Play interactive tour

Edit tour

Windows Analysis Report 6zAcNlJXo7

Overview

General Information

Sample Name:	6zAcNlJXo7 (renamed file extension from none to dll)
Analysis ID:	532221
MD5:	c7e23f2764d6ed9b59b0fed69a4488b0
SHA1:	67f31b13485f91be7952b3df5628f14ef1c86a38
SHA256:	d048f196a39fc7dae500b057fa000ebbb81ae2e6c18b4ddff445e8d7163f20ab
Tags:	32dllexetrojan
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Emotet

Sigma detected: Emotet RunDLL32 Process Creation

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Deletes files inside the Windows folder

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Abnormal high CPU Usage

Creates a DirectInput object (often for capturing keystrokes)

AV process strings found (often used to terminate AV products)

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Checks if the current process is being debugged

Connects to several IPs in different countries

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 4600 cmdline: loaddll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)

cmd.exe (PID: 6692 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 4352 cmdline: rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6712 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 4520 cmdline: rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5696 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Vxxnweikxwymx\qsgm.ruf",Yyhhzevh MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6104 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Vxxnweikxwymx\qsgm.ruf",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6324 cmdline: rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,axamexdrqyrgb MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 1304 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 160 cmdline: rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,bhramccfbdd MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5712 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 4412 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 316 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 2932 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 324 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

svchost.exe (PID: 5816 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)

WerFault.exe (PID: 2984 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4600 -ip 4600 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 4764 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4600 -ip 4600 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["46.55.222.11:443", "104.245.52.73:8080", "41.76.108.46:8080", "103.8.26.103:8080", "185.184.25.237:8080", "103.8.26.102:8080", "203.114.109.124:443", "45.118.115.99:8080", "178.79.147.66:8080", "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443", "195.154.133.20:443", "45.142.114.231:8080", "212.237.5.209:443", "207.38.84.195:8080", "104.251.214.46:8080", "212.237.17.99:8080", "212.237.56.116:7080", "216.158.226.206:443", "110.232.117.186:8080", "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080", "81.0.236.90:443", "50.116.54.215:443", "138.185.72.26:8080", "51.68.175.8:8080", "210.57.217.132:8080"], "Public Key": ["RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2", "RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000003.00000003.573611715.0000000000835000.00000004.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.633116457.0000000003380000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000000.643248675.0000000000BB0000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.770251757.0000000000A1A000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000000.662542522.0000000000BB0000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000000.642444707.00000000013AC000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.770145294.00000000007A0000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.610590191.00000000006DA000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000002.695566646.00000000013AC000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000002.642741548.00000000031EA000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000000.663733322.00000000013AC000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.620846196.0000000000610000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000002.642650507.0000000003180000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.633278452.00000000035DA000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000000.662941579.00000000013AC000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.610563535.0000000000630000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000000.643478517.00000000013AC000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000000.641938795.0000000000BB0000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000000.663509938.0000000000BB0000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author
6.2.rundll32.exe.3202148.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.bb0000.9.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.630000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.2.loaddll32.exe.13b3b30.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.bb0000.9.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.3380000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.bb0000.6.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.7a0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.6f2160.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.13b3b30.4.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.3202148.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.13b3b30.7.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.13b3b30.7.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.a33628.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.3180000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.2.loaddll32.exe.13b3b30.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.13b3b30.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.610000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.bb0000.6.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.630000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.7a0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.13b3b30.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.2.loaddll32.exe.bb0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.2.loaddll32.exe.bb0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.13b3b30.10.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.3180000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.a33628.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.bb0000.3.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.3380000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.6f2160.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.13b3b30.10.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.bb0000.3.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.bb0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.13b3b30.4.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.bb0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.35f42a0.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.610000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.35f42a0.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 33 entries

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation

Show sources

Source: Process started

Author: FPT.EagleEye: Data: Command: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Vxxnweikxwymx\qsgm.ruf",Control_RunDLL, CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Vxxnweikxwymx\qsgm.ruf",Control_RunDLL, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Vxxnweikxwymx\qsgm.ruf",Yyhhzevh, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 5696, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Vxxnweikxwymx\qsgm.ruf",Control_RunDLL, ProcessId: 6104

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0.0.loaddll32.exe.bb0000.9.unpack

Malware Configuration Extractor: Emotet {"C2 list": ["46.55.222.11:443", "104.245.52.73:8080", "41.76.108.46:8080", "103.8.26.103:8080", "185.184.25.237:8080", "103.8.26.102:8080", "203.114.109.124:443", "45.118.115.99:8080", "178.79.147.66:8080", "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443", "195.154.133.20:443", "45.142.114.231:8080", "212.237.5.209:443", "207.38.84.195:8080", "104.251.214.46:8080", "212.237.17.99:8080", "212.237.56.116:7080", "216.158.226.206:443", "110.232.117.186:8080", "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080", "81.0.236.90:443", "50.116.54.215:443", "138.185.72.26:8080", "51.68.175.8:8080", "210.57.217.132:8080"], "Public Key": ["RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2", "RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5"]}

Multi AV Scanner detection for submitted file

Show sources

Source: 6zAcNlJXo7.dll

Virustotal: Detection: 23%

Perma Link

Source: 6zAcNlJXo7.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE

Source: 6zAcNlJXo7.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.649095483.000000000467A000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000012.00000002.659957517.0000000000832000.00000004.00000001.sdmp

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED32FE7 FindFirstFileExW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED32FE7 FindFirstFileExW,

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 46.55.222.11:443
Source: Malware configuration extractor	IPs: 104.245.52.73:8080
Source: Malware configuration extractor	IPs: 41.76.108.46:8080
Source: Malware configuration extractor	IPs: 103.8.26.103:8080
Source: Malware configuration extractor	IPs: 185.184.25.237:8080
Source: Malware configuration extractor	IPs: 103.8.26.102:8080
Source: Malware configuration extractor	IPs: 203.114.109.124:443
Source: Malware configuration extractor	IPs: 45.118.115.99:8080
Source: Malware configuration extractor	IPs: 178.79.147.66:8080
Source: Malware configuration extractor	IPs: 58.227.42.236:80
Source: Malware configuration extractor	IPs: 45.118.135.203:7080
Source: Malware configuration extractor	IPs: 103.75.201.2:443
Source: Malware configuration extractor	IPs: 195.154.133.20:443
Source: Malware configuration extractor	IPs: 45.142.114.231:8080
Source: Malware configuration extractor	IPs: 212.237.5.209:443
Source: Malware configuration extractor	IPs: 207.38.84.195:8080
Source: Malware configuration extractor	IPs: 104.251.214.46:8080
Source: Malware configuration extractor	IPs: 212.237.17.99:8080
Source: Malware configuration extractor	IPs: 212.237.56.116:7080
Source: Malware configuration extractor	IPs: 216.158.226.206:443
Source: Malware configuration extractor	IPs: 110.232.117.186:8080
Source: Malware configuration extractor	IPs: 158.69.222.101:443
Source: Malware configuration extractor	IPs: 107.182.225.142:8080
Source: Malware configuration extractor	IPs: 176.104.106.96:8080
Source: Malware configuration extractor	IPs: 81.0.236.90:443
Source: Malware configuration extractor	IPs: 50.116.54.215:443
Source: Malware configuration extractor	IPs: 138.185.72.26:8080
Source: Malware configuration extractor	IPs: 51.68.175.8:8080
Source: Malware configuration extractor	IPs: 210.57.217.132:8080

