Play interactive tour

Edit tour

Windows Analysis Report 0G0AO3HYEI.dll

Overview

General Information

Sample Name:	0G0AO3HYEI.dll
Analysis ID:	492188
MD5:	c50f692a715db805e68e9655ff6a9ab2
SHA1:	229b257301ed99d518364afd22c4276daa5b3d20
SHA256:	ff3aa75e4d4637599d3e97fb8b42ce8a1254425f856671ae56377df2676b1033
Tags:	Dridexexe
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Dridex unpacked file

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

PE file has nameless sections

Potential time zone aware malware

Uses Windows timers to delay execution

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Queries the installation date of Windows

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

PE file contains executable resources (Code or Archives)

Program does not show much activity (idle)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

PE file contains an invalid checksum

PE file contains strange resources

Contains capabilities to detect virtual machines

PE file contains more sections than normal

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 396 cmdline: loaddll64.exe 'C:\Users\user\Desktop\0G0AO3HYEI.dll' MD5: A84133CCB118CF35D49A423CD836D0EF)

cmd.exe (PID: 5468 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\0G0AO3HYEI.dll',#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

rundll32.exe (PID: 4716 cmdline: rundll32.exe 'C:\Users\user\Desktop\0G0AO3HYEI.dll',#1 MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 5612 cmdline: rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,CheckDriverSoftwareDependenciesSatisfied MD5: 73C519F050C20580F8A62C849D49215A)

explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

rundll32.exe (PID: 7056 cmdline: rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DeviceInternetSettingUiW MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 5184 cmdline: rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiInstallDevice MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 1360 cmdline: rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiInstallDriverA MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 1520 cmdline: rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiInstallDriverW MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 3912 cmdline: rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiRollbackDriver MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 5624 cmdline: rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiShowUpdateDevice MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 6764 cmdline: rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiShowUpdateDriver MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 2892 cmdline: rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiUninstallDevice MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 3444 cmdline: rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiUninstallDriverA MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 784 cmdline: rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiUninstallDriverW MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 3692 cmdline: rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,GetInternetPolicies MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 348 cmdline: rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallNewDevice MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 6296 cmdline: rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallSelectedDriver MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 3440 cmdline: rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallWindowsUpdateDriver MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 2384 cmdline: rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallWindowsUpdateDriverEx MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 2152 cmdline: rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallWindowsUpdateDrivers MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 1148 cmdline: rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,QueryWindowsUpdateDriverStatus MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 4224 cmdline: rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,SetInternetPolicies MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 1432 cmdline: rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,UpdateDriverForPlugAndPlayDevicesA MD5: 73C519F050C20580F8A62C849D49215A)

explorer.exe (PID: 7080 cmdline: explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)

explorer.exe (PID: 3208 cmdline: explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)

explorer.exe (PID: 5252 cmdline: explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000024.00000002.750032138.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
0000001B.00000002.749674160.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000008.00000002.748754528.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
0000000B.00000002.749145318.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000029.00000002.750110395.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
0000000C.00000002.749353008.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
0000000E.00000002.748916641.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000028.00000002.750108429.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
0000001D.00000002.749906681.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000003.00000002.748525341.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000007.00000002.748435609.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
Click to see the 6 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: 0G0AO3HYEI.dll	Virustotal: Detection: 58%			Perma Link
Source: 0G0AO3HYEI.dll	ReversingLabs: Detection: 62%

Source: 0G0AO3HYEI.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: ntdll.pdb source: loaddll64.exe, 00000001.00000003.509139941.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.351019675.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.351451557.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.358591483.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.366205997.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000009.00000003.372920749.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.380853578.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000000C.00000003.387914054.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000000E.00000003.398049744.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000012.00000003.405753737.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000013.00000003.412564987.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000017.00000003.424643088.0000000180000000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: loaddll64.exe, 00000001.00000003.509139941.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.351019675.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.351451557.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.358591483.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.366205997.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000009.00000003.372920749.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.380853578.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000000C.00000003.387914054.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000000E.00000003.398049744.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000012.00000003.405753737.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000013.00000003.412564987.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000017.00000003.424643088.0000000180000000.00000004.00000001.sdmp

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_000000014004FBF8 FindFirstFileExW,

Source: explorer.exe, 0000000A.00000000.431707527.0000000004DEC000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000005.00000000.370340780.000000000095C000.00000004.00000020.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J

E-Banking Fraud:

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 00000024.00000002.750032138.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.749674160.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.748754528.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.749145318.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.750110395.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.749353008.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.748916641.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.750108429.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.749906681.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.748525341.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.748435609.0000000140001000.00000020.00020000.sdmp, type: MEMORY

System Summary:

PE file has nameless sections

Show sources

Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:

Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400421C8
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400431CC
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400504E4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014003A688
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004271C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400447B8
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140027954
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140053AF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140045BE0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004ED58
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140026FF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140019054
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001C05C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140005078
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140053094
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400330C4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014003B0C8
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400380D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014003F0FC
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140063102
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140052110
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001311C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140001154
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400311B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400021C8
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400231DC
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006D1F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140032214
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002A214
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002E228
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140035268
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140046264
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140069278
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002F278
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004B288
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140068292
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400362A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400172A8
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001E2E4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140029320
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014000732C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002C348
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140038424
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006B428
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014005343C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014005B470
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004F4C8
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001B52C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140026540
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140044584
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140061598
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004759C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400215FC
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140051620
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140032648
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140053644
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140067663
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001A66C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014003C6B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001D6C4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400356F4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004F708
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140024718
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001276C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014000F76C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140056790
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400557DC
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140057820
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014003E8E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400258FC
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014005C8FC
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006D904
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140005918
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140020924
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140068928
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140031928
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140019928
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140024940
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002D95C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140032964
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014005497C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140033984
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400479E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002CA14
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006BA1C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140002A20
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140026A24
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002AA90
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140005AB8
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001CAC8
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006AAD8
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140024AEC
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140041AF4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002BB18
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014000EB3C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140014B68
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140001B74
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002AB7A
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002AB7F
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002AB84
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140006B88
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002AB89
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002AB8E
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002AB93
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002AB98
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002AB9D
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002ABA2
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002ABA7
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001DBB8
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014000BBC4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140003BE0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140034BF8
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140050BF4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140016BFC
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014005ABFC
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140036C08
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140029C1C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140026C30
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014003CC38
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140035C80
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140022C84
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140032CC8
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004CCD4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014003BCE4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140015D04
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001AD0C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140037D24
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001CD24
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014005CD24
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001FD44
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140052D60
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014000AD5C
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014003DDA4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140050DA8
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014005CDAB
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140030DC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140051DE4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140018DE8
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006BE28
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140006E34
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002AE48
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140068E58
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001EE68
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140004E68
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014000CEAC
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140011EB4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140014EBC
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140013ED4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140057FA8
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014005CFCA
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140047FCC
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140025FD4

Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400455F8 NtAllocateVirtualMemory,
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140059688 NtTerminateProcess,
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004386C NtDelayExecution,
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140049CF8 NtClose,

Source: 0G0AO3HYEI.dll

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: 0G0AO3HYEI.dll	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 0G0AO3HYEI.dll	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 0G0AO3HYEI.dll

Static PE information: Number of sections : 28 > 10

Source: 0G0AO3HYEI.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 0G0AO3HYEI.dll	Virustotal: Detection: 58%
Source: 0G0AO3HYEI.dll	ReversingLabs: Detection: 62%

Source: 0G0AO3HYEI.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\0G0AO3HYEI.dll'
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\0G0AO3HYEI.dll',#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,CheckDriverSoftwareDependenciesSatisfied
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\0G0AO3HYEI.dll',#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DeviceInternetSettingUiW
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiInstallDevice
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiInstallDriverA
Source: unknown	Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiInstallDriverW
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiRollbackDriver
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiShowUpdateDevice
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiShowUpdateDriver
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiUninstallDevice
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiUninstallDriverA
Source: unknown	Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiUninstallDriverW
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,GetInternetPolicies
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallNewDevice
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallSelectedDriver
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallWindowsUpdateDriver
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallWindowsUpdateDriverEx
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallWindowsUpdateDrivers
Source: unknown	Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,QueryWindowsUpdateDriverStatus
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,SetInternetPolicies
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,UpdateDriverForPlugAndPlayDevicesA
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\0G0AO3HYEI.dll',#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,CheckDriverSoftwareDependenciesSatisfied
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DeviceInternetSettingUiW
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiInstallDevice
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiInstallDriverA
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiInstallDriverW
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiRollbackDriver
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiShowUpdateDevice
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiShowUpdateDriver
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiUninstallDevice
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiUninstallDriverA
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiUninstallDriverW
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,GetInternetPolicies
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallNewDevice
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallSelectedDriver
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\explorer.exe C:\Windows\Explorer.EXE
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallWindowsUpdateDriverEx
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallWindowsUpdateDrivers
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,QueryWindowsUpdateDriverStatus
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,SetInternetPolicies
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,UpdateDriverForPlugAndPlayDevicesA
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\0G0AO3HYEI.dll',#1

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{660b90c8-73a9-4b58-8cae-355b7f55341b}\InProcServer32

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000016.db

Jump to behavior

Source: classification engine

Classification label: mal72.troj.evad.winDLL@48/0@0/0

Source: C:\Windows\explorer.exe

File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,CheckDriverSoftwareDependenciesSatisfied

