Edit tour

Windows Analysis Report
Scan.dll

Overview

General Information

Sample Name:	Scan.dll
Analysis ID:	612084
MD5:	997e64e4d24d881dd5905f7271976fff
SHA1:	fd2aadd2aa4089f4cb471b28fc9a17bf13eda4e3
SHA256:	2f09f817d6663b7ca96959e0ef136751099f53047535a99b4eb0cd6347a422d5
Infos:

Detection

Score:	25
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Sigma detected: Suspicious Call by Ordinal

Uses 32bit PE files

Sample file is different than original file name gathered from version info

One or more processes crash

Tries to load missing DLLs

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Checks if the current process is being debugged

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Registers a DLL

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample crashes during execution, try analyze it on another analysis machine

Process Tree

System is w10x64

loaddll32.exe (PID: 6180 cmdline: loaddll32.exe "C:\Users\user\Desktop\Scan.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)

cmd.exe (PID: 2912 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Scan.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 5520 cmdline: rundll32.exe "C:\Users\user\Desktop\Scan.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

regsvr32.exe (PID: 4852 cmdline: regsvr32.exe /s C:\Users\user\Desktop\Scan.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

rundll32.exe (PID: 4916 cmdline: rundll32.exe C:\Users\user\Desktop\Scan.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6616 cmdline: rundll32.exe C:\Users\user\Desktop\Scan.dll,DllUnregisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6136 cmdline: rundll32.exe C:\Users\user\Desktop\Scan.dll,PlugInMain MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 2356 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 680 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Sigma Signatures

System Summary

Sigma detected: Suspicious Call by Ordinal

Source: Process started

Author: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\Scan.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\Scan.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Scan.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2912, ParentProcessName: cmd.exe, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\Scan.dll",#1, ProcessId: 5520, ProcessName: rundll32.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: Scan.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE

Source: Scan.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: scan.pdb source: rundll32.exe, 00000007.00000000.372133858.000000006DFE8000.00000002.00000001.01000000.00000003.sdmp, Scan.dll

Source: rundll32.exe, 00000007.00000000.372301661.000000006E05B000.00000002.00000001.01000000.00000003.sdmp, Scan.dll	String found in binary or memory: http://www.aiim.org/pdfa/ns/extension/
Source: Scan.dll	String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: rundll32.exe, 00000007.00000000.372133858.000000006DFE8000.00000002.00000001.01000000.00000003.sdmp, Scan.dll	String found in binary or memory: http://www.aiim.org/pdfa/ns/id/partconformanceAIDS_LearnMoreScan_EventGTS_PDFA1sRGBIEC
Source: rundll32.exe, 00000007.00000000.372301661.000000006E05B000.00000002.00000001.01000000.00000003.sdmp, Scan.dll	String found in binary or memory: http://www.aiim.org/pdfa/ns/property#
Source: rundll32.exe, 00000007.00000000.372301661.000000006E05B000.00000002.00000001.01000000.00000003.sdmp, Scan.dll	String found in binary or memory: http://www.aiim.org/pdfa/ns/schema#
Source: rundll32.exe, 00000007.00000000.372133858.000000006DFE8000.00000002.00000001.01000000.00000003.sdmp, Scan.dll	String found in binary or memory: http://www.color.org
Source: rundll32.exe, 00000007.00000000.372133858.000000006DFE8000.00000002.00000001.01000000.00000003.sdmp, Scan.dll	String found in binary or memory: http://www.color.orgOutputIntentsSOutputConditionOutputConditionIdentifierRegistryNameFilterNDestOut

Source: Scan.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE

Source: Scan.dll

Binary or memory string: OriginalFilenameScan.apiD vs Scan.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 680

Source: C:\Windows\SysWOW64\regsvr32.exe

Section loaded: sfc.dll

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6DF7CDD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6DFD79D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6DFADDA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6DFA8D40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6DFA18E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6DFA04C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6DFB4C40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6DFB0040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6DF32BE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6DF3EFC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6DF9EBB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6DFA47A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6DFA7F90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6DF9CB80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6DFAFB50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6DFAB330
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6DFAD700
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6DF7FEE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6DF9DED0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6DF9BA80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6DF9D670
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6DFA4A60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6DFA2230

