Edit tour

Windows Analysis Report
W3XqCWvDWC

Overview

General Information

Sample Name:	W3XqCWvDWC (renamed file extension from none to dll)
Analysis ID:	631906
MD5:	661a35a77c56679722f7180fc4add7ba
SHA1:	81041189ebf61ed4220f4cea933465cc28d48f57
SHA256:	1abc2d91d10d8a44bcc6ce69334f992e5304f3dcb48fe8328d888a25f3228c8d
Tags:	exetrojan
Infos:

Detection

Emotet

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Machine Learning detection for sample

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries the volume information (name, serial number etc) of a device

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

IP address seen in connection with other malware

PE file contains an invalid checksum

Tries to load missing DLLs

Drops PE files to the windows directory (C:\Windows)

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Registers a DLL

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries disk information (often used to detect virtual machines)

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 7136 cmdline: loaddll64.exe "C:\Users\user\Desktop\W3XqCWvDWC.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)

cmd.exe (PID: 7152 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\W3XqCWvDWC.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

rundll32.exe (PID: 5116 cmdline: rundll32.exe "C:\Users\user\Desktop\W3XqCWvDWC.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)

WerFault.exe (PID: 6520 cmdline: C:\Windows\system32\WerFault.exe -u -p 5116 -s 336 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)

regsvr32.exe (PID: 7164 cmdline: regsvr32.exe /s C:\Users\user\Desktop\W3XqCWvDWC.dll MD5: D78B75FC68247E8A63ACBA846182740E)

regsvr32.exe (PID: 6176 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\KYnbMwv\FkmMqbieZ.dll" MD5: D78B75FC68247E8A63ACBA846182740E)

rundll32.exe (PID: 3628 cmdline: rundll32.exe C:\Users\user\Desktop\W3XqCWvDWC.dll,AddIn_FileTime MD5: 73C519F050C20580F8A62C849D49215A)

WerFault.exe (PID: 6360 cmdline: C:\Windows\system32\WerFault.exe -u -p 3628 -s 328 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)

rundll32.exe (PID: 5852 cmdline: rundll32.exe C:\Users\user\Desktop\W3XqCWvDWC.dll,AddIn_SystemTime MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 6532 cmdline: rundll32.exe C:\Users\user\Desktop\W3XqCWvDWC.dll,DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A)

svchost.exe (PID: 4744 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)

WerFault.exe (PID: 6440 cmdline: C:\Windows\system32\WerFault.exe -pss -s 428 -p 5116 -ip 5116 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)

WerFault.exe (PID: 6468 cmdline: C:\Windows\system32\WerFault.exe -pss -s 492 -p 3628 -ip 3628 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)

svchost.exe (PID: 1388 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5268 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4028 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5832 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 3264 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5528 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000000.385599828.0000021F07620000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.423121816.0000029D0DC80000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.422408365.0000000180001000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000000.385750200.0000029D0DC80000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.884802021.0000000180001000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.420849209.0000021F07620000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000000.385379226.0000000180001000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.884543740.0000000001F20000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000000.383190699.0000000180001000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.383775836.0000000180001000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000000.384165191.0000000180001000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000000.383957079.0000021F07620000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000000.385421793.0000000180001000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.420695494.0000000180001000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000000.384837851.0000029D0DC80000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.383431733.0000000000CF0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author
3.2.rundll32.exe.21f07620000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.0.rundll32.exe.29d0dc80000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.0.rundll32.exe.21f07620000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.0.rundll32.exe.21f07620000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.regsvr32.exe.cf0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.regsvr32.exe.cf0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.0.rundll32.exe.29d0dc80000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.29d0dc80000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.0.rundll32.exe.29d0dc80000.2.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.29d0dc80000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.regsvr32.exe.1f20000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.0.rundll32.exe.21f07620000.2.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.0.rundll32.exe.21f07620000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.0.rundll32.exe.29d0dc80000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.regsvr32.exe.1f20000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.21f07620000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 11 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: W3XqCWvDWC.dll

ReversingLabs: Detection: 58%

Machine Learning detection for sample

Source: W3XqCWvDWC.dll

Joe Sandbox ML: detected

Source: W3XqCWvDWC.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\System32\regsvr32.exe

Code function: 7_2_000000018000BEF0 FindFirstFileW,FindNextFileW,FindClose,

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe

Network Connect: 165.22.73.229 8080

Source: Joe Sandbox View

ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS

Source: Joe Sandbox View

IP Address: 165.22.73.229 165.22.73.229

Source: global traffic

TCP traffic: 192.168.2.7:49757 -> 165.22.73.229:8080

Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.73.229
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.73.229
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.73.229
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.73.229
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.73.229
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.73.229
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.73.229
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.73.229
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.73.229
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.73.229
Source: unknown	TCP traffic detected without corresponding DNS query: 165.22.73.229

Source: regsvr32.exe, 00000007.00000003.680911546.000000000068C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.884396963.000000000068C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.885256549.00000194FAC60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.726705919.000001F138F00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000019.00000002.885098836.00000194FAC00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.726705919.000001F138F00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: regsvr32.exe, 00000007.00000003.681201624.000000000065B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.884354736.000000000065C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 00000007.00000003.680911546.000000000068C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.681248144.00000000006BB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.681118030.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.884396963.000000000068C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.884440208.00000000006BC000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.7.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 0000001D.00000003.699848849.000001F138F9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000019.00000002.884582548.00000194F54AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressin
Source: regsvr32.exe, 00000007.00000003.681201624.000000000065B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.884354736.000000000065C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://165.22.73.229/
Source: regsvr32.exe, 00000007.00000003.681201624.000000000065B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.681285538.0000000000642000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.884301913.000000000062B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.884354736.000000000065C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.884330143.0000000000643000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.681151375.0000000000633000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://165.22.73.229:8080/
Source: regsvr32.exe, 00000007.00000003.681285538.0000000000642000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.884330143.0000000000643000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.681151375.0000000000633000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://165.22.73.229:8080/temD
Source: svchost.exe, 0000001D.00000003.699848849.000001F138F9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000001D.00000003.695210547.000001F139402000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.695235903.000001F138FA7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.695226327.000001F138F96000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.695254149.000001F139402000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.hotspotshield.com/
Source: svchost.exe, 0000001D.00000003.699848849.000001F138F9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000001D.00000003.699848849.000001F138F9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000001D.00000003.695210547.000001F139402000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.695235903.000001F138FA7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.695226327.000001F138F96000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.695254149.000001F139402000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.hotspotshield.com/terms/
Source: svchost.exe, 0000001D.00000003.695210547.000001F139402000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.695235903.000001F138FA7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.695226327.000001F138F96000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.695254149.000001F139402000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.pango.co/privacy
Source: svchost.exe, 0000001D.00000003.704245305.000001F139402000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.704223588.000001F138F9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Source: C:\Windows\System32\regsvr32.exe

