Loading ...

Play interactive tourEdit tour

Windows Analysis Report Pv3ZsGsdfS.dll

Overview

General Information

Sample Name:Pv3ZsGsdfS.dll
Analysis ID:544850
MD5:63c22ce32346e029fa5a1ec1ae619d0f
SHA1:222cf86c3b59f466292bb734be308cda77c3ddff
SHA256:efbd76616dc1cd8210a8c54611f4ffa88e635f0f6ded2f8ff48311737635edda
Tags:dll
Infos:

Most interesting Screenshot:

Detection

Dridex
Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Call by Ordinal
Tries to delay execution (extensive OutputDebugStringW loop)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
One or more processes crash
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
Entry point lies outside standard sections
Abnormal high CPU Usage

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6836 cmdline: loaddll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 6852 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6900 cmdline: rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • WerFault.exe (PID: 7008 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6900 -s 684 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: Dridex

{"Version": 22201, "C2 list": ["144.91.122.102:443", "85.10.248.28:593", "185.4.135.27:5228", "80.211.3.13:8116"], "RC4 keys": ["3IC8sFlUX9XZuoBQY9u5LhcZnHsV7E5r", "hnk63OiMfIbUqQnY7gkPwplwC0Ue5ZkZBYMCTYTjntqX7zsy9OvtNUlthJZXRtFF6P52Zbz6R5"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.749937166.000000006F4B1000.00000020.00020000.sdmpJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security
    00000003.00000000.360348773.000000006F4B1000.00000020.00020000.sdmpJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security
      00000003.00000000.358630922.000000006F4B1000.00000020.00020000.sdmpJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security
        00000003.00000002.401542049.000000006F4B1000.00000020.00020000.sdmpJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          3.0.rundll32.exe.6f4b0000.5.unpackJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security
            3.2.rundll32.exe.6f4b0000.2.unpackJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security
              0.2.loaddll32.exe.6f4b0000.2.unpackJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security
                3.0.rundll32.exe.6f4b0000.2.unpackJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security

                  Sigma Overview

                  System Summary:

                  barindex
                  Sigma detected: Suspicious Call by OrdinalShow sources
                  Source: Process startedAuthor: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6852, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1, ProcessId: 6900

                  Jbx Signature Overview

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection:

                  barindex
                  Found malware configurationShow sources
                  Source: 3.0.rundll32.exe.6f4b0000.2.unpackMalware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["144.91.122.102:443", "85.10.248.28:593", "185.4.135.27:5228", "80.211.3.13:8116"], "RC4 keys": ["3IC8sFlUX9XZuoBQY9u5LhcZnHsV7E5r", "hnk63OiMfIbUqQnY7gkPwplwC0Ue5ZkZBYMCTYTjntqX7zsy9OvtNUlthJZXRtFF6P52Zbz6R5"]}
                  Multi AV Scanner detection for submitted fileShow sources
                  Source: Pv3ZsGsdfS.dllReversingLabs: Detection: 34%
                  Source: Pv3ZsGsdfS.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                  Source: Pv3ZsGsdfS.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
                  Source: Binary string: combase.pdb? source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000006.00000003.364549220.0000000003526000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.364159227.00000000053D0000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.364216480.0000000003526000.00000004.00000001.sdmp
                  Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
                  Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp
                  Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
                  Source: Binary string: wntdll.pdb source: loaddll32.exe, 00000000.00000003.363070783.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.364211441.0000000003520000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.365235764.0000000003520000.00000004.00000001.sdmp
                  Source: Binary string: sfc.pdb|Q source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: shcore.pdb source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
                  Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp
                  Source: Binary string: fltLib.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: advapi32.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: shell32.pdb source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
                  Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp
                  Source: Binary string: powrprof.pdb' source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: bcrypt.pdb1 source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000006.00000003.364221379.000000000352C000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.365022950.000000000352C000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.364554917.000000000352C000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp
                  Source: Binary string: wimm32.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: mpr.pdb source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
                  Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp
                  Source: Binary string: setupapi.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: RFFGTEQ.pdb source: Pv3ZsGsdfS.dll
                  Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000006.00000003.364211441.0000000003520000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.365235764.0000000003520000.00000004.00000001.sdmp
                  Source: Binary string: shcore.pdbk source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
                  Source: Binary string: profapi.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: winspool.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp
                  Source: Binary string: shell32.pdbk source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
                  Source: Binary string: setupapi.pdb+ source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: sechost.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: propsys.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.363070783.000000004B280000.00000004.00000001.sdmp
                  Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
                  Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
                  Source: Binary string: powrprof.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: msctf.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp
                  Source: Binary string: sechost.pdb} source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
                  Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
                  Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
                  Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000006.00000003.364221379.000000000352C000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.365022950.000000000352C000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.364554917.000000000352C000.00000004.00000001.sdmp
                  Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
                  Source: Binary string: combase.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: wUxTheme.pdb- source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: rundll32.pdb source: WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp
                  Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000006.00000003.364549220.0000000003526000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.364216480.0000000003526000.00000004.00000001.sdmp
                  Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: sfc.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: apphelp.pdb source: WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp
                  Source: Binary string: wuser32.pdb source: WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp
                  Source: Binary string: fltLib.pdb{ source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp

                  Networking:

                  barindex
                  C2 URLs / IPs found in malware configurationShow sources
                  Source: Malware configuration extractorIPs: 144.91.122.102:443
                  Source: Malware configuration extractorIPs: 85.10.248.28:593
                  Source: Malware configuration extractorIPs: 185.4.135.27:5228
                  Source: Malware configuration extractorIPs: 80.211.3.13:8116
                  Source: Joe Sandbox ViewASN Name: TOPHOSTGR TOPHOSTGR
                  Source: Joe Sandbox ViewASN Name: HETZNER-ASDE HETZNER-ASDE
                  Source: Joe Sandbox ViewIP Address: 185.4.135.27 185.4.135.27
                  Source: Joe Sandbox ViewIP Address: 85.10.248.28 85.10.248.28
                  Source: WerFault.exe, 00000006.00000002.398420518.000000000532D000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                  Source: Amcache.hve.6.drString found in binary or memory: http://upx.sf.net
                  Source: loaddll32.exe, 00000000.00000002.750012504.000000006F4CF000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.358686733.000000006F4CF000.00000002.00020000.sdmpString found in binary or memory: http://www.baxleystamps.comDVarFileInfo$

                  E-Banking Fraud:

                  barindex
                  Yara detected Dridex unpacked fileShow sources
                  Source: Yara matchFile source: 3.0.rundll32.exe.6f4b0000.5.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 3.2.rundll32.exe.6f4b0000.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.loaddll32.exe.6f4b0000.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 3.0.rundll32.exe.6f4b0000.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000002.749937166.000000006F4B1000.00000020.00020000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000000.360348773.000000006F4B1000.00000020.00020000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000000.358630922.000000006F4B1000.00000020.00020000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.401542049.000000006F4B1000.00000020.00020000.sdmp, type: MEMORY

                  System Summary:

                  barindex
                  Source: Pv3ZsGsdfS.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                  Source: Pv3ZsGsdfS.dllBinary or memory string: OriginalFilenameShi.dllD vs Pv3ZsGsdfS.dll
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6900 -s 684
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F4C0730
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F4C9370
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F4B8428
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F4C143C
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F4BA4E8
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F4B1494
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F4C2234 NtDelayExecution,
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F4C2820 NtAllocateVirtualMemory,
                  Source: C:\Windows\System32\loaddll32.exeProcess Stats: CPU usage > 98%
                  Source: Pv3ZsGsdfS.dllReversingLabs: Detection: 34%
                  Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1
                  Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll"
                  Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6900 -s 684
                  Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1
                  Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6900
                  Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERA8BF.tmpJump to behavior
                  Source: classification engineClassification label: mal76.troj.evad.winDLL@6/6@0/4
                  Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: Pv3ZsGsdfS.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
                  Source: Pv3ZsGsdfS.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: combase.pdb? source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000006.00000003.364549220.0000000003526000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.364159227.00000000053D0000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.364216480.0000000003526000.00000004.00000001.sdmp
                  Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
                  Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp
                  Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
                  Source: Binary string: wntdll.pdb source: loaddll32.exe, 00000000.00000003.363070783.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.364211441.0000000003520000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.365235764.0000000003520000.00000004.00000001.sdmp
                  Source: Binary string: sfc.pdb|Q source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: shcore.pdb source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
                  Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp
                  Source: Binary string: fltLib.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: advapi32.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: shell32.pdb source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
                  Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp
                  Source: Binary string: powrprof.pdb' source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: bcrypt.pdb1 source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000006.00000003.364221379.000000000352C000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.365022950.000000000352C000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.364554917.000000000352C000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp
                  Source: Binary string: wimm32.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: mpr.pdb source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
                  Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp
                  Source: Binary string: setupapi.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: RFFGTEQ.pdb source: Pv3ZsGsdfS.dll
                  Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000006.00000003.364211441.0000000003520000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.365235764.0000000003520000.00000004.00000001.sdmp
                  Source: Binary string: shcore.pdbk source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
                  Source: Binary string: profapi.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: winspool.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp
                  Source: Binary string: shell32.pdbk source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
                  Source: Binary string: setupapi.pdb+ source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: sechost.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: propsys.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.363070783.000000004B280000.00000004.00000001.sdmp
                  Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
                  Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
                  Source: Binary string: powrprof.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: msctf.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp
                  Source: Binary string: sechost.pdb} source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
                  Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
                  Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
                  Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000006.00000003.364221379.000000000352C000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.365022950.000000000352C000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.364554917.000000000352C000.00000004.00000001.sdmp
                  Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
                  Source: Binary string: combase.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: wUxTheme.pdb- source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: rundll32.pdb source: WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp
                  Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000006.00000003.364549220.0000000003526000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.364216480.0000000003526000.00000004.00000001.sdmp
                  Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: sfc.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: Binary string: apphelp.pdb source: WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp
                  Source: Binary string: wuser32.pdb source: WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp
                  Source: Binary string: fltLib.pdb{ source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F4BF6A8 push esi; mov dword ptr [esp], 00000000h
                  Source: initial sampleStatic PE information: section where entry point is pointing to: .rdata
                  Source: C:\Windows\SysWOW64\WerFault.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion:

                  barindex
                  Tries to delay execution (extensive OutputDebugStringW loop)Show sources
                  Source: C:\Windows\System32\loaddll32.exeSection loaded: OutputDebugStringW count: 1174
                  Source: C:\Windows\System32\loaddll32.exeWindow / User API: threadDelayed 1173
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F4C0730 GetTokenInformation,GetSystemInfo,GetTokenInformation,
                  Source: Amcache.hve.6.drBinary or memory string: VMware
                  Source: Amcache.hve.6.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                  Source: Amcache.hve.6.drBinary or memory string: VMware-42 35 34 13 2a 07 0a 9c-ee 7f dd c3 60 c7 b9 af
                  Source: Amcache.hve.6.drBinary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                  Source: Amcache.hve.6.drBinary or memory string: VMware Virtual USB Mouse
                  Source: Amcache.hve.6.drBinary or memory string: VMware, Inc.
                  Source: Amcache.hve.6.drBinary or memory string: VMware Virtual disk SCSI Disk Devicehbin
                  Source: Amcache.hve.6.drBinary or memory string: Microsoft Hyper-V Generation Counter
                  Source: Amcache.hve.6.drBinary or memory string: VMware7,1
                  Source: Amcache.hve.6.drBinary or memory string: NECVMWar VMware SATA CD00
                  Source: Amcache.hve.6.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: WerFault.exe, 00000006.00000003.395942096.00000000053E0000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000002.398401488.0000000005323000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000002.398369091.000000000530E000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000002.398560453.00000000053E0000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
                  Source: Amcache.hve.6.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                  Source: Amcache.hve.6.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                  Source: Amcache.hve.6.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1x
                  Source: Amcache.hve.6.drBinary or memory string: VMware, Inc.me
                  Source: Amcache.hve.6.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                  Source: Amcache.hve.6.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F4B6D0C GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F4C3138 RtlAddVectoredExceptionHandler,
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1
                  Source: loaddll32.exe, 00000000.00000002.749454473.00000000012A0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.358315172.0000000003020000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.360143274.0000000003020000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                  Source: loaddll32.exe, 00000000.00000002.749454473.00000000012A0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.358315172.0000000003020000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.360143274.0000000003020000.00000002.00020000.sdmpBinary or memory string: Progman
                  Source: loaddll32.exe, 00000000.00000002.749454473.00000000012A0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.358315172.0000000003020000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.360143274.0000000003020000.00000002.00020000.sdmpBinary or memory string: &Program Manager
                  Source: loaddll32.exe, 00000000.00000002.749454473.00000000012A0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.358315172.0000000003020000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.360143274.0000000003020000.00000002.00020000.sdmpBinary or memory string: Progmanlock
                  Source: C:\Windows\System32\loaddll32.exeCode function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,
                  Source: C:\Windows\System32\loaddll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F4B6D0C GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,
                  Source: Amcache.hve.6.drBinary or memory string: c:\program files\windows defender\msmpeng.exe