Source: Scan.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Scan.dll",#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\Scan.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Scan.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Scan.dll
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Scan.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Scan.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Scan.dll,DllUnregisterServer
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Scan.dll,PlugInMain
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 680
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Scan.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Scan.dll
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Scan.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Scan.dll,DllUnregisterServer
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Scan.dll,PlugInMain
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Scan.dll",#1

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6136

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER6047.tmp

Jump to behavior

Source: classification engine

Classification label: sus25.winDLL@14/4@0/0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_6DF96D00 CoCreateInstance,StringFromGUID2,WideCharToMultiByte,strcpy_s,strcat_s,strcat_s,strcat_s,RegOpenKeyExA,RegQueryInfoKeyA,RegCloseKey,strcpy_s,strcat_s,strcat_s,strcat_s,RegOpenKeyExA,RegCloseKey,RegCloseKey,RegQueryInfoKeyA,RegCloseKey,RegCloseKey,RegCloseKey,free,free,

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Scan.dll

Static file information: File size 1282659 > 1048576

Source: Scan.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Scan.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Scan.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Scan.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Scan.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Scan.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Scan.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: Scan.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: scan.pdb source: rundll32.exe, 00000007.00000000.372133858.000000006DFE8000.00000002.00000001.01000000.00000003.sdmp, Scan.dll

Source: Scan.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Scan.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Scan.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Scan.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Scan.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Scan.dll

Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\rundll32.exe

API coverage: 0.9 %

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_6DFE1CA2 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6DFE1CA2 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_6DFE145D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Scan.dll",#1

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_6DF4AA67 cpuid

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_6DFE1E2B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Regsvr32	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Rundll32	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	11 Virtualization/Sandbox Evasion	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Process Injection	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
http://www.color.orgOutputIntentsSOutputConditionOutputConditionIdentifierRegistryNameFilterNDestOut	0%	Avira URL Cloud	safe
http://www.color.org	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.aiim.org/pdfa/ns/property#	rundll32.exe, 00000007.00000000.372301661.000000006E05B000.00000002.00000001.01000000.00000003.sdmp, Scan.dll	false		high
http://www.aiim.org/pdfa/ns/extension/	rundll32.exe, 00000007.00000000.372301661.000000006E05B000.00000002.00000001.01000000.00000003.sdmp, Scan.dll	false		high
http://www.aiim.org/pdfa/ns/id/partconformanceAIDS_LearnMoreScan_EventGTS_PDFA1sRGBIEC	rundll32.exe, 00000007.00000000.372133858.000000006DFE8000.00000002.00000001.01000000.00000003.sdmp, Scan.dll	false		high
http://www.color.orgOutputIntentsSOutputConditionOutputConditionIdentifierRegistryNameFilterNDestOut	rundll32.exe, 00000007.00000000.372133858.000000006DFE8000.00000002.00000001.01000000.00000003.sdmp, Scan.dll	false	Avira URL Cloud: safe	unknown
http://www.aiim.org/pdfa/ns/id/	Scan.dll	false		high
http://www.color.org	rundll32.exe, 00000007.00000000.372133858.000000006DFE8000.00000002.00000001.01000000.00000003.sdmp, Scan.dll	false	URL Reputation: safe	unknown
http://www.aiim.org/pdfa/ns/schema#	rundll32.exe, 00000007.00000000.372301661.000000006E05B000.00000002.00000001.01000000.00000003.sdmp, Scan.dll	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	612084
Start date and time: 20/04/202215:03:23	2022-04-20 15:03:23 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 3s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Scan.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	SUS
Classification:	sus25.winDLL@14/4@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 82.7%) Quality average: 62.2% Quality standard deviation: 37.1%
HCA Information:	Successful, ratio: 80% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .dll Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com
Not all processes where analyzed, report is missing behavior information