Code function: 7_2_0000000180017C8C InternetReadFile,

E-Banking Fraud

Yara detected Emotet

Source: Yara match	File source: 3.2.rundll32.exe.21f07620000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.29d0dc80000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.21f07620000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.21f07620000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.cf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.cf0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.29d0dc80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.29d0dc80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.29d0dc80000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.29d0dc80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.regsvr32.exe.1f20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.21f07620000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.21f07620000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.29d0dc80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.regsvr32.exe.1f20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.21f07620000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.385599828.0000021F07620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.423121816.0000029D0DC80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.422408365.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.385750200.0000029D0DC80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.884802021.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.420849209.0000021F07620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.385379226.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.884543740.0000000001F20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.383190699.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.383775836.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.384165191.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.383957079.0000021F07620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.385421793.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.420695494.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.384837851.0000029D0DC80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.383431733.0000000000CF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 428 -p 5116 -ip 5116

Source: C:\Windows\System32\regsvr32.exe

File deleted: C:\Windows\System32\KYnbMwv\FkmMqbieZ.dll:Zone.Identifier

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

File created: C:\Windows\system32\KYnbMwv\

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FF8BE5812B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FF8BE58443C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FF8BE586850
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FF8BE5853FB
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FF8BE585CAD
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FF8BE584A70
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FF8BE585E01
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00CE0000
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180026410
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180025C30
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180011CCC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001D510
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180001D58
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180011E5C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002C6C8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002C2C8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180026F14
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180016320
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180001378
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180018FE8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001ABE8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800243F4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800083F8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800247FC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001DBFC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001100C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180027C28
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002143C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001303C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002A840
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180003840
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000B444
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000F048
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002AC4C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180010050
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180003050
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000445C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000C85C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180003460
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180029C6C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001586C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000406C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000E06C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000BC70
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001447C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180026C80
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180010C84
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180016088
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180002888
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180017C8C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000FC8C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002D098
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800154B8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800064D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800180D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800054D8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002CCE0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800254E4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800184E8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800010E8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000E8F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002A0F8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180019900
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180011904
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001F908
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002490C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001890C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180003D18
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002191C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001D128
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000D12C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180014930
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180008534
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001CD44
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000B948
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000796C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180010590
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180028D94
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800091A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800171B8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180018DBC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800141C8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002B1D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180023DDC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800165E4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180029DF0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180015DF4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800011F4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000FE08
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180027E14
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000B618
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180023220
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180020A34
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180007634
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180022E38
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000E638
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180010250
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180026A64
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180004264
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180013674
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000F678
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000E278
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180005E7C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180025E88
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002868C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180014E98
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180014AA4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800126A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800036A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002A6BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001CABC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000EAC0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001B6D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000F2DC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800202E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800226E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180019AF0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000BEF0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180012EF8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180029710
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180017710
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000C740
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180020F44
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180023B48
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180023748
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180021754
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180022358
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180029F5C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002B368
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001BF70
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180025374
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180007F74
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180021F7C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180019788
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180001B8C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180028394
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180013B94
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001479C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000E7A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800087A4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180017BA8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000EBAC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001B3B8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180012BB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800257C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180008BC0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800117C4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800227E0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FF8BE5812B0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FF8BE58443C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FF8BE586850
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FF8BE5853FB
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FF8BE585CAD
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FF8BE584A70
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FF8BE585E01
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000021F07610000
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000029D0C390000
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_00730000
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180026410
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018000680F
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180025C30
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180013674
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180017C8C
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018000A48C
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018000BEF0
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180029710
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018001D510
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180026F14
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180001D58
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018002B368
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180001378
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180010590
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_00000001800091A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180018DBC
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_00000001800165E4
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180018FE8
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018001ABE8
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180029DF0
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_00000001800243F4
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180015DF4
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_00000001800011F4
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_00000001800083F8
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_00000001800247FC
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018001DBFC
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018000FE08
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018001100C
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180027E14
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018000B618
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180023220
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180027C28
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180020A34
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180007634
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180022E38
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018000E638
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018002143C
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018001303C
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018002A840
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180003840
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018000B444
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018000F048
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018002AC4C
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180010050
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180010250
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180003050
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180011E5C
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018000445C
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018000C85C
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180003460
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180026A64
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180004264
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180029C6C
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018001586C
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018000406C
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018000E06C
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018000BC70
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018000F678
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018000E278
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018001447C
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180005E7C
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180026C80
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180010C84
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180025E88
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180016088
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180002888
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018002868C
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018000FC8C
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018002D098
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180014E98
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180014AA4
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_00000001800126A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_00000001800036A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_00000001800154B8
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018002A6BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018001CABC
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018000EAC0
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018002C6C8
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018002C2C8
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180011CCC
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_00000001800064D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018001B6D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_00000001800180D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_00000001800054D8
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018000F2DC
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_00000001800202E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018002CCE0
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_00000001800226E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_00000001800254E4
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_00000001800184E8
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_00000001800010E8
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180019AF0
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018000E8F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018002A0F8
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180012EF8
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180019900
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180011904
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018001F908
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018002490C
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018001890C
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180017710
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180003D18
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018002191C
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180016320
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018001D128
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018000D12C
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180014930
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180008534
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018000C740
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180020F44
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018001CD44
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180023B48
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180023748
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018000B948
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180021754
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180022358
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180029F5C
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018000796C
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018001BF70
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180025374
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180007F74
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180021F7C
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180019788
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180001B8C
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180028D94
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180028394
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180013B94
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018001479C
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018000E7A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_00000001800087A4
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180017BA8
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018000EBAC
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180012BB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018001B3B8
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_00000001800171B8
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_00000001800257C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180008BC0
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_00000001800117C4
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_00000001800141C8
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_000000018002B1D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_0000000180023DDC
Source: C:\Windows\System32\regsvr32.exe	Code function: 7_2_00000001800227E0

Source: C:\Windows\System32\rundll32.exe	Code function: String function: 00007FF8BE587FF0 appears 31 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 00007FF8BE58B3B0 appears 148 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 00007FF8BE58BD70 appears 113 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00007FF8BE587FF0 appears 31 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00007FF8BE58B3B0 appears 148 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00007FF8BE58BD70 appears 113 times

Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll

Source: W3XqCWvDWC.dll

ReversingLabs: Detection: 58%

Source: W3XqCWvDWC.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\W3XqCWvDWC.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\W3XqCWvDWC.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\W3XqCWvDWC.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\W3XqCWvDWC.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\W3XqCWvDWC.dll,AddIn_FileTime
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\W3XqCWvDWC.dll,AddIn_SystemTime
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\KYnbMwv\FkmMqbieZ.dll"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 428 -p 5116 -ip 5116
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 492 -p 3628 -ip 3628
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\W3XqCWvDWC.dll,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5116 -s 336
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3628 -s 328
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\W3XqCWvDWC.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\W3XqCWvDWC.dll
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\W3XqCWvDWC.dll,AddIn_FileTime
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\W3XqCWvDWC.dll,AddIn_SystemTime
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\W3XqCWvDWC.dll,DllRegisterServer
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\W3XqCWvDWC.dll",#1
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\KYnbMwv\FkmMqbieZ.dll"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 428 -p 5116 -ip 5116
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 492 -p 3628 -ip 3628
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5116 -s 336
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3628 -s 328
Source: C:\Windows\System32\WerFault.exe	Process created: unknown unknown
Source: C:\Windows\System32\WerFault.exe	Process created: unknown unknown

Source: C:\Windows\System32\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32

Source: C:\Windows\System32\svchost.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD544.tmp

Jump to behavior

Source: classification engine

Classification label: mal72.troj.evad.winDLL@32/16@0/3

Source: C:\Windows\System32\regsvr32.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 7_2_0000000180029710 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\W3XqCWvDWC.dll",#1

Source: C:\Windows\System32\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:6468:120:WilError_01
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3628
Source: C:\Windows\System32\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:6440:120:WilError_01
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5116

Source: C:\Windows\System32\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK

Source: W3XqCWvDWC.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: W3XqCWvDWC.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\System32\regsvr32.exe

Code function: 2_2_0000000180006951 pushad ; retf

Source: C:\Windows\System32\regsvr32.exe

Code function: 2_2_00007FF8BE590CC0 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

Source: W3XqCWvDWC.dll

Static PE information: real checksum: 0x61dc7 should be: 0x5eec3

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\W3XqCWvDWC.dll

Source: C:\Windows\System32\regsvr32.exe

PE file moved: C:\Windows\System32\KYnbMwv\FkmMqbieZ.dll

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\System32\regsvr32.exe

File opened: C:\Windows\system32\KYnbMwv\FkmMqbieZ.dll:Zone.Identifier read attributes | delete

Source: C:\Windows\System32\regsvr32.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\svchost.exe TID: 2240	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5408	Thread sleep time: -60000s >= -30000s

Source: C:\Windows\System32\rundll32.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\System32\regsvr32.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\regsvr32.exe	API coverage: 9.9 %
Source: C:\Windows\System32\rundll32.exe	API coverage: 9.5 %

Source: C:\Windows\System32\svchost.exe

Process information queried: ProcessInformation

Source: C:\Windows\System32\regsvr32.exe

Code function: 7_2_000000018000BEF0 FindFirstFileW,FindNextFileW,FindClose,

Source: C:\Windows\System32\regsvr32.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\regsvr32.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\rundll32.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\rundll32.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\System32\regsvr32.exe

File Volume queried: C:\ FullSizeInformation

Source: svchost.exe, 00000019.00000002.884401657.00000194F5429000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@`
Source: svchost.exe, 0000001D.00000002.726404893.000001F13848B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: regsvr32.exe, 00000007.00000003.681201624.000000000065B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.681285538.0000000000642000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.884354736.000000000065C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.884330143.0000000000643000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.681151375.0000000000633000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.885256549.00000194FAC60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.885239072.00000194FAC4A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.726480754.000001F1384ED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000010.00000002.884288009.0000016CA9802000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: regsvr32.exe, 00000007.00000003.681201624.000000000065B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.884354736.000000000065C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@,.
Source: svchost.exe, 00000010.00000002.884331383.0000016CA9828000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\regsvr32.exe

Code function: 2_2_00007FF8BE58BE50 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Windows\System32\regsvr32.exe

Code function: 2_2_00007FF8BE590215 _itow_s,_invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,_wcsftime_l,_invoke_watson_if_oneof,_invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,_snwprintf_s,_invoke_watson_if_oneof,_invoke_watson_if_error,_invoke_watson_if_oneof,_invoke_watson_if_error,_unlock,GetFileType,WriteConsoleW,GetLastError,_invoke_watson_if_oneof,WriteFile,WriteFile,OutputDebugStringW,_itow_s,_invoke_watson_if_error,

Source: C:\Windows\System32\regsvr32.exe

Source: C:\Windows\System32\loaddll64.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort

Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FF8BE58BE50 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FF8BE583280 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FF8BE58BE50 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FF8BE583280 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe

Network Connect: 165.22.73.229 8080

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\W3XqCWvDWC.dll",#1
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 428 -p 5116 -ip 5116
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 492 -p 3628 -ip 3628
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5116 -s 336
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3628 -s 328

Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\System32\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\System32\regsvr32.exe

Code function: 2_2_00007FF8BE588900 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