Source: unknown	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\explorer.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 0G0AO3HYEI.dll

Static PE information: Image base 0x140000000 > 0x60000000

Source: 0G0AO3HYEI.dll

Static file information: File size 1110016 > 1048576

Source: 0G0AO3HYEI.dll	Static PE information: section name: RT_CURSOR
Source: 0G0AO3HYEI.dll	Static PE information: section name: RT_BITMAP
Source: 0G0AO3HYEI.dll	Static PE information: section name: RT_ICON
Source: 0G0AO3HYEI.dll	Static PE information: section name: RT_MENU
Source: 0G0AO3HYEI.dll	Static PE information: section name: RT_DIALOG
Source: 0G0AO3HYEI.dll	Static PE information: section name: RT_STRING
Source: 0G0AO3HYEI.dll	Static PE information: section name: RT_ACCELERATOR
Source: 0G0AO3HYEI.dll	Static PE information: section name: RT_GROUP_ICON

Source: 0G0AO3HYEI.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: 0G0AO3HYEI.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: ntdll.pdb source: loaddll64.exe, 00000001.00000003.509139941.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.351019675.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.351451557.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.358591483.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.366205997.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000009.00000003.372920749.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.380853578.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000000C.00000003.387914054.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000000E.00000003.398049744.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000012.00000003.405753737.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000013.00000003.412564987.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000017.00000003.424643088.0000000180000000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: loaddll64.exe, 00000001.00000003.509139941.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.351019675.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.351451557.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000003.358591483.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.366205997.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000009.00000003.372920749.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.380853578.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000000C.00000003.387914054.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000000E.00000003.398049744.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000012.00000003.405753737.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000013.00000003.412564987.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000017.00000003.424643088.0000000180000000.00000004.00000001.sdmp

Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006E5C9 push 00000031h; retf
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006E6A4 push rsp; retf

Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:
Source: 0G0AO3HYEI.dll	Static PE information: section name:

Source: 0G0AO3HYEI.dll

Static PE information: real checksum: 0x70461819 should be: 0x11e8a9

Source: initial sample

Static PE information: section name: .text entropy: 7.84727441246

Source: C:\Windows\explorer.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Potential time zone aware malware

Show sources

Source: C:\Windows\explorer.exe	System information queried: CurrentTimeZoneInformation
Source: C:\Windows\explorer.exe	System information queried: CurrentTimeZoneInformation
Source: C:\Windows\explorer.exe	System information queried: CurrentTimeZoneInformation

Uses Windows timers to delay execution

Show sources

Source: C:\Windows\explorer.exe

User Timer Set: Timeout: 100ms

Source: C:\Windows\System32\loaddll64.exe TID: 6008	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\loaddll64.exe TID: 6008	Thread sleep count: 340 > 30
Source: C:\Windows\System32\loaddll64.exe TID: 6008	Thread sleep time: -34000s >= -30000s

Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 599
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 921
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 709
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 500
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 776
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 818
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 838
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 697
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 546
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 477
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 700
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 500
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 540
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 417
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 618
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 400
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 400

Source: C:\Windows\explorer.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\System32\loaddll64.exe

Process information queried: ProcessInformation

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_00000001400447B8 GetTokenInformation,GetTokenInformation,GetSystemInfo,

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_000000014004FBF8 FindFirstFileExW,

Source: explorer.exe, 00000005.00000000.377450572.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000000A.00000000.428112330.0000000004B40000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 0000000A.00000000.431707527.0000000004DEC000.00000004.00000001.sdmp	Binary or memory string: NECVMWarVMware SATA CD001.00
Source: explorer.exe, 0000000A.00000000.429107747.0000000004BFE000.00000004.00000001.sdmp	Binary or memory string: NECVMWarVMware SATA CD001.00WB
Source: explorer.exe, 00000005.00000000.363182861.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.431358780.0000000004D1A000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000rif
Source: explorer.exe, 00000005.00000000.357133797.00000000062E0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.429107747.0000000004BFE000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000000A.00000000.431707527.0000000004DEC000.00000004.00000001.sdmp	Binary or memory string: NECVMWarVMware SATA CD001.00h
Source: explorer.exe, 0000000A.00000000.391394548.00000000011F9000.00000004.00000020.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 0000000A.00000000.431812055.0000000004E01000.00000004.00000001.sdmp	Binary or memory string: war&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c9yJq
Source: explorer.exe, 0000000A.00000000.431670144.0000000004DDD000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}exe
Source: explorer.exe, 0000000A.00000000.431812055.0000000004E01000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b
Source: explorer.exe, 00000005.00000000.356192320.00000000045BE000.00000004.00000001.sdmp	Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000018.00000000.460496296.00000000013C7000.00000004.00000020.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000s
Source: explorer.exe, 0000000A.00000000.431670144.0000000004DDD000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.430192039.0000000004CA6000.00000004.00000001.sdmp	Binary or memory string: 9Tm\Device\HarddiskVolume2\??\Volume{ef47ea26-ec76-4a6e-8680-9e53b539546d}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D: @@@@````
Source: explorer.exe, 00000005.00000000.363394723.00000000083EB000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000018.00000000.460496296.00000000013C7000.00000004.00000020.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000003.393331278.00000000071D8000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\b8b}
Source: explorer.exe, 00000018.00000003.472927955.0000000004DE3000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m
Source: explorer.exe, 0000000A.00000000.431670144.0000000004DDD000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}B
Source: explorer.exe, 00000005.00000000.363182861.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 0000000A.00000000.428112330.0000000004B40000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000mberK6C
Source: explorer.exe, 00000005.00000000.363182861.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000005.00000000.377450572.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000005.00000000.370340780.000000000095C000.00000004.00000020.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_00000001400421C8 LdrLoadDll,

