Play interactive tour

Edit tour

Windows Analysis Report 3pO1282Kpx.dll

Overview

General Information

Sample Name:	3pO1282Kpx.dll
Analysis ID:	532438
MD5:	173345845a2a7d0d99c17bdc5445df90
SHA1:	35ed97b5ac5a3ed0fdc00eabff20f3bfcdfc8a7c
SHA256:	9ed58848f0a7b354a32d4ef67ea9ff70ba75f9238c39d9f1af88fae6811cb504
Tags:	32dllexetrojan
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Emotet

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Abnormal high CPU Usage

AV process strings found (often used to terminate AV products)

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Checks if the current process is being debugged

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries disk information (often used to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6544 cmdline: loaddll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)

cmd.exe (PID: 4652 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6256 cmdline: rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6040 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6088 cmdline: rundll32.exe C:\Users\user\Desktop\3pO1282Kpx.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5280 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Tbiyedppjzsf\xswipktkmrv.drt",WgszfYRBINQe MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 4532 cmdline: rundll32.exe C:\Users\user\Desktop\3pO1282Kpx.dll,ajkaibu MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 4112 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6612 cmdline: rundll32.exe C:\Users\user\Desktop\3pO1282Kpx.dll,akyncbgollmj MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 1508 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 3520 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6544 -s 324 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 3424 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6544 -s 332 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

svchost.exe (PID: 6920 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 7160 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)

WerFault.exe (PID: 6936 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6544 -ip 6544 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 6800 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6544 -ip 6544 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

svchost.exe (PID: 5636 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 1040 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6264 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.693163248.0000000001210000.00000040.00000010.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000001.00000002.693163248.0000000001210000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000001.00000000.638369835.000000000131B000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000001.00000000.638310393.0000000001210000.00000040.00000010.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000001.00000000.638310393.0000000001210000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.634927199.0000000002E0A000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.636690720.00000000032EA000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000001.00000000.662291713.0000000001210000.00000040.00000010.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000001.00000000.662291713.0000000001210000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000001.00000000.663123528.0000000001210000.00000040.00000010.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000001.00000000.663123528.0000000001210000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000002.638357953.0000000000650000.00000040.00000010.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000006.00000002.638357953.0000000000650000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.637148475.0000000003200000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000004.00000002.637148475.0000000003200000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000001.00000002.693214956.000000000131B000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000003.597595639.0000000003259000.00000004.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000004.00000003.597595639.0000000003259000.00000004.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000001.00000000.641147134.000000000131B000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000002.638392292.00000000006FA000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000001.00000000.663179674.000000000131B000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000001.00000000.662403503.000000000131B000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.634790004.0000000000B90000.00000040.00000010.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000007.00000002.634790004.0000000000B90000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.636271952.0000000003100000.00000040.00000010.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000005.00000002.636271952.0000000003100000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000001.00000000.640836289.0000000001210000.00000040.00000010.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000001.00000000.640836289.0000000001210000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 23 entries

Unpacked PEs

Source	Rule	Description	Author
7.2.rundll32.exe.2e221e0.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.2e221e0.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
1.0.loaddll32.exe.1210000.3.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.0.loaddll32.exe.1210000.3.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
1.2.loaddll32.exe.1333540.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.2.loaddll32.exe.1333540.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.3200000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
4.2.rundll32.exe.3200000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.3100000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
5.2.rundll32.exe.3100000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.3200000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
4.2.rundll32.exe.3200000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
1.0.loaddll32.exe.1210000.9.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.0.loaddll32.exe.1210000.9.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.713568.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
6.2.rundll32.exe.713568.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
1.0.loaddll32.exe.1210000.3.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.0.loaddll32.exe.1210000.3.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.650000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
6.2.rundll32.exe.650000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
1.0.loaddll32.exe.1210000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.0.loaddll32.exe.1210000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
1.0.loaddll32.exe.1333540.4.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.0.loaddll32.exe.1333540.4.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
1.0.loaddll32.exe.1333540.10.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.0.loaddll32.exe.1333540.10.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.3100000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
5.2.rundll32.exe.3100000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
1.0.loaddll32.exe.1210000.6.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.0.loaddll32.exe.1210000.6.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
1.0.loaddll32.exe.1210000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.0.loaddll32.exe.1210000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
1.0.loaddll32.exe.1333540.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.0.loaddll32.exe.1333540.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.713568.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
6.2.rundll32.exe.713568.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
1.0.loaddll32.exe.1333540.7.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.0.loaddll32.exe.1333540.7.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
1.0.loaddll32.exe.1333540.4.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.0.loaddll32.exe.1333540.4.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.2e221e0.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.2e221e0.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.b90000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.b90000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.650000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
6.2.rundll32.exe.650000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
1.0.loaddll32.exe.1333540.7.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.0.loaddll32.exe.1333540.7.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
1.2.loaddll32.exe.1210000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.2.loaddll32.exe.1210000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
1.2.loaddll32.exe.1333540.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.2.loaddll32.exe.1333540.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.3303590.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
5.2.rundll32.exe.3303590.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
1.0.loaddll32.exe.1210000.6.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.0.loaddll32.exe.1210000.6.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
1.2.loaddll32.exe.1210000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.2.loaddll32.exe.1210000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.b90000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.b90000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
1.0.loaddll32.exe.1210000.9.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.0.loaddll32.exe.1210000.9.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.3303590.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
5.2.rundll32.exe.3303590.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
1.0.loaddll32.exe.1333540.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.0.loaddll32.exe.1333540.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
1.0.loaddll32.exe.1333540.10.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.0.loaddll32.exe.1333540.10.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 63 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: 3pO1282Kpx.dll	Virustotal: Detection: 23%			Perma Link
Source: 3pO1282Kpx.dll	ReversingLabs: Detection: 18%

Source: 3pO1282Kpx.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE

Source: 3pO1282Kpx.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.650010447.0000000004329000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.666367575.0000000000A2C000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.666826708.0000000000A2C000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source:	Binary string: a4pjr7pCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000013.00000002.659568546.00000000004A2000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000016.00000003.666367575.0000000000A2C000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.666826708.0000000000A2C000.00000004.00000001.sdmp

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F250AA5 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F250AA5 FindFirstFileExW,FindNextFileW,FindClose,FindClose,

Source: svchost.exe, 0000000A.00000002.744676034.0000020495E61000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.689793778.00000000047AB000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.689756060.000000000479B000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.692147175.00000000047AC000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000000A.00000002.744484037.0000020495E12000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000000A.00000002.742753085.00000204906AF000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlso
Source: Amcache.hve.19.dr	String found in binary or memory: http://upx.sf.net
Source: WerFault.exe, 00000016.00000003.689793778.00000000047AB000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.689756060.000000000479B000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.692147175.00000000047AC000.00000004.00000001.sdmp	String found in binary or memory: http://www.microsoft.