Source: C:\Windows\System32\regsvr32.exe

Code function: 2_2_00007FF8BE588860 HeapCreate,GetVersion,HeapSetInformation,

Stealing of Sensitive Information

Yara detected Emotet

Source: Yara match	File source: 3.2.rundll32.exe.21f07620000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.29d0dc80000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.21f07620000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.21f07620000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.cf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.cf0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.29d0dc80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.29d0dc80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.29d0dc80000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.29d0dc80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.regsvr32.exe.1f20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.21f07620000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.21f07620000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.29d0dc80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.regsvr32.exe.1f20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.21f07620000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.385599828.0000021F07620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.423121816.0000029D0DC80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.422408365.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.385750200.0000029D0DC80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.884802021.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.420849209.0000021F07620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.385379226.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.884543740.0000000001F20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.383190699.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.383775836.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.384165191.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.383957079.0000021F07620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.385421793.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.420695494.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.384837851.0000029D0DC80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.383431733.0000000000CF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Native API	1 DLL Side-Loading	111 Process Injection	2 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	3 Virtualization/Sandbox Evasion	LSASS Memory	1 Query Registry	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	111 Process Injection	Security Account Manager	41 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Ingress Tool Transfer	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Deobfuscate/Decode Files or Information	NTDS	3 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	2 Process Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Regsvr32	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Rundll32	Proc Filesystem	25 System Information Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 DLL Side-Loading	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	1 File Deletion	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
W3XqCWvDWC.dll	59%	ReversingLabs	Win64.Trojan.Emotet
W3XqCWvDWC.dll	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
7.2.regsvr32.exe.1f20000.0.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
4.2.rundll32.exe.29d0dc80000.0.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
3.0.rundll32.exe.21f07620000.0.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
2.2.regsvr32.exe.cf0000.0.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
4.0.rundll32.exe.29d0dc80000.2.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
4.0.rundll32.exe.29d0dc80000.0.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
3.0.rundll32.exe.21f07620000.2.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
3.2.rundll32.exe.21f07620000.0.unpack	100%	Avira	HEUR/AGEN.1215461	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://www.disneyplus.com/legal/your-california-privacy-rights	0%	URL Reputation	safe
https://www.disneyplus.com/legal/privacy-policy	0%	URL Reputation	safe
https://165.22.73.229:8080/	0%	Avira URL Cloud	safe
https://www.pango.co/privacy	0%	URL Reputation	safe
https://disneyplus.com/legal.	0%	URL Reputation	safe
https://165.22.73.229/	0%	Avira URL Cloud	safe
https://165.22.73.229:8080/temD	0%	Avira URL Cloud	safe
http://crl.ver)	0%	Avira URL Cloud	safe
https://www.tiktok.com/legal/report/feedback	0%	URL Reputation	safe
http://help.disneyplus.com.	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.disneyplus.com/legal/your-california-privacy-rights	svchost.exe, 0000001D.00000003.699848849.000001F138F9E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.disneyplus.com/legal/privacy-policy	svchost.exe, 0000001D.00000003.699848849.000001F138F9E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://165.22.73.229:8080/	regsvr32.exe, 00000007.00000003.681201624.000000000065B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.681285538.0000000000642000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.884301913.000000000062B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.884354736.000000000065C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.884330143.0000000000643000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.681151375.0000000000633000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.hotspotshield.com/terms/	svchost.exe, 0000001D.00000003.695210547.000001F139402000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.695235903.000001F138FA7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.695226327.000001F138F96000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.695254149.000001F139402000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.pango.co/privacy	svchost.exe, 0000001D.00000003.695210547.000001F139402000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.695235903.000001F138FA7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.695226327.000001F138F96000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.695254149.000001F139402000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://disneyplus.com/legal.	svchost.exe, 0000001D.00000003.699848849.000001F138F9E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://165.22.73.229/	regsvr32.exe, 00000007.00000003.681201624.000000000065B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.884354736.000000000065C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://165.22.73.229:8080/temD	regsvr32.exe, 00000007.00000003.681285538.0000000000642000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.884330143.0000000000643000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.681151375.0000000000633000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.ver)	svchost.exe, 00000019.00000002.885098836.00000194FAC00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.726705919.000001F138F00000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://www.tiktok.com/legal/report/feedback	svchost.exe, 0000001D.00000003.704245305.000001F139402000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.704223588.000001F138F9E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://help.disneyplus.com.	svchost.exe, 0000001D.00000003.699848849.000001F138F9E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressin	svchost.exe, 00000019.00000002.884582548.00000194F54AF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.hotspotshield.com/	svchost.exe, 0000001D.00000003.695210547.000001F139402000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.695235903.000001F138FA7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.695226327.000001F138F96000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.695254149.000001F139402000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
165.22.73.229	unknown	United States		14061	DIGITALOCEAN-ASNUS	true

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	631906
Start date and time: 22/05/202222:28:12	2022-05-22 22:28:12 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 17s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	W3XqCWvDWC (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal72.troj.evad.winDLL@32/16@0/3
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 73% (good quality ratio 38.9%) Quality average: 32.7% Quality standard deviation: 37.6%
HCA Information:	Successful, ratio: 93% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 13.89.179.12, 20.189.173.22, 173.222.108.210, 173.222.108.226, 93.184.221.240, 69.192.160.56, 20.223.24.244
Excluded domains from analysis (whitelisted): onedsblobprdwus17.westus.cloudapp.azure.com, onedsblobprdcus17.centralus.cloudapp.azure.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, wu.azureedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, wu-bg-shim.trafficmanager.net, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.even
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: W3XqCWvDWC.dll

Simulations

Behavior and APIs

Time	Type	Description
22:29:56	API Interceptor	2x Sleep call for process: WerFault.exe modified
22:31:07	API Interceptor	10x Sleep call for process: svchost.exe modified