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_0000000140045800 RtlAddVectoredExceptionHandler,

HIPS / PFW / Operating System Protection Evasion:

Queues an APC in another process (thread injection)

Show sources

Source: C:\Windows\System32\rundll32.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\0G0AO3HYEI.dll',#1

Source: explorer.exe, 0000000A.00000000.391913129.00000000017D0000.00000002.00020000.sdmp, explorer.exe, 00000018.00000000.462105202.0000000001950000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.370797161.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.393659763.0000000005560000.00000004.00000001.sdmp, rundll32.exe, 00000017.00000002.782810021.0000020E68820000.00000002.00020000.sdmp, explorer.exe, 00000018.00000000.462105202.0000000001950000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.370797161.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.393659763.0000000005560000.00000004.00000001.sdmp, rundll32.exe, 00000017.00000002.782810021.0000020E68820000.00000002.00020000.sdmp, explorer.exe, 00000018.00000000.462105202.0000000001950000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000018.00000000.460496296.00000000013C7000.00000004.00000020.sdmp	Binary or memory string: ProgmanI/
Source: rundll32.exe, 00000017.00000002.782810021.0000020E68820000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWndearch
Source: explorer.exe, 00000005.00000000.370797161.0000000000EE0000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: rundll32.exe, 00000017.00000002.782810021.0000020E68820000.00000002.00020000.sdmp	Binary or memory string: bProgram Manager\
Source: explorer.exe, 00000005.00000000.370797161.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.391913129.00000000017D0000.00000002.00020000.sdmp, rundll32.exe, 00000017.00000002.782810021.0000020E68820000.00000002.00020000.sdmp, explorer.exe, 00000018.00000000.462105202.0000000001950000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000018.00000000.462105202.0000000001950000.00000002.00020000.sdmp	Binary or memory string: KProgram Manager
Source: explorer.exe, 00000018.00000000.467158553.0000000005477000.00000004.00000001.sdmp	Binary or memory string: ProgmanI@
Source: explorer.exe, 0000000A.00000000.391394548.00000000011F9000.00000004.00000020.sdmp	Binary or memory string: Progman0

Source: C:\Windows\System32\loaddll64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Source: C:\Windows\System32\loaddll64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_0000000140043FF0 GetUserNameW,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection112	Masquerading1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion12	LSASS Memory	Query Registry1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection112	Security Account Manager	Security Software Discovery11	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Virtualization/Sandbox Evasion12	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Rundll321	LSA Secrets	Process Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing2	Cached Domain Credentials	Application Window Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	Account Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Owner/User Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	File and Directory Discovery2	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	System Information Discovery13	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
0G0AO3HYEI.dll	59%	Virustotal		Browse
0G0AO3HYEI.dll	62%	ReversingLabs	Win64.Trojan.Injexa