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_857268874fb81feb3bb95a5bbe71d6fa48e6822_82810a17_09097fb6\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9274815221163117
Encrypted:	false
SSDEEP:	192:jvEfiv0oXVHBUZMX4jed+3n/u7srS274ItWc:7EfiRXFBUZMX4jeS/u7srX4ItWc
MD5:	77B2468461629231907F828F0D24D40F
SHA1:	3BEBFBB9C9417F81F7C90220267A6B096505DE8E
SHA-256:	26685C4506AB85D229774025EA2BB35F0B52A38E77AC4D0FA65D8BD3AE29E71A
SHA-512:	F8B0043AC95679415E0AD71712497D42F42A4126717EE6664B9AD65DE73FAFE3409EF566EBAE0684A7E6F31D61E730611B8A825976E666A7F74898F8234761D9
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.4.9.6.5.8.8.6.7.9.6.5.7.0.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.4.9.6.5.8.9.3.3.4.3.3.8.1.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.7.7.8.f.f.b.9.-.6.3.6.e.-.4.b.a.f.-.8.4.b.c.-.5.c.b.e.1.2.0.0.8.c.0.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.8.c.b.6.8.0.c.-.4.a.7.3.-.4.e.f.a.-.a.2.f.5.-.1.7.6.2.b.5.3.d.0.e.b.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.f.8.-.0.0.0.1.-.0.0.1.8.-.5.3.7.a.-.4.a.a.3.0.2.5.5.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6047.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Apr 20 22:04:47 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	51226
Entropy (8bit):	2.010910473628768
Encrypted:	false
SSDEEP:	192:tM+64SW972lwBO5Skbp8PiIsEziph0nSbxU1QzhDiGaAZaXU/MG4rOWJbpns:7Ky05LbKPXs2iph0nSbSQVObAtWOMJ
MD5:	685B2B4D8E1EFCAEBFB4C9F7233D66D4
SHA1:	4648F6B3F65CCD718803E5E2AD45DB0EF8FED813
SHA-256:	F3BAA968656EAB289A4B868D323D2AF2BCAD50C1F32E8921108DAAFF629C55B7
SHA-512:	AED669365DE9D9C444AB19961346C1AD4D8B8C8EFF86972246684271B1C52F52FD6643E9F285FF57B55B7C433E1C4C9A12FB75E6836C2EF08799DAE114E99C79
Malicious:	false
Preview:	MDMP....... .........`b....................................$...x1..........T.......8...........T............................................................................................................U...........B......(.......GenuineIntelW...........T...........z.`b.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER63D3.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8276
Entropy (8bit):	3.6922283824903093
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiX56Lel76YFr6F5pGgmfTFSwCprq89b50Fsf0+Tm:RrlsNip6Le56Y560gmfTFSb50efe
MD5:	91861666C1EB1967AFAF2A0F09A293BB
SHA1:	0B4C5E865120F67E6494615683C75752FB0ABDA0
SHA-256:	D3308241D477CF8185C81F4D8C4BC1E20753B9A308B35CBEE16AEE15D2EF08C4
SHA-512:	035FA71B0E88BE311C2ADD982F64E3CAA4A5F3A84326F2976DAAA311544AA68522CD92B4141D38DFD4D9E7BA3577B3D392684042CCC051445BAD267FAC11796F
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.1.3.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6589.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4638
Entropy (8bit):	4.459099232012371
Encrypted:	false
SSDEEP:	48:cvIwSD8zs2JgtWI9SEWgc8sqYjd8fm8M4JCdsIEFJ+q8/nXC4SrSDd:uITfMFdgrsqYOJK86yDWDd
MD5:	EF2D6487C0E44992FE0A0827C62CB076
SHA1:	7AD46F19B16CDB5AF23F6ADBF72A8B53B34EACBA
SHA-256:	BFF215ECDED5398EA0AE28DE7FF3C0608C32DB274262881C3A8F6B3773A044C7
SHA-512:	66649566880A22285565CAB1E0D649847E812BA0F3DA13B48623DB688A0BB02CED4F4318B184B234EF8234D742B72F40B589283D037402081E01BAD37CACB38F
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1480755" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.978679045996824
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Scan.dll
File size:	1282659
MD5:	997e64e4d24d881dd5905f7271976fff
SHA1:	fd2aadd2aa4089f4cb471b28fc9a17bf13eda4e3
SHA256:	2f09f817d6663b7ca96959e0ef136751099f53047535a99b4eb0cd6347a422d5
SHA512:	74f7dd59160564f01c8d6182b1aa75f5a52ac46b81bbd6c7655e0bd3cc9f2de206dd35bffdefb296074285b7a5bf3a07ff404132a523c6767cc7be6b01e8859d
SSDEEP:	24576:JKwEn0T01c19yckPIcRzAPaC3DHzgBAyjK+1FyjpOU:rEn0T01eKIKzAPaCgWSK+1FSL
TLSH:	B3557B11FA55C42AE6E05970EA3DA7EF45797D300B2140EBF3C43A99A934BE31A32753
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@1..!_..!_..!_..Y...!_.L[..!_.L\..!_.LZ..!_.L^..!_..!_..!_..I[..!_..I^..!_..!^.. _.cOZ..!_.cO_..!_.cO...!_.cO]..!_.Rich.!_