                  Mitre Att&ck Matrix

                  Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                  Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection12Virtualization/Sandbox Evasion11OS Credential DumpingQuery Registry1Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                  Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection12LSASS MemorySecurity Software Discovery31Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                  Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Security Account ManagerVirtualization/Sandbox Evasion11SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                  Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Rundll321NTDSProcess Discovery1Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
                  Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA SecretsApplication Window Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                  Replication Through Removable MediaLaunchdRc.commonRc.commonSteganographyCached Domain CredentialsAccount Discovery1VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                  External Remote ServicesScheduled TaskStartup ItemsStartup ItemsCompile After DeliveryDCSyncSystem Owner/User Discovery1Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                  Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc FilesystemRemote System Discovery1Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                  Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Masquerading/etc/passwd and /etc/shadowSystem Information Discovery13Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 544850 Sample: Pv3ZsGsdfS.dll Startdate: 24/12/2021 Architecture: WINDOWS Score: 76 18 185.4.135.27 TOPHOSTGR Greece 2->18 20 85.10.248.28 HETZNER-ASDE Germany 2->20 22 2 other IPs or domains 2->22 24 Found malware configuration 2->24 26 Multi AV Scanner detection for submitted file 2->26 28 Yara detected Dridex unpacked file 2->28 30 2 other signatures 2->30 9 loaddll32.exe 1 2->9         started        signatures3 process4 signatures5 32 Tries to delay execution (extensive OutputDebugStringW loop) 9->32 12 cmd.exe 1 9->12         started        process6 process7 14 rundll32.exe 12->14         started        process8 16 WerFault.exe 23 9 14->16         started       

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.

                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  Pv3ZsGsdfS.dll35%ReversingLabsWin32.Trojan.BotX

                  Dropped Files

                  No Antivirus matches

                  Unpacked PE Files

                  SourceDetectionScannerLabelLinkDownload
                  3.2.rundll32.exe.930000.0.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                  3.0.rundll32.exe.6f4b0000.2.unpack100%AviraHEUR/AGEN.1144420Download File
                  3.0.rundll32.exe.6f4b0000.5.unpack100%AviraHEUR/AGEN.1144420Download File
                  0.2.loaddll32.exe.1030000.0.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                  0.2.loaddll32.exe.6f4b0000.2.unpack100%AviraHEUR/AGEN.1144420Download File
                  3.2.rundll32.exe.6f4b0000.2.unpack100%AviraHEUR/AGEN.1144420Download File
                  3.0.rundll32.exe.930000.0.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                  3.0.rundll32.exe.930000.3.unpack100%AviraTR/Crypt.XPACK.GenDownload File

                  Domains

                  No Antivirus matches

                  URLs

                  SourceDetectionScannerLabelLink
                  http://www.baxleystamps.comDVarFileInfo$0%Avira URL Cloudsafe

                  Domains and IPs

                  Contacted Domains

                  No contacted domains info

                  URLs from Memory and Binaries

                  NameSourceMaliciousAntivirus DetectionReputation
                  http://upx.sf.netAmcache.hve.6.drfalse
                    high
                    http://www.baxleystamps.comDVarFileInfo$loaddll32.exe, 00000000.00000002.750012504.000000006F4CF000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.358686733.000000006F4CF000.00000002.00020000.sdmpfalse
                    • Avira URL Cloud: safe
                    low

                    Contacted IPs

                    • No. of IPs < 25%
                    • 25% < No. of IPs < 50%
                    • 50% < No. of IPs < 75%
                    • 75% < No. of IPs