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000005.00000000.370340780.000000000095C000.00000004.00000020.sdmp	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	492188
Start date:	28.09.2021
Start time:	13:17:48
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 37s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	0G0AO3HYEI.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	41
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal72.troj.evad.winDLL@48/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 19.6% (good quality ratio 17.4%) Quality average: 82.8% Quality standard deviation: 33.2%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, SearchUI.exe, BackgroundTransferHost.exe, ShellExperienceHost.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115, 20.50.102.62, 131.253.33.200, 13.107.22.200, 80.67.82.235, 80.67.82.211, 40.112.88.60, 23.211.4.86, 20.54.110.249, 20.189.173.20, 204.79.197.200, 13.107.21.200 Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, www.bing.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, onedsblobprdwus15.westus.cloudapp.azure.com, e1723.g.akamaiedge.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtEnumerateKey calls found. Report size getting too big, too many NtEnumerateValueKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:19:08	API Interceptor	15x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):	5.0210157653928675
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	0G0AO3HYEI.dll
File size:	1110016
MD5:	c50f692a715db805e68e9655ff6a9ab2
SHA1:	229b257301ed99d518364afd22c4276daa5b3d20
SHA256:	ff3aa75e4d4637599d3e97fb8b42ce8a1254425f856671ae56377df2676b1033
SHA512:	ad74f556ccef1f8fd4a3c18a18c27adcafd2f552025bf7f83864261c6944db5423c719ea161c341e593800499c6e01aba846031e79caf1e771b2b16e7d6e33d1
SSDEEP:	12288:4dMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0T:SMIJxSDX3bqjhcfHk7MzH6z
File Content Preview:	MZ......................@........................................[.r.:.!.:.!.:.!..[!n;.!.:.!d:.!..8!.:.!.Br!j:.!...!N:.!.hL!>:.!(d. \|;.!x.^!.:.!-d. .;.!.g. .;.!P^. .:.!.BN!.:.!.._!.;.!.._!.;.!..Y!v;.!!._!M;.!Rich.:.!....................................PE.

File Icon


Icon Hash:	54b26869f8c8cc00

Static PE Info

General
Entrypoint:	0x140078760
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x60ADEC84 [Wed May 26 06:36:52 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	c6b4c2eec8a93016c63563421e15f011

Entrypoint Preview

Instruction
xor eax, edx
jmp 00007FD1A0EE075Ah
inc ecx
pop ecx
dec ecx
add ecx, 08h
call edi
push edi
dec eax
mov edi, dword ptr [00014784h]
dec esp
xor dword ptr [0001476Dh], ecx
jmp 00007FD1A0EE0739h
xor eax, edx
xor eax, edx
xor eax, edx
xor eax, edx
xor eax, edx
xor eax, edx
xor eax, edx
xor eax, edx
xor eax, edx
xor eax, edx
xor eax, edx
xor eax, edx
xor eax, edx
xor eax, edx
xor eax, edx
xor eax, edx
xor eax, edx
xor eax, edx
xor eax, edx
xor eax, edx
xor eax, edx
xor eax, edx
xor eax, edx
xor eax, edx
ud2
int3
push ebx
push edi
push esi
dec eax
sub esp, 000000D0h
mov eax, 919AD45Fh
inc ecx
mov eax, eax
mov eax, 1F739ECFh
mov word ptr [esp+000000CEh], 804Dh
inc esp
mov ecx, dword ptr [esp+000000C8h]
inc esp
sub eax, ecx
mov dword ptr [esp+000000C8h], eax
dec eax
mov dword ptr [esp+000000B0h], 0074A7F1h
inc sp
mov edx, dword ptr [esp+000000C4h]
inc sp
mov dword ptr [esp+000000C4h], edx
dec esp
mov ebx, dword ptr [esp+000000B0h]
dec ebp
sub eax, ebx
dec esp
mov dword ptr [esp+000000A8h], eax
dec eax
mov dword ptr [esp+70h], ecx
dec eax
mov ecx, edx
dec eax
mov dword ptr [esp+68h], edx
inc sp
mov dword ptr [esp+66h], edx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x10e010	0x35d
IMAGE_DIRECTORY_ENTRY_IMPORT	0x891b0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x99000	0x2f98	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9c000	0x244	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x7d010	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7d000	0x10	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x7bb10	0x7c000	False	0.803878291961	data	7.84727441246	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x7d000	0xc210	0xd000	False	0.772648737981	data	7.6188975428	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x8a000	0xd218	0xe000	False	0.125104631696	data	1.89187623617	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0x98000	0x138	0x1000	False	0.060791015625	data	0.590508203574	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x99000	0x2f98	0x3000	False	0.302408854167	data	3.73793039709	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9c000	0x244	0x1000	False	0.076171875	data	1.23641369386	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
	0x9d000	0x6cd0	0x7000	False	0.00177873883929	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0xa4000	0x1f2a	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0xa6000	0x13e	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0xa7000	0x6cd0	0x7000	False	0.00177873883929	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0xae000	0x7fd	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0xaf000	0x13e	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0xb0000	0x1f7	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0xb1000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0xb2000	0x1278	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0xb4000	0x13e	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0xb5000	0x9cd	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0xb6000	0x1124	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0xb8000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0xb9000	0x896	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0xba000	0x6cd0	0x7000	False	0.00177873883929	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0xc1000	0x13e	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0xc2000	0x1af	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0xc3000	0x45174	0x46000	False	0.0010498046875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x109000	0x197d	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x10b000	0x197d	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x10d000	0x1ee	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x10e000	0x36d	0x1000	False	0.1259765625	data	1.6701021982	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x99640	0x134	data	English	United States
RT_BITMAP	0x99778	0x3e8	data	Hebrew	Israel
RT_BITMAP	0x99b60	0xd8	data	English	United States
RT_BITMAP	0x99c38	0xd8	data	English	United States
RT_ICON	0x99d10	0x2e8	data	Hebrew	Israel
RT_ICON	0x99ff8	0x128	GLS_BINARY_LSB_FIRST	Hebrew	Israel
RT_ICON	0x9a120	0x128	GLS_BINARY_LSB_FIRST	Hebrew	Israel
RT_MENU	0x9a248	0x430	data	English	United States
RT_MENU	0x9a678	0x1a0	data	English	United States
RT_DIALOG	0x9a818	0xa2	data	Hebrew	Israel
RT_DIALOG	0x9a8c0	0x296	data	Hebrew	Israel
RT_DIALOG	0x9ab58	0x99a	data	Hebrew	Israel
RT_DIALOG	0x9b4f8	0xfa	data	Hebrew	Israel
RT_STRING	0x9b5f8	0x230	data	English	United States
RT_STRING	0x9b828	0x116	data	English	United States
RT_STRING	0x9b940	0x4c	data	English	United States
RT_STRING	0x9b990	0x50	data	English	United States
RT_STRING	0x9b9e0	0xd6	data	English	United States
RT_STRING	0x9bab8	0x2e	data	English	United States
RT_STRING	0x9bae8	0x42	data	English	United States
RT_STRING	0x9bb30	0x6a	data	English	United States
RT_STRING	0x9bba0	0x34	data	English	United States
RT_STRING	0x9bbd8	0x62	data	English	United States
RT_ACCELERATOR	0x9bc40	0x48	data	Hebrew	Israel
RT_GROUP_CURSOR	0x9bc88	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_ICON	0x9bca0	0x22	data	Hebrew	Israel
RT_GROUP_ICON	0x9bcc8	0x14	data	Hebrew	Israel
RT_VERSION	0x9bce0	0x2b8	COM executable for DOS	Hebrew	Israel