Source: Joe Sandbox View	ASN Name: OnlineSASFR OnlineSASFR
Source: Joe Sandbox View	ASN Name: ARUBA-ASNIT ARUBA-ASNIT

Source: Joe Sandbox View	IP Address: 195.154.133.20 195.154.133.20
Source: Joe Sandbox View	IP Address: 212.237.17.99 212.237.17.99

Source: unknown

Network traffic detected: IP country count 19

Source: WerFault.exe, 00000014.00000003.690493466.0000000005241000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000002.693988608.0000000005241000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Amcache.hve.18.dr	String found in binary or memory: http://upx.sf.net

Source: loaddll32.exe, 00000000.00000002.695541549.000000000139B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 6.2.rundll32.exe.3202148.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.bb0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.630000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.13b3b30.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.bb0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.3380000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.bb0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.7a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6f2160.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.13b3b30.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.3202148.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.13b3b30.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.13b3b30.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.a33628.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.3180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.13b3b30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.13b3b30.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.610000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.bb0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.7a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.13b3b30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.bb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.bb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.13b3b30.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.3180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.a33628.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.bb0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.3380000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6f2160.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.13b3b30.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.bb0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.bb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.13b3b30.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.bb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.35f42a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.35f42a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000003.573611715.0000000000835000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.633116457.0000000003380000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.643248675.0000000000BB0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.770251757.0000000000A1A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.662542522.0000000000BB0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.642444707.00000000013AC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.770145294.00000000007A0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.610590191.00000000006DA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.695566646.00000000013AC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.642741548.00000000031EA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.663733322.00000000013AC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.620846196.0000000000610000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.642650507.0000000003180000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.633278452.00000000035DA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.662941579.00000000013AC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.610563535.0000000000630000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.643478517.00000000013AC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.641938795.0000000000BB0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.663509938.0000000000BB0000.00000040.00000010.sdmp, type: MEMORY

System Summary:

Source: 6zAcNlJXo7.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4600 -ip 4600

Source: C:\Windows\SysWOW64\rundll32.exe

File deleted: C:\Windows\SysWOW64\Vxxnweikxwymx\qsgm.ruf:Zone.Identifier

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Vxxnweikxwymx\

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BCED95
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC3ABE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BBAEB9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BCB0BA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC56A9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB68AD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC04A4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BBF4A5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BBC69B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BBF699
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BBD899
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB3085
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BD20F8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BBE6FD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BBBEF5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BD06EF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BBA8E8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC7EDD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BD0AD3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB54C0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB3E3B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BCCC3F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC0A37
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC0824
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BCBA18
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BD2C16
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC1C12
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BBF20D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BCE478
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BD1C71
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BD0C66
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC645F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC604E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB33A9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC77A7
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BCBFA1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC6B91
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB938F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BD1987
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB7D87
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BBF984
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB1DF9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BCD5FE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB6BFE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC91F7
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BBFBEF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BBB7EC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BD35E3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BCE7DA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC89DA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC13DB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB5DC3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB39C3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC4DC5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC0FC5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB2DC5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB7739
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC473A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC3130
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BBE336
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BCCF2C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BBB12E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB6125
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC8518
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB8112
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB4716
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB5314
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC710D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BCD10B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BD3306
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC5B7C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB597D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB2B7C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB2176
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BCC772
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB2575
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB196D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB996C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BCF561
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB5166
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BBDD66
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BD2560
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB9565
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB8D59
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB635F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BD2D4F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BD314A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB4F42
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BCC145
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED1A6D0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED1E6E0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED166E0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED15EA0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED20F10
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED11C10
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED175F4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED19D50
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED30A61
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED1D380
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED138C0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED201D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED1A6D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED1E6E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED166E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED15EA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED20F10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED11C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED175F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED19D50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED30A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED1D380
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED138C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED201D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007C06EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007BED95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007BE478
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007C1C71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007C0C66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007B645F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007B604E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A3E3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007BCC3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007B0A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007B0824
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007BBA18
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007B1C12
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007C2C16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007AF20D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007C20F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007AE6FD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007ABEF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007AA8E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007B7EDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007C0AD3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A54C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007BB0BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007AAEB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007B3ABE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007B56A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A68AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007B04A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007AF4A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007AC69B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007AF699
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007AD899
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A3085
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A2B7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007B5B7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A597D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007BC772
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A2176
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A2575
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A996C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A196D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007BF561
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A5166
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007ADD66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007C2560
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A9565
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A8D59
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A635F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007C2D4F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007C314A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A4F42
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007BC145
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007B473A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A7739
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007B3130
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007AE336
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007AB12E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007BCF2C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A6125
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007B8518
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A8112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A4716
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A5314
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007BD10B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007B710D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007C3306
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A1DF9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A6BFE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007BD5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007B91F7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007AFBEF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007AB7EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007C35E3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007B13DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007BE7DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007B89DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A5DC3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A39C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007B4DC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007B0FC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A2DC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A33A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007BBFA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007B77A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A938F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007C1987
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A7D87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007AF984

Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6ED11C10 appears 97 times
Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6ED2D350 appears 33 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6ED11C10 appears 97 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6ED2D350 appears 33 times

