HYEI.dll',#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,CheckDriverSoftwareDependenciesSatisfied
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\0G0AO3HYEI.dll',#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DeviceInternetSettingUiW
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiInstallDevice
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiInstallDriverA
Source: unknown	Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiInstallDriverW
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiRollbackDriver
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiShowUpdateDevice
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiShowUpdateDriver
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiUninstallDevice
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiUninstallDriverA
Source: unknown	Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiUninstallDriverW
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,GetInternetPolicies
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallNewDevice
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallSelectedDriver
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallWindowsUpdateDriver
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallWindowsUpdateDriverEx
Source: unknown	Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallWindowsUpdateDrivers
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\0G0AO3HYEI.dll',#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,CheckDriverSoftwareDependenciesSatisfied
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DeviceInternetSettingUiW
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiInstallDevice
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiInstallDriverA
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiInstallDriverW
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiRollbackDriver
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiShowUpdateDevice
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiShowUpdateDriver
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiUninstallDevice
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiUninstallDriverA
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiUninstallDriverW
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,GetInternetPolicies
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallNewDevice
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallSelectedDriver
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallWindowsUpdateDriver
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallWindowsUpdateDriverEx
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallWindowsUpdateDrivers
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\0G0AO3HYEI.dll',#1

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{660b90c8-73a9-4b58-8cae-355b7f55341b}\InProcServer32

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000015.db

Jump to behavior

Source: classification engine

Classification label: mal72.troj.evad.winDLL@45/0@0/0

Source: C:\Windows\explorer.exe

File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,CheckDriverSoftwareDependenciesSatisfied

Source: unknown	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 0G0AO3HYEI.dll

Static PE information: Image base 0x140000000 > 0x60000000

Source: 0G0AO3HYEI.dll

Static file information: File size 1110016 > 1048576

Source: 0G0AO3HYEI.dll	Static PE information: section name: RT_CURSOR
Source: 0G0AO3HYEI.dll	Static PE information: section name: RT_BITMAP
Source: 0G0AO3HYEI.dll	Static PE information: section name: RT_ICON
Source: 0G0AO3HYEI.dll	Static PE information: section name: RT_MENU
Source: 0G0AO3HYEI.dll	Static PE information: section name: RT_DIALOG
Source: 0G0AO3HYEI.dll	Static PE information: section name: RT_STRING
Source: 0G0AO3HYEI.dll	Static PE information: section name: RT_ACCELERATOR
Source: 0G0AO3HYEI.dll	Static PE information: section name: RT_GROUP_ICON

Source: 0G0AO3HYEI.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: 0G0AO3HYEI.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: ntdll.pdb source: loaddll64.exe, 00000001.00000003.411800362.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.256715020.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.256417536.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.263803630.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000009.00000003.271733095.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000003.279171463.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000000E.00000003.288178811.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000011.00000003.295451294.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000014.00000003.303409299.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000015.00000003.310728417.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000018.00000003.318939594.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000001A.00000003.328403002.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000001C.00000003.335755306.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000001E.00000003.343665130.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000001F.00000003.352054462.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000021.00000003.359110630.0000000180000000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: loaddll64.exe, 00000001.00000003.411800362.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.256715020.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.256417536.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.263803630.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000009.00000003.271733095.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000003.279171463.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000000E.00000003.288178811.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000011.00000003.295451294.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000014.00000003.303409299.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000015.00000003.310728417.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000018.00000003.318939594.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000001A.00000003.328403002.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000001C.00000003.335755306.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000001E.00000003.343665130.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000001F.00000003.352054462.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000021.00000003.359110630.0000000180000000.00000004.00000001.sdmp

Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006E5C9 push 00000031h; retf
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006E6A4 push rsp; retf

Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:

Source: 0G0AO3HYEI.dll

Static PE information: real checksum: 0x70461819 should be: 0x11e8a9

Source: initial sample

Static PE information: section name: .text entropy: 7.84727441246

Source: C:\Windows\explorer.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Potential time zone aware malware

Show sources

Source: C:\Windows\explorer.exe	System information queried: CurrentTimeZoneInformation
Source: C:\Windows\explorer.exe	System information queried: CurrentTimeZoneInformation
Source: C:\Windows\explorer.exe	System information queried: CurrentTimeZoneInformation