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 7.2.rundll32.exe.2e221e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.1210000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.1333540.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.3200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.3100000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.3200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.1210000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.713568.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.1210000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.650000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.1210000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.1333540.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.1333540.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.3100000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.1210000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.1210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.1333540.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.713568.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.1333540.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.1333540.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.2e221e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.b90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.650000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.1333540.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.1210000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.1333540.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.3303590.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.1210000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.1210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.b90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.1210000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.3303590.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.1333540.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.1333540.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.693163248.0000000001210000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.638369835.000000000131B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.638310393.0000000001210000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.634927199.0000000002E0A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.636690720.00000000032EA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.662291713.0000000001210000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.663123528.0000000001210000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.638357953.0000000000650000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.637148475.0000000003200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.693214956.000000000131B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.597595639.0000000003259000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.641147134.000000000131B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.638392292.00000000006FA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.663179674.000000000131B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.662403503.000000000131B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.634790004.0000000000B90000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.636271952.0000000003100000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.640836289.0000000001210000.00000040.00000010.sdmp, type: MEMORY

Source: 3pO1282Kpx.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6544 -ip 6544

Source: C:\Windows\SysWOW64\rundll32.exe

File deleted: C:\Windows\SysWOW64\Tbiyedppjzsf\xswipktkmrv.drt:Zone.Identifier

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Tbiyedppjzsf\

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01231291
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01229124
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0121A92F
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0122CD35
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0121F73B
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0122970A
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0122E10A
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0122590E
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01223D0C
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0122BF0C
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0121CB13
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01214D1E
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0121BD61
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0121CF6E
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01230370
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01226540
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_012289A2
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0122E5A7
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01220BA4
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0122DDA5
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0122E3B5
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_012285B8
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0122D7BE
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_012159BF
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_012143BE
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01214B81
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01223782
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01218D80
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0122DB87
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0121358B
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0121B191
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01221591
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01217795
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0121A3E7
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_012151EC
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0122EDED
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_012119C0
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_012175D2
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01219824
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01213228
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0122282D
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01213432
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0121243F
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0122C205
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0121800A
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0123261E
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0121B464
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01216869
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01213A6C
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0122B677
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0121FA78
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0121387F
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01223043
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0121AE43
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01227445
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0121544C
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0121AA4E
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01216453
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0122EA55
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0121CE5A
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0121A083
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0121F48A
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01220A93
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0122CE90
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01220E97
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0122009A
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0122A29B
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0122E899
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0121FE9D
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_012140E2
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0121F0E9
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0121C0EA
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_012256E9
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_012184F0
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_012262F5
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01224CF5
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01211EFB
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_012146FA
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_012240FE
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_012192C1
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01212CC2
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_012320CE
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_012210CD
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_012252D1
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_012190D4
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_012228D5
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_01231CDB
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F239F10
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F2377B4
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F23D530
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F231DE0
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F24E3A1
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F240380
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F233A90
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F236070
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F2368B0
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F23A890
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F23E890
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F2410C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F239F10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F2377B4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F23D530
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F231DE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F24E3A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F240380
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F233A90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F236070
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F2368B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F23A890
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F23E890
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F2410C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BB1291
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BAEA55
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BA009A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BAA29B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BAE899
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B9FE9D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BA0A93
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BACE90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BA0E97
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B9F48A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B9A083
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B91EFB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B946FA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BA40FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B984F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BA62F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BA4CF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B9F0E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B9C0EA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BA56E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B940E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BB1CDB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BA52D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B990D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BA28D5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BB20CE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BA10CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B992C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B92CC2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B9243F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B93432
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B93228
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BA282D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B99824
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BB261E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B9800A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BAC205
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B9FA78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B9387F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BAB677
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B96869
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B93A6C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B9B464
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B9CE5A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B96453
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B9544C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B9AA4E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BA3043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B9AE43
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BA7445
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BA85B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BAD7BE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B959BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B943BE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BAE3B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BA89A2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BAE5A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BA0BA4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BADDA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B9B191
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BA1591
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B97795
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B9358B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B94B81
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BA3782
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B98D80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BADB87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B951EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BAEDED
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B9A3E7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B975D2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B919C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B9F73B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BACD35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B9A92F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BA9124
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B94D1E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B9CB13
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BA970A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BAE10A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BA590E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BA3D0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BABF0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BB0370
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B9CF6E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B9BD61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BA6540

Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6F24AC90 appears 33 times
Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6F231DE0 appears 97 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6F24AC90 appears 33 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6F231DE0 appears 97 times

Source: C:\Windows\SysWOW64\rundll32.exe

Process Stats: CPU usage > 98%

Source: 3pO1282Kpx.dll	Virustotal: Detection: 23%
Source: 3pO1282Kpx.dll	ReversingLabs: Detection: 18%

Source: 3pO1282Kpx.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3pO1282Kpx.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3pO1282Kpx.dll,ajkaibu
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3pO1282Kpx.dll,akyncbgollmj
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Tbiyedppjzsf\xswipktkmrv.drt",WgszfYRBINQe
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",Control_RunDLL
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6544 -ip 6544
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6544 -s 324
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6544 -ip 6544
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6544 -s 332
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3pO1282Kpx.dll,Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3pO1282Kpx.dll,ajkaibu
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3pO1282Kpx.dll,akyncbgollmj
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Tbiyedppjzsf\xswipktkmrv.drt",WgszfYRBINQe
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",Control_RunDLL
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6544 -ip 6544
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6544 -s 324
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6544 -ip 6544
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6544 -s 332
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: C:\Windows\System32\svchost.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7A6E.tmp