Source: C:\Windows\SysWOW64\rundll32.exe

Process Stats: CPU usage > 98%

Source: 6zAcNlJXo7.dll

Virustotal: Detection: 23%

Source: 6zAcNlJXo7.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,axamexdrqyrgb
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,bhramccfbdd
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Vxxnweikxwymx\qsgm.ruf",Yyhhzevh
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4600 -ip 4600
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 316
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4600 -ip 4600
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 324
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Vxxnweikxwymx\qsgm.ruf",Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,axamexdrqyrgb
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,bhramccfbdd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Vxxnweikxwymx\qsgm.ruf",Yyhhzevh
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Vxxnweikxwymx\qsgm.ruf",Control_RunDLL
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4600 -ip 4600
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 316
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4600 -ip 4600
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 324
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: C:\Windows\System32\svchost.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2F19.tmp

Jump to behavior

Source: classification engine

Classification label: mal80.troj.evad.winDLL@32/14@0/30

Source: C:\Windows\SysWOW64\rundll32.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,Control_RunDLL

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:2984:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:4764:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4600

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: 6zAcNlJXo7.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: 6zAcNlJXo7.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.649095483.000000000467A000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000012.00000003.652558525.0000000004A11000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.677352599.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000012.00000002.659957517.0000000000832000.00000004.00000001.sdmp

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB005E push esp; iretd
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB151C push ds; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BB150F push ds; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED39153 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED39153 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A005E push esp; iretd
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A151C push ds; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007A150F push ds; ret

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6ED1E4E0 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex,

Source: C:\Windows\SysWOW64\rundll32.exe

PE file moved: C:\Windows\SysWOW64\Vxxnweikxwymx\qsgm.ruf

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

File opened: C:\Windows\SysWOW64\Vxxnweikxwymx\qsgm.ruf:Zone.Identifier read attributes | delete

Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\svchost.exe

Process information queried: ProcessInformation

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED32FE7 FindFirstFileExW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED32FE7 FindFirstFileExW,

Source: C:\Windows\SysWOW64\rundll32.exe

File Volume queried: C:\ FullSizeInformation

Source: Amcache.hve.18.dr	Binary or memory string: VMware
Source: Amcache.hve.18.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.18.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.18.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.18.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.18.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.18.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.18.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.18.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.18.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.18.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WerFault.exe, 00000014.00000002.693957427.0000000005230000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.690547761.0000000005229000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.690564207.000000000522F000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000002.693828376.0000000005200000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.690533952.0000000005226000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.18.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.18.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.18.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.18.dr	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: WerFault.exe, 00000014.00000002.693957427.0000000005230000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.690547761.0000000005229000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.690564207.000000000522F000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.690533952.0000000005226000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWk
Source: Amcache.hve.18.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.18.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6ED2D1CC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6ED1E4E0 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex,

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6ED11290 GetProcessHeap,HeapAlloc,HeapFree,

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00BC4315 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED2C050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED2BFE0 mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED2BFE0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED312CB mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED3298C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED2C050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED2BFE0 mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED2BFE0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED312CB mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED3298C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007B4315 mov eax, dword ptr fs:[00000030h]

Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00BBE259 LdrInitializeThunk,

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED2CB22 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED2D1CC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED329E6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED2CB22 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED2D1CC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED329E6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",#1
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4600 -ip 4600
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 316
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4600 -ip 4600
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 324

Source: loaddll32.exe, 00000000.00000000.642609511.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.643813100.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.663012293.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.663784404.0000000001820000.00000002.00020000.sdmp, rundll32.exe, 00000015.00000002.819758478.0000000003020000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000000.642609511.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.643813100.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.663012293.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.663784404.0000000001820000.00000002.00020000.sdmp, rundll32.exe, 00000015.00000002.819758478.0000000003020000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000000.642609511.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.643813100.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.663012293.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.663784404.0000000001820000.00000002.00020000.sdmp, rundll32.exe, 00000015.00000002.819758478.0000000003020000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000000.642609511.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.643813100.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.663012293.0000000001820000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.663784404.0000000001820000.00000002.00020000.sdmp, rundll32.exe, 00000015.00000002.819758478.0000000003020000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6ED2CC44 cpuid

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6ED2CE15 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Source: Amcache.hve.LOG1.18.dr, Amcache.hve.18.dr	Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.18.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.LOG1.18.dr, Amcache.hve.18.dr	Binary or memory string: procexp.exe