Uses Windows timers to delay execution

Show sources

Source: C:\Windows\explorer.exe

User Timer Set: Timeout: 500ms

Source: C:\Windows\System32\loaddll64.exe TID: 6492	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\loaddll64.exe TID: 6492	Thread sleep count: 232 > 30

Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 648
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 412
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 388
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 599
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 633
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 585
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 566
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 400
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 490
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 390
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 399

Source: C:\Windows\System32\loaddll64.exe

Process information queried: ProcessInformation

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_00000001400447B8 GetTokenInformation,GetTokenInformation,GetSystemInfo,

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_000000014004FBF8 FindFirstFileExW,

Source: explorer.exe, 00000006.00000000.266283482.0000000008A32000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000006.00000000.266283482.0000000008A32000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000000C.00000000.307251989.000000000054D000.00000004.00000020.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000V
Source: explorer.exe, 00000006.00000000.269976007.000000000EE70000.00000004.00000001.sdmp	Binary or memory string: 0000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.266555490.0000000008B88000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.266555490.0000000008B88000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 00000006.00000000.261140112.00000000048E0000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.266971589.0000000008C73000.00000004.00000001.sdmp	Binary or memory string: 0ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&
Source: explorer.exe, 00000006.00000000.266399504.0000000008ACF000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 00000006.00000000.266555490.0000000008B88000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 00000006.00000000.269976007.000000000EE70000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\|\|
Source: explorer.exe, 0000001B.00000000.343461857.00000000010A9000.00000004.00000020.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 0000001B.00000000.343461857.00000000010A9000.00000004.00000020.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}_3
Source: explorer.exe, 00000006.00000000.280701146.00000000069DA000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD002
Source: explorer.exe, 0000000C.00000000.307214159.0000000000538000.00000004.00000020.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}k

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_00000001400421C8 LdrLoadDll,

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_0000000140045800 RtlAddVectoredExceptionHandler,

HIPS / PFW / Operating System Protection Evasion:

Queues an APC in another process (thread injection)

Show sources

Source: C:\Windows\System32\rundll32.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\0G0AO3HYEI.dll',#1

Source: explorer.exe, 00000006.00000000.260396404.0000000001400000.00000002.00020000.sdmp	Binary or memory string: uProgram Manager
Source: rundll32.exe, 00000004.00000002.537719544.0000028680000000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.279867449.0000000005F40000.00000004.00000001.sdmp, explorer.exe, 0000000C.00000000.307798770.0000000000BD0000.00000002.00020000.sdmp, explorer.exe, 0000001B.00000000.352492281.0000000004A10000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000004.00000002.537719544.0000028680000000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.260396404.0000000001400000.00000002.00020000.sdmp, explorer.exe, 0000000C.00000000.307798770.0000000000BD0000.00000002.00020000.sdmp, explorer.exe, 0000001B.00000000.354870844.0000000005570000.00000004.00000001.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 00000004.00000002.537719544.0000028680000000.00000002.00020000.sdmp	Binary or memory string: Program Manager"
Source: explorer.exe, 0000001B.00000000.347528150.00000000017E0000.00000002.00020000.sdmp	Binary or memory string: Program Manager/
Source: explorer.exe, 0000000C.00000000.307251989.000000000054D000.00000004.00000020.sdmp	Binary or memory string: ProgmanG
Source: explorer.exe, 0000001B.00000000.343461857.00000000010A9000.00000004.00000020.sdmp	Binary or memory string: Progman~D
Source: rundll32.exe, 00000004.00000002.537719544.0000028680000000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWndStart
Source: rundll32.exe, 00000004.00000002.537719544.0000028680000000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.260396404.0000000001400000.00000002.00020000.sdmp, explorer.exe, 0000000C.00000000.307798770.0000000000BD0000.00000002.00020000.sdmp, explorer.exe, 0000001B.00000000.347528150.00000000017E0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000006.00000000.259975951.0000000000EB8000.00000004.00000020.sdmp	Binary or memory string: ProgmanX
Source: explorer.exe, 0000000C.00000000.307798770.0000000000BD0000.00000002.00020000.sdmp	Binary or memory string: OProgram Manager
Source: explorer.exe, 00000006.00000000.266399504.0000000008ACF000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWndAj
Source: explorer.exe, 0000001B.00000003.350412249.0000000004AD4000.00000004.00000001.sdmp	Binary or memory string: Progman#Y
Source: explorer.exe, 0000000C.00000000.309606315.0000000004677000.00000004.00000001.sdmp	Binary or memory string: Progmanllw{v