Jump to behavior

Source: classification engine

Classification label: mal68.troj.evad.winDLL@34/18@0/1

Source: C:\Windows\SysWOW64\rundll32.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3pO1282Kpx.dll,Control_RunDLL

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:6800:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:6936:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6544

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: 3pO1282Kpx.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: 3pO1282Kpx.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.650010447.0000000004329000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.666367575.0000000000A2C000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.666826708.0000000000A2C000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source:	Binary string: a4pjr7pCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000013.00000002.659568546.00000000004A2000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000013.00000003.652692590.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.671414191.0000000004A51000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000016.00000003.666367575.0000000000A2C000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.666826708.0000000000A2C000.00000004.00000001.sdmp

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_012113E7 push esi; retf
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F256A93 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F256A93 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00B913E7 push esi; retf

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6F23E690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex,

Source: C:\Windows\SysWOW64\rundll32.exe

PE file moved: C:\Windows\SysWOW64\Tbiyedppjzsf\xswipktkmrv.drt

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

File opened: C:\Windows\SysWOW64\Tbiyedppjzsf\xswipktkmrv.drt:Zone.Identifier read attributes | delete

Source: C:\Windows\SysWOW64\WerFault.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\svchost.exe TID: 6960

Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\svchost.exe

Process information queried: ProcessInformation

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F250AA5 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F250AA5 FindFirstFileExW,FindNextFileW,FindClose,FindClose,

Source: C:\Windows\SysWOW64\rundll32.exe

File Volume queried: C:\ FullSizeInformation

Source: Amcache.hve.19.dr	Binary or memory string: VMware
Source: Amcache.hve.19.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.19.dr	Binary or memory string: VMware-42 35 34 13 2a 07 0a 9c-ee 7f dd c3 60 c7 b9 af
Source: Amcache.hve.19.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.19.dr	Binary or memory string: VMware Virtual USB Mouse
Source: WerFault.exe, 00000016.00000003.684751731.0000000004764000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\|
Source: Amcache.hve.19.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.19.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.19.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.19.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.19.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.19.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: svchost.exe, 0000000A.00000002.744653763.0000020495E54000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.689833815.0000000004765000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.692036428.0000000004765000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.689756060.000000000479B000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.692127501.00000000047A2000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.19.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.19.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.19.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1x
Source: Amcache.hve.19.dr	Binary or memory string: VMware, Inc.me
Source: svchost.exe, 0000000A.00000002.741934037.0000020490629000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW=
Source: svchost.exe, 0000000A.00000002.744676034.0000020495E61000.00000004.00000001.sdmp	Binary or memory string: "@Hyper-V RAWal\BFE_Notify_Event_{58328348-e77b-4df9-863b-dd539c6cd7d7}LMEM
Source: WerFault.exe, 00000016.00000003.689756060.000000000479B000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.692127501.00000000047A2000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW_
Source: Amcache.hve.19.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.19.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6F250326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6F23E690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex,

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6F231290 GetProcessHeap,HeapAlloc,RtlAllocateHeap,HeapFree,

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_012207D2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F249990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F24EC0B mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F2502CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F249920 mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F249920 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F249990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F24EC0B mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F2502CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F249920 mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F249920 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00BA07D2 mov eax, dword ptr fs:[00000030h]

Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_012289A2 LdrInitializeThunk,

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F24A462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F250326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F24AB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F24A462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F250326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F24AB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",#1
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6544 -ip 6544
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6544 -s 324
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6544 -ip 6544
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6544 -s 332

Source: loaddll32.exe, 00000001.00000000.663256244.0000000001970000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.662492009.0000000001970000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.638431605.0000000001970000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.641347944.0000000001970000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.742335301.00000000036A0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000001.00000000.663256244.0000000001970000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.662492009.0000000001970000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.638431605.0000000001970000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.641347944.0000000001970000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.742335301.00000000036A0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000001.00000000.663256244.0000000001970000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.662492009.0000000001970000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.638431605.0000000001970000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.641347944.0000000001970000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.742335301.00000000036A0000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: loaddll32.exe, 00000001.00000000.663256244.0000000001970000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.662492009.0000000001970000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.638431605.0000000001970000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.641347944.0000000001970000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.742335301.00000000036A0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6F24A584 cpuid

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6F24A755 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Source: Amcache.hve.19.dr

Binary or memory string: c:\program files\windows defender\msmpeng.exe

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 7.2.rundll32.exe.2e221e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.1210000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.1333540.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.3200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.3100000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.3200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.1210000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.713568.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.1210000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.650000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.1210000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.1333540.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.1333540.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.3100000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.1210000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.1210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.1333540.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.713568.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.1333540.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.1333540.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.2e221e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.b90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.650000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.1333540.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.1210000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.1333540.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.3303590.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.1210000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.1210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.b90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.1210000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.3303590.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.1333540.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.1333540.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.693163248.0000000001210000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.638369835.000000000131B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.638310393.0000000001210000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.634927199.0000000002E0A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.636690720.00000000032EA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.662291713.0000000001210000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.663123528.0000000001210000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.638357953.0000000000650000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.637148475.0000000003200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.693214956.000000000131B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.597595639.0000000003259000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.641147134.000000000131B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.638392292.00000000006FA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.663179674.000000000131B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.662403503.000000000131B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.634790004.0000000000B90000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.636271952.0000000003100000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.640836289.0000000001210000.00000040.00000010.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Path Interception	Process Injection12	Masquerading2	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion3	LSASS Memory	Query Registry1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Security Software Discovery51	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Virtualization/Sandbox Evasion3	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	Process Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information2	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Rundll321	DCSync	File and Directory Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	File Deletion1	Proc Filesystem	System Information Discovery33	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
3pO1282Kpx.dll	23%	Virustotal		Browse
3pO1282Kpx.dll	18%	ReversingLabs	Win32.Trojan.Phonzy