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 6.2.rundll32.exe.3202148.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.bb0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.630000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.13b3b30.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.bb0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.3380000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.bb0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.7a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6f2160.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.13b3b30.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.3202148.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.13b3b30.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.13b3b30.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.a33628.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.3180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.13b3b30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.13b3b30.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.610000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.bb0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.7a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.13b3b30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.bb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.bb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.13b3b30.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.3180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.a33628.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.bb0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.3380000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6f2160.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.13b3b30.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.bb0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.bb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.13b3b30.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.bb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.35f42a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.35f42a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000003.573611715.0000000000835000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.633116457.0000000003380000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.643248675.0000000000BB0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.770251757.0000000000A1A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.662542522.0000000000BB0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.642444707.00000000013AC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.770145294.00000000007A0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.610590191.00000000006DA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.695566646.00000000013AC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.642741548.00000000031EA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.663733322.00000000013AC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.620846196.0000000000610000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.642650507.0000000003180000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.633278452.00000000035DA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.662941579.00000000013AC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.610563535.0000000000630000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.643478517.00000000013AC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.641938795.0000000000BB0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.663509938.0000000000BB0000.00000040.00000010.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Path Interception	Process Injection12	Masquerading2	Input Capture1	System Time Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion1	LSASS Memory	Security Software Discovery41	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Virtualization/Sandbox Evasion1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information2	Cached Domain Credentials	File and Directory Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Rundll321	DCSync	System Information Discovery13	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	File Deletion1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
6zAcNlJXo7.dll	23%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.0.loaddll32.exe.bb0000.9.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
0.0.loaddll32.exe.bb0000.6.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
5.2.rundll32.exe.3380000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
6.2.rundll32.exe.3180000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
4.2.rundll32.exe.630000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
12.2.rundll32.exe.7a0000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
0.2.loaddll32.exe.bb0000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
0.0.loaddll32.exe.bb0000.3.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
0.0.loaddll32.exe.bb0000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
3.2.rundll32.exe.610000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.18.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
195.154.133.20	unknown	France	12876	OnlineSASFR	true
212.237.17.99	unknown	Italy	31034	ARUBA-ASNIT	true
110.232.117.186	unknown	Australia	56038	RACKCORP-APRackCorpAU	true
104.245.52.73	unknown	United States	63251	METRO-WIRELESSUS	true
138.185.72.26	unknown	Brazil	264343	EmpasoftLtdaMeBR	true
81.0.236.90	unknown	Czech Republic	15685	CASABLANCA-ASInternetCollocationProviderCZ	true
45.118.115.99	unknown	Indonesia	131717	IDNIC-CIFO-AS-IDPTCitraJelajahInformatikaID	true
103.75.201.2	unknown	Thailand	133496	CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH	true
216.158.226.206	unknown	United States	19318	IS-AS-1US	true
107.182.225.142	unknown	United States	32780	HOSTINGSERVICES-INCUS	true
45.118.135.203	unknown	Japan	63949	LINODE-APLinodeLLCUS	true
50.116.54.215	unknown	United States	63949	LINODE-APLinodeLLCUS	true
51.68.175.8	unknown	France	16276	OVHFR	true
103.8.26.102	unknown	Malaysia	132241	SKSATECH1-MYSKSATECHNOLOGYSDNBHDMY	true
46.55.222.11	unknown	Bulgaria	34841	BALCHIKNETBG	true
41.76.108.46	unknown	South Africa	327979	DIAMATRIXZA	true
103.8.26.103	unknown	Malaysia	132241	SKSATECH1-MYSKSATECHNOLOGYSDNBHDMY	true
178.79.147.66	unknown	United Kingdom	63949	LINODE-APLinodeLLCUS	true
212.237.5.209	unknown	Italy	31034	ARUBA-ASNIT	true
176.104.106.96	unknown	Serbia	198371	NINETRS	true
207.38.84.195	unknown	United States	30083	AS-30083-GO-DADDY-COM-LLCUS	true
212.237.56.116	unknown	Italy	31034	ARUBA-ASNIT	true
45.142.114.231	unknown	Germany	44066	DE-FIRSTCOLOwwwfirst-colonetDE	true
203.114.109.124	unknown	Thailand	131293	TOT-LLI-AS-APTOTPublicCompanyLimitedTH	true
210.57.217.132	unknown	Indonesia	38142	UNAIR-AS-IDUniversitasAirlanggaID	true
58.227.42.236	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
185.184.25.237	unknown	Turkey	209711	MUVHOSTTR	true
158.69.222.101	unknown	Canada	16276	OVHFR	true
104.251.214.46	unknown	United States	54540	INCERO-HVVCUS	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	532221
Start date:	01.12.2021
Start time:	20:45:33
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 36s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	6zAcNlJXo7 (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.troj.evad.winDLL@32/14@0/30
EGA Information:	Failed
HDC Information:	Successful, ratio: 15.4% (good quality ratio 14.5%) Quality average: 75.1% Quality standard deviation: 26.2%
HCA Information:	Successful, ratio: 68% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe Excluded IPs from analysis (whitelisted): 23.54.113.53, 52.182.143.212 Excluded domains from analysis (whitelisted): e12564.dspb.akamaiedge.net, client.wns.windows.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, watson.telemetry.microsoft.com Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:49:37	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
195.154.133.20	mal.dll	Get hash	malicious	Browse
	mal2.dll	Get hash	malicious	Browse
	mal.dll	Get hash	malicious	Browse
	mal2.dll	Get hash	malicious	Browse
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse
	9sQccNfqAR.dll	Get hash	malicious	Browse
	FILE_464863409880121918.xlsm	Get hash	malicious	Browse
	9sQccNfqAR.dll	Get hash	malicious	Browse
	t3XtgyQEoe.dll	Get hash	malicious	Browse
	t3XtgyQEoe.dll	Get hash	malicious	Browse
	SCAN_35292280954166786.xlsm	Get hash	malicious	Browse
	U4pi8WRxNJ.dll	Get hash	malicious	Browse
	oERkAQeB4d.dll	Get hash	malicious	Browse
	FC9fpZrma1.dll	Get hash	malicious	Browse
	Z4HpRSQD6I.dll	Get hash	malicious	Browse
	uLCt7sc5se.dll	Get hash	malicious	Browse
	rGF1Xgw9Il.dll	Get hash	malicious	Browse
	nBtjFS1D08.dll	Get hash	malicious	Browse
	q8HPR8Yypk.dll	Get hash	malicious	Browse
212.237.17.99	mal.dll	Get hash	malicious	Browse
	mal2.dll	Get hash	malicious	Browse
	mal.dll	Get hash	malicious	Browse
	mal2.dll	Get hash	malicious	Browse
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse
	9sQccNfqAR.dll	Get hash	malicious	Browse
	FILE_464863409880121918.xlsm	Get hash	malicious	Browse
	9sQccNfqAR.dll	Get hash	malicious	Browse
	t3XtgyQEoe.dll	Get hash	malicious	Browse
	t3XtgyQEoe.dll	Get hash	malicious	Browse
	SCAN_35292280954166786.xlsm	Get hash	malicious	Browse
	U4pi8WRxNJ.dll	Get hash	malicious	Browse
	oERkAQeB4d.dll	Get hash	malicious	Browse
	FC9fpZrma1.dll	Get hash	malicious	Browse
	Z4HpRSQD6I.dll	Get hash	malicious	Browse
	uLCt7sc5se.dll	Get hash	malicious	Browse
	rGF1Xgw9Il.dll	Get hash	malicious	Browse
	nBtjFS1D08.dll	Get hash	malicious	Browse
	q8HPR8Yypk.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ARUBA-ASNIT	DHL DOCUMENT FOR #504.exe	Get hash	malicious	Browse	62.149.128.40
	RqgAGRvHNwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	RqgAGRvHNwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	dFUOuTxFQrXAwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	RbrKCqqjDPUwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	dFUOuTxFQrXAwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	RbrKCqqjDPUwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	mal.dll	Get hash	malicious	Browse	212.237.56.116
	mal2.dll	Get hash	malicious	Browse	212.237.56.116
	mal.dll	Get hash	malicious	Browse	212.237.56.116
	GYRxsMXKtvwSwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	KsXtuXmxoZvgudVwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	xTpcaEZvwmHqwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	mal2.dll	Get hash	malicious	Browse	212.237.56.116
	GYRxsMXKtvwSwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	KsXtuXmxoZvgudVwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	xTpcaEZvwmHqwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	invoice template 33142738819.docx	Get hash	malicious	Browse	94.177.217.88
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse	212.237.56.116
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse	212.237.56.116
OnlineSASFR	mal.dll	Get hash	malicious	Browse	195.154.133.20
	mal2.dll	Get hash	malicious	Browse	195.154.133.20
	mal.dll	Get hash	malicious	Browse	195.154.133.20
	mal2.dll	Get hash	malicious	Browse	195.154.133.20
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse	195.154.133.20
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse	195.154.133.20
	spZRMihlrkFGqYq1f.dll	Get hash	malicious	Browse	195.154.146.35
	spZRMihlrkFGqYq1f.dll	Get hash	malicious	Browse	195.154.146.35
	AtlanticareINV25-67431254.htm	Get hash	malicious	Browse	51.15.17.195
	9sQccNfqAR.dll	Get hash	malicious	Browse	195.154.133.20
	FILE_464863409880121918.xlsm	Get hash	malicious	Browse	195.154.133.20
	9sQccNfqAR.dll	Get hash	malicious	Browse	195.154.133.20
	t3XtgyQEoe.dll	Get hash	malicious	Browse	195.154.133.20
	t3XtgyQEoe.dll	Get hash	malicious	Browse	195.154.133.20
	67MPsax8fd.exe	Get hash	malicious	Browse	163.172.208.8
	Linux_x86	Get hash	malicious	Browse	212.83.174.79
	184285013-044310-Factura pendiente (2).exe	Get hash	malicious	Browse	212.83.130.20
	MTjXit7IJn	Get hash	malicious	Browse	51.158.219.54
	SCAN_35292280954166786.xlsm	Get hash	malicious	Browse	195.154.133.20
	gvtdsqavfej.dll	Get hash	malicious	Browse	195.154.146.35