Source: C:\Windows\System32\loaddll64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Source: C:\Windows\System32\loaddll64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_0000000140043FF0 GetUserNameW,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection112	Masquerading1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion11	LSASS Memory	Query Registry1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection112	Security Account Manager	Security Software Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Virtualization/Sandbox Evasion11	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Rundll321	LSA Secrets	Process Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing2	Cached Domain Credentials	Application Window Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	Account Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Owner/User Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	File and Directory Discovery2	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	System Information Discovery13	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
0G0AO3HYEI.dll	59%	Virustotal		Browse
0G0AO3HYEI.dll	62%	ReversingLabs	Win64.Trojan.Injexa

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000006.00000000.280007192.0000000006870000.00000004.00000001.sdmp	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	492188
Start date:	28.09.2021
Start time:	13:03:29
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 36s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	0G0AO3HYEI (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal72.troj.evad.winDLL@45/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 17.7% (good quality ratio 15.7%) Quality average: 82.8% Quality standard deviation: 33.1%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): SearchUI.exe, BackgroundTransferHost.exe, ShellExperienceHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.211.4.86, 20.50.102.62, 173.222.108.210, 173.222.108.226, 20.199.120.85, 20.199.120.151, 80.67.82.235, 80.67.82.211, 204.79.197.200, 13.107.21.200, 20.54.110.249, 40.112.88.60, 131.253.33.200, 13.107.22.200 Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, dual-a-0001.dc-msedge.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtEnumerateKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:04:51	API Interceptor	118x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):	5.0210157653928675
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	0G0AO3HYEI.dll
File size:	1110016
MD5:	c50f692a715db805e68e9655ff6a9ab2
SHA1:	229b257301ed99d518364afd22c4276daa5b3d20
SHA256:	ff3aa75e4d4637599d3e97fb8b42ce8a1254425f856671ae56377df2676b1033
SHA512:	ad74f556ccef1f8fd4a3c18a18c27adcafd2f552025bf7f83864261c6944db5423c719ea161c341e593800499c6e01aba846031e79caf1e771b2b16e7d6e33d1
SSDEEP:	12288:4dMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0T:SMIJxSDX3bqjhcfHk7MzH6z
File Content Preview:	MZ......................@........................................[.r.:.!.:.!.:.!..[!n;.!.:.!d:.!..8!.:.!.Br!j:.!...!N:.!.hL!>:.!(d. \|;.!x.^!.:.!-d. .;.!.g. .;.!P^. .:.!.BN!.:.!.._!.;.!.._!.;.!..Y!v;.!!._!M;.!Rich.:.!....................................PE.

File Icon


Icon Hash:	54b26869f8c8cc00

Static PE Info

General
Entrypoint:	0x140078760
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x60ADEC84 [Wed May 26 06:36:52 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	c6b4c2eec8a93016c63563421e15f011