File Icon


Icon Hash:	92b1b39b9e9e9ad9

Static PE Info

General

Entrypoint:	0x2f91a9c0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x2f900000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6251F67F [Sat Apr 9 21:11:27 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	089ca559e81ce694a096450dedbe28a2

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007FE0E0C351E7h
call 00007FE0E0C351FAh
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007FE0E0CCC2BFh
add esp, 0Ch
pop ebp
retn 000Ch
mov ecx, dword ptr [2FA123E4h]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp ecx, edi
je 00007FE0E0C351E6h
test esi, ecx
jne 00007FE0E0C35208h
call 00007FE0E0CCC60Eh
mov ecx, eax
cmp ecx, edi
jne 00007FE0E0C351E9h
mov ecx, BB40E64Fh
jmp 00007FE0E0C351F0h
test esi, ecx
jne 00007FE0E0C351ECh
or eax, 00004711h
shl eax, 10h
or ecx, eax
mov dword ptr [2FA123E4h], ecx
not ecx
pop edi
mov dword ptr [2FA123E0h], ecx
pop esi
ret
push ebp
mov ebp, esp
cmp dword ptr [ebp+08h], 00000000h
jne 00007FE0E0C351E9h
mov byte ptr [2FA2A304h], 00000001h
call 00007FE0E0C35209h
call 00007FE0E0C353DDh
test al, al
jne 00007FE0E0C351E6h
xor al, al
pop ebp
ret
call 00007FE0E0C353D0h
test al, al
jne 00007FE0E0C351ECh
push 00000000h
call 00007FE0E0C353C5h
pop ecx
jmp 00007FE0E0C351CBh
mov al, 01h
pop ebp
ret
push ebp
mov ebp, esp
and dword ptr [2FA2A670h], 00000000h
sub esp, 24h
or dword ptr [2FA123F0h], 01h
push 0000000Ah
call 00007FE0E0C3539Ah
test eax, eax
je 00007FE0E0C3538Fh