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_8c5962cbbdb13a8671f1f3c3793157e73bd5d897_d70d8aa6_108aca62\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6753013994270348
Encrypted:	false
SSDEEP:	96:7v0oRgZqyDy9hkoyt7JfapXIQcQ5c6A2cE2cw33+a+z+HbHgbEVG4rmMOyWZAXGT:onBSHnM28jjKfq/u7snS274ItW
MD5:	A04197D8171DB35605555768A51CE760
SHA1:	9E69A23ECBE745613436AABE071D6FFE7B5B1009
SHA-256:	40E5391063796C6232D0B738EEC994D9D385C45A554F38FD4E68AE7AB6CF8DB5
SHA-512:	D6D0DFD7D0FD812987E71DF25D98700734B90D454F9DDDCC6402AC303773631A829242D639991BB6457652C5EC48532D05C347356113466C92C044F34A015C85
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.2.8.9.4.1.5.8.3.5.6.2.0.8.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.4.5.f.a.d.8.9.-.e.a.6.c.-.4.c.6.0.-.9.a.9.4.-.4.6.a.e.2.8.9.3.0.0.2.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.b.b.d.0.3.1.2.-.a.3.6.4.-.4.c.c.b.-.a.2.5.4.-.7.e.8.7.2.9.c.f.f.f.e.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.1.f.8.-.0.0.0.1.-.0.0.1.c.-.f.a.6.f.-.7.2.9.4.3.7.e.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.0.9././.2.8.:.1.1.:.5.3.:.0.5.!.0.!.l.o.a.d.d.l.l.3.2...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_d71d33d652a62c864cb684e881f783bcee8c2df7_d70d8aa6_0ac3046d\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6791738172948202
Encrypted:	false
SSDEEP:	96:v4F/nRRgZqy1y9hk1Dg3fWpXIQcQmc6W6hcEPcw3f+a+z+HbHgbEVG4rmMOyWZA6:AdnCBVH45FLjKfq/u7snS274ItW
MD5:	2EDD6CFCCA5567F4DAF7568B3A611460
SHA1:	428380B6711881E57504013CA111133A801FBEFA
SHA-256:	E7C7F843273CB0EEFFDEA280155FF63D9642BFFB29C841E83692644CC22E12A9
SHA-512:	51B1A6032A9854FBAC7645547390CFD8C14FB02EE8D7788B2A0E4C92CAB62216FDA983EFBF9F1839E27AF786F60238DDBC522C98C9A3039DB54C497BC95000B4
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.2.8.9.4.1.6.7.2.6.8.7.7.6.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.2.8.9.4.1.7.5.7.6.8.7.3.1.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.6.6.1.8.1.2.3.-.1.f.b.2.-.4.c.8.e.-.b.0.3.c.-.c.2.b.c.a.7.5.1.7.d.d.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.2.4.a.9.6.a.8.-.8.1.8.c.-.4.d.7.8.-.a.9.c.a.-.6.3.9.5.d.f.7.d.8.c.9.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.1.f.8.-.0.0.0.1.-.0.0.1.c.-.f.a.6.f.-.7.2.9.4.3.7.e.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2F19.tmp.csv Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	51788
Entropy (8bit):	3.080081923801942
Encrypted:	false
SSDEEP:	1536:u+Hx0zJNqjV8P+RnQd0FeWNik9TzuBV4t+5ylSjaFP1vL0Z6y8nlP98cufm:u+Hx0zJNqjV8P+RnQd0Fe6ik9TzuBV41
MD5:	9A4DBB47295518EE4D393F88424041FC
SHA1:	F0F8C8449E588ECFBDC5F024C6F76663E8A83429
SHA-256:	687E9AF350F22D9DF3E10DB9986D51D08E95E838F5AF88F6B388AF08E135ED9B
SHA-512:	072D69A12C12F16F994B13A9E0AC297882096FD2F102B126118850422A5539C844EA6ADAE51B2E01438B329D58210B525A8C5C7C82AEDD9CE203B1CD645C85EA
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3534.tmp.txt Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.6949640027342316
Encrypted:	false
SSDEEP:	96:9GiZYWBbIG2dY+Y4dWI7HrUYEZGKtk0iUOVj4VwSlPQa8cUrlRo9I6h3:9jZDOp15LZUSa8cU5RoC6h3
MD5:	F65DE600063E97CDD599CD2CFB2F8273
SHA1:	8694016237B85B60D705CC24C4CA5CF959FD460C
SHA-256:	D94A0392D96A6C0275FCC302399155680441C2F163920E7F99A8EEA53129266D
SHA-512:	D2F80A72CC082D92CAF875A01C9DB5C01799C4DF14BBA22FC42E7F50BD816418FE8C9294FEC29B3A435B3152A7B77CD3209E8BAC111B2EEBD9600436A0D628B7
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\ProgramData\Microsoft\Windows\WER\Temp\WER64A2.tmp.csv Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	51408
Entropy (8bit):	3.0808206673061047
Encrypted:	false
SSDEEP:	1536:OjHz0NRRNxJzsFQ+HPXn2sYd6cUib5T/NVVptP0yeTl6B94oeqnyMhl6dF7q:OjHz0NRRNxJzsFQ+HPXn2sYd6Fib5T/t
MD5:	C2B998504BF85E9484A10E370E9B9DC8
SHA1:	BF52B033A37AE019F62E6170AD44F218766AB395
SHA-256:	94C5E2905D9F8C1CC1DD9C0922C0F42941CEEBFD9B3459E8557C5CF49A54B620
SHA-512:	CEC2F4E2636511C5F9C1A1D5B262EBB4E4DB6DDEF3C4DA1A18C875136506883D117E13FADDB41F199223DBD55B3120F3470DE2A4140AC7F7F20A9832C9027DA2
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER68BA.tmp.txt Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.6950402063171075
Encrypted:	false
SSDEEP:	96:9GiZYWbgvdYaaYRYFWIBMHtUYEZ5DItk0ioOQ4DwL+ea0QWyjoQIOy3:9jZDb7mcBhDcRa0QWyjonOy3
MD5:	B22D566D42CDEBEF28E25F164671622A
SHA1:	104BBE3CB4B5D6C14181C60418B522DEB3C86A16
SHA-256:	5E0370AFD624E8F88CA7E4B0D1A171399212EC6BEE68D34C57FD4D6C9926DC84
SHA-512:	D65DF634FCCC1F3E57B8AB0D162E337523B3DAD7BC6B7ADC84EA460551413BE0EE49A946A167DDEC2AF6750A5B3A9DE5C332D4516C8CADD399811349C06B199C
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBAC2.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Dec 2 04:49:19 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	26336
Entropy (8bit):	2.515829097380295
Encrypted:	false
SSDEEP:	192:0ubyVdiGCkOlrqHNmuUSf65+dLm8JpmBhJnPObbyuuqS8Hrmew:ob4lrqLaKmVnPsbyuuqk9
MD5:	56B3C85DBF7845346109FF161270FF5C
SHA1:	F14E90E6F207D64A69824A124F982E6685F361C9
SHA-256:	23AE9A861AA5D6C87B35C6B1B3D67E8B90072D9D464A7D8732B007ABF898062F
SHA-512:	F2A95F07430CA1ECE95C5699A2E69F4D5494E4E05DA43CCC8200478B9EDF07BEA7B50E9B57B64FA7B95BD635840813BB8BA5BA9DF30CA9DE32D74774A531D0E7
Malicious:	false
Preview:	MDMP....... .......OP.a............4...............H.......$...........................`.......8...........T...........h...xZ...........................................................................................U...........B......p.......GenuineIntelW...........T............O.a5............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBFE3.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8342
Entropy (8bit):	3.6996052692968955