Entrypoint Preview

Instruction
xor eax, edx
jmp 00007F0A7CCDD11Ah
inc ecx
pop ecx
dec ecx
add ecx, 08h
call edi
push edi
dec eax
mov edi, dword ptr [00014784h]
dec esp
xor dword ptr [0001476Dh], ecx
jmp 00007F0A7CCDD0F9h
xor eax, edx
xor eax, edx
xor eax, edx
xor eax, edx
xor eax, edx
xor eax, edx
xor eax, edx
xor eax, edx
xor eax, edx
xor eax, edx
xor eax, edx
xor eax, edx
xor eax, edx
xor eax, edx
xor eax, edx
xor eax, edx
xor eax, edx
xor eax, edx
xor eax, edx
xor eax, edx
xor eax, edx
xor eax, edx
xor eax, edx
xor eax, edx
ud2
int3
push ebx
push edi
push esi
dec eax
sub esp, 000000D0h
mov eax, 919AD45Fh
inc ecx
mov eax, eax
mov eax, 1F739ECFh
mov word ptr [esp+000000CEh], 804Dh
inc esp
mov ecx, dword ptr [esp+000000C8h]
inc esp
sub eax, ecx
mov dword ptr [esp+000000C8h], eax
dec eax
mov dword ptr [esp+000000B0h], 0074A7F1h
inc sp
mov edx, dword ptr [esp+000000C4h]
inc sp
mov dword ptr [esp+000000C4h], edx
dec esp
mov ebx, dword ptr [esp+000000B0h]
dec ebp
sub eax, ebx
dec esp
mov dword ptr [esp+000000A8h], eax
dec eax
mov dword ptr [esp+70h], ecx
dec eax
mov ecx, edx
dec eax
mov dword ptr [esp+68h], edx
inc sp
mov dword ptr [esp+66h], edx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x10e010	0x35d
IMAGE_DIRECTORY_ENTRY_IMPORT	0x891b0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x99000	0x2f98	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9c000	0x244	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x7d010	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7d000	0x10	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x7bb10	0x7c000	False	0.803878291961	data	7.84727441246	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x7d000	0xc210	0xd000	False	0.772648737981	data	7.6188975428	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x8a000	0xd218	0xe000	False	0.125104631696	data	1.89187623617	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0x98000	0x138	0x1000	False	0.060791015625	data	0.590508203574	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x99000	0x2f98	0x3000	False	0.302408854167	data	3.73793039709	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9c000	0x244	0x1000	False	0.076171875	data	1.23641369386	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
	0x9d000	0x6cd0	0x7000	False	0.00177873883929	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0xa4000	0x1f2a	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0xa6000	0x13e	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0xa7000	0x6cd0	0x7000	False	0.00177873883929	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0xae000	0x7fd	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0xaf000	0x13e	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0xb0000	0x1f7	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0xb1000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0xb2000	0x1278	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0xb4000	0x13e	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0xb5000	0x9cd	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0xb6000	0x1124	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0xb8000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0xb9000	0x896	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0xba000	0x6cd0	0x7000	False	0.00177873883929	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0xc1000	0x13e	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0xc2000	0x1af	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0xc3000	0x45174	0x46000	False	0.0010498046875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x109000	0x197d	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x10b000	0x197d	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x10d000	0x1ee	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x10e000	0x36d	0x1000	False	0.1259765625	data	1.6701021982	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x99640	0x134	data	English	United States
RT_BITMAP	0x99778	0x3e8	data	Hebrew	Israel
RT_BITMAP	0x99b60	0xd8	data	English	United States
RT_BITMAP	0x99c38	0xd8	data	English	United States
RT_ICON	0x99d10	0x2e8	data	Hebrew	Israel
RT_ICON	0x99ff8	0x128	GLS_BINARY_LSB_FIRST	Hebrew	Israel
RT_ICON	0x9a120	0x128	GLS_BINARY_LSB_FIRST	Hebrew	Israel
RT_MENU	0x9a248	0x430	data	English	United States
RT_MENU	0x9a678	0x1a0	data	English	United States
RT_DIALOG	0x9a818	0xa2	data	Hebrew	Israel
RT_DIALOG	0x9a8c0	0x296	data	Hebrew	Israel
RT_DIALOG	0x9ab58	0x99a	data	Hebrew	Israel
RT_DIALOG	0x9b4f8	0xfa	data	Hebrew	Israel
RT_STRING	0x9b5f8	0x230	data	English	United States
RT_STRING	0x9b828	0x116	data	English	United States
RT_STRING	0x9b940	0x4c	data	English	United States
RT_STRING	0x9b990	0x50	data	English	United States
RT_STRING	0x9b9e0	0xd6	data	English	United States
RT_STRING	0x9bab8	0x2e	data	English	United States
RT_STRING	0x9bae8	0x42	data	English	United States
RT_STRING	0x9bb30	0x6a	data	English	United States
RT_STRING	0x9bba0	0x34	data	English	United States
RT_STRING	0x9bbd8	0x62	data	English	United States
RT_ACCELERATOR	0x9bc40	0x48	data	Hebrew	Israel
RT_GROUP_CURSOR	0x9bc88	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_ICON	0x9bca0	0x22	data	Hebrew	Israel
RT_GROUP_ICON	0x9bcc8	0x14	data	Hebrew	Israel
RT_VERSION	0x9bce0	0x2b8	COM executable for DOS	Hebrew	Israel