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xdf830	0x80	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xdf8b0	0x1a4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12b000	0x1bce0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x147000	0xaab4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xd4110	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xd420c	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xd4168	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb8000	0x4f8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb6ff6	0xb7000	False	0.446019573941	data	6.55578943265	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0xb8000	0x29db2	0x29e00	False	0.253078358209	data	6.3401647093	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xe2000	0x486c8	0x31400	False	0.781854774746	data	7.43382146663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x12b000	0x1bce0	0x1be00	False	0.33248668722	data	6.22052692507	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x147000	0xaab4	0xac00	False	0.733148619186	data	6.74199501615	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
EVEF	0x131068	0xc5c	ASCII text, with CRLF line terminators	English	United States
EVEF	0x12f608	0x82b	ASCII text, with CRLF line terminators	English	United States
EVEF	0x131cc8	0x4bb	ASCII text, with CRLF line terminators	English	United States
EVEF	0x1328d8	0xa4	ASCII text, with CRLF line terminators	English	United States
EXTSCHEMA_XMP	0x12c940	0x948	ASCII text, with CRLF line terminators	English	United States
EXVW	0x12e160	0x385	ASCII text, with CRLF line terminators	English	United States
EXVW	0x12f258	0x3aa	ASCII text, with CRLF line terminators	English	United States
EXVW	0x12fe38	0xcd	ASCII text, with CRLF line terminators	English	United States
EXVW	0x12ff08	0x3a7	ASCII text, with CRLF line terminators	English	United States
EXVW	0x1338c0	0xfe4	ASCII text, with CRLF line terminators	English	United States
EXVW	0x1302b0	0x3a3	ASCII text, with CRLF line terminators	English	United States
EXVW	0x130658	0x5a6	ASCII text, with CRLF line terminators	English	United States
EXVW	0x12e4e8	0xd6d	ASCII text, with CRLF line terminators	English	United States
EXVW	0x130c00	0x467	ASCII text, with CRLF line terminators	English	United States
EXVW	0x12df28	0x232	ASCII text, with CRLF line terminators	English	United States
EXVW	0x132188	0x5ed	ASCII text, with CRLF line terminators	English	United States
EXVW	0x132778	0x15d	ASCII text, with CRLF line terminators	English	United States
EXVW	0x132980	0xf3d	ASCII text, with CRLF line terminators	English	United States
EXVW	0x1348a8	0xd70	ASCII text, with CRLF line terminators	English	United States
PNGI	0x145cd8	0xe46	PNG image data, 18 x 17, 8-bit/color RGBA, non-interlaced	English	United States
PNGI	0x1417c8	0xdbb	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	English	United States
PNGI	0x142588	0xc9e	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	English	United States
PNGI	0x143228	0x357	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced	English	United States
PNGI	0x143580	0x408	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced	English	United States
PNGI	0x143988	0x5da	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced	English	United States
PNGI	0x143f68	0x4e5	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced	English	United States
PNGI	0x144bc8	0x110f	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced	English	United States
PNGI	0x140a90	0x643	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced	English	United States
PNGI	0x1410d8	0x367	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	English	United States
PNGI	0x141440	0x386	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	English	United States
PNGI	0x144450	0x773	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced	English	United States
REGISTRY	0x12d288	0x222	ASCII text, with CRLF line terminators	English	United States
TYPELIB	0x12d4b0	0x708	data	English	United States
ZDCT	0x135618	0xe5	data	English	United States
ZDCT	0x135700	0xb38a	data	English	United States
RT_ICON	0x12bd40	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4294964223, next used block 4043309055	English	United States
RT_ICON	0x12c040	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2147516416, next used block 126386176	English	United States
RT_ICON	0x12c340	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2566914048, next used block 2576980377	English	United States
RT_ICON	0x12c640	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 8452095, next used block 4043308807	English	United States
RT_RCDATA	0x146b20	0x80	data	English	United States
RT_RCDATA	0x146ba0	0x40	data	English	United States
RT_RCDATA	0x146be0	0x80	data	English	United States
RT_RCDATA	0x146c60	0x80	data	English	United States
RT_GROUP_ICON	0x12c928	0x14	data	English	United States
RT_GROUP_ICON	0x12c028	0x14	data	English	United States
RT_GROUP_ICON	0x12c628	0x14	data	English	United States
RT_GROUP_ICON	0x12c328	0x14	data	English	United States
RT_VERSION	0x12dbb8	0x36c	data	English	United States