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.0.loaddll32.exe.1210000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
6.2.rundll32.exe.650000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
4.2.rundll32.exe.3200000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
7.2.rundll32.exe.b90000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
1.0.loaddll32.exe.1210000.3.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
5.2.rundll32.exe.3100000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
1.2.loaddll32.exe.1210000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
1.0.loaddll32.exe.1210000.9.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
1.0.loaddll32.exe.1210000.6.unpack	100%	Avira	HEUR/AGEN.1110387	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://crl.ver)	0%	Avira URL Cloud	safe
http://www.microsoft.	0%	URL Reputation	safe
http://schemas.xmlso	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.ver)	svchost.exe, 0000000A.00000002.744484037.0000020495E12000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://upx.sf.net	Amcache.hve.19.dr	false		high
http://www.microsoft.	WerFault.exe, 00000016.00000003.689793778.00000000047AB000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.689756060.000000000479B000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.692147175.00000000047AC000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlso	svchost.exe, 0000000A.00000002.742753085.00000204906AF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	532438
Start date:	02.12.2021
Start time:	09:46:35
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 3s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	3pO1282Kpx.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal68.troj.evad.winDLL@34/18@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 15.8% (good quality ratio 14.6%) Quality average: 73.1% Quality standard deviation: 27.6%
HCA Information:	Successful, ratio: 66% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.35.236.56, 20.42.73.29, 80.67.82.235, 80.67.82.211 Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:48:56	API Interceptor	1x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	MPEG-4 LOAS
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.2486016457556919
Encrypted:	false
SSDEEP:	1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU4j:BJiRdwfu2SRU4j
MD5:	18B070EFED14C96073A9B936EFE79913
SHA1:	821E818F84ABA70502A904DB87FC94D6510B820F
SHA-256:	5DAA0308D33857351BC3D7337291607FAE447F85786CFED7948A1A5D538FE49E
SHA-512:	EEBE8099FB1AE0AD891A59281E791EA3B783983FE68145E1E655BF4B41FA00327C7328DDFC48E4C1100ED948F7AE15B44A2A6C4F629943C01E6C779025559E70
Malicious:	false
Preview:	V.d.........@..@.3...w...........................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.........................................d#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage user DataBase, version 0x620, checksum 0x1e63e422, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	786432
Entropy (8bit):	0.25071093797838945
Encrypted:	false
SSDEEP:	384:s+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:zSB2nSB2RSjlK/+mLesOj1J2
MD5:	3B35ECABDA4B6946E7118FC8CFE61520
SHA1:	BF8ABDD5A198CBAF0B7BE0A9C403DC732E3A84F2
SHA-256:	6CB5F094A3B162EA38B7C1B3E0FC0111B82A44F9BB0D953AE613614A26E0F58E
SHA-512:	D7CFFF816D976ACF7AF992837F81917EA176DAC20FBCAD523F01E7E30ABB8B00B4FDBB1DF5834FE7AA82362A13FE7D05D802840685A6C274248ED0650DE56F8C
Malicious:	false
Preview:	.c."... ................e.f.3...w........................&..........w..80...y..h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w..........................................................................................................................................................................................................................................80...y.y.................i.f80...y..........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07728180241167973
Encrypted:	false
SSDEEP:	3:dPlTEvden4t+j8l/bJdAtiGeltoll3Vkttlmlnl:dYX+j8t4wlG3
MD5:	092DF1FAA6DB821C33C9BBF01F73FDCF
SHA1:	35D7F10F684DA4913402E647E3342CD5313BAC76
SHA-256:	CF3D5794FFC0B16C33F0C77BABDF860EA8930679E0593BA1E4E51D1CD855C0F5
SHA-512:	46A1EBF84DF5725FBC3D109980AE232725694583CE5FCDD3883FC2F2F4552FD8CCCB7057E39436761DA3D3989684A891EC61AC88B9221CA09EAE766AA08775E3
Malicious:	false
Preview:	.1......................................3...w..80...y.......w...............w.......w....:O.....w...................i.f80...y..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_3fb87a191e6babfe54825d1747bdca62202fdccd_d70d8aa6_0ce3f3fd\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6753133274689476
Encrypted:	false
SSDEEP:	96:WmcePpSZqymy9hkoyt7JfHpXIQcQ5c6A2cE2cw33+a+z+HbHg0VG4rmMOyWZAXGD:WBBaHnM28jjIq/u7slS274ItW
MD5:	EC4AD4206ADB820AA65890173145C0DE
SHA1:	244049840822C83C1555922E9C079698D2A6A462
SHA-256:	59D0B88DC3EE09B85F98B87B6F80EF0909857B148E649C5BAA85AF909ACBDA72
SHA-512:	4412E3FB67648A3A82F605DA9C4101C8788DE89322F7B6214BEF25DE500BCBC5C3CD1F8A99AD395548292950E60722BF74B01ACA3F4CC71568094C5B9AA9CE18