Imports

DLL	Import
CRYPT32.dll	CryptImportPublicKeyInfo

Exports

Name	Ordinal	Address
CheckDriverSoftwareDependenciesSatisfied	1	0x1400296ac
DeviceInternetSettingUiW	2	0x14004a758
DiInstallDevice	3	0x14006f114
DiInstallDriverA	4	0x1400097c8
DiInstallDriverW	5	0x1400430c8
DiRollbackDriver	6	0x140046938
DiShowUpdateDevice	7	0x14000d420
DiShowUpdateDriver	8	0x140043b6c
DiUninstallDevice	9	0x14002b514
DiUninstallDriverA	10	0x14001b7c0
DiUninstallDriverW	11	0x140059c8c
GetInternetPolicies	12	0x14004b8a4
InstallNewDevice	13	0x140038e68
InstallSelectedDriver	14	0x140045cac
InstallWindowsUpdateDriver	15	0x14002e854
InstallWindowsUpdateDriverEx	16	0x14005c290
InstallWindowsUpdateDrivers	17	0x1400116a8
QueryWindowsUpdateDriverStatus	18	0x1400782d0
SetInternetPolicies	19	0x14002bb64
UpdateDriverForPlugAndPlayDevicesA	20	0x140005c30
UpdateDriverForPlugAndPlayDevicesW	21	0x1400558a0
pDiDoDeviceInstallAsAdmin	22	0x14004f77c
pDiDoNullDriverInstall	23	0x140052f18
pDiRunFinishInstallOperations	24	0x1400669bc

Version Infos

Description	Data
LegalCopyright	Copyright 2005 - 2009 Nir Sofer
InternalName	TeltwFoo
FileVersion	9.74
CompanyName	NirSoft
ProductName	TeltwFoo
ProductVersion	9.74
FileDescription	ProduKey
OriginalFilename	TeltwFoo.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Hebrew	Israel