                    Public

                    IPDomainCountryFlagASNASN NameMalicious
                    185.4.135.27
                    unknownGreece
                    199246TOPHOSTGRtrue
                    85.10.248.28
                    unknownGermany
                    24940HETZNER-ASDEtrue
                    80.211.3.13
                    unknownItaly
                    31034ARUBA-ASNITtrue
                    144.91.122.102
                    unknownGermany
                    51167CONTABODEtrue

                    General Information

                    Joe Sandbox Version:34.0.0 Boulder Opal
                    Analysis ID:544850
                    Start date:24.12.2021
                    Start time:09:22:41
                    Joe Sandbox Product:CloudBasic
                    Overall analysis duration:0h 7m 17s
                    Hypervisor based Inspection enabled:false
                    Report type:light
                    Sample file name:Pv3ZsGsdfS.dll
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                    Run name:Run with higher sleep bypass
                    Number of analysed new started processes analysed:25
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • HDC enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Detection:MAL
                    Classification:mal76.troj.evad.winDLL@6/6@0/4
                    EGA Information:Failed
                    HDC Information:
                    • Successful, ratio: 52.3% (good quality ratio 50.4%)
                    • Quality average: 79.2%
                    • Quality standard deviation: 27%
                    HCA Information:Failed
                    Cookbook Comments:
                    • Adjust boot time
                    • Enable AMSI
                    • Sleeps bigger than 120000ms are automatically reduced to 1000ms
                    • Found application associated with file extension: .dll
                    Warnings:
                    Show All
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                    • Excluded IPs from analysis (whitelisted): 23.54.113.53, 52.182.143.212
                    • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, onedsblobprdcus15.centralus.cloudapp.azure.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com
                    • Not all processes where analyzed, report is missing behavior information
                    • VT rate limit hit for: Pv3ZsGsdfS.dll