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.2.9.4.0.9.9.6.8.6.6.0.8.9.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.0.0.1.b.9.4.e.-.8.6.5.c.-.4.a.4.c.-.8.d.2.e.-.9.9.c.6.e.5.f.6.9.e.b.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.6.f.3.9.f.b.4.-.e.8.5.1.-.4.f.9.2.-.9.c.6.8.-.2.e.f.8.a.f.a.6.b.a.7.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.9.0.-.0.0.0.1.-.0.0.1.7.-.9.a.0.6.-.b.3.a.e.a.4.e.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.0.9././.2.8.:.1.1.:.5.3.:.0.5.!.0.!.l.o.a.d.d.l.l.3.2...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_d71d33d652a62c864cb684e881f783bcee8c2df7_d70d8aa6_0c442de9\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.678619951881378
Encrypted:	false
SSDEEP:	96:gVF6qdpSZqyty9hk1Dg3fWpXIQcQxc6VcEzcw3VR+a+z+HbHg0VG4rmMOyWZAXGp:oQ7B9HPRZvjIq/u7slS274ItW
MD5:	2314D313E55933A1C818394150FC79E4
SHA1:	D3136EB940E73470078AB3BCACA65B5BD880CFD9
SHA-256:	98A940EC0D96CE6C7AFED935B3F6328FA74809CCE0A5E065C8B346AF5C627809
SHA-512:	9A4C52AB66D4694A98F44DFFBFF83628167420BD2953706A0D470F44C46C3153F48421ED450EA7CC52F81B104A6B5761C705154179D8F20D280841916AA74269
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.2.9.4.1.0.0.4.5.5.2.3.0.7.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.2.9.4.1.0.1.0.5.9.9.1.4.2.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.c.5.2.4.9.6.3.-.5.0.8.6.-.4.3.7.8.-.a.a.d.e.-.5.0.7.c.3.c.c.a.5.5.0.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.7.e.a.6.7.3.e.-.a.d.3.c.-.4.1.4.a.-.b.6.c.1.-.5.3.5.d.6.4.4.2.1.3.3.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.9.0.-.0.0.0.1.-.0.0.1.7.-.9.a.0.6.-.b.3.a.e.a.4.e.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER581.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Dec 2 17:50:05 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	1059068
Entropy (8bit):	1.3679296955934206
Encrypted:	false
SSDEEP:	1536:dILzfDvWSJtpmlrUHpOAzih5uVCPAtJdKo5X37kK5xTmnRGe72Ut1yQB:dqrp2rUHp4hoVCI77DmR/2Ut8QB
MD5:	2B3BB1E73F5417CBBA94BAB5F9A23BE0
SHA1:	8989F49B15E937D37902F99BE2D5F66DD8BF16FF
SHA-256:	28B33D4BC476E6C48894EA4319D920D6FAB817FB200950E82BD8A335D30C4B38
SHA-512:	A5940083CD8666F0929A2DF36148FAA949C3E9515236F5A9356A1DAC88E15ABBBF9E136DDE15E5CB86F958A26E799745A07BBB8F98435A54EF0C7DAF851836B2
Malicious:	false
Preview:	MDMP....... .......M..a............4...............H.......$...........................`.......8...........T...........@................................................................................................U...........B......p.......GenuineIntelW...........T..............a-............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7A6E.tmp.csv Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	49808
Entropy (8bit):	3.07751871746348
Encrypted:	false
SSDEEP:	1536:DuHSxfEFmVPNlZAHxHULSmK5GIZ4y9Tjt7:DuHSxfEFmVPNlZAHxHULSmK5GU4y9TjJ
MD5:	F995B8EA53E910527A1E58DA26B8284A
SHA1:	3CB5A70A02ACE3EFA7BC1D70EA3E3E2B3E1EA470
SHA-256:	E2AFA4CA5DFF1D395E8D79430BE0C470BEEA612038C2C46EA1D5D1229BEE2E85
SHA-512:	ABEB857B348000653131BC1ECC6265B53580437DA6C707A2DECACB02D862FD24B2B0BAB9130BF0A4C32B2EB81D1CB169A63A17F26B81EC3086AFD919B303F16B
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7E86.tmp.txt Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.6957528855021784
Encrypted:	false
SSDEEP:	96:9GiZYWG0RCqDYGYU9WgH5YEZYytriFFF+yww0GsKY+ar+JVA3zIPN3:9jZDGQRStLBar+JVAsPN3
MD5:	AA12A49C17735F575F9DE21252764DD4
SHA1:	CC9A6030CAE13BF2C329A62F31AAE3AD4A0B4B52
SHA-256:	34E73D5BD3E9374D110BEBB17FD76F1765FFF38F0436A0296F3F5DD8FC83C7BC
SHA-512:	30F9766C5B52315532B11F453BF7246228B0A182726913959ED68815B6F9011363AC5FD5688D6955955D95E7F1A43A8A1EF6B89BD2B121121B1079516D5026F5
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9C9E.tmp.csv Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	49396
Entropy (8bit):	3.078326445297238
Encrypted:	false
SSDEEP:	1536:FHHXB0lKQAoKQl/A8vmR/KLRKZZyaTvVza:FHHXB0lKQAoKQl/A8vmR/KLRyZyaTvVe
MD5:	FD378F80D58B8AAD5C6F5E84D1F2DFAF
SHA1:	B56A8068AD34286D1F1215CBDE79712C24E1D61F
SHA-256:	8B9F7F03D85C396CE636EB03979233641431E06BE003AD1AE5DF0283BDB133C6
SHA-512:	5F4E95869BE4D3C486600EBCE62035BE11AC4F9DFEE97A56D010841E5B5402EF4D88A47869F46DD92DBFEC89107BD73D785319D32F1E4B2182F2A53C61F06924
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA058.tmp.txt Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.6964294121392984
Encrypted:	false
SSDEEP:	96:9GiZYWTL0Yje6Y6YosW2uH3QYEZ9SetrilFL+7wpTBGOLa4LLEO38I6h3:9jZDfu6tWSBoSa4LLEOr6h3
MD5:	F69960077705207D0A27B349E85CFFA3
SHA1:	BFB7F1A8F40A243569D3F6443E29ABC42398790F
SHA-256:	BE84D114B0306040AA411393E07A0267AEFAC81126EA2F8D17E22816BE964E00
SHA-512:	58DD60608487332D74A69C08E8FF47F3415EFFB0719874B03E52E15D8637DE5095004179FC55C29798727E9034BC23FC3EBD03464C69D07E4C9659E7B2BEAB80
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD24.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8300
Entropy (8bit):	3.6932020895656654
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNipE6G6YJxSUqlkgmfL8GSICpD589bXmsfC9m:RrlsNiK6G6YvSUukgmfLrSeXFfB
MD5:	AE14C04A846BA9F8E1A399D339973C09
SHA1:	C4AF4168EA0A92659C8AB476A2AC61D27F5B3383
SHA-256:	85A4D174D37F8F1FD6087BBAD159C3033B63ED686EFFE5EFB3979005CF101985
SHA-512:	7E589FB4B8476C667DEE5BFC9625EB22B86D5AC9DD7A82874F80B8944DF49D89305E5209F5FB12EB77EBD7210EA76AB11A391D7EC5232315A9A565984F2CD493