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 28, 2021 13:04:23.505140066 CEST	60338	53	192.168.2.7	8.8.8.8
Sep 28, 2021 13:04:23.573188066 CEST	53	60338	8.8.8.8	192.168.2.7
Sep 28, 2021 13:04:35.846666098 CEST	58717	53	192.168.2.7	8.8.8.8
Sep 28, 2021 13:04:35.866933107 CEST	53	58717	8.8.8.8	192.168.2.7
Sep 28, 2021 13:04:58.577305079 CEST	59762	53	192.168.2.7	8.8.8.8
Sep 28, 2021 13:04:58.607346058 CEST	53	59762	8.8.8.8	192.168.2.7
Sep 28, 2021 13:05:14.241303921 CEST	54329	53	192.168.2.7	8.8.8.8
Sep 28, 2021 13:05:14.268682957 CEST	53	54329	8.8.8.8	192.168.2.7
Sep 28, 2021 13:05:16.395365953 CEST	58052	53	192.168.2.7	8.8.8.8
Sep 28, 2021 13:05:16.415195942 CEST	53	58052	8.8.8.8	192.168.2.7
Sep 28, 2021 13:05:20.938812971 CEST	54008	53	192.168.2.7	8.8.8.8
Sep 28, 2021 13:05:20.958224058 CEST	53	54008	8.8.8.8	192.168.2.7
Sep 28, 2021 13:05:31.310127020 CEST	59451	53	192.168.2.7	8.8.8.8
Sep 28, 2021 13:05:31.331723928 CEST	53	59451	8.8.8.8	192.168.2.7
Sep 28, 2021 13:05:34.285274029 CEST	52914	53	192.168.2.7	8.8.8.8
Sep 28, 2021 13:05:34.303147078 CEST	53	52914	8.8.8.8	192.168.2.7
Sep 28, 2021 13:05:49.886737108 CEST	64569	53	192.168.2.7	8.8.8.8
Sep 28, 2021 13:05:49.907191992 CEST	53	64569	8.8.8.8	192.168.2.7
Sep 28, 2021 13:05:50.044132948 CEST	52816	53	192.168.2.7	8.8.8.8
Sep 28, 2021 13:05:50.080962896 CEST	53	52816	8.8.8.8	192.168.2.7
Sep 28, 2021 13:05:53.422394037 CEST	50781	53	192.168.2.7	8.8.8.8
Sep 28, 2021 13:05:53.460597038 CEST	53	50781	8.8.8.8	192.168.2.7
Sep 28, 2021 13:05:55.004934072 CEST	54230	53	192.168.2.7	8.8.8.8
Sep 28, 2021 13:05:55.050369978 CEST	53	54230	8.8.8.8	192.168.2.7
Sep 28, 2021 13:05:55.806480885 CEST	54911	53	192.168.2.7	8.8.8.8
Sep 28, 2021 13:05:55.853698015 CEST	53	54911	8.8.8.8	192.168.2.7
Sep 28, 2021 13:05:56.173832893 CEST	49958	53	192.168.2.7	8.8.8.8
Sep 28, 2021 13:05:56.190999031 CEST	53	49958	8.8.8.8	192.168.2.7
Sep 28, 2021 13:05:57.309151888 CEST	50860	53	192.168.2.7	8.8.8.8
Sep 28, 2021 13:05:57.326709986 CEST	53	50860	8.8.8.8	192.168.2.7
Sep 28, 2021 13:05:57.678658962 CEST	50452	53	192.168.2.7	8.8.8.8
Sep 28, 2021 13:05:57.743607998 CEST	53	50452	8.8.8.8	192.168.2.7
Sep 28, 2021 13:05:58.000309944 CEST	59730	53	192.168.2.7	8.8.8.8
Sep 28, 2021 13:05:58.027781963 CEST	53	59730	8.8.8.8	192.168.2.7
Sep 28, 2021 13:05:58.076576948 CEST	59310	53	192.168.2.7	8.8.8.8
Sep 28, 2021 13:05:58.095819950 CEST	53	59310	8.8.8.8	192.168.2.7
Sep 28, 2021 13:05:58.562820911 CEST	51919	53	192.168.2.7	8.8.8.8
Sep 28, 2021 13:05:58.582771063 CEST	53	51919	8.8.8.8	192.168.2.7
Sep 28, 2021 13:05:59.083587885 CEST	64296	53	192.168.2.7	8.8.8.8
Sep 28, 2021 13:05:59.116796970 CEST	53	64296	8.8.8.8	192.168.2.7
Sep 28, 2021 13:05:59.438103914 CEST	56680	53	192.168.2.7	8.8.8.8
Sep 28, 2021 13:05:59.457645893 CEST	53	56680	8.8.8.8	192.168.2.7
Sep 28, 2021 13:06:04.194844007 CEST	58820	53	192.168.2.7	8.8.8.8
Sep 28, 2021 13:06:04.230432987 CEST	53	58820	8.8.8.8	192.168.2.7
Sep 28, 2021 13:06:14.306551933 CEST	60983	53	192.168.2.7	8.8.8.8
Sep 28, 2021 13:06:14.340621948 CEST	53	60983	8.8.8.8	192.168.2.7
Sep 28, 2021 13:06:19.166496038 CEST	49247	53	192.168.2.7	8.8.8.8
Sep 28, 2021 13:06:19.405267000 CEST	53	49247	8.8.8.8	192.168.2.7
Sep 28, 2021 13:06:38.931651115 CEST	52286	53	192.168.2.7	8.8.8.8
Sep 28, 2021 13:06:38.951231956 CEST	53	52286	8.8.8.8	192.168.2.7
Sep 28, 2021 13:06:39.978004932 CEST	56064	53	192.168.2.7	8.8.8.8
Sep 28, 2021 13:06:39.997354031 CEST	53	56064	8.8.8.8	192.168.2.7
Sep 28, 2021 13:06:55.767621040 CEST	63744	53	192.168.2.7	8.8.8.8
Sep 28, 2021 13:06:55.802818060 CEST	53	63744	8.8.8.8	192.168.2.7

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll64.exe PID: 6488 Parent PID: 4744

General

Start time:	13:04:28
Start date:	28/09/2021
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe 'C:\Users\user\Desktop\0G0AO3HYEI.dll'
Imagebase:	0x7ff65ceb0000
File size:	140288 bytes
MD5 hash:	A84133CCB118CF35D49A423CD836D0EF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000001.00000002.531295536.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: cmd.exe PID: 6512 Parent PID: 6488

General

Start time:	13:04:29
Start date:	28/09/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\0G0AO3HYEI.dll',#1
Imagebase:	0x7ff7bf140000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 6520 Parent PID: 6488

General

Start time:	13:04:30
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,CheckDriverSoftwareDependenciesSatisfied
Imagebase:	0x7ff687d70000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.531206986.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exe PID: 6532 Parent PID: 6512