                    Simulations

                    Behavior and APIs

                    No simulations

                    Joe Sandbox View / Context

                    IPs

                    No context

                    Domains

                    No context

                    ASN

                    No context

                    JA3 Fingerprints

                    No context

                    Dropped Files

                    No context

                    Created / dropped Files

                    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_20f54535b4fc1ad4777e2f126bb0718bcd6544b5_82810a17_1a7fdfcd\Report.wer
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):65536
                    Entropy (8bit):0.9131746768123783
                    Encrypted:false
                    SSDEEP:192:64siW0oXG/HBUZMX4jed+O/u7svS274ItWc:DsiQXG/BUZMX4jeL/u7svX4ItWc
                    MD5:29579360B22432DFC0550492B810C2AD
                    SHA1:8F3695C341FABAE6CB0488C2E19838F3D67CBD61
                    SHA-256:448388426C2B1369CC525FC7649B835A8AC698E0612F88C1CDCA61984EDBE6B3
                    SHA-512:4292836993B8AA7E138E24E3C1AE025FCA31C0D31BB21A6F8E303ABFB4606FBDDA9AB619F53E47A0C883F2C98FFFD5EC97680E8400CF275A65322D89FCF9DD14
                    Malicious:false
                    Reputation:low
                    Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.4.8.4.0.2.2.9.7.6.4.5.6.6.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.4.8.4.0.2.4.1.8.5.8.2.5.9.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.f.c.4.9.9.2.b.-.c.1.4.b.-.4.9.b.5.-.8.f.c.9.-.8.5.c.1.f.2.d.f.e.9.6.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.f.8.7.0.c.a.a.-.5.1.c.6.-.4.d.8.0.-.9.8.0.e.-.e.2.3.c.6.c.8.5.3.6.d.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.f.4.-.0.0.0.1.-.0.0.1.7.-.d.9.3.e.-.5.a.0.0.e.b.f.8.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.
                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERA8BF.tmp.dmp
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Mini DuMP crash report, 14 streams, Fri Dec 24 17:23:51 2021, 0x1205a4 type
                    Category:dropped
                    Size (bytes):45808
                    Entropy (8bit):2.063465092606408
                    Encrypted:false
                    SSDEEP:192:lga6E0btUK302icO5SkbfC+O679tHT1Q3achcgGg7nET:GXXtUKJiT5LbBj79tHS3ach1
                    MD5:6BA962499491EF50D34753FC43E70E78
                    SHA1:FCDD29E7C70650CDEF5AAF15D6D1F65A6FB6D2AA
                    SHA-256:2BE1C84338A24B862508C72D428D18E0FBE77006CD10C163FF81F8DB9633FFD0
                    SHA-512:E810D101F784AE1FE327F359F7ABFBD756E4DE4EF7E842A6103EA4ADE6A9D60088660A46F1A516E304924D731847E6C8B311B62A393C85D89AAB51226FBE1BE9
                    Malicious:false
                    Reputation:low
                    Preview: MDMP....... .......'..a........................................n-..........T.......8...........T...........@................................................................................................U...........B...... .......GenuineIntelW...........T..............a.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERB1E8.tmp.WERInternalMetadata.xml
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):8258
                    Entropy (8bit):3.694780832129531
                    Encrypted:false
                    SSDEEP:192:Rrl7r3GLNi6jd67z/6Yau62gmfT6mSkCpr6q89bOGsfC6m:RrlsNic6X6YT62gmfT6mSCOlfW
                    MD5:C2C685B0F4C57BF14EC69949014FC9E7
                    SHA1:58ED607D8DEC974687FDB441B0957783BF57B567
                    SHA-256:DEDB1C1CC0FEE5C433A3F484A0568AA349701325FCB48CB71348FF473B16DE7B
                    SHA-512:A72C828DC593DE6CB08DE4E2BCB43FCD43441CCD4B7ADDFD21C75222B43CF28CDCE01178936630BA1FAF29CF1D31C45A1E7EA195FDFE01B34671C00AB2E23D29
                    Malicious:false
                    Reputation:low
                    Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.0.0.<./.P.i.d.>.......
                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERB515.tmp.xml
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4630
                    Entropy (8bit):4.459592349014678
                    Encrypted:false
                    SSDEEP:48:cvIwSD8zsaJgtWI9u4WSC8Bg8fm8M4JCdsfi2hFD+q8/08KBLc4SrS8d:uITfotxSNDJpiM58scDW8d
                    MD5:A06DCD0393D3DE548D82518693742FB5
                    SHA1:5BC6EE3EBF65DDFED1D0FFF8EB7BFE783D3805C3
                    SHA-256:E7F298466D4C663D368F7DB05BF9F8FF076694B9BED76FFE750D46D37284BB31
                    SHA-512:CB76A09686246456CD8CA5CF98CB2906E0D1ABB663474A7A2E4F9B428AB926998F063C68C07D1A5C51381C84FBE914F3A02F188F3BBF7D21F49D35665D1D3FB0
                    Malicious:false
                    Reputation:low
                    Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1311994" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                    C:\Windows\appcompat\Programs\Amcache.hve
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:MS Windows registry file, NT/2000 or above
                    Category:dropped
                    Size (bytes):1572864
                    Entropy (8bit):4.21783413807694
                    Encrypted:false
                    SSDEEP:12288:8Ci1aMWKiXr/IW87DN0bvHJsjDUhRzu3dKkzF7ZNq9kS+gab7KV+Ss:Vi1aMWKiXrgW87G+37XX
                    MD5:D72F427F707F671A84F3C7CC3E4E3041
                    SHA1:87173A87D9B1CDE0B1A53029D30AA52223C94363
                    SHA-256:191CEA16D005286BDA625C0F12DDCC07C9DF3F7025F9236F11B2858604A1B167
                    SHA-512:83FD8E1167696E4EC59C36F3A744AB15D50A8A70245490D8CC7D8494F9E662F906F427416114B5A0055896659FDD638A5C5848868547D2E4A86C5047E6A1F762
                    Malicious:false
                    Reputation:low
                    Preview: regfV...V...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm....................................................................................................................................................................................................................................................................................................................................................1.._........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    C:\Windows\appcompat\Programs\Amcache.hve.LOG1
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:MS Windows registry file, NT/2000 or above
                    Category:dropped
                    Size (bytes):20480
                    Entropy (8bit):3.5165609308437173
                    Encrypted:false
                    SSDEEP:384:JSb5VnIrnc82TVgG9K0XOmnQMR9ovOgl5:wlpAc8UVgGs0XVnQMEvP
                    MD5:4A5692F77C142A5C921951F412C73996
                    SHA1:118246C8365CADD57FCF448B9D491BAD688E70E8
                    SHA-256:84058CF94519C692DCBC143DCB31998D33CFC649A143071E5373984EA6CD7468
                    SHA-512:BC4DD6F71ABDA3C55F285B47B9264228A15098507D827C38880ABF840EB265A63220C1F99C021019C85034D1B2B5B85AEFAD2A8B1F80264B5CE754BD750B4219
                    Malicious:false
                    Reputation:low
                    Preview: regfU...U...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm....................................................................................................................................................................................................................................................................................................................................................7.._HvLE.N......U...........N..............................`... ..hbin................p.\..,..........nk,..L..........@........................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ..L.......... ........................... .......Z.......................Root........lf......Root....nk ..L.......................}.............. ...............*...............DeviceCensus........................vk..................WritePermissionsCheck.......p...