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.5.4.4.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE74B.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Dec 2 17:49:57 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	26052
Entropy (8bit):	2.557444551215252
Encrypted:	false
SSDEEP:	192:O0MutBHlO1YHOeR/cxmlCKCxKhe3Sa7NQ+ebAoIef7:C2BFZueaMlCKCxKY3SgNQ+uR
MD5:	313E5A54D53DE9B03EA81A0DC6C74362
SHA1:	226871018B652C200572A17376C02D68140F3D8F
SHA-256:	7A358BAFF2720D68857BBDABFCBF8D5375E8BF2108F8B286C3875FD07C2F32BC
SHA-512:	6C82D6EE04F562E25E979082723EA220DF18D5CF64A8FD64B08FAF168B31961B613D2328773A6166573859248607F47FD8A6006632EA68BDA84B529DF70DEAAC
Malicious:	false
Preview:	MDMP....... .......E..a............4...............H.......$...........................`.......8...........T...........h...\Y...........................................................................................U...........B......p.......GenuineIntelW...........T..............a-............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREAC7.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8340
Entropy (8bit):	3.702994961193325
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNip269F6YJ1SUH2wgmfzSzDCpBT89b8msfk0m:RrlsNio6v6Y7SUWwgmfzSz98Ffu
MD5:	94E36D19C7B1AE8116E13D87D0BFA46C
SHA1:	CF3550788F302BA4168344F47860F3BDEAA8C889
SHA-256:	7073CE4D5B84FF2971A510C01AF94BE96330772E25CC6332A85049F99EDD9E43
SHA-512:	FA1156B10F425670F64477585ECAB84E9A4DDFF7D3EA465C534425AB51242A3270191B6F6F611EC8AA4A2616C5FDED8A74DC5397E8854173B8292A0A39314B5C
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.5.4.4.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREDB6.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4598
Entropy (8bit):	4.474652743364087
Encrypted:	false
SSDEEP:	48:cvIwSD8zsiJgtWI98HSWSC8BR8fm8M4J2ygZFqz+q84WU00KcQIcQwQhdd:uITfw3TSNAJ22znDKkwQhdd
MD5:	D8D4EAEA78C61107B59A2731E1EE8DD5
SHA1:	4EAA41A60968B9446ADA7C564928A740EA0518BC
SHA-256:	5909AF7589AE7395E8554A2BD08C7EC7BA3FB7CF47F6DBC0E529EB689976C1DB
SHA-512:	CFDA51D901B98EB7A2A42C92E066D57EB818EB7B13AF5F0A856B300CE314B856EE87F4922DBC37C1C73E8412332612166928451DB67B4F0C731B09A338C23672
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1280340" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFA5.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4558
Entropy (8bit):	4.428374721600115
Encrypted:	false
SSDEEP:	48:cvIwSD8zsiJgtWI98HSWSC8Bv8fm8M4J2yGtF13+q84tjY0KcQIcQwQhdd:uITfw3TSNOJElx/KkwQhdd
MD5:	C912B85A3294A83B66C998EAEF5693A0
SHA1:	3C0C3D52C71CF8E552B6BBC76CEE9F29B024B851
SHA-256:	AAD01C9659E9AD7DF5FC5C7CF0B64D8F968DEA6AA2751CD19A45EC580D2119F1
SHA-512:	7A4B84231764DC7EFDA9FFE31B4DC74B28A8D05722509A0DAEDBED7D2FD0A972ABFE50B43D4CAA41A3B081ACEC819D648D9D9CF5F0031E8D6789FB7DB6C190C2
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1280340" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\appcompat\Programs\Amcache.hve Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.215262851555234
Encrypted:	false
SSDEEP:	12288:fMHzwKQAANrn2YHLBqf4xZfjaISv7xwJioCNkiA5NazzSllYdILIw6:UHzwKQAANr2YHL9CEi/+
MD5:	8E4C33C4642BF7E0D2C0E86932998446
SHA1:	B8759064BC4BFE3972DD22F341907C32DF19CF23
SHA-256:	6B7B0DB45FCBA932A140E79DA8EEDF54A2DEDF9014B318E4637354B6579BE839
SHA-512:	2E3AE18E24E3906DF07657D3BEEBD27F355B3137F376294E78EE9E6FA0AF621649045027B93A36E68C28BF5D1BB3BACB553523B53D9FBE399B39311834E34261
Malicious:	false
Preview:	regfW...W...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm..D...................................................................................................................................................................................................................................................................................................................................................@Y........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1 Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	2.8943954365148468
Encrypted:	false
SSDEEP:	192:kXU1SQpUxo8Y85FSETpq/bDIpn8h8K1ZV6nGoak:or5dAIpn88KTVgGVk
MD5:	F4C44BE066D026642C5F33588EA97DF9
SHA1:	A19D74170090798C8E753ABC9C47926ABDB8CAD5
SHA-256:	3F9D6E489C50FC1A73184DE11C8ACFBF04080A640B678D5943332021D74F4061
SHA-512:	8D8AC751389A229ADC649226B2F812B91C63E34360D93FE51FC338178C97A1CDA04BA0118CB29ABFDB69857AFCDF0A20CCF31B67DA58BEE2A00CAD633533999D
Malicious:	false
Preview:	regfV...V...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm..D...................................................................................................................................................................................................................................................................................................................................................@YHvLE.>......V............g...C....F..0_..................p......hbin................p.\..,..........nk,.RLG..................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk .RLG......... ........................... .......Z.......................Root........lf......Root....nk .RLG......................}.............. ...............*...............DeviceCensus........................vk..................WritePermissionsCheck.......p...