Imports

DLL	Import
USER32.dll	SetActiveWindow, SendMessageA, FindWindowA, CharNextW, CharNextA, SetForegroundWindow, UnregisterClassA, GetPropW, GetFocus, GetWindowRect, TranslateMessage, DispatchMessageA, PeekMessageA, ShowWindow, MoveWindow, SetFocus, MsgWaitForMultipleObjects, PostThreadMessageA, ValidateRgn, ValidateRect, EndPaint, BeginPaint, DestroyWindow, CreateWindowExA, RegisterClassA, DefWindowProcA, GetMessageA, SetPropW
GDI32.dll	CreateDIBSection, SelectObject, DeleteObject, EnumFontsA, DeleteDC, CreateCompatibleDC
ADVAPI32.dll	RegQueryValueExW, RegSetValueExA, RegQueryInfoKeyW, RegQueryInfoKeyA, RegOpenKeyExA, RegEnumKeyExA, RegDeleteValueA, RegDeleteKeyA, RegCreateKeyExA, RegQueryValueExA, RegCreateKeyA, RegOpenKeyExW, RegCloseKey
KERNEL32.dll	CreateFileA, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, LoadLibraryA, WaitForSingleObject, SleepConditionVariableCS, InitializeCriticalSection, WakeAllConditionVariable, CloseHandle, WaitForSingleObjectEx, InitOnceExecuteOnce, QueryPerformanceCounter, IsDBCSLeadByte, WideCharToMultiByte, MultiByteToWideChar, lstrcmpiA, LoadLibraryExA, FreeLibrary, LeaveCriticalSection, GetWindowsDirectoryA, GlobalSize, GetDiskFreeSpaceExW, GetTempFileNameW, SetEvent, ResetEvent, ReleaseMutex, CreateMutexA, CreateEventA, CreateThread, OpenEventA, CreateEventW, UnhandledExceptionFilter, OutputDebugStringW, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, InitializeConditionVariable, GetLongPathNameA, IsValidLocale, DeleteFileW, GetTempPathW, GetLongPathNameW, LoadResource, LockResource, SizeofResource, FindResourceA, Sleep, lstrcatA, GetModuleFileNameA, OutputDebugStringA, FreeResource, GetACP, lstrcpyA, lstrlenA, GetTickCount, DisableThreadLibraryCalls, FindAtomW, DecodePointer, RaiseException, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleW, GetProcAddress, LoadLibraryW, EnterCriticalSection
SHELL32.dll	ShellExecuteExA
ole32.dll	CLSIDFromProgID, CoRegisterClassObject, CoRevokeClassObject, CoResumeClassObjects, CoCreateInstanceEx, StringFromGUID2, CoTaskMemAlloc, CoTaskMemRealloc, CoTaskMemFree, CoCreateInstance
OLEAUT32.dll	UnRegisterTypeLib, RegisterTypeLib, LoadRegTypeLib, LoadTypeLib, VarUI4FromStr, SysStringLen, SysAllocString, SysFreeString
MSVCP140.dll	?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A, ?_Fiopen@std@@YAPAU_iobuf@@PBDHH@Z, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAPAD0PAH001@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAVios_base@1@AAV21@@Z@Z, ?setprecision@std@@YA?AU?$_Smanip@_J@1@_J@Z, ?_Fiopen@std@@YAPAU_iobuf@@PBGHH@Z, ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ, ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@D@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDD@Z, ?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ, ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ, ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z, ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PAD1AAPAD@Z, ?out@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z, ?in@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z, ?always_noconv@codecvt_base@std@@QBE_NXZ, ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ, ??Bid@locale@std@@QAEIXZ, ??1_Lockit@std@@QAE@XZ, ??0_Lockit@std@@QAE@H@Z, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@G@Z, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z, ?_Xlength_error@std@@YAXPBD@Z, ?_Xout_of_range@std@@YAXPBD@Z, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ, ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ, ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UAE@XZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@N@Z, ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ, ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ, ?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEXABVlocale@2@@Z, ?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEPAV12@PAD_J@Z, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JXZ, ?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ, ?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J@Z, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z, _Thrd_join, _Thrd_hardware_concurrency, _Thrd_id, _Cnd_do_broadcast_at_thread_exit, ?_Throw_Cpp_error@std@@YAXH@Z, ?uncaught_exception@std@@YA_NXZ, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z
VCRUNTIME140.dll	_purecall, __std_terminate, __std_exception_copy, __std_exception_destroy, _CxxThrowException, __CxxFrameHandler3, memset, _except_handler4_common, memmove, memcpy, __std_type_info_destroy_list, __current_exception_context, memchr, strchr, strrchr, strstr, __RTDynamicCast, __current_exception
api-ms-win-crt-runtime-l1-1-0.dll	_beginthreadex, abort, terminate, _invalid_parameter_noinfo_noreturn, _errno, _initterm_e, _invalid_parameter_noinfo, _resetstkoflw, _initterm, _seh_filter_dll, _configure_narrow_argv, _initialize_narrow_environment, _initialize_onexit_table, _register_onexit_function, _execute_onexit_table, _crt_atexit, _cexit, _set_invalid_parameter_handler
api-ms-win-crt-string-l1-1-0.dll	wcsncpy_s, _strnicmp, wcscpy_s, strtok, isalnum, strpbrk, strlen, tolower, isdigit, strcat_s, isalpha, strncmp, strcpy_s, _stricmp, wcscat_s
api-ms-win-crt-stdio-l1-1-0.dll	ungetc, fwrite, putc, setvbuf, _fseeki64, fread, fsetpos, fgetpos, fflush, _get_stream_buffer_pointers, _wfopen_s, __stdio_common_vfprintf, fopen, fclose, fgetc, __stdio_common_vsprintf, fputc, _write, _open, _close, __stdio_common_vsprintf_s, __stdio_common_vfscanf
api-ms-win-crt-math-l1-1-0.dll	floor, ceil, _libm_sse2_cos_precise, _libm_sse2_sin_precise, lround, _libm_sse2_log10_precise, _libm_sse2_sqrt_precise, _libm_sse2_pow_precise
api-ms-win-crt-convert-l1-1-0.dll	mbstowcs, wcstombs_s, atof, wcstombs, atoi, _itoa
api-ms-win-crt-time-l1-1-0.dll	clock
api-ms-win-crt-heap-l1-1-0.dll	free, malloc, _recalloc, _callnewh
api-ms-win-crt-multibyte-l1-1-0.dll	_mbsstr, _mbsnbcpy_s
api-ms-win-crt-filesystem-l1-1-0.dll	_lock_file, _unlock_file
api-ms-win-crt-environment-l1-1-0.dll	getenv
api-ms-win-crt-utility-l1-1-0.dll	rand