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xd1c7ce56, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	786432
Entropy (8bit):	0.25074921083906204
Encrypted:	false
SSDEEP:	384:U+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:rSB2nSB2RSjlK/+mLesOj1J2
MD5:	655EF77631B804E811F945211D0860EC
SHA1:	15878DB9A86EDB93C7FC9D382E3298F69A914105
SHA-256:	406019DA88D19D1184B21C19CB8E0B0B928BB9E9092DD2557368BD08A48ACADB
SHA-512:	D8302FE347B93AC0E11397930015B9D6BA09EF8EAD51FD5FE5D64ED6548A820FD2DAA13CA9E3F8B8A7B2A7EAB5925AF97060F4927D043078DC3E5B5D071F44D0
Malicious:	false
Preview:	...V... ................e.f.3...w........................&..........w.......z..h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w......................................................................................................................................................................................................................................V........z...................?.......z..........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_W3X_4b2923b72b8cb92cc1b5f136816e1b8388c8c88_11952a33_188de68a\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7861290894240726
Encrypted:	false
SSDEEP:	96:qDF9UivJPnySjv55od7Rt6tpXIQcQac6FcEocw3ZXaXz+HbHgSQgJPbwqIDV9w8j:MMivJKgHkBy9jJ9/u7sYS274lt+l
MD5:	93245C6EC22D32CE8F51441732DEF5C0
SHA1:	754BD6C0F4767B3DE819B860F0938DAAF865FB81
SHA-256:	04F12EC43F8F211B0CC6E02860BFD7ED7C3414860EA480A3A0A43F7A47EF5D72
SHA-512:	F6C7FCC1997E5179AED4FE4763CFDF5496CB19CEF90281F33CCB1C10757718BDAD42D3FAACEF64D77E2986EBF883B3568DCDA64DAD5964956D8054FC8C4E2B81
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.7.7.5.7.3.8.9.1.8.3.6.4.8.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.7.7.5.7.3.9.5.0.8.9.8.5.1.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.a.5.4.8.0.8.3.-.4.b.3.e.-.4.5.0.e.-.9.2.1.2.-.7.2.9.1.0.a.9.e.f.8.8.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.f.d.2.2.1.7.b.-.1.0.3.3.-.4.b.5.d.-.8.3.3.6.-.9.3.c.5.6.d.c.4.8.b.f.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.W.3.X.q.C.W.v.D.W.C...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.e.2.c.-.0.0.0.1.-.0.0.1.8.-.b.e.2.b.-.1.9.1.4.6.6.6.e.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.2.f.3.4.c.c.f.d.d.8.1.4.1.a.e.e.e.2.e.8.9.f.f.b.0.7.0.c.e.2.3.9.c.7.d.0.0.7.0.6.!.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_W3X_4b2923b72b8cb92cc1b5f136816e1b8388c8c88_11952a33_192de409\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.785280213024148
Encrypted:	false
SSDEEP:	96:18F6YcFUiD2JPnyLjv55od7Rt6tpXIQcQac6FcEocw3ZXaXz+HbHgSQgJPbwqIDP:i//iD2JKhHkBy9jJ9/u7sYS274lt+l
MD5:	80B2294DA5AA05766AB50AA915D7891E
SHA1:	F6E866D499EF299403F071710D3AC41DC9251588
SHA-256:	FC36EA83A7AF34E6CA9FE238A523AE2060AF9D16200F8FE87F291A0159E877BC
SHA-512:	2636F604D6C4B1F908C93F6378C17332A8C389DF85EC7FAB1CF55F2C9017636C64865FC40B913AA3FBFAA8B55D9858D56FF28EDE54094FB2042FD3B93291E9DA
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.7.7.5.7.3.8.8.0.3.8.5.1.3.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.7.7.5.7.3.9.4.4.9.1.5.9.0.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.4.6.6.5.7.9.3.-.d.0.c.9.-.4.9.b.0.-.a.2.a.f.-.7.e.9.0.c.c.3.c.e.7.c.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.f.b.c.b.1.6.b.-.6.8.4.9.-.4.7.7.b.-.b.f.c.4.-.2.b.9.9.2.2.1.5.d.d.1.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.W.3.X.q.C.W.v.D.W.C...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.f.c.-.0.0.0.1.-.0.0.1.8.-.a.3.b.f.-.9.a.1.3.6.6.6.e.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.2.f.3.4.c.c.f.d.d.8.1.4.1.a.e.e.e.2.e.8.9.f.f.b.0.7.0.c.e.2.3.9.c.7.d.0.0.7.0.6.!.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC3CF.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon May 23 05:29:49 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	62524
Entropy (8bit):	2.368950805352583
Encrypted:	false
SSDEEP:	384:MA04cSe2YqH2jC2s4V3kMcldYncnfD5zJ+3y:pfMqH2jCj4xz+RfDrKy
MD5:	DA3AB356F2B46AAD9C8F0FDF9E53B268
SHA1:	2454B3D70D79519F53CCB060D13A111491AEF099
SHA-256:	B8A8C6BF0E4777E5DA3BC1291C38FAC4976EEFD888964C5E9F28D2C269D19946
SHA-512:	4595A8F4080186B5E243A5B1179C62A4DA64C1F6A6D0BE9625C96229B4F6F479C43761900667A6F926829C1D0DB7A7B1DC279A52561D94F68ECFA438D977FD54
Malicious:	false
Preview:	MDMP....... ..........b........................................8.......$...d;..........`.......8...........T............................"...........$...................................................................U...........B......P%......Lw..................Y...T..............b.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC844.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon May 23 05:29:50 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.27560589422894
Encrypted:	false
SSDEEP:	192:aV4ISFa04cqPyowuCSrMV/qkm+s494cuBOC5Ic6wHXdOYXqf1XItVSqv7awIl+mf:YL04cSe2YqH2pC2crcldYnYTlG
MD5:	40723BED99C639BDBCECCB9C93712EA7
SHA1:	04DDBEAFF0D58083313E19E289E7FEDEDBB8D551
SHA-256:	09DF41903027B5537B9E65985974A84C93B4C782A58393490F33D671EE61F353
SHA-512:	683FB76E4342B3DE71016F3644304C4A301568797A27335E4CEAAB539E0328634B372EEBCC33D1C5FF1605BEC9EA716C06EAB6CE74A39877293062A10FF19E14
Malicious:	false
Preview:	MDMP....... ..........b........................................8.......$...d;..........`.......8...........T...........X................"...........$...................................................................U...........B......P%......Lw......................T.......,......b.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCDD3.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8654
Entropy (8bit):	3.6977082844769855
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNimCRH+PzA6YqjCgmf8uSkCprf89b/xKfmZVm:RrlsNiTRH+bA6YuCgmf8uS8/8fN
MD5:	C5846E0BCC037A8A65264DCC3278F594
SHA1:	8DEF6CCCE22677DBBD4571919477854C8905F420
SHA-256:	31A25ECBB877C672C188FB63C59AEBB7CB5625C096DB9857AE1E6A546F49F3C5
SHA-512:	D20553FACFD18FBF1A20A408FBFCB15CFF8AA64D50BFFF19C2F9349235C4BA3E266B0E03109A1D36EAE0EA5FB718CF5F0C182268A5218B23BC68513B5999035D
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.1.1.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD0C2.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4892
Entropy (8bit):	4.508316787911904
Encrypted:	false