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.067331172246508
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	3pO1282Kpx.dll
File size:	372736
MD5:	173345845a2a7d0d99c17bdc5445df90
SHA1:	35ed97b5ac5a3ed0fdc00eabff20f3bfcdfc8a7c
SHA256:	9ed58848f0a7b354a32d4ef67ea9ff70ba75f9238c39d9f1af88fae6811cb504
SHA512:	c67f4a25b4538ea45291636f4eb1c845bbe5ab68ae3297132f2e4bbde7f941a11eb276d5bdebe8179f412fd2e63a5346d53890c1e6aeacca88c7a84bde35bda4
SSDEEP:	6144:qRsMh9YQWtcgA70wgF7nJyt6CQK+kIVDRjudJMrt32fFcRmXIeJXjWMmAD:cvm9Y0HFLQRQKqV4epRmxAvAD
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0...Q...Q...Q..E#...Q..E#...Q..E#...Q../$...Q...$...Q...$...Q...$...Q..E#...Q...Q...Q...Q...Q../$...Q../$...Q..Rich.Q.........

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x1001a401
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61A7100E [Wed Dec 1 06:02:54 2021 UTC]
TLS Callbacks:	0x1000c500
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	609402ef170a35cc0e660d7d95ac10ce

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F04C0B74847h
call 00007F04C0B74BD8h
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F04C0B746F3h
add esp, 0Ch
pop ebp
retn 000Ch
push ebp
mov ebp, esp
push dword ptr [ebp+08h]
call 00007F04C0B750EEh
pop ecx
pop ebp
ret
push ebp
mov ebp, esp
jmp 00007F04C0B7484Fh
push dword ptr [ebp+08h]
call 00007F04C0B78BD4h
pop ecx
test eax, eax
je 00007F04C0B74851h
push dword ptr [ebp+08h]
call 00007F04C0B78C50h
pop ecx
test eax, eax
je 00007F04C0B74828h
pop ebp
ret
cmp dword ptr [ebp+08h], FFFFFFFFh
je 00007F04C0B751B3h
jmp 00007F04C0B75190h
push ebp
mov ebp, esp
push 00000000h
call dword ptr [1002808Ch]
push dword ptr [ebp+08h]
call dword ptr [10028088h]
push C0000409h
call dword ptr [10028040h]
push eax
call dword ptr [10028090h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [10028094h]
test eax, eax
je 00007F04C0B74847h
push 00000002h
pop ecx
int 29h
mov dword ptr [1005AF18h], eax
mov dword ptr [1005AF14h], ecx
mov dword ptr [1005AF10h], edx
mov dword ptr [1005AF0Ch], ebx
mov dword ptr [1005AF08h], esi
mov dword ptr [1005AF04h], edi
mov word ptr [eax], es

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x58390	0x8ac	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x58c3c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5d000	0x1bb0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x56fdc	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x57100	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x57030	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x28000	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x264f4	0x26600	False	0.546620521173	data	6.29652715831	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x28000	0x313fa	0x31400	False	0.822468868972	data	7.43227371512	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5a000	0x1844	0xe00	False	0.270647321429	data	2.60881097454	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0x5c000	0x66c	0x800	False	0.3583984375	data	2.21689595795	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc	0x5d000	0x1bb0	0x1c00	False	0.784598214286	data	6.62358237634	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

KERNEL32.dll

HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, GetModuleHandleA, GetProcAddress, TlsGetValue, TlsSetValue, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, AcquireSRWLockShared, ReleaseSRWLockShared, SetLastError, GetEnvironmentVariableW, GetLastError, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentThread, RtlCaptureContext, ReleaseMutex, WaitForSingleObjectEx, LoadLibraryA, CreateMutexA, CloseHandle, GetStdHandle, GetConsoleMode, WriteFile, WriteConsoleW, TlsAlloc, GetCommandLineW, CreateFileA, GetTickCount64, CreateFileW, SetFilePointerEx, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RaiseException, RtlUnwind, InterlockedFlushSList, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, GetFileType, GetStringTypeW, HeapSize, SetStdHandle, FlushFileBuffers, GetConsoleOutputCP, DecodePointer

USER32.dll

GetDC, ReleaseDC, GetWindowRect

Exports

Name	Ordinal	Address
Control_RunDLL	1	0x100010a0
ajkaibu	2	0x100016c0
akyncbgollmj	3	0x10001480
alrcidxljxybdggs	4	0x10001860
bgmotrriehds	5	0x10001820
bojkfvynhhupnooyb	6	0x100019f0
bujuoqldqlzaod	7	0x10001800
bunsahctogxzts	8	0x100019e0
cjogbtafwukesw	9	0x10001830
csbbcaopuok	10	0x100016a0
cyqrjpaeorjur	11	0x100015f0
dlrzuyaeqj	12	0x10001840
egiimrq	13	0x10001850
evhgyts	14	0x100014f0
fdqpjjjyuw	15	0x100017e0
finabzjyxhxnnuuv	16	0x10001510
fkeacqpbbfw	17	0x10001910
fuwsgzf	18	0x10001790
fzbmpailk	19	0x10001980
gamsrhauvgl	20	0x10001810
gjfqgtgk	21	0x10001a10
gwsmfxfmekkyr	22	0x100018b0
haymuvtatadeydqmk	23	0x10001530
hqruohhkvpdalhq	24	0x10001620
htdaydfvtjlujwcaj	25	0x10001660
hzyrvjtx	26	0x100017c0
ifnsupqhxkwj	27	0x10001870
ijhgowlpmypocg	28	0x10001720
ispjhrqaxnyflnn	29	0x100015a0
iszvcqv	30	0x100017a0
ixgucop	31	0x100018d0
jcdvrhrguqtjpkc	32	0x100016b0
jkfyadsdpoks	33	0x100019c0
kfzgxmljkwaqy	34	0x10001730
kzfvroxozxufciczm	35	0x10001740
lpstjqa	36	0x10001900
ltkoyvzovzkqemyw	37	0x10001630
mdigcwjymnzvgaql	38	0x100014d0
mefathlzguuhqodfx	39	0x10001950
mgsrmfbja	40	0x10001500
mrxhcceopg	41	0x100014a0
nafhmuoq	42	0x100018f0
nefxgpc	43	0x100018a0
nrehxpiznrppeu	44	0x10001690
nucocnvjyqp	45	0x100018e0
obxoxtcbntaxofr	46	0x10001890
ofrzojd	47	0x100016e0
oofbctfc	48	0x10001550
opzpazspbecyjojf	49	0x100015b0
oqoigff	50	0x10001a00
oujlzhzvhjh	51	0x100016f0
ovpsanbypajv	52	0x100015e0
pblpcaadqbdxyb	53	0x10001680
ragwdgnyohftj	54	0x100017d0
rfosmac	55	0x10001710
rgymbuetvifqjqdlo	56	0x10001930
rmoxbxbbgidnbds	57	0x10001970
rxnkmfbycdcc	58	0x10001560
sefltbc	59	0x10001880
sgieprcsphl	60	0x100019a0
shpcmnqzvyltgdt	61	0x100016d0
slktbekupvmdbt	62	0x100015c0
sormivnk	63	0x10001570
tdblkstlyin	64	0x10001600
tkllyrc	65	0x10001650
tkwpnvfqnbpbdqe	66	0x10001a20
tnhtgnjrabqakgeke	67	0x10001700
tzpmcwwig	68	0x10001520
uceklmggjof	69	0x10001610
ukwdddyj	70	0x10001640
uwnaptydgur	71	0x10001940
vjusqoeo	72	0x10001580
vnyufpq	73	0x10001590
vsrwmkhzkrtlexxb	74	0x100014e0
wermsdfzb	75	0x10001770
wkhpfdjkypy	76	0x100014c0
wksndtayhfm	77	0x100015d0
wnjvxspilxpchq	78	0x10001670
wuqwfssiddrcl	79	0x10001570
wyyhtqptznbrknitg	80	0x100017f0
wzkcijdvadq	81	0x10001540
wzxlvxuyy	82	0x100019b0
xhtxeilfgsghxik	83	0x10001780
xvdijhconoukll	84	0x100014b0
ybbwnezvxfafm	85	0x10001750
yeylpreasnzamgac	86	0x100019d0
ypkidshxgzkkehc	87	0x100018c0
ypzvmpfbgai	88	0x10001760
zbrzizodycg	89	0x10001990
zdiuqcnzg	90	0x10001920
zfkwwtxd	91	0x10001490
zktykfwmaehxg	92	0x10001600
zmkbqvofdhermov	93	0x10001960
zvtqmkitgmzgo	94	0x100017b0