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiYs6WBXF6YFKSUGp+gmfsSzRCpBI89brYsfpZm:RrlsNij6a6YISUGggmfsSzerLfG
MD5:	258B4B551ED9B8BD517B2A00864D0FD5
SHA1:	14093629D217375354BBD062667E3EA234728568
SHA-256:	22DDA5F6440A81183E660AC7EFF995AD5754D9D4313549B04EC7C50D655F280C
SHA-512:	9B4589560F94F24159E9FFA5E2E8FE167DE6737B7A6C3279ED70E872EAFD51638ED42DFA84CEAA4928639CF9EDD489DC913AD2EFABB1AA6560FC587654911249
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.6.0.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC265.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4598
Entropy (8bit):	4.477906873124645
Encrypted:	false
SSDEEP:	48:cvIwSD8zsGJgtWI95lWSC8B68fm8M4J2yzZFV+q84WvtKcQIcQwQUd:uITfc2USNlJJRgtKkwQUd
MD5:	66815A17FF61A397001E78C0174C0FBC
SHA1:	47A94A29B19B6CFB7F3A6DA71B1B59AA43D446CA
SHA-256:	DFA32D0F7898E6C0297C32D2701D524935161FBFC0A90B297BFB724026A028B3
SHA-512:	71114D2584D13E43C8A87D9294FCF83C35143A51BF501FF5530341CBF5119E7F42023F6B10CF7719B1AFA18147B143261E9188CC09BFD29D8D3210578602F794
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1279559" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD8C.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Dec 2 04:49:28 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	1059352
Entropy (8bit):	1.3588583314157108
Encrypted:	false
SSDEEP:	1536:lSuZlIU8Sb8oZl4pr/pjQasKJpY5g3o60obdMOQeub+JTUq:wOl7+x/53d/S2bdMOQBq
MD5:	6E32ABF681704B6F1B5E4285D3965238
SHA1:	9103EE43F5F37AA2E02E3AD125FA65B1972BD36C
SHA-256:	6895D9D49A84C91F1DAC5321B3B55008B457FA2584ED10642CE4FA490EAE4637
SHA-512:	8F7B6D7838D56AD9C322B599E773A3522F336BC3D0E5B49B38B05AC8872A0A600D7AD49910590C6D0A387A880A909FE9688D010A8BA08EF9A5DE1A3793333EE3
Malicious:	false
Preview:	MDMP....... .......XP.a............4...............H.......$...........................`.......8...........T...........@................................................................................................U...........B......p.......GenuineIntelW...........T............O.a5............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF470.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8302
Entropy (8bit):	3.6937495262771307
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiYG6eB6YFPSUZvzvYgmfL8GSFCpDc89bzYsfCRRm:RrlsNip6g6YtSUhzQgmfLrSszLfC2
MD5:	E7787FE4AD76CF7BFC11A2F71CDBF514
SHA1:	7A330087A1D749AB5231B847EACCC12D29128CC5
SHA-256:	9E91EB6D12CD9BFB03B903A332593745E347A646F2ECF66A959EA8A09189F4C3
SHA-512:	4C13F833DF7C5BFCAD4686C1C8BFDA9BCBE90931F59AD115BCD4277D5DFA6F5B091D8BAB51F47C15F6C5BBE0C0C2B901B28FF95171E9D4CD89C9ABEFE8DB2935
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.6.0.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF7EC.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4558
Entropy (8bit):	4.43323153844137
Encrypted:	false
SSDEEP:	48:cvIwSD8zs6JgtWI95lWSC8Ba8fm8M4J2yGtFdAo+q84tjhKcQIcQwQUd:uITfI2USNRJEVAoxhKkwQUd
MD5:	8BBF39B2A89D619397327A2E60A60953
SHA1:	FD745102E02BC303AD054DE1EF8A46DF80DFC1CE
SHA-256:	1E7BD9401AC227DF593C760F181386523FD7067A762F53266024BBBCA7CB1D34
SHA-512:	63027E2227DFA5827CC41C2530328D26C814CF381D63BBE94D1B64406BAAF700207D296A3148A33DD824BA1EEF9329279418699D6C92F01F335E5CC1FDD65F4F
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1279560" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Windows\appcompat\Programs\Amcache.hve Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.271262820355482
Encrypted:	false
SSDEEP:	12288:zUgsDNYix9xAgG9z7VhMLQyKhevdwNnBtxGawapXXii4hJdkEpgD+:wgsDNYix9xAgG9gU
MD5:	B489DEF7D70B07066828670FAA276F31
SHA1:	1A0915DC698FCFB1E62A5440685815852AF78120
SHA-256:	EFB419732C122958CC9AA6B0E9507B2B0F5849AFC95D868E58D02D834D8DEFC6
SHA-512:	613F301EEAFB8FE7B86925B976B18D58AF38873FC2810896E8B62C1BF7C6679D94921284C7BB7BA9B65D78E5FE54EDF32ACDBF5C1313BE987FA2575D3BBA040E
Malicious:	false
Preview:	regf[...[...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.wB.7................................................................................................................................................................................................................................................................................................................................................#F.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1 Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	3.3969616120920665
Encrypted:	false
SSDEEP:	192:vp50I8i1Zynhu29GCYI5FSEsWftx1YxgoJ4XPaJNSdkyFn6yvRrsfGdWfYjdsiD3:/rM5Rftx1YPJ4XP7FFn7XZd1DoXzCz
MD5:	B4403645932E719748C42ED4B39083EF
SHA1:	CC150B5083BB44E264F7585E2B49CAE962313959
SHA-256:	E24CD789B01869D6D6EFA1EB2E04990791EB811433FDE90665A08014D86ADB8E
SHA-512:	B4CDF911F406337159FFCCA5C7211B22E5E05388BDE104E424085AFA815FB1A86AD6A155A338867207B1713BFEFA5AD942970D2014DC5F67F76B7DAB0338783D
Malicious:	false
Preview:	regfZ...Z...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.wB.7................................................................................................................................................................................................................................................................................................................................................#F.HvLE.>......Z.............-..E..H>.T...A.........0..............hbin................p.\..,..........nk,.E.D.7................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk .E.D.7....... ........................... .......Z.......................Root........lf......Root....nk .E.D.7....................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck.......p...