SSDEEP:	48:cvIwSD8zsXJgtBI9fnWgc8sqYjmFa8fm8M4JCqC9fwnF4Fyq8vh9fwV0ZESC5SLd:uITf55WgrsqYCRJ2FWFVvLd
MD5:	AFBA7F16C9005E8C855248ABC1D2F8CD
SHA1:	CE060E98EE3A5807B6316DCC05210D78F33A59EF
SHA-256:	5ECE0E0F46041834E4A5F9184FF89B53D88161276839AB42C38FC5C8ACCCD403
SHA-512:	F59A3E961A3B405B3258C2F533F0C7E520845BABC23230FD484504C6951CB262F00AEB5DEBDEBC26620826F3435E7C4CC34DFB866FF39BB190B3A8347E4F9E9F
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1527280" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD17C.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	6862
Entropy (8bit):	3.7235885574018686
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiiCQfc+xuY8uSkCpri89b2U+feSm:RrlsNiYfc+xuY8uSH2Nfy
MD5:	3599DA8B34D1693CE09BD96799977A41
SHA1:	9E9B79CCC5FFA070DFDEF7C8F82F7B67B64C2E05
SHA-256:	B6E677966A3FF82F0EF52B40578E7F18D872732AC1B82F2522267F151DC9641C
SHA-512:	0D50A17C725B44E5AAC5E57B871EF6DCD1C8BF6156719BA55498D4DBB39C80F6F092510F2BED680342C47CC428F333B82DCBAEF8BF011FF55EE74479238960EE
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.6.2.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD544.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	54318
Entropy (8bit):	3.0561636569688413
Encrypted:	false
SSDEEP:	1536:9bHI2UZ/nfGgSu40/v9BiWf/0xk29kAuy6KyM:9bHI2UZ/nfGgSu4039BiWf/0xk29kAuk
MD5:	C16FA7D7DD76E81D9F75A377422A40E5
SHA1:	CC322D768197C5E65010DC6AB51C4675A3180879
SHA-256:	133C390D6338F019FA3DED9D1BED7601C0566569D371ADA0DBD6EEF262288BE1
SHA-512:	7308C35D649F0B2F3896338482B4DFCC21DB3B98698FB802663EC6E1D5AEEB9FCE0B26D02CB4307F34AF256399D5A2FFE09205B0AF757D73209FE5FE604086C4
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD882.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4892
Entropy (8bit):	4.508597638922555
Encrypted:	false
SSDEEP:	48:cvIwSD8zsXJgtBI9fnWgc8sqYjf8fm8M4JCqC9fwnFRIUyq8vh9fwW0ZESC5SAd:uITf55WgrsqYgJ3pW4VvAd
MD5:	D0FC83B05EB92CE4D87C84057BE2B115
SHA1:	D61BD274F91D89C5258086D8D0EEBDC1DEEE927F
SHA-256:	6E0D93A6FA8AF71EA7A89934F69C64FFDF63954F6E3A9835EEFC2A64B127A1D7
SHA-512:	6744B25A44AA3F4393ED56D5CB2919516467C588B41EF90D02BDE321A90B66F27B212104CDA5CDB70B2D961E94D6A5ADA8FF6906604AA3C6DE597F618DDBAE1A
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1527280" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD95C.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	54334
Entropy (8bit):	3.056249879577972
Encrypted:	false
SSDEEP:	1536:2CHPIOQnfiTu40/vYoYWf/sxt8JqAuVH2yD:2CHPIOQnfiTu403YoYWf/sxt8JqAuVHf
MD5:	4ED04F837989BC6C4C2B298FAE9D6B8D
SHA1:	EE7BBDA8D2E7DC62055926CF23DC8BD1487C5BB7
SHA-256:	86527C3AB8041506EFB5934F542D4ED464CFBABABD67C23491D4EC535739DA15
SHA-512:	53CE10FDED9BE6FCCE86D5ED524EC0FE44F3578CCF58C58FDCCFA6C1F32B90EA0F9B162FBD87DC62BE3CC42954AA4182C81868E1E59B9BC698589C5221E02B1F
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDA57.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.697454980773062
Encrypted:	false
SSDEEP:	96:kiZYWXl+2ohmYQYUWoNHqYEZ4Mt8iKLOf8ywIkwa+EJ/SIIf23:hZDXl/H952Za+EJ/Svf23
MD5:	641B834246796078E459F1290191AF59
SHA1:	F326AD099635D3F0B95513EE82C4E7DB14B6A6EB
SHA-256:	A3A5222E604078C7CADA19AAFF53D4AF81354C7DB9FAC48149D0F7B883D4330D
SHA-512:	68A6F05D9B66A2659345CAAB9DD0805A72338B29280D76A577B615FE1ABDAB5A36D2E0BE9A160B288897DB4DD66F9BF3029AC026691BD22322D7184138B9C082
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.2.6.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD17.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.697780492905745
Encrypted:	false
SSDEEP:	96:kiZYWGjZLRXYoYyWQHqYEZ8Nt8iKLOk8ywm1izLazEqGSIIB23:hZD2PhS4zLazEqGSvB23
MD5:	D63DD4C4EA9E1107F0D97535D2829F7F
SHA1:	7486551A9A93294C1B76A467C7DC46102792CD1F
SHA-256:	31AEE2D8CB178F469BDB1507972D8F4B3881DF1DB6EBB86B1ABA5CB6B6598174
SHA-512:	57CC8814B7DEB16EFED8440A7DF9FA888F21276E346FC207B9A46AB76844197895B42407DFD6E509F77C90FA9AF856A598241391DC5A95641200BC990A3AE18D
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.2.6.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\System32\regsvr32.exe
File Type:	Microsoft Cabinet archive data, 61480 bytes, 1 file
Category:	dropped
Size (bytes):	61480
Entropy (8bit):	7.9951219482618905
Encrypted:	true
SSDEEP:	1536:kmu7iDG/SCACih0/8uIGantJdjFpTE8lTeNjiXKGgUN:CeGf5gKsG4vdjFpjlYeX9gUN
MD5:	B9F21D8DB36E88831E5352BB82C438B3
SHA1:	4A3C330954F9F65A2F5FD7E55800E46CE228A3E2
SHA-256:	998E0209690A48ED33B79AF30FC13851E3E3416BED97E3679B6030C10CAB361E
SHA-512:	D4A2AC7C14227FBAF8B532398FB69053F0A0D913273F6917027C8CADBBA80113FDBEC20C2A7EB31B7BB57C99F9FDECCF8576BE5F39346D8B564FC72FB1699476
Malicious:	false
Preview:	MSCF....(.......,...................I........y.........Tbr .authroot.stl..$..4..CK..<Tk...c_.d....A.K.....Y.f....!.))$7I.....e..eKT..k....n.3.......S..9.s.....3H.Mh......qV.=M6.=.4.F.....V:F..]......B`....Q...c"U.0.n....J.....4.....i7s..:.27....._...+).lE..he.4\|.?,...h....7..PA..b.,. .....#1+..o...g.....2n1m...=.......Dp.;..f..ljX.Dx..r<'.1RI3B0<w.D.z..)D\|..8<..c+..'XH..K,.Y..d.j.<.A.......l_lVb[w..rDp...'.....nL....!G.F....f.fX..r.. ?.....v(...L..<.\.Z..g;.>.0v...P ......\|...A..(..x...T0.`g...c..7.U?...9.p..a..&..9......sV..l0..D..fhi..h.F....q...y.....Mq].4..Z.....={L....AS..9.....:.:.........+..P.N....EAQ.V. sr.....y.B.`.Efe..8../....$...y-.q.J.......nP...2.Q8...O........M.@\.>=X....V..z.4.=.@...ws.N.M3.S.c?.....C4]?..\.K.9......^...CU......O....X.`........._.gU.....V.{V6..m..D.-\|.Q.t.7.....9.~....[...I.<e...~$..>......s.I.S....~1..IV.2Ri:..]R!8...q...l.X.%.)@......2.gb,t...}..;...@.Z..<q..y..:...e3..cY.we.$....z..\| .#.......I...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\System32\regsvr32.exe
File Type:	data
Category:	modified
Size (bytes):	330
Entropy (8bit):	3.120848828934212
Encrypted:	false
SSDEEP:	6:kK5ooJN+SkQlPlEGYRMY9z+4KlDA3RUesJ21:BakPlE99SNxAhUesE1
MD5:	603C5F0CEFFCB07D2BC7E3B0921C6F69
SHA1:	FC148E38295C25F1BF82E1E17A6C6ECD40496293
SHA-256:	D8D2F8840CB2F29FCEFFF4A572756C4D212872DAA04332629187833D28CDAC1D
SHA-512:	29EFA296659770BDC21A4A3325E03345E75D59ED906730D5236853C3770896D9F9C67F54DC0922B14F29E90DD3FC29E7E016458B83461EA9BDE86DBC9D3D3E94
Malicious:	false
Preview:	p...... .........K+fn..(....................................................... ........3k/"[......(...........(...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".8.0.3.3.6.b.2.f.2.2.5.b.d.8.1.:.0."...