                    Static File Info

                    General

                    File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Entropy (8bit):7.341894166997632
                    TrID:
                    • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                    • Generic Win/DOS Executable (2004/3) 0.20%
                    • DOS Executable Generic (2002/1) 0.20%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name:Pv3ZsGsdfS.dll
                    File size:565248
                    MD5:63c22ce32346e029fa5a1ec1ae619d0f
                    SHA1:222cf86c3b59f466292bb734be308cda77c3ddff
                    SHA256:efbd76616dc1cd8210a8c54611f4ffa88e635f0f6ded2f8ff48311737635edda
                    SHA512:413efdf48b13d8cd6cb9f799215a7c34588995ba5f48c4db855ad332c3b4b6b7c753ff361d0cd850a728ec68c76b47e96aaac604f3bdb069920d930c422bd0f4
                    SSDEEP:12288:jGBK1zWlDqhPUVpqF9q9FAfPWvF+r3qTFCX1za7EV8RgfQOOvDC93:jNkIu2KAGIOwZ+v
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........R...<...<...<..k....<...=.S.<.=.....<.......<.......<.t.?...<.t.=.4.<.L.9...<.t...0.<..k....<..0..x.<.......<..1....<..k....<

                    File Icon

                    Icon Hash:74f0e4ecccdce0e4

                    Static PE Info

                    General

                    Entrypoint:0x10005a80
                    Entrypoint Section:.rdata
                    Digitally signed:false
                    Imagebase:0x10000000
                    Subsystem:windows gui
                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                    Time Stamp:0x61C43E40 [Thu Dec 23 09:15:44 2021 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:5
                    OS Version Minor:0
                    File Version Major:5
                    File Version Minor:0
                    Subsystem Version Major:5
                    Subsystem Version Minor:0
                    Import Hash:7119acbff3b38a52756367cf5bfb78f2

                    Entrypoint Preview

                    Instruction
                    inc eax
                    mov edx, 00000003h
                    cmpps xmm1, xmm0, 02h
                    jmp 00007F39491594D6h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    push ebp
                    mov ebp, esp
                    push esi
                    push ebx
                    push edi
                    and esp, FFFFFFF8h
                    sub esp, 000000E8h
                    lea eax, dword ptr [esp+00000084h]
                    lea ecx, dword ptr [esp+23h]
                    mov word ptr [esp+000000D4h], 0F55h
                    mov edx, dword ptr [esp+000000CCh]
                    mov esi, edx
                    or esi, esi
                    mov dword ptr [esp+000000CCh], esi
                    mov byte ptr [esp+000000CBh], 0000000Eh
                    mov word ptr [esp+000000D2h], EED6h
                    mov dword ptr [esp+000000C4h], 00440CD0h
                    mov word ptr [esp+66h], C76Dh
                    mov bl, byte ptr [esp+000000D7h]
                    mov di, word ptr [esp+66h]
                    mov byte ptr [eax+eax+00000000h], bl