General

Start time:	13:04:30
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe 'C:\Users\user\Desktop\0G0AO3HYEI.dll',#1
Imagebase:	0x7ff687d70000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000004.00000002.531244676.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: explorer.exe PID: 3292 Parent PID: 6532

General

Start time:	13:04:31
Start date:	28/09/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff662bf0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 6864 Parent PID: 6488

General

Start time:	13:04:33
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DeviceInternetSettingUiW
Imagebase:	0x7ff687d70000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000008.00000002.531418646.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exe PID: 6924 Parent PID: 6488

General

Start time:	13:04:37
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiInstallDevice
Imagebase:	0x7ff687d70000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000009.00000002.531527593.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exe PID: 6940 Parent PID: 6488

General

Start time:	13:04:40
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiInstallDriverA
Imagebase:	0x7ff687d70000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000000A.00000002.531585014.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

Analysis Process: explorer.exe PID: 7024 Parent PID: 568

General

Start time:	13:04:42
Start date:	28/09/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	explorer.exe
Imagebase:	0x7ff662bf0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 7116 Parent PID: 6488

General

Start time:	13:04:44
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiInstallDriverW
Imagebase:	0x7ff687d70000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000000E.00000002.531716160.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

Analysis Process: rundll32.exe PID: 4604 Parent PID: 6488

General

Start time:	13:04:48
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiRollbackDriver
Imagebase:	0x7ff687d70000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000011.00000002.531717710.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

Analysis Process: rundll32.exe PID: 5392 Parent PID: 6488

General

Start time:	13:04:51
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiShowUpdateDevice
Imagebase:	0x7ff687d70000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000014.00000002.531894805.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

Analysis Process: rundll32.exe PID: 6508 Parent PID: 6488

General

Start time:	13:04:55
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiShowUpdateDriver
Imagebase:	0x7ff687d70000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000015.00000002.531718093.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

Analysis Process: rundll32.exe PID: 6656 Parent PID: 6488

General

Start time:	13:04:58
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiUninstallDevice
Imagebase:	0x7ff687d70000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000018.00000002.531937010.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

Analysis Process: rundll32.exe PID: 5636 Parent PID: 6488

General

Start time:	13:05:02
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiUninstallDriverA
Imagebase:	0x7ff687d70000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001A.00000002.531718874.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

Analysis Process: explorer.exe PID: 4932 Parent PID: 568

General

Start time:	13:05:05
Start date:	28/09/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	explorer.exe
Imagebase:	0x7ff662bf0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 4516 Parent PID: 6488

General

Start time:	13:05:06
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiUninstallDriverW
Imagebase:	0x7ff687d70000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001C.00000002.532059437.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

Analysis Process: rundll32.exe PID: 3324 Parent PID: 6488

General

Start time:	13:05:10
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,GetInternetPolicies
Imagebase:	0x7ff687d70000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001E.00000002.532228237.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

Analysis Process: rundll32.exe PID: 3604 Parent PID: 6488

General

Start time:	13:05:14
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallNewDevice
Imagebase:	0x7ff687d70000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001F.00000002.532276672.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

Analysis Process: rundll32.exe PID: 4912 Parent PID: 6488

General

Start time:	13:05:17
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallSelectedDriver
Imagebase:	0x7ff687d70000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000021.00000002.532290767.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

Analysis Process: rundll32.exe PID: 3864 Parent PID: 6488

General

Start time:	13:05:21
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallWindowsUpdateDriver
Imagebase:	0x7ff687d70000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000022.00000002.533238918.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

Analysis Process: rundll32.exe PID: 1392 Parent PID: 6488

General

Start time:	13:05:25
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallWindowsUpdateDriverEx
Imagebase:	0x7ff687d70000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000025.00000002.532357019.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

Analysis Process: explorer.exe PID: 4628 Parent PID: 568

General

Start time:	13:05:26
Start date:	28/09/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	explorer.exe
Imagebase:	0x7ff772bb0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 6568 Parent PID: 6488

General

Start time:	13:05:29
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallWindowsUpdateDrivers
Imagebase:	0x7ff687d70000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000028.00000002.532418928.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 0G0AO3HYEI

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: loaddll64.exe PID: 6488 Parent PID: 4744

General

Analysis Process: cmd.exe PID: 6512 Parent PID: 6488

General

Analysis Process: rundll32.exe PID: 6520 Parent PID: 6488