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6544 Parent PID: 5616

General

Start time:	09:47:32
Start date:	02/12/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll"
Imagebase:	0xd50000
File size:	893440 bytes
MD5 hash:	72FCD8FB0ADC38ED9050569AD673650E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.693163248.0000000001210000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000001.00000002.693163248.0000000001210000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000001.00000000.638369835.000000000131B000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000000.638310393.0000000001210000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000001.00000000.638310393.0000000001210000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000000.662291713.0000000001210000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000001.00000000.662291713.0000000001210000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000000.663123528.0000000001210000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000001.00000000.663123528.0000000001210000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000001.00000002.693214956.000000000131B000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000001.00000000.641147134.000000000131B000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000001.00000000.663179674.000000000131B000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000001.00000000.662403503.000000000131B000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000000.640836289.0000000001210000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000001.00000000.640836289.0000000001210000.00000040.00000010.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: cmd.exe PID: 4652 Parent PID: 6544

General

Start time:	09:47:32
Start date:	02/12/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",#1
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 6088 Parent PID: 6544

General

Start time:	09:47:33
Start date:	02/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\3pO1282Kpx.dll,Control_RunDLL
Imagebase:	0xc60000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000002.637148475.0000000003200000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.637148475.0000000003200000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000003.597595639.0000000003259000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000003.597595639.0000000003259000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exe PID: 6256 Parent PID: 4652

General

Start time:	09:47:33
Start date:	02/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",#1
Imagebase:	0xc60000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.636690720.00000000032EA000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000005.00000002.636271952.0000000003100000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.636271952.0000000003100000.00000040.00000010.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exe PID: 4532 Parent PID: 6544

General

Start time:	09:47:37
Start date:	02/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\3pO1282Kpx.dll,ajkaibu
Imagebase:	0xc60000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000006.00000002.638357953.0000000000650000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.638357953.0000000000650000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.638392292.00000000006FA000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exe PID: 6612 Parent PID: 6544

General

Start time:	09:47:41
Start date:	02/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\3pO1282Kpx.dll,akyncbgollmj
Imagebase:	0xc60000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.634927199.0000000002E0A000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.634790004.0000000000B90000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.634790004.0000000000B90000.00000040.00000010.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: svchost.exe PID: 6920 Parent PID: 560

General

Start time:	09:48:54
Start date:	02/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 6040 Parent PID: 6256

General

Start time:	09:49:32
Start date:	02/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",Control_RunDLL
Imagebase:	0xc60000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 5280 Parent PID: 6088

General

Start time:	09:49:32
Start date:	02/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Tbiyedppjzsf\xswipktkmrv.drt",WgszfYRBINQe
Imagebase:	0xc60000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 4112 Parent PID: 4532

General

Start time:	09:49:43
Start date:	02/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",Control_RunDLL
Imagebase:	0xc60000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 1508 Parent PID: 6612

General

Start time:	09:49:47
Start date:	02/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",Control_RunDLL
Imagebase:	0xc60000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 7160 Parent PID: 560

General

Start time:	09:49:49
Start date:	02/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: WerFault.exe PID: 6936 Parent PID: 7160

General

Start time:	09:49:50
Start date:	02/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6544 -ip 6544
Imagebase:	0xea0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: WerFault.exe PID: 3520 Parent PID: 6544

General

Start time:	09:49:52
Start date:	02/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6544 -s 324
Imagebase:	0xea0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: WerFault.exe PID: 6800 Parent PID: 7160

General

Start time:	09:50:01
Start date:	02/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6544 -ip 6544
Imagebase:	0xea0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exe PID: 5636 Parent PID: 560

General

Start time:	09:50:02
Start date:	02/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: WerFault.exe PID: 3424 Parent PID: 6544

General

Start time:	09:50:02
Start date:	02/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6544 -s 332
Imagebase:	0xea0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exe PID: 1040 Parent PID: 560

General

Start time:	09:50:27
Start date:	02/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exe PID: 6264 Parent PID: 560

General

Start time:	09:50:35
Start date:	02/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 3pO1282Kpx.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Exports

Network Behavior

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: loaddll32.exe PID: 6544 Parent PID: 5616

General

Analysis Process: cmd.exe PID: 4652 Parent PID: 6544

General