Exports

Name	Ordinal	Address
DllRegisterServer	6	0x2f96aa30
DllUnregisterServer	7	0x2f96aae0
PlugInMain	5	0x2f91af80

Version Infos

Description	Data
LegalCopyright	Copyright 1984-2021 Adobe Systems Incorporated and its licensors. All rights reserved.
FileVersion	17.12.30229.10229
CompanyName	Adobe Systems Incorporated
ProductName	Adobe Acrobat
ProductVersion	17.12.30229.10229
FileDescription	Adobe Acrobat Scan Plug-in
OriginalFilename	Scan.api
Translation	0x0409 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	15:04:34
Start date:	20/04/2022
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\Scan.dll"
Imagebase:	0xe20000
File size:	116736 bytes
MD5 hash:	7DEB5DB86C0AC789123DEC286286B938
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exePID: 2912, Parent PID: 6180

General

Target ID:	1
Start time:	15:04:34
Start date:	20/04/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Scan.dll",#1
Imagebase:	0xdd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: regsvr32.exePID: 4852, Parent PID: 6180

General

Target ID:	2
Start time:	15:04:35
Start date:	20/04/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\Scan.dll
Imagebase:	0x10000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exePID: 5520, Parent PID: 2912

General

Target ID:	3
Start time:	15:04:35
Start date:	20/04/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\Scan.dll",#1
Imagebase:	0x10e0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exePID: 4916, Parent PID: 6180

General

Target ID:	4
Start time:	15:04:35
Start date:	20/04/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\Scan.dll,DllRegisterServer
Imagebase:	0x10e0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exePID: 6616, Parent PID: 6180

General

Target ID:	5
Start time:	15:04:39
Start date:	20/04/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\Scan.dll,DllUnregisterServer
Imagebase:	0x10e0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exePID: 6136, Parent PID: 6180

General

Target ID:	7
Start time:	15:04:42
Start date:	20/04/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\Scan.dll,PlugInMain
Imagebase:	0x10e0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: WerFault.exePID: 2356, Parent PID: 6136

General

Target ID:	10
Start time:	15:04:45
Start date:	20/04/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 680
Imagebase:	0xf10000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

⊘No disassembly

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Scan.dll

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_857268874fb81feb3bb95a5bbe71d6fa48e6822_82810a17_09097fb6\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6047.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER63D3.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6589.tmp.xml

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Statistics

Behavior

System Behavior

Analysis Process: loaddll32.exePID: 6180, Parent PID: 3168

General

Analysis Process: cmd.exePID: 2912, Parent PID: 6180

Windows Analysis Report
Scan.dll