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.970978880732997
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	6zAcNlJXo7.dll
File size:	387072
MD5:	c7e23f2764d6ed9b59b0fed69a4488b0
SHA1:	67f31b13485f91be7952b3df5628f14ef1c86a38
SHA256:	d048f196a39fc7dae500b057fa000ebbb81ae2e6c18b4ddff445e8d7163f20ab
SHA512:	1184f739b241155c46fda5c005af5010de100dd50f406965ae39701029a8304810359cc85e589eefc3afa494c3204fb467691b3f0b23c74eb32be26f3a4ca927
SSDEEP:	6144:zBYrPMTsY8GR3j4fubnY6Zs/Bv6yGM6aSTsfA2qL6jpXNcc6CEteuQJPIgtlpZ5L:yhmT4GbnYks/BJGNWo2LjpScDEteuOIi
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0...Q...Q...Q..E#...Q..E#...Q..E#...Q../$...Q...$...Q...$...Q...$...Q..E#...Q...Q...Q...Q...Q../$...Q../$...Q..Rich.Q.........

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x1001cac1
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61A73B52 [Wed Dec 1 09:07:30 2021 UTC]
TLS Callbacks:	0x1000c340
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	609402ef170a35cc0e660d7d95ac10ce

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F8E50B13BC7h
call 00007F8E50B13F58h
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F8E50B13A73h
add esp, 0Ch
pop ebp
retn 000Ch
push ebp
mov ebp, esp
push dword ptr [ebp+08h]
call 00007F8E50B1446Eh
pop ecx
pop ebp
ret
push ebp
mov ebp, esp
jmp 00007F8E50B13BCFh
push dword ptr [ebp+08h]
call 00007F8E50B17F54h
pop ecx
test eax, eax
je 00007F8E50B13BD1h
push dword ptr [ebp+08h]
call 00007F8E50B17FD0h
pop ecx
test eax, eax
je 00007F8E50B13BA8h
pop ebp
ret
cmp dword ptr [ebp+08h], FFFFFFFFh
je 00007F8E50B14533h
jmp 00007F8E50B14510h
push ebp
mov ebp, esp
push 00000000h
call dword ptr [1002A08Ch]
push dword ptr [ebp+08h]
call dword ptr [1002A088h]
push C0000409h
call dword ptr [1002A040h]
push eax
call dword ptr [1002A090h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [1002A094h]
test eax, eax
je 00007F8E50B13BC7h
push 00000002h
pop ecx
int 29h
mov dword ptr [1005E278h], eax
mov dword ptr [1005E274h], ecx
mov dword ptr [1005E270h], edx
mov dword ptr [1005E26Ch], ebx
mov dword ptr [1005E268h], esi
mov dword ptr [1005E264h], edi
mov word ptr [eax], es

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x5b590	0x614	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5bba4	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x60000	0x1bc0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x5a1dc	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x5a300	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x5a230	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2a000	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28bb4	0x28c00	False	0.53924822661	data	6.1540438823	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x2a000	0x32362	0x32400	False	0.817810362251	data	7.40645886779	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5d000	0x1ba4	0x1200	False	0.287109375	data	2.60484752417	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0x5f000	0x4c4	0x600	False	0.360677083333	AmigaOS bitmap font	2.17228109861	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc	0x60000	0x1bc0	0x1c00	False	0.7880859375	data	6.62631718459	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

KERNEL32.dll

HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, GetModuleHandleA, GetProcAddress, TlsGetValue, TlsSetValue, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, AcquireSRWLockShared, ReleaseSRWLockShared, SetLastError, GetEnvironmentVariableW, GetLastError, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentThread, RtlCaptureContext, ReleaseMutex, WaitForSingleObjectEx, LoadLibraryA, CreateMutexA, CloseHandle, GetStdHandle, GetConsoleMode, WriteFile, WriteConsoleW, TlsAlloc, GetCommandLineW, CreateFileA, GetTickCount64, CreateFileW, SetFilePointerEx, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RaiseException, RtlUnwind, InterlockedFlushSList, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, GetFileType, GetStringTypeW, HeapSize, SetStdHandle, FlushFileBuffers, GetConsoleOutputCP, DecodePointer