Imports

DLL	Import
CRYPT32.dll	CryptImportPublicKeyInfo

Exports

Name	Ordinal	Address
CheckDriverSoftwareDependenciesSatisfied	1	0x1400296ac
DeviceInternetSettingUiW	2	0x14004a758
DiInstallDevice	3	0x14006f114
DiInstallDriverA	4	0x1400097c8
DiInstallDriverW	5	0x1400430c8
DiRollbackDriver	6	0x140046938
DiShowUpdateDevice	7	0x14000d420
DiShowUpdateDriver	8	0x140043b6c
DiUninstallDevice	9	0x14002b514
DiUninstallDriverA	10	0x14001b7c0
DiUninstallDriverW	11	0x140059c8c
GetInternetPolicies	12	0x14004b8a4
InstallNewDevice	13	0x140038e68
InstallSelectedDriver	14	0x140045cac
InstallWindowsUpdateDriver	15	0x14002e854
InstallWindowsUpdateDriverEx	16	0x14005c290
InstallWindowsUpdateDrivers	17	0x1400116a8
QueryWindowsUpdateDriverStatus	18	0x1400782d0
SetInternetPolicies	19	0x14002bb64
UpdateDriverForPlugAndPlayDevicesA	20	0x140005c30
UpdateDriverForPlugAndPlayDevicesW	21	0x1400558a0
pDiDoDeviceInstallAsAdmin	22	0x14004f77c
pDiDoNullDriverInstall	23	0x140052f18
pDiRunFinishInstallOperations	24	0x1400669bc

Version Infos

Description	Data
LegalCopyright	Copyright 2005 - 2009 Nir Sofer
InternalName	TeltwFoo
FileVersion	9.74
CompanyName	NirSoft
ProductName	TeltwFoo
ProductVersion	9.74
FileDescription	ProduKey
OriginalFilename	TeltwFoo.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Hebrew	Israel