                    Rich Headers

                    Programming Language:
                    • [IMP] VS2015 UPD1 build 23506
                    • [C++] VS2012 UPD1 build 51106
                    • [ASM] VS2012 build 50727
                    • [ASM] VS2012 UPD2 build 60315
                    • [LNK] VS2010 SP1 build 40219
                    • [EXP] VS2010 SP1 build 40219
                    • [RES] VS2015 UPD1 build 23506
                    • [IMP] VS2010 build 30319
                    • [ASM] VS2015 UPD1 build 23506
                    • [C++] VS2017 v15.5.4 build 25834
                    • [EXP] VS2012 UPD4 build 61030
                    • [C++] VS2008 build 21022
                    • [ASM] VS2010 SP1 build 40219

                    Data Directories

                    NameVirtual AddressVirtual Size Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT0x810790x60.rdata
                    IMAGE_DIRECTORY_ENTRY_IMPORT0x810dc0x78.rdata
                    IMAGE_DIRECTORY_ENTRY_RESOURCE0x890000x2f0.rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                    IMAGE_DIRECTORY_ENTRY_BASERELOC0x8a0000x1138.reloc
                    IMAGE_DIRECTORY_ENTRY_DEBUG0x60300x38.rdata
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                    IMAGE_DIRECTORY_ENTRY_IAT0x80000x44.rdata
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                    Sections

                    NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                    .rdata0x10000x699e0x7000False0.390206473214data4.46675995806IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    .rdata0x80000x79ed00x7a000False0.303953076972data7.45734301056IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .data0x820000x61780x5000False0.246435546875data5.05789801748IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                    .rsrc0x890000x2f00x1000False0.090087890625data0.791740378228IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .reloc0x8a0000x11380x2000False0.242065429688data4.12259394173IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                    Resources

                    NameRVASizeTypeLanguageCountry
                    RT_VERSION0x890600x290MS Windows COFF PA-RISC object fileEnglishUnited States

                    Imports

                    DLLImport
                    KERNEL32.dllGetModuleHandleW, CloseHandle, IsDebuggerPresent, OutputDebugStringA, GetModuleFileNameW, GetFileSize
                    ADVAPI32.dllAccessCheck, RegCloseKey, QueryServiceStatus
                    USER32.dllGetWindowTextA
                    WINSPOOL.DRVEnumFormsW
                    WS2_32.dllWSACleanup

                    Version Infos

                    DescriptionData
                    OriginalFilenameShi.dll
                    FileDescriptionOracle Call Interface
                    FileVersion2.9.9.7.0
                    Legal CopyrightCopyright Oracle Corporation 1979, 2001. All rights reserved.
                    CompanyNameOracle Corporation
                    Translation0x0409 0x04b0

                    Possible Origin

                    Language of compilation systemCountry where language is spokenMap
                    EnglishUnited States

                    Network Behavior

                    No network behavior found

                    Code Manipulations

                    Statistics

                    Behavior

                    Click to jump to process

                    System Behavior

                    General

                    Start time:09:23:42
                    Start date:24/12/2021
                    Path:C:\Windows\System32\loaddll32.exe
                    Wow64 process (32bit):true
                    Commandline:loaddll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll"
                    Imagebase:0xb90000
                    File size:116736 bytes
                    MD5 hash:7DEB5DB86C0AC789123DEC286286B938
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000000.00000002.749937166.000000006F4B1000.00000020.00020000.sdmp, Author: Joe Security
                    Reputation:moderate

                    General

                    Start time:09:23:43
                    Start date:24/12/2021
                    Path:C:\Windows\SysWOW64\cmd.exe
                    Wow64 process (32bit):true
                    Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1
                    Imagebase:0x2a0000
                    File size:232960 bytes
                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    General

                    Start time:09:23:43
                    Start date:24/12/2021
                    Path:C:\Windows\SysWOW64\rundll32.exe
                    Wow64 process (32bit):true
                    Commandline:rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1
                    Imagebase:0xe70000
                    File size:61952 bytes
                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000000.360348773.000000006F4B1000.00000020.00020000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000000.358630922.000000006F4B1000.00000020.00020000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.401542049.000000006F4B1000.00000020.00020000.sdmp, Author: Joe Security
                    Reputation:high

                    General

                    Start time:09:23:47
                    Start date:24/12/2021
                    Path:C:\Windows\SysWOW64\WerFault.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6900 -s 684
                    Imagebase:0xa20000
                    File size:434592 bytes
                    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    Disassembly

                    Code Analysis

                    Reset < >