USER32.dll

GetDC, ReleaseDC, GetWindowRect

Exports

Name	Ordinal	Address
Control_RunDLL	1	0x100010a0
axamexdrqyrgb	2	0x100017b0
bhramccfbdd	3	0x10001690
bptyjtyr	4	0x10001640
bxoqrnuua	5	0x100016c0
cegjceivzmgdcffk	6	0x100014e0
cgxpyqfkocm	7	0x10001480
chjbtsnqmvl	8	0x10001540
crfsijq	9	0x10001730
empxfws	10	0x10001590
fbgcvvbrlowsjsj	11	0x10001550
fjhmprw	12	0x10001660
gfqdajfucnxrv	13	0x10001850
hcloldazhuvj	14	0x10001790
idcumrbybo	15	0x10001500
ihvpwdsfllpvrzy	16	0x10001750
iuzqizpdhxqkmf	17	0x100014c0
jaarlqsruhrwpipt	18	0x100016e0
jndshbhgxdkvvtj	19	0x10001600
jniijdleqsyajeis	20	0x10001650
jtjqgma	21	0x100016f0
kffxtbzhfgbqlu	22	0x10001630
kwxkzdhqe	23	0x100016d0
lidhnvsukgiuabh	24	0x100016b0
ltcrkednwfkup	25	0x10001820
lvrmqgtvhsegpbvmq	26	0x10001770
mxvwvnerswyylp	27	0x10001520
ndlmbjceavqdintmv	28	0x100017d0
nvnriipkwrmxwsu	29	0x10001510
oafxfavxmi	30	0x10001570
ocwutlohg	31	0x100014b0
olcklbdvo	32	0x10001680
pawvqfmiz	33	0x100015e0
pdmomnjmmryopqza	34	0x10001560
plzkvjcbz	35	0x10001710
poasqvltrkgvepng	36	0x10001840
psjoyjhsrkg	37	0x100015b0
qdimtzieldbl	38	0x10001620
qzvngjfyuxpjag	39	0x10001580
relsounb	40	0x100016a0
rykebhcisi	41	0x10001670
snrvgvzpjh	42	0x100017c0
sqnfcfmocgbg	43	0x10001740
sxgllzweihxqxi	44	0x10001760
tgagxhhcfj	45	0x10001780
thjyvtvttwpah	46	0x10001830
uvypobslemtipv	47	0x10001640
vgidwtjsbwpxkdxj	48	0x100017a0
wahhdker	49	0x100014a0
wamqmispvbxt	50	0x100015f0
witvsjavqyw	51	0x10001720
wopabadcwdizvwlgk	52	0x10001490
wpzyecljz	53	0x10001800
wukgfirfwilhu	54	0x100015d0
xntbmrrxs	55	0x100017f0
xsxwxreryufxwuhh	56	0x10001700
xvgdevijtw	57	0x10001610
ydvqidso	58	0x100015c0
yggdjrsewuw	59	0x100015a0
zaeqdmhaky	60	0x100017e0
zakvwkjnk	61	0x10001700
zqbggkzy	62	0x100014f0
zqtdpertk	63	0x100014d0
zshfybkvzv	64	0x10001810
zxxopqyvfoesyhmup	65	0x10001530

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 4600 Parent PID: 4000

General

Start time:	20:46:33
Start date:	01/12/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll"
Imagebase:	0x1160000
File size:	893440 bytes
MD5 hash:	72FCD8FB0ADC38ED9050569AD673650E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.643248675.0000000000BB0000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.662542522.0000000000BB0000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.642444707.00000000013AC000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.695566646.00000000013AC000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.663733322.00000000013AC000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.695194843.0000000000BB0000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.662941579.00000000013AC000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.643478517.00000000013AC000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.641938795.0000000000BB0000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.663509938.0000000000BB0000.00000040.00000010.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: cmd.exe PID: 6692 Parent PID: 4600

General

Start time:	20:46:33
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",#1
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 4520 Parent PID: 4600

General

Start time:	20:46:34
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,Control_RunDLL
Imagebase:	0xc20000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000003.573611715.0000000000835000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.620846196.0000000000610000.00000040.00000010.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exe PID: 4352 Parent PID: 6692

General

Start time:	20:46:34
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",#1
Imagebase:	0xc20000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.610590191.00000000006DA000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.610563535.0000000000630000.00000040.00000010.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exe PID: 6324 Parent PID: 4600

General

Start time:	20:46:38
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,axamexdrqyrgb
Imagebase:	0xc20000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.633116457.0000000003380000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.633278452.00000000035DA000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exe PID: 160 Parent PID: 4600

General

Start time:	20:46:46
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\6zAcNlJXo7.dll,bhramccfbdd
Imagebase:	0xc20000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.642741548.00000000031EA000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.642650507.0000000003180000.00000040.00000010.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exe PID: 6712 Parent PID: 4352

General

Start time:	20:48:43
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL
Imagebase:	0xc20000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 5696 Parent PID: 4520

General

Start time:	20:48:44
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Vxxnweikxwymx\qsgm.ruf",Yyhhzevh
Imagebase:	0xc20000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.770251757.0000000000A1A000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.770145294.00000000007A0000.00000040.00000010.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exe PID: 1304 Parent PID: 6324

General

Start time:	20:49:01
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL
Imagebase:	0xc20000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 5816 Parent PID: 572

General

Start time:	20:49:10
Start date:	01/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 5712 Parent PID: 160

General

Start time:	20:49:10
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\6zAcNlJXo7.dll",Control_RunDLL
Imagebase:	0xc20000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: WerFault.exe PID: 2984 Parent PID: 5816

General

Start time:	20:49:11
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4600 -ip 4600
Imagebase:	0xa80000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: WerFault.exe PID: 4412 Parent PID: 4600

General

Start time:	20:49:16
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 316
Imagebase:	0xa80000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: WerFault.exe PID: 4764 Parent PID: 5816

General

Start time:	20:49:23
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4600 -ip 4600
Imagebase:	0xa80000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: WerFault.exe PID: 2932 Parent PID: 4600

General

Start time:	20:49:25
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 324
Imagebase:	0xa80000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 6104 Parent PID: 5696

General

Start time:	20:50:13
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Vxxnweikxwymx\qsgm.ruf",Control_RunDLL
Imagebase:	0xc20000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 6zAcNlJXo7

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Emotet

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Exports

Network Behavior

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: loaddll32.exe PID: 4600 Parent PID: 4000