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):	7.152712651608759
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	W3XqCWvDWC.dll
File size:	371200
MD5:	661a35a77c56679722f7180fc4add7ba
SHA1:	81041189ebf61ed4220f4cea933465cc28d48f57
SHA256:	1abc2d91d10d8a44bcc6ce69334f992e5304f3dcb48fe8328d888a25f3228c8d
SHA512:	94a66112e36647502419843e4f577b454c4f341616a580f029cb5c3e8decd9b07077ed16e158b0c029eaf04bb7fcbb7218120af76033749ba93203548235646f
SSDEEP:	6144:hlNuuXQASByX7/xoJcXy16qFHJ7wwD1w3pq6jTK/V9OT0u:hlNu9ASByX7Fy/BJ7rGTK/V3
TLSH:	C1848E46F7F551E5E8F7C13889A23267F9317C948B38A7CB8A44466A4F70BA0E93D701
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........8..ik..ik..ik...k..ik...k..ik...k..ik..hk..ik...k..ik...k..ik...k..ik...k..ikRich..ik................PE..d....{.b.........."

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General

Entrypoint:	0x180003580
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x180000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x62877BF5 [Fri May 20 11:31:01 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	ad5c5b0f3e2e211c551f3b5059e614d7

Entrypoint Preview

Instruction
dec esp
mov dword ptr [esp+18h], eax
mov dword ptr [esp+10h], edx
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 28h
cmp dword ptr [esp+38h], 01h
jne 00007FB938BBE1C7h
call 00007FB938BC3527h
dec esp
mov eax, dword ptr [esp+40h]
mov edx, dword ptr [esp+38h]
dec eax
mov ecx, dword ptr [esp+30h]
call 00007FB938BBE1D4h
dec eax
add esp, 28h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec esp
mov dword ptr [esp+18h], eax
mov dword ptr [esp+10h], edx
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 48h
mov dword ptr [esp+20h], 00000001h
cmp dword ptr [esp+58h], 00000000h
jne 00007FB938BBE1D2h
cmp dword ptr [00028DE8h], 00000000h
jne 00007FB938BBE1C9h
xor eax, eax
jmp 00007FB938BBE2E4h
cmp dword ptr [esp+58h], 01h
je 00007FB938BBE1C9h
cmp dword ptr [esp+58h], 02h
jne 00007FB938BBE210h
dec eax
cmp dword ptr [0001ED99h], 00000000h
je 00007FB938BBE1DAh
dec esp
mov eax, dword ptr [esp+60h]
mov edx, dword ptr [esp+58h]
dec eax
mov ecx, dword ptr [esp+50h]
call dword ptr [0001ED83h]
mov dword ptr [esp+20h], eax
cmp dword ptr [esp+20h], 00000000h
je 00007FB938BBE1D9h
dec esp
mov eax, dword ptr [esp+60h]
mov edx, dword ptr [esp+58h]
dec eax
mov ecx, dword ptr [esp+50h]
call 00007FB938BBDF2Ah
mov dword ptr [esp+20h], eax
cmp dword ptr [esp+20h], 00000000h
jne 00007FB938BBE1C9h
xor eax, eax

Rich Headers

Programming Language:

[LNK] VS2010 build 30319
[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[C++] VS2010 build 30319
[EXP] VS2010 build 30319
[RES] VS2010 build 30319
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2aab0	0x84	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2a1e4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x30000	0x2e9fc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x2f000	0xfcc	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5f000	0x294	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x22000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x203fa	0x20400	False	0.405439983043	zlib compressed data	5.75409030586	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x22000	0x8b34	0x8c00	False	0.275474330357	data	4.41581052225	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2b000	0x3798	0x1400	False	0.161328125	data	2.21550179132	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0x2f000	0xfcc	0x1000	False	0.5048828125	data	5.08183440168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x30000	0x2e9fc	0x2ea00	False	0.887011980563	data	7.85049584102	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5f000	0x6fc	0x800	False	0.21435546875	data	2.34217115221	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_FONTDIR	0x300a0	0x2e800	data	English	United States
RT_MANIFEST	0x5e8a0	0x15a	ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	GetTimeFormatA, GetDateFormatA, GetThreadLocale, FileTimeToSystemTime, VirtualAlloc, ExitProcess, CloseHandle, CreateFileW, SetStdHandle, GetCurrentThreadId, FlsSetValue, GetCommandLineA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, RtlUnwindEx, EncodePointer, FlsGetValue, FlsAlloc, FlsFree, SetLastError, GetLastError, HeapSize, HeapValidate, IsBadReadPtr, DecodePointer, GetProcAddress, GetModuleHandleW, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, GetFileType, GetStartupInfoW, DeleteCriticalSection, GetModuleFileNameA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, HeapSetInformation, GetVersion, HeapCreate, HeapDestroy, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, EnterCriticalSection, LeaveCriticalSection, GetACP, GetOEMCP, GetCPInfo, IsValidCodePage, HeapAlloc, GetModuleFileNameW, HeapReAlloc, HeapQueryInformation, HeapFree, WriteFile, LoadLibraryW, LCMapStringW, MultiByteToWideChar, GetStringTypeW, OutputDebugStringA, WriteConsoleW, OutputDebugStringW, RaiseException, RtlPcToFileHeader, SetFilePointer, GetConsoleCP, GetConsoleMode, FlushFileBuffers
USER32.dll	MessageBoxA
ole32.dll	CoTaskMemFree, CoTaskMemAlloc, CoLoadLibrary

Exports

Name	Ordinal	Address
AddIn_FileTime	1	0x180001140
AddIn_SystemTime	2	0x1800010b0
DllRegisterServer	3	0x180003110