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 28, 2021 13:18:43.583139896 CEST	58377	53	192.168.2.6	8.8.8.8
Sep 28, 2021 13:18:43.617150068 CEST	53	58377	8.8.8.8	192.168.2.6
Sep 28, 2021 13:19:18.947300911 CEST	55074	53	192.168.2.6	8.8.8.8
Sep 28, 2021 13:19:18.966747046 CEST	53	55074	8.8.8.8	192.168.2.6
Sep 28, 2021 13:19:31.537863016 CEST	54513	53	192.168.2.6	8.8.8.8
Sep 28, 2021 13:19:31.555735111 CEST	53	54513	8.8.8.8	192.168.2.6
Sep 28, 2021 13:19:37.554872036 CEST	62044	53	192.168.2.6	8.8.8.8
Sep 28, 2021 13:19:37.575942993 CEST	53	62044	8.8.8.8	192.168.2.6
Sep 28, 2021 13:19:58.386310101 CEST	63791	53	192.168.2.6	8.8.8.8
Sep 28, 2021 13:19:58.413980007 CEST	53	63791	8.8.8.8	192.168.2.6
Sep 28, 2021 13:20:09.479140043 CEST	64267	53	192.168.2.6	8.8.8.8
Sep 28, 2021 13:20:09.502712011 CEST	53	64267	8.8.8.8	192.168.2.6
Sep 28, 2021 13:20:19.340456963 CEST	49448	53	192.168.2.6	8.8.8.8
Sep 28, 2021 13:20:19.393934011 CEST	53	49448	8.8.8.8	192.168.2.6
Sep 28, 2021 13:20:19.764108896 CEST	60342	53	192.168.2.6	8.8.8.8
Sep 28, 2021 13:20:19.809118032 CEST	53	60342	8.8.8.8	192.168.2.6
Sep 28, 2021 13:20:20.315531969 CEST	61346	53	192.168.2.6	8.8.8.8
Sep 28, 2021 13:20:20.360470057 CEST	53	61346	8.8.8.8	192.168.2.6
Sep 28, 2021 13:20:20.680387020 CEST	51774	53	192.168.2.6	8.8.8.8
Sep 28, 2021 13:20:20.699815989 CEST	53	51774	8.8.8.8	192.168.2.6
Sep 28, 2021 13:20:21.044486046 CEST	56023	53	192.168.2.6	8.8.8.8
Sep 28, 2021 13:20:21.062028885 CEST	53	56023	8.8.8.8	192.168.2.6
Sep 28, 2021 13:20:21.455703020 CEST	58384	53	192.168.2.6	8.8.8.8
Sep 28, 2021 13:20:21.476475954 CEST	53	58384	8.8.8.8	192.168.2.6
Sep 28, 2021 13:20:21.906523943 CEST	60261	53	192.168.2.6	8.8.8.8
Sep 28, 2021 13:20:21.923650980 CEST	53	60261	8.8.8.8	192.168.2.6
Sep 28, 2021 13:20:22.561836958 CEST	56061	53	192.168.2.6	8.8.8.8
Sep 28, 2021 13:20:22.595350981 CEST	53	56061	8.8.8.8	192.168.2.6
Sep 28, 2021 13:20:23.126105070 CEST	58336	53	192.168.2.6	8.8.8.8
Sep 28, 2021 13:20:23.188782930 CEST	53	58336	8.8.8.8	192.168.2.6
Sep 28, 2021 13:20:23.626601934 CEST	53781	53	192.168.2.6	8.8.8.8
Sep 28, 2021 13:20:23.643975019 CEST	53	53781	8.8.8.8	192.168.2.6
Sep 28, 2021 13:20:32.126229048 CEST	54064	53	192.168.2.6	8.8.8.8
Sep 28, 2021 13:20:32.153063059 CEST	53	54064	8.8.8.8	192.168.2.6
Sep 28, 2021 13:20:46.831938982 CEST	52811	53	192.168.2.6	8.8.8.8
Sep 28, 2021 13:20:46.851619959 CEST	53	52811	8.8.8.8	192.168.2.6
Sep 28, 2021 13:20:49.211165905 CEST	55299	53	192.168.2.6	8.8.8.8
Sep 28, 2021 13:20:49.239561081 CEST	53	55299	8.8.8.8	192.168.2.6
Sep 28, 2021 13:21:10.138825893 CEST	63745	53	192.168.2.6	8.8.8.8
Sep 28, 2021 13:21:10.157629967 CEST	53	63745	8.8.8.8	192.168.2.6
Sep 28, 2021 13:21:30.378813028 CEST	50055	53	192.168.2.6	8.8.8.8
Sep 28, 2021 13:21:30.406480074 CEST	53	50055	8.8.8.8	192.168.2.6
Sep 28, 2021 13:21:48.490989923 CEST	61374	53	192.168.2.6	8.8.8.8
Sep 28, 2021 13:21:48.519038916 CEST	53	61374	8.8.8.8	192.168.2.6
Sep 28, 2021 13:22:08.021627903 CEST	50339	53	192.168.2.6	8.8.8.8
Sep 28, 2021 13:22:08.049892902 CEST	53	50339	8.8.8.8	192.168.2.6

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll64.exe PID: 396 Parent PID: 6692

General

Start time:	13:18:48
Start date:	28/09/2021
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe 'C:\Users\user\Desktop\0G0AO3HYEI.dll'
Imagebase:	0x7ff770a50000
File size:	140288 bytes
MD5 hash:	A84133CCB118CF35D49A423CD836D0EF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 5468 Parent PID: 396

General

Start time:	13:18:49
Start date:	28/09/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\0G0AO3HYEI.dll',#1
Imagebase:	0x7ff7180e0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 5612 Parent PID: 396

General

Start time:	13:18:49
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,CheckDriverSoftwareDependenciesSatisfied
Imagebase:	0x7ff773d70000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.748525341.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exe PID: 4716 Parent PID: 5468

General

Start time:	13:18:49
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe 'C:\Users\user\Desktop\0G0AO3HYEI.dll',#1
Imagebase:	0x7ff773d70000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: explorer.exe PID: 3440 Parent PID: 5612

General

Start time:	13:18:50
Start date:	28/09/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff6f22f0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 7056 Parent PID: 396

General

Start time:	13:18:52
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DeviceInternetSettingUiW
Imagebase:	0x7ff773d70000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000007.00000002.748435609.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exe PID: 5184 Parent PID: 396

General

Start time:	13:18:56
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiInstallDevice
Imagebase:	0x7ff773d70000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000008.00000002.748754528.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exe PID: 1360 Parent PID: 396

General

Start time:	13:18:59
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiInstallDriverA
Imagebase:	0x7ff773d70000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: explorer.exe PID: 7080 Parent PID: 568

General

Start time:	13:19:01
Start date:	28/09/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	explorer.exe
Imagebase:	0x7ff6f22f0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 1520 Parent PID: 396

General

Start time:	13:19:03
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiInstallDriverW
Imagebase:	0x7ff773d70000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000000B.00000002.749145318.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

Analysis Process: rundll32.exe PID: 3912 Parent PID: 396

General

Start time:	13:19:06
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiRollbackDriver
Imagebase:	0x7ff773d70000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000000C.00000002.749353008.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

Analysis Process: rundll32.exe PID: 5624 Parent PID: 396

General

Start time:	13:19:10
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiShowUpdateDevice
Imagebase:	0x7ff773d70000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000000E.00000002.748916641.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

Analysis Process: rundll32.exe PID: 6764 Parent PID: 396

General

Start time:	13:19:13
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiShowUpdateDriver
Imagebase:	0x7ff773d70000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 2892 Parent PID: 396

General

Start time:	13:19:17
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiUninstallDevice
Imagebase:	0x7ff773d70000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 3444 Parent PID: 396

General

Start time:	13:19:21
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiUninstallDriverA
Imagebase:	0x7ff773d70000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: explorer.exe PID: 3208 Parent PID: 568

General

Start time:	13:19:24
Start date:	28/09/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	explorer.exe
Imagebase:	0x7ff6f22f0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 784 Parent PID: 396

General

Start time:	13:19:26
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiUninstallDriverW
Imagebase:	0x7ff773d70000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 3692 Parent PID: 396

General

Start time:	13:19:30
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,GetInternetPolicies
Imagebase:	0x7ff773d70000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001B.00000002.749674160.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

Analysis Process: rundll32.exe PID: 348 Parent PID: 396

General

Start time:	13:19:34
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallNewDevice
Imagebase:	0x7ff773d70000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001D.00000002.749906681.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

Analysis Process: rundll32.exe PID: 6296 Parent PID: 396

General

Start time:	13:19:37
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallSelectedDriver
Imagebase:	0x7ff773d70000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 3440 Parent PID: 396

General

Start time:	13:19:41
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallWindowsUpdateDriver
Imagebase:	0x7ff773d70000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 2384 Parent PID: 396

General

Start time:	13:19:45
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallWindowsUpdateDriverEx
Imagebase:	0x7ff773d70000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 2152 Parent PID: 396

General

Start time:	13:19:48
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallWindowsUpdateDrivers
Imagebase:	0x7ff773d70000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000024.00000002.750032138.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

Analysis Process: explorer.exe PID: 5252 Parent PID: 568

General

Start time:	13:19:51
Start date:	28/09/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	explorer.exe
Imagebase:	0x7ff6f22f0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 1148 Parent PID: 396

General

Start time:	13:19:52
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,QueryWindowsUpdateDriverStatus
Imagebase:	0x7ff773d70000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 4224 Parent PID: 396

General

Start time:	13:19:56
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,SetInternetPolicies
Imagebase:	0x7ff773d70000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000028.00000002.750108429.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

Analysis Process: rundll32.exe PID: 1432 Parent PID: 396

General

Start time:	13:19:59
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,UpdateDriverForPlugAndPlayDevicesA
Imagebase:	0x7ff773d70000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000029.00000002.750110395.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 0G0AO3HYEI.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: loaddll64.exe PID: 396 Parent PID: 6692

General

Analysis Process: cmd.exe PID: 5468 Parent PID: 396

General

Analysis Process: rundll32.exe PID: 5612 Parent PID: 396