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 22, 2022 22:30:09.205770016 CEST	49757	8080	192.168.2.7	165.22.73.229
May 22, 2022 22:30:09.248379946 CEST	8080	49757	165.22.73.229	192.168.2.7
May 22, 2022 22:30:09.248512030 CEST	49757	8080	192.168.2.7	165.22.73.229
May 22, 2022 22:30:09.315850973 CEST	49757	8080	192.168.2.7	165.22.73.229
May 22, 2022 22:30:09.358282089 CEST	8080	49757	165.22.73.229	192.168.2.7
May 22, 2022 22:30:09.368135929 CEST	8080	49757	165.22.73.229	192.168.2.7
May 22, 2022 22:30:09.368191957 CEST	8080	49757	165.22.73.229	192.168.2.7
May 22, 2022 22:30:09.368587017 CEST	49757	8080	192.168.2.7	165.22.73.229
May 22, 2022 22:30:12.461575031 CEST	49757	8080	192.168.2.7	165.22.73.229
May 22, 2022 22:30:12.505445957 CEST	8080	49757	165.22.73.229	192.168.2.7
May 22, 2022 22:30:12.505577087 CEST	49757	8080	192.168.2.7	165.22.73.229
May 22, 2022 22:30:12.512813091 CEST	49757	8080	192.168.2.7	165.22.73.229
May 22, 2022 22:30:12.596580982 CEST	8080	49757	165.22.73.229	192.168.2.7
May 22, 2022 22:30:12.764410019 CEST	8080	49757	165.22.73.229	192.168.2.7
May 22, 2022 22:30:12.764496088 CEST	49757	8080	192.168.2.7	165.22.73.229
May 22, 2022 22:30:15.768646002 CEST	8080	49757	165.22.73.229	192.168.2.7
May 22, 2022 22:30:15.768675089 CEST	8080	49757	165.22.73.229	192.168.2.7
May 22, 2022 22:30:15.768793106 CEST	49757	8080	192.168.2.7	165.22.73.229
May 22, 2022 22:31:59.324021101 CEST	49757	8080	192.168.2.7	165.22.73.229
May 22, 2022 22:31:59.324043989 CEST	49757	8080	192.168.2.7	165.22.73.229

Target ID:	0
Start time:	22:29:28
Start date:	22/05/2022
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\W3XqCWvDWC.dll"
Imagebase:	0x7ff77d910000
File size:	140288 bytes
MD5 hash:	4E8A40CAD6CCC047914E3A7830A2D8AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exePID: 7152, Parent PID: 7136

General

Target ID:	1
Start time:	22:29:29
Start date:	22/05/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\W3XqCWvDWC.dll",#1
Imagebase:	0x7ff6a6590000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: regsvr32.exePID: 7164, Parent PID: 7136

General

Target ID:	2
Start time:	22:29:30
Start date:	22/05/2022
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\W3XqCWvDWC.dll
Imagebase:	0x7ff799140000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.383775836.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.383431733.0000000000CF0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exePID: 5116, Parent PID: 7152

General

Target ID:	3
Start time:	22:29:30
Start date:	22/05/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\W3XqCWvDWC.dll",#1
Imagebase:	0x7ff728e80000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000000.385599828.0000021F07620000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.420849209.0000021F07620000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000000.385379226.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000000.383190699.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000000.383957079.0000021F07620000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.420695494.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exePID: 3628, Parent PID: 7136

General

Target ID:	4
Start time:	22:29:31
Start date:	22/05/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\W3XqCWvDWC.dll,AddIn_FileTime
Imagebase:	0x7ff728e80000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.423121816.0000029D0DC80000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.422408365.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000000.385750200.0000029D0DC80000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000000.384165191.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000000.385421793.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000000.384837851.0000029D0DC80000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exePID: 5852, Parent PID: 7136

General

Target ID:	5
Start time:	22:29:37
Start date:	22/05/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\W3XqCWvDWC.dll,AddIn_SystemTime
Imagebase:	0x7ff728e80000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exePID: 4744, Parent PID: 604

General

Target ID:	6
Start time:	22:29:37
Start date:	22/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff7e8070000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: regsvr32.exePID: 6176, Parent PID: 7164

General

Target ID:	7
Start time:	22:29:38
Start date:	22/05/2022
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\regsvr32.exe "C:\Windows\system32\KYnbMwv\FkmMqbieZ.dll"
Imagebase:	0x7ff799140000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.884802021.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.884543740.0000000001F20000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: WerFault.exePID: 6440, Parent PID: 4744

General

Target ID:	8
Start time:	22:29:38
Start date:	22/05/2022
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -pss -s 428 -p 5116 -ip 5116
Imagebase:	0x7ff7e8070000
File size:	494488 bytes
MD5 hash:	2AFFE478D86272288BBEF5A00BBEF6A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: WerFault.exePID: 6468, Parent PID: 4744

General

Target ID:	9
Start time:	22:29:38
Start date:	22/05/2022
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -pss -s 492 -p 3628 -ip 3628
Imagebase:	0x7ff684030000
File size:	494488 bytes
MD5 hash:	2AFFE478D86272288BBEF5A00BBEF6A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exePID: 6532, Parent PID: 7136

General

Target ID:	10
Start time:	22:29:40
Start date:	22/05/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\W3XqCWvDWC.dll,DllRegisterServer
Imagebase:	0x7ff728e80000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: WerFault.exePID: 6520, Parent PID: 5116

General

Target ID:	11
Start time:	22:29:42
Start date:	22/05/2022
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 5116 -s 336
Imagebase:	0x7ff684030000
File size:	494488 bytes
MD5 hash:	2AFFE478D86272288BBEF5A00BBEF6A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: WerFault.exePID: 6360, Parent PID: 3628

General

Target ID:	12
Start time:	22:29:42
Start date:	22/05/2022
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 3628 -s 328
Imagebase:	0x7ff684030000
File size:	494488 bytes
MD5 hash:	2AFFE478D86272288BBEF5A00BBEF6A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exePID: 1388, Parent PID: 604

General

Target ID:	16
Start time:	22:30:11
Start date:	22/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff7e8070000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exePID: 5268, Parent PID: 604

General

Target ID:	18
Start time:	22:30:35
Start date:	22/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7e8070000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exePID: 4028, Parent PID: 604

General

Target ID:	25
Start time:	22:31:06
Start date:	22/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7e8070000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exePID: 5832, Parent PID: 604

General

Target ID:	26
Start time:	22:31:10
Start date:	22/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7e8070000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exePID: 3264, Parent PID: 604

General

Target ID:	27
Start time:	22:31:34
Start date:	22/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7e8070000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exePID: 5528, Parent PID: 604

General

Target ID:	29
Start time:	22:31:50
Start date:	22/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7e8070000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

⊘No disassembly

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report W3XqCWvDWC

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_W3X_4b2923b72b8cb92cc1b5f136816e1b8388c8c88_11952a33_188de68a\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_W3X_4b2923b72b8cb92cc1b5f136816e1b8388c8c88_11952a33_192de409\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC3CF.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC844.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCDD3.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD0C2.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD17C.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD544.tmp.csv

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD882.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD95C.tmp.csv

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDA57.tmp.txt

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD17.tmp.txt

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Static File Info

General

Windows Analysis Report
W3XqCWvDWC

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre