Joe Sandbox Cloud Basic Analysis Report
Edit tour

Windows Analysis Report
EMP.dll

Overview

General Information

Sample Name:EMP.dll
Analysis ID:1314161
MD5:db26ef4c084770c461977b805e039312
SHA1:2ad4a4f89a75adcb4e79dd9e8115deed8e428cc2
SHA256:e87b0f184c717ac6c3338861c892363c4981d8a01b52a4cdb30df22cd549bb06
Infos:

Detection

Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
One or more processes crash
Tries to load missing DLLs
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
PE / OLE file has an invalid certificate
PE file contains more sections than normal
Creates a process in suspended mode (likely to inject code)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

Process Tree

  • System is w10x64
  • loaddll64.exe (PID: 3924 cmdline: loaddll64.exe "C:\Users\user\Desktop\EMP.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 5572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 5588 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\EMP.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 5464 cmdline: rundll32.exe "C:\Users\user\Desktop\EMP.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
        • WerFault.exe (PID: 5896 cmdline: C:\Windows\system32\WerFault.exe -u -p 5464 -s 428 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
    • rundll32.exe (PID: 5568 cmdline: rundll32.exe C:\Users\user\Desktop\EMP.dll,EMP MD5: 73C519F050C20580F8A62C849D49215A)
      • WerFault.exe (PID: 4212 cmdline: C:\Windows\system32\WerFault.exe -u -p 5568 -s 428 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
    • WerFault.exe (PID: 7296 cmdline: C:\Windows\system32\WerFault.exe -u -p 3924 -s 472 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

  • AV Detection
  • Networking
  • System Summary
  • Data Obfuscation
  • Hooking and other Techniques for Hiding and Protection
  • Malware Analysis System Evasion
  • Anti Debugging
  • HIPS / PFW / Operating System Protection Evasion
  • Language, Device and Operating System Detection
  • Lowering of HIPS / PFW / Operating System Security Settings

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: EMP.dllReversingLabs: Detection: 36%
Source: Amcache.hve.8.drString found in binary or memory: http://upx.sf.net
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5568 -s 428
Source: C:\Windows\System32\loaddll64.exeSection loaded: getmodulehandlea.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: virtualprotect.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: addvectoredexceptionhandler.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: virtualalloc.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: createthread.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: resumethread.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: openthread.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: setthreadcontext.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: getthreadcontext.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: closehandle.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: createfilea.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: readfile.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: writefile.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: sleep.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: exitprocess.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: getmodulefilenamew.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: createfilew.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: getfilesize.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: readfile.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: pathfileexistsw.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: shgetfolderpatha.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: createdirectorya.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: messageboxa.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: _itoa.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: createprocessa.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: getmodulefilenamea.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: allocconsole.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: setconsoletitlea.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: createconsolescreenbuffer.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: writeconsolea.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: setconsolemode.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: getstdhandle.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: deletefilea.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: freeconsole.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: zwreadfile.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: getwindowsdirectoryw.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: getvolumeinformationw.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: getcomputernamew.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: virtualfree.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: ntterminateprocess.dllJump to behavior
Source: EMP.dllStatic PE information: invalid certificate
Source: EMP.dllStatic PE information: Number of sections : 11 > 10
Source: EMP.dllStatic PE information: Section: .EMP0 ZLIB complexity 1.021484375
Source: EMP.dllReversingLabs: Detection: 36%
Source: C:\Windows\System32\loaddll64.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\EMP.dll,EMP
Source: unknownProcess created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\EMP.dll"
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\EMP.dll",#1
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\EMP.dll,EMP
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\EMP.dll",#1
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5568 -s 428
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5464 -s 428
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3924 -s 472
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\EMP.dll",#1Jump to behavior
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\EMP.dll,EMPJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\EMP.dll",#1Jump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5572:120:WilError_01
Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3924
Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5464
Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5568
Source: C:\Windows\System32\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WEREF43.tmpJump to behavior
Source: classification engineClassification label: mal52.evad.winDLL@11/14@0/0
Source: C:\Windows\System32\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\System32\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\System32\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\System32\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\System32\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\System32\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: EMP.dllStatic file information: File size 2381096 > 1048576
Source: EMP.dllStatic PE information: Raw size of .EMP1 is bigger than: 0x100000 < 0x15ea00
Source: EMP.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: EMP.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: EMP.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: EMP.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: EMP.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_130EB9CD push rbx; iretd 0_2_130EB9D4
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_130EB9CD push rbx; iretd 0_2_130EB9D4
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_130EABC1 push r13; iretd 0_2_130EABCE
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_130EABC1 push r13; iretd 0_2_130EABCE
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_130E941E push rbx; iretd 0_2_130E941F
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_130E941E push rbx; iretd 0_2_130E941F
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_130EBA19 push rsi; iretd 0_2_130EBA1A
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_130EBA19 push rsi; iretd 0_2_130EBA1A
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_130E9E6E push rcx; iretd 0_2_130E9E6F
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_130E9E6E push rcx; iretd 0_2_130E9E6F
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_130EBE99 push 0000007Dh; ret 0_2_130EBE9C
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_130EBE99 push 0000007Dh; ret 0_2_130EBE9C
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_130EB6BC push rcx; retf 0_2_130EB6CF
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_130EB6BC push rcx; retf 0_2_130EB6CF
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_130EB9CD push rbx; iretd 0_2_130EB9D4
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_130EB9CD push rbx; iretd 0_2_130EB9D4
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_130EABC1 push r13; iretd 0_2_130EABCE
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_130EABC1 push r13; iretd 0_2_130EABCE
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_130E941E push rbx; iretd 0_2_130E941F
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_130E941E push rbx; iretd 0_2_130E941F
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_130EBA19 push rsi; iretd 0_2_130EBA1A
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_130EBA19 push rsi; iretd 0_2_130EBA1A
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_130E9E6E push rcx; iretd 0_2_130E9E6F
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_130E9E6E push rcx; iretd 0_2_130E9E6F
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_130EBE99 push 0000007Dh; ret 0_2_130EBE9C
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_130EBE99 push 0000007Dh; ret 0_2_130EBE9C
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_130EB6BC push rcx; retf 0_2_130EB6CF
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_130EB6BC push rcx; retf 0_2_130EB6CF
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_130EB9CD push rbx; iretd 3_2_130EB9D4
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_130EABC1 push r13; iretd 3_2_130EABCE
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_130E941E push rbx; iretd 3_2_130E941F
Source: EMP.dllStatic PE information: section name: .EMP0
Source: EMP.dllStatic PE information: section name: .data2
Source: EMP.dllStatic PE information: section name: .EMP
Source: EMP.dllStatic PE information: section name: .data3
Source: EMP.dllStatic PE information: section name: .EMP1
Source: initial sampleStatic PE information: section name: .EMP1 entropy: 7.313338667858036
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

barindex
Source: loaddll64.exe, 00000000.00000002.890148688.0000000013006000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.884892155.0000000013006000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.884884589.0000000013006000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: DXGI.DLLCREATEDXGIFACTORYISOLDFREEZEKERNEL32.DLLWINE_GET_UNIX_FILE_NAMENTDLL.DLLRTLIMAGENTHEADEREXSAVE
Source: loaddll64.exe, loaddll64.exe, 00000000.00000002.890148688.0000000013006000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.884892155.0000000013006000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.884884589.0000000013006000.00000040.00000001.01000000.00000003.sdmp, EMP.dllBinary or memory string: WINE_GET_UNIX_FILE_NAME
Source: EMP.dllBinary or memory string: FKERNEL32.DLLGETMODULEHANDLEAVIRTUALPROTECTADDVECTOREDEXCEPTIONHANDLERVIRTUALALLOCCREATETHREADRESUMETHREADOPENTHREADSETTHREADCONTEXTGETTHREADCONTEXTCLOSEHANDLECREATEFILEAREADFILEWRITEFILESLEEPEXITPROCESSGETMODULEFILENAMEWCREATEFILEWGETFILESIZEREADFILESHLWAPI.DLLPATHFILEEXISTSWSHELL32.DLLSHGETFOLDERPATHAKERNEL32.DLLCREATEDIRECTORYAUSER32.DLLMESSAGEBOXAMEOUTAMSVCRT.DLL_ITOA_ITOAKERNEL32.DLLCREATEPROCESSAGETMODULEFILENAMEAALLOCCONSOLEATHFILSETCONSOLETITLEACREATECONSOLESCREENBUFFERWRITECONSOLEASETCONSOLEMODEGETSTDHANDLEDELETEFILEAFREECONSOLENTDLL.DLLZWREADFILEEADEXKERNEL32.DLLGETWINDOWSDIRECTORYWGETVOLUMEINFORMATIONWGETCOMPUTERNAMEWVIRTUALFREENTDLL.DLLNTTERMINATEPROCESSDXGI.DLLCREATEDXGIFACTORYISOLDFREEZEKERNEL32.DLLWINE_GET_UNIX_FILE_NAMENTDLL.DLLRTLIMAGENTHEADEREXSAVE
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: Amcache.hve.8.drBinary or memory string: VMware
Source: Amcache.hve.8.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.8.drBinary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.8.drBinary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.drBinary or memory string: VMware, Inc.
Source: Amcache.hve.8.drBinary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.8.drBinary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.drBinary or memory string: VMware7,1
Source: Amcache.hve.8.drBinary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.drBinary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.drBinary or memory string: VMware, Inc.me
Source: Amcache.hve.8.drBinary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.8.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.8.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_130017A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,LoadLibraryA,UnhandledExceptionFilter,0_2_130017A4
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\EMP.dll",#1Jump to behavior
Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_13001374 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,GetProcAddress,0_2_13001374
Source: Amcache.hve.8.drBinary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.8.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.drBinary or memory string: procexp.exe

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsWindows Management Instrumentation1
DLL Side-Loading		11
Process Injection		1
Rundll32		OS Credential Dumping1
System Time Discovery		Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
DLL Side-Loading		2
Software Packing		LSASS Memory121
Security Software Discovery		Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)11
Process Injection		Security Account Manager2
System Information Discovery		SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
DLL Side-Loading		NTDS1
Remote System Discovery		Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script2
Obfuscated Files or Information		LSA SecretsRemote System DiscoverySSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1314161 Sample: EMP.dll Startdate: 25/09/2023 Architecture: WINDOWS Score: 52 25 Multi AV Scanner detection for submitted file 2->25 27 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->27 8 loaddll64.exe 1 2->8         started        process3 signatures4 29 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->29 11 cmd.exe 1 8->11         started        13 rundll32.exe 8->13         started        15 WerFault.exe 17 9 8->15         started        17 conhost.exe 8->17         started        process5 process6 19 rundll32.exe 11->19         started        21 WerFault.exe 17 9 13->21         started        process7 23 WerFault.exe 3 11 19->23         started       

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
EMP.dll36%ReversingLabsWin64.Adware.SbYinYing

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info
NameSourceMaliciousAntivirus DetectionReputation
http://upx.sf.netAmcache.hve.8.drfalse
    		high

    World Map of Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox Version:38.0.0 Beryl
    Analysis ID:1314161
    Start date and time:2023-09-25 23:03:20 +02:00
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 5m 15s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of analysed new started processes analysed:27
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample file name:EMP.dll
    Detection:MAL
    Classification:mal52.evad.winDLL@11/14@0/0
    EGA Information:Failed
    HCA Information:Failed
    Cookbook Comments:
    • Found application associated with file extension: .dll
    • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
    • Excluded IPs from analysis (whitelisted): 20.189.173.21, 52.182.143.212, 20.189.173.20
    • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, onedsblobprdwus15.westus.cloudapp.azure.com, tse1.mm.bing.net, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, g.bing.com, watson.telemetry.microsoft.com, arc.msn.com
    • Execution Graph export aborted for target loaddll64.exe, PID 3924 because there are no executed function
    • Execution Graph export aborted for target rundll32.exe, PID 5568 because there are no executed function
    • Not all processes where analyzed, report is missing behavior information
    • VT rate limit hit for: EMP.dll

    Simulations

    Behavior and APIs

    TimeTypeDescription
    23:04:07API Interceptor3x Sleep call for process: WerFault.exe modified

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASNs

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll64.exe_b36f99e715a616a2a6e58ca767bca6ab868bb2_606702e6_1cc9028d\Report.wer

    Download File
    Process:C:\Windows\System32\WerFault.exe
    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):65536
    Entropy (8bit):0.7912283210789232
    Encrypted:false
    SSDEEP:96:pxFNMPCap6JthNL7+f9pXIQcQgc6ObcEbcw372v+HbHgmksn3eZFDPCFYOyPdTxv:f/kC66iH+Kbh/jzR/u7s6S274lt+
    MD5:702277A0E2536F3A5CB7C965593A383A
    SHA1:CE3E23170B814303EF732360A64CBA0F4EABAE43
    SHA-256:1A477275BE39BEEE69E79030948CA58AA909F2472C0C18B79E2952F7D82829C2
    SHA-512:4720A242ECE439B73C5EF953ADD72558BB9F3259FE07DE8055EC7325202AD2E54BE4A700254AA95E8446ABD348356C98E56A5DE11363889D56DCB6764E16564C
    Malicious:false
    Reputation:low
    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.4.0.1.4.9.4.4.7.6.2.3.6.7.2.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.4.0.1.4.9.4.4.7.9.8.3.0.4.9.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.c.f.1.4.4.e.1.-.8.7.b.a.-.4.d.a.1.-.b.c.6.9.-.a.b.e.2.5.0.8.7.9.f.9.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.3.2.2.4.c.b.0.-.7.a.5.8.-.4.9.3.3.-.b.0.3.5.-.c.1.6.4.0.0.f.9.c.4.6.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.6.4...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.5.4.-.0.0.0.1.-.0.0.2.8.-.1.7.9.0.-.a.0.d.0.f.3.e.f.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.f.e.1.f.7.3.2.2.5.e.8.c.2.3.3.1.b.8.d.3.7.3.d.3.f.9.1.a.c.4.2.0.0.0.0.f.f.f.f.!.0.0.0.0.f.2.3.2.e.0.d.e.c.d.5.4.8.8.5.2.f.a.6.0.8.9.e.1.9.5.4.3.1.b.7.3.e.9.4.e.d.0.b.d.!.l.o.a.d.d.l.l.6.4...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.3././.0.9././.1.5.:.0.

    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_EMP_d7d52438fc4eeec3d5fb46f26751f55c4ff9f1_3f3ed4d9_103cf8e8\Report.wer

    Download File
    Process:C:\Windows\System32\WerFault.exe
    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):65536
    Entropy (8bit):0.797512079560428
    Encrypted:false
    SSDEEP:96:3SFv9Ri1yJPnyJjA55L7+f9pXIQcQgc6ObcEbcw37XaXz+HbHgSQgJPb9kp8WpsX:CFLiYJKPH+KbhnjUF/u7s6S274ltG3
    MD5:EDF4C6D3A614E8F89D9ED7119F6E3E40
    SHA1:937CBE15A4A841AA1154ABD8F4D9047E6BEA274D
    SHA-256:0231545B9BD4F0E34154E311285EF7FD43430744F4A4CAE2BEF482D708D245D6
    SHA-512:23EF7E23C335153814A3A9E76F51F0BB7132CD4FA196C3BDD7F8FF83740D024FCDE115187FFF32AED0E29FFA196A8444E547332776774F97A37B70089FBE2525
    Malicious:false
    Reputation:low
    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.4.0.1.4.9.4.4.4.8.1.5.9.9.9.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.4.0.1.4.9.4.4.5.3.0.0.3.7.3.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.4.3.8.e.4.1.c.-.4.5.8.9.-.4.7.1.3.-.9.e.2.f.-.e.a.0.c.4.c.f.8.0.e.c.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.a.c.b.3.5.c.b.-.7.d.d.a.-.4.4.6.1.-.8.b.b.9.-.e.3.8.5.7.3.d.9.9.b.0.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.E.M.P...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.c.0.-.0.0.0.1.-.0.0.2.8.-.3.d.6.e.-.c.2.d.0.f.3.e.f.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.2.f.3.4.c.c.f.d.d.8.1.4.1.a.e.e.e.2.e.8.9.f.f.b.0.7.0.c.e.2.3.9.c.7.d.0.0.7.0.6.!.r.u.n.d.

    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_EMP_d7d52438fc4eeec3d5fb46f26751f55c4ff9f1_3f3ed4d9_1740f8d8\Report.wer

    Download File
    Process:C:\Windows\System32\WerFault.exe
    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):65536
    Entropy (8bit):0.7978512197171237
    Encrypted:false
    SSDEEP:96:j5SFyVoRiRJPnyQjA55L7+f9pXIQcQgc6ObcEbcw37XaXz+HbHgSQgJPb9kp8WpS:jYRiRJKWH+KbhnjUF/u7s6S274ltG3
    MD5:D2B223B4EE43BCA9279C47159EC33BAF
    SHA1:BD5309114D451621AE59566284392257787D59FB
    SHA-256:5BDF35B2D75BA9FBE8F7175331E0FA9AA0A61F9B30119C249BD70DBCABC82F29
    SHA-512:0596AF36A3F74ADBD740BAB6C3567FCD34FEC1CFB3953338FF87F39EE31EA930718345DB386B5D48FE56B0800C566F08E4E97B89F795A970004EBAE1DB31EF03
    Malicious:false
    Reputation:low
    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.4.0.1.4.9.4.4.4.8.1.2.7.3.1.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.4.0.1.4.9.4.4.5.4.0.6.4.8.1.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.0.2.9.6.1.9.3.-.8.c.f.5.-.4.a.b.8.-.8.1.f.5.-.8.9.4.f.f.c.2.0.5.3.5.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.c.8.6.7.8.a.7.-.a.9.b.b.-.4.c.a.9.-.a.4.4.7.-.1.7.c.8.0.2.c.8.c.5.c.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.E.M.P...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.5.8.-.0.0.0.1.-.0.0.2.8.-.7.1.3.0.-.c.4.d.0.f.3.e.f.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.2.f.3.4.c.c.f.d.d.8.1.4.1.a.e.e.e.2.e.8.9.f.f.b.0.7.0.c.e.2.3.9.c.7.d.0.0.7.0.6.!.r.u.n.d.

    C:\ProgramData\Microsoft\Windows\WER\Temp\WEREF34.tmp.dmp

    Download File
    Process:C:\Windows\System32\WerFault.exe
    File Type:Mini DuMP crash report, 14 streams, Mon Sep 25 21:04:04 2023, 0x1205a4 type
    Category:dropped
    Size (bytes):55166
    Entropy (8bit):1.6147248087794916
    Encrypted:false
    SSDEEP:96:5x8L8NG8RA6bKDN+Qttdl1oi7C51mts9M1Zd2TgzRR9GZdj3PnPXZ9JE9+LOdy39:kwR2DwwhCOC5G1lUb3PB9Q+i43JCJMM6
    MD5:67B7CD3F4647ECE62C5D93A4EAE6C8D3
    SHA1:90F2CAB2861F14E3A0C41AAF2B90D49B9B7928A5
    SHA-256:6F478F144CB8628188518095AAB66C00E498CF8DFDD698509711CDBF6E2787F4
    SHA-512:DBBD1605569318D6615E5810A35D420C001B5E452DBBDD73477842CF66C0189BA1D3D5D0C43512910DC5C3B722C2561C257BDB64C5634A9C869DBD5BA593E2D1
    Malicious:false
    Reputation:low
    Preview:MDMP....... ..........e........................@................,..........T.......8...........T............................................................................................................U...........B......`.......Lw.................l....T.......X......e.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.................................................................................................................................................................................................................................................................................................................................................................................................................................................

    C:\ProgramData\Microsoft\Windows\WER\Temp\WEREF43.tmp.dmp

    Download File
    Process:C:\Windows\System32\WerFault.exe
    File Type:Mini DuMP crash report, 14 streams, Mon Sep 25 21:04:04 2023, 0x1205a4 type
    Category:dropped
    Size (bytes):54642
    Entropy (8bit):1.6171142072158011
    Encrypted:false
    SSDEEP:96:5x80I8NG8HdiAbKDN+2qt2lx9oi7C51mts9MO/Jgzb3VVG2TBQFxGWU72L2Hbcsj:kkWDwlIKOC5G+wkywsd6DVvRC
    MD5:516579226433EC7D3989ACB88DEB942E
    SHA1:004843AA873C7DA9E6C0C87C9B44E5B6BDC69CF2
    SHA-256:AA9CD063EDA6A56E4D38D70DE01D0EA62CC38779EDCD8EB22242B5D1C311978B
    SHA-512:78ABF86CBF1821DDC87818847AFFDCBD152A4B9AE9B1C634B6D109AE9E1B8ACC3EBE8A103CBF86B63E8FEB7A2B3DA240723E86516D874659715B5B2C05B58B72
    Malicious:false
    Reputation:low
    Preview:MDMP....... ..........e........................@................,..........T.......8...........T............................................................................................................U...........B......`.......Lw..................D...T..............e.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.................................................................................................................................................................................................................................................................................................................................................................................................................................................

    C:\ProgramData\Microsoft\Windows\WER\Temp\WEREFC1.tmp.WERInternalMetadata.xml

    Download File
    Process:C:\Windows\System32\WerFault.exe
    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):8664
    Entropy (8bit):3.692663772965566
    Encrypted:false
    SSDEEP:192:Rrl7r3GLNibGQk6Y1v9gmfc2S/+pD989b8+ZfTUm:RrlsNiaz6Y99gmfc2SR8QfF
    MD5:6D6601235AE9A857A0CE120EBABD3977
    SHA1:A7C2BFBBCBF2321DFD9C00CA6E0E9DBC04D37125
    SHA-256:4C391B88978BBE2A4FAF398784265FE0810648DC2E86E0B9FE297BA7C8189539
    SHA-512:067F9CA087CA79E3250EE07D37F78565323E2CF86BF3E27DDB69531B04CA4B9C838EC846C0E7335EC32751AF2E8F8882463687D8989938D25F9CB3ACE3F9AEAD
    Malicious:false
    Reputation:low
    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.5.6.8.<./.P.i.d.>.......

    C:\ProgramData\Microsoft\Windows\WER\Temp\WERF001.tmp.xml

    Download File
    Process:C:\Windows\System32\WerFault.exe
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):4698
    Entropy (8bit):4.458593073805062
    Encrypted:false
    SSDEEP:48:cvIwSD8zsVJgtBI9BMyWgc8sqYj18fm8M4JCZCQPFwbjyq85mpHZESC5Sdd:uITfvHMTgrsqYGJljfVvdd
    MD5:6FB41D59E6D9651461C9FDA7581932FA
    SHA1:C878608A865B05A14D71E60CCA7773EFD4965F89
    SHA-256:5CCAFD2EC49D2BA42A2C786572DE0B49B102A0905481E494032FC77BAC6A0CF0
    SHA-512:A5D3170EA31539C9BD3718C6A6537D789C2924555EA600B6A8EF46EA3037129660BDE7140EEEA3BDB0EB47D848E6EF4CA024A1899557BD85B6EA4788008C9280
    Malicious:false
    Reputation:low
    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2233814" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

    C:\ProgramData\Microsoft\Windows\WER\Temp\WERF03F.tmp.WERInternalMetadata.xml

    Download File
    Process:C:\Windows\System32\WerFault.exe
    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):8476
    Entropy (8bit):3.6910901221512806
    Encrypted:false
    SSDEEP:192:Rrl7r3GLNiepOz6YTLvgmfc2S/+pDT89bFCQfc/Xm:RrlsNiga6Y/vgmfc2SvFVfcO
    MD5:B253114767C789AC9179F225FCA40842
    SHA1:4CF8E70C208059469662DD4C8F19406045ED05A2
    SHA-256:ED202735DFE6CE88415DA60A21D0D121B94AF6D46324442A0E247B348D6850E4
    SHA-512:D8735823CF1BDDE2E6E6F712513FF70F83081090CDE9B1DCE491D029EC9F1DAA56713B162A9D0F5E5867D9B415D757F0E177C5B20F328F972AB3B45948F0750F
    Malicious:false
    Reputation:low
    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.6.4.<./.P.i.d.>.......

    C:\ProgramData\Microsoft\Windows\WER\Temp\WERF08E.tmp.xml

    Download File
    Process:C:\Windows\System32\WerFault.exe
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):4698
    Entropy (8bit):4.458529432385507
    Encrypted:false
    SSDEEP:48:cvIwSD8zsVJgtBI9BMyWgc8sqYjm8fm8M4JCZCQPFLTyq85mpgDZESC5SKd:uITfvHMTgrsqYnJkYDVvKd
    MD5:9C4F14A0D441931737FDC72A101F7E60
    SHA1:C945ABC3BDE46C8D3D34BBF5321B4A610039B3F4
    SHA-256:D0A7D009503EB49AA05F74B4CC7396E10BEF059609CDA5EF8494D4242EAE822C
    SHA-512:67248382A4912A302A652DBEF47CDF6CDA0984FAC5555496C470FBBD269590AEA4AE95D6B42A6AB6C0C71801892E3313EF3A337CAF2D2EC5C8EADCB39BF1D790
    Malicious:false
    Reputation:low
    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2233814" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

    C:\ProgramData\Microsoft\Windows\WER\Temp\WERFA30.tmp.dmp

    Download File
    Process:C:\Windows\System32\WerFault.exe
    File Type:Mini DuMP crash report, 15 streams, Mon Sep 25 21:04:07 2023, 0x1205a4 type
    Category:dropped
    Size (bytes):55748
    Entropy (8bit):1.638596220244389
    Encrypted:false
    SSDEEP:96:5H8g38NG8LBUPGL+txA89i767Ycts9MWBkYhgVQx8hj2Tpa7PhExWIHDI4iUGLJP:CHLWaqxL9O2YWWTgVbgfiUMJjXuios
    MD5:57A75AD75E41E7A650F174F28689E41B
    SHA1:BFFA75FB4B6BC767CC26BF999F0C948026C573A5
    SHA-256:83ABB7BFD20DE8FB0744B69ECB007A34045811D8ADEC867095D4C96C0491398B
    SHA-512:CC68E237526036D4FD1813A7315DC7CE22518F183E56F385D4F780F08067220755F942B4EB8A6AB987D1A009BB7C87ED5BF01163F36967DA37017AB1A6719F8B
    Malicious:false
    Reputation:low
    Preview:MDMP....... ..........e........................@...........$...............<-..........`.......8...........T............................................................................................................U...........B..............Lw................; ....T.......T......e.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................

    C:\ProgramData\Microsoft\Windows\WER\Temp\WERFAAE.tmp.WERInternalMetadata.xml

    Download File
    Process:C:\Windows\System32\WerFault.exe
    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):8492
    Entropy (8bit):3.6913673668163995
    Encrypted:false
    SSDEEP:192:Rrl7r3GLNiFZP6Yp1WfpnVGgmfyS/+pDT89bDb8Qf8+pjm:RrlsNiLP6YrWfqgmfySvDbLf806
    MD5:C53804C66072BB9C12F68B0ED577E7A5
    SHA1:CAE70721C3F5E38F3E4D945568E49BD0A8808313
    SHA-256:FCFBABC71B4E45B969A9E8D94D18593FF453021CBBD60B13FB952BF9A4B3CA1D
    SHA-512:FDF579601EE9B5D4D54280058E5B577A53D0747BD9D13F4A88A15FCC88D3CA53A99B03CC06D009EBBB5DBC2ACBACC36D62980171D609A12A4C6F94F62A87DA05
    Malicious:false
    Reputation:low
    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.9.2.4.<./.P.i.d.>.......

    C:\ProgramData\Microsoft\Windows\WER\Temp\WERFADE.tmp.xml

    Download File
    Process:C:\Windows\System32\WerFault.exe
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):4602
    Entropy (8bit):4.426041675089467
    Encrypted:false
    SSDEEP:48:cvIwSD8zsVJgtBI9BMyWgc8sqYjd8fm8M4J8PFf5yq853liFV1xid:uITfvHMTgrsqY2JK5miF7xid
    MD5:8B0BC330F05EF9E7987E009E5D2443FB
    SHA1:7CAB28685A9806D4F74A95034E6E7C0AA8A3EA97
    SHA-256:9C65DAC06A87E5043E67210C28027AA4CB491A8D65F4CABA7A5C00B87E8669FC
    SHA-512:57E16F53B4313BE53EF650CA341E84F8DA426C6A011F11EEF1485AF44CD549496BF437E0B0C46AF3C9C2DB1D4E71E8107BC23C6777977DFF1D50E31EB86A4CA3
    Malicious:false
    Reputation:low
    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2233814" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

    C:\Windows\appcompat\Programs\Amcache.hve

    Download File
    Process:C:\Windows\System32\WerFault.exe
    File Type:MS Windows registry file, NT/2000 or above
    Category:dropped
    Size (bytes):1572864
    Entropy (8bit):4.405400609408144
    Encrypted:false
    SSDEEP:12288:H95ZG0ubj7ybGLGqoM50UgAExAjeQGV1n1SYNnvRMkqGHrLTqqPGn8:d5ZG0ubj7ybGLGYR8
    MD5:1869D3B73A0622F5DDE5FBE42A90F648
    SHA1:13D2B521EAE2D413F86CED788E3273D83A8EDEBE
    SHA-256:AE27FA732BB925D1566E9187D41803356E6CBF284F88F0ABA0B4810B01CF805B
    SHA-512:FF81BB1095CA6002AD39B384231F374E0A9AD942CE9CC5E3F6C23770CD2265113ED1AB8928CD69D96DE96AB56A6B9C91A010D7C16FF634B09BA6294531F805C9
    Malicious:false
    Reputation:low
    Preview:regf........p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

    C:\Windows\appcompat\Programs\Amcache.hve.LOG1

    Download File
    Process:C:\Windows\System32\WerFault.exe
    File Type:MS Windows registry file, NT/2000 or above
    Category:dropped
    Size (bytes):32768
    Entropy (8bit):4.210114944342245
    Encrypted:false
    SSDEEP:768:xHbfXN+Bi+dYLRftdgFfiYWzgwS1Noe0eqniPTDv6kHF7mupUReJ2c2V:t9CiFLJplyokPRm
    MD5:8F25648C9E3A73C882F4D2C34267FE24
    SHA1:68F9562CB59E167C6CFB6FA72201954ACE738B87
    SHA-256:03FB82C54DC9CBBF862225F7828BBDDF98AF00F541AFF8AE547F8937EC11ED8A
    SHA-512:A01813A81E6CD5660C404F151A08B6C0991327F506B10A08ECBA953E38F7F28B3E381252B44E589BC26551FCE51EADEBE2268EB6FE2CBB8A94FF42CF5944745A
    Malicious:false
    Reputation:low
    Preview:regf........p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.......................................................................................................................................................................................................................................................................................................................................................HvLE.~...................Z.T=a..\.[J.............`.......@.......`................... ..hbin................p.\..,..........nk,.|.9N........P........................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk .|.9N........ ........................... .......Z.......................Root........lf......Root....nk .........................}.............. ...............*...............DeviceCensus.......................vk..................WritePer

    Static File Info

    General

    File type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
    Entropy (8bit):5.3965188506585315
    TrID:
    • Win64 Dynamic Link Library (generic) (102004/3) 86.41%
    • Win64 Executable (generic) (12005/4) 10.17%
    • Generic Win/DOS Executable (2004/3) 1.70%
    • DOS Executable Generic (2002/1) 1.70%
    • VXD Driver (31/22) 0.03%
    File name:EMP.dll
    File size:2'381'096 bytes
    MD5:db26ef4c084770c461977b805e039312
    SHA1:2ad4a4f89a75adcb4e79dd9e8115deed8e428cc2
    SHA256:e87b0f184c717ac6c3338861c892363c4981d8a01b52a4cdb30df22cd549bb06
    SHA512:7ec95c75a74f112e7f4a0b79e3ce91794e8e8b809a8e777bf1db135d48d5263648f4248d8c077e12eb32cd98324d1c4771275f3d9b10de57e8fe444e326d2b86
    SSDEEP:49152:nHdluR2wA7Ebw12yeTewalYCZ0L1I/DMIyjqD3HlB2Rnud:HPu9AEBi5fy7R0
    TLSH:5FB5D0AD625C335CC45E84F48133FD1AB1B5571E0AE998FA70DB7BA037EB024EA45B42
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...r.._..........# ................4.........................................$......H%... ................................

    File Icon

    Icon Hash:7ae282899bbab082

    Static PE Info

    General

    Entrypoint:0x13001334
    Entrypoint Section:.text
    Digitally signed:true
    Imagebase:0x13000000
    Subsystem:windows gui
    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
    DLL Characteristics:HIGH_ENTROPY_VA
    Time Stamp:0x5F12FD72 [Sat Jul 18 13:47:30 2020 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:6
    OS Version Minor:0
    File Version Major:6
    File Version Minor:0
    Subsystem Version Major:6
    Subsystem Version Minor:0
    Import Hash:fc7124d57387852c0a6a634e9130bf57

    Authenticode Signature

    Signature Valid:false
    Signature Issuer:CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
    Signature Validation Error:A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file
    Error Number:-2146762495
    Not Before, Not After
    • 5/5/2014 5:00:00 PM 5/6/2015 4:59:59 PM
    Subject Chain
    • CN="Shenzhen Luyoudashi Technology Co., Ltd.", OU=Digital ID Class 3 - Microsoft Software Validation v2, O="Shenzhen Luyoudashi Technology Co., Ltd.", L=Shenzhen, S=Guangdong, C=CN
    Version:3
    Thumbprint MD5:222DFEBC887259F885FE13977610F5DA
    Thumbprint SHA-1:D715230B535C8937B469632EC6158761FD18AD21
    Thumbprint SHA-256:2F514022B216F43435225B25821A21AC3EF821E357AFE25DCE02E32473713140
    Serial:5F9E06262D2EED425C886A4709350426
    Instruction
    jmp 00007F2D64BBD216h
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    dec eax
    mov dword ptr [esp+20h], ebx
    push ebp
    dec eax
    mov ebp, esp
    dec eax
    sub esp, 20h
    dec eax
    mov eax, dword ptr [00001C88h]
    dec eax
    mov ebx, 2DDFA232h
    cdq
    sub eax, dword ptr [eax]
    add byte ptr [eax+3Bh], cl
    ret
    jne 00007F2D64976F76h
    dec eax
    and dword ptr [ebp+18h], 00000000h
    dec eax
    lea ecx, dword ptr [ebp+18h]
    call dword ptr [00000C72h]
    dec eax
    mov eax, dword ptr [ebp+18h]
    dec eax
    mov dword ptr [ebp+10h], eax
    call dword ptr [00000C5Ch]
    mov eax, eax
    dec eax
    xor dword ptr [ebp+10h], eax
    call dword ptr [00000C48h]
    mov eax, eax
    dec eax
    lea ecx, dword ptr [ebp+20h]
    dec eax
    xor dword ptr [ebp+10h], eax
    call dword ptr [00000C70h]
    mov eax, dword ptr [ebp+20h]
    dec eax
    lea ecx, dword ptr [ebp+10h]
    dec eax
    shl eax, 20h
    dec eax
    xor eax, dword ptr [ebp+20h]
    dec eax
    xor eax, dword ptr [ebp+10h]
    dec eax
    xor eax, ecx
    dec eax
    mov ecx, FFFFFFFFh
    NameVirtual AddressVirtual Size Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT0x26a00x48.rdata
    IMAGE_DIRECTORY_ENTRY_IMPORT0x26e80x50.rdata
    IMAGE_DIRECTORY_ENTRY_RESOURCE0x2490000xe9.rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x2476700x1a4.EMP1
    IMAGE_DIRECTORY_ENTRY_SECURITY0x2442000x1328.EMP1
    IMAGE_DIRECTORY_ENTRY_BASERELOC0x2480000x90.reloc
    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x21a00x130.rdata
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_IAT0x20000xd0.rdata
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

    Sections

    NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
    .text0x10000x10000xe00False0.5248325892857143COM executable for DOS5.346418402387276IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .rdata0x20000x10000xc00False0.5003255208333334data4.601490532139524IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .data0x30000x10000x200False0.09765625DOS executable (block device driver \322f\324\377\3772)0.449785945830048IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .pdata0x40000x10000x200False0.771484375data5.9356907934372565IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .EMP00x50000x10000x200False1.021484375data7.445405146578605IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .data20x60000x170000x17000False0.10210385529891304data1.4747587984180186IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .EMP0x1d0000x330000x33000False0.10063859528186274DOS executable (COM)1.6187273480022606IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .data30x500000x990000x99000False0.001003689236111111data0.0IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .EMP10xe90000x15e8140x15ea00False0.8115028966131907data7.313338667858036IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .reloc0x2480000x900x200False0.232421875data1.3813315586181503IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .rsrc0x2490000xe90x200False0.333984375data2.5312981004807127IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    NameRVASizeTypeLanguageCountryZLIB Complexity
    RT_MANIFEST0x2490580x91XML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.8689655172413793
    DLLImport
    KERNEL32.dllIsDebuggerPresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsProcessorFeaturePresent, LoadLibraryA, UnhandledExceptionFilter, GetProcAddress, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext
    NameOrdinalAddress
    EMP10x13001010

    Possible Origin

    Language of compilation systemCountry where language is spokenMap
    EnglishUnited States

    Network Behavior

    No network behavior found

    Statistics

    CPU Usage

    Click to jump to process

    Memory Usage

    Click to jump to process

    High Level Behavior Distribution

    • File
    • Registry

    Click to dive into process behavior distribution

    Behavior

    Click to jump to process

    System Behavior

    General

    Target ID:0
    Start time:23:04:04
    Start date:25/09/2023
    Path:C:\Windows\System32\loaddll64.exe
    Wow64 process (32bit):false
    Commandline:loaddll64.exe "C:\Users\user\Desktop\EMP.dll"
    Imagebase:0x7ff614fa0000
    File size:165'888 bytes
    MD5 hash:763455F9DCB24DFEECC2B9D9F8D46D52
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:true
    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
    Show Windows behavior

    Section Activities

    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
    Show Windows behavior

    Process Activities

    Show Windows behavior

    Thread Activities

    Show Windows behavior

    Memory Activities

    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

    General

    Target ID:1
    Start time:23:04:04
    Start date:25/09/2023
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff7e86d0000
    File size:625'664 bytes
    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:true
    Show Windows behavior

    File Activities

    Show Windows behavior

    Section Activities

    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
    Show Windows behavior

    Mutex Activities

    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
    Show Windows behavior

    Thread Activities

    Show Windows behavior

    Memory Activities

    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
    Show Windows behavior

    Windows UI Activities

    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

    General

    Target ID:2
    Start time:23:04:04
    Start date:25/09/2023
    Path:C:\Windows\System32\cmd.exe
    Wow64 process (32bit):false
    Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\EMP.dll",#1
    Imagebase:0x7ff7e86d0000
    File size:273'920 bytes
    MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:true
    Show Windows behavior

    File Activities

    Show Windows behavior

    Section Activities

    Show Windows behavior

    Process Activities

    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
    Show Windows behavior

    Memory Activities

    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

    General

    Target ID:3
    Start time:23:04:04
    Start date:25/09/2023
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe C:\Users\user\Desktop\EMP.dll,EMP
    Imagebase:0x7ff7a1950000
    File size:69'632 bytes
    MD5 hash:73C519F050C20580F8A62C849D49215A
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:true
    Show Windows behavior

    File Activities

    Show Windows behavior

    Section Activities

    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
    Show Windows behavior

    Process Activities

    Show Windows behavior

    Memory Activities

    Show Windows behavior

    System Activities

    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

    General

    Target ID:4
    Start time:23:04:04
    Start date:25/09/2023
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Users\user\Desktop\EMP.dll",#1
    Imagebase:0x7ff7a1950000
    File size:69'632 bytes
    MD5 hash:73C519F050C20580F8A62C849D49215A
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:true
    Show Windows behavior

    File Activities

    Show Windows behavior

    Section Activities

    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
    Show Windows behavior

    Process Activities

    Show Windows behavior

    Memory Activities

    Show Windows behavior

    System Activities

    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

    General

    Target ID:8
    Start time:23:04:04
    Start date:25/09/2023
    Path:C:\Windows\System32\WerFault.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\WerFault.exe -u -p 5568 -s 428
    Imagebase:0x7ff702890000
    File size:494'488 bytes
    MD5 hash:2AFFE478D86272288BBEF5A00BBEF6A0
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:true
    Show Windows behavior

    File Activities

    Show Windows behavior

    Section Activities

    Show Windows behavior

    Registry Activities

    Show Windows behavior

    Mutex Activities

    Show Windows behavior

    Process Activities

    Show Windows behavior

    Thread Activities

    Show Windows behavior

    Memory Activities

    Show Windows behavior

    System Activities

    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
    Show Windows behavior

    Windows UI Activities

    Process Token Activities

    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

    General

    Target ID:9
    Start time:23:04:04
    Start date:25/09/2023
    Path:C:\Windows\System32\WerFault.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\WerFault.exe -u -p 5464 -s 428
    Imagebase:0x7ff702890000
    File size:494'488 bytes
    MD5 hash:2AFFE478D86272288BBEF5A00BBEF6A0
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:true
    Show Windows behavior

    File Activities

    Show Windows behavior

    Section Activities

    Show Windows behavior

    Registry Activities

    Show Windows behavior

    Mutex Activities

    Show Windows behavior

    Process Activities

    Show Windows behavior

    Thread Activities

    Show Windows behavior

    Memory Activities

    Show Windows behavior

    System Activities

    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
    Show Windows behavior

    Windows UI Activities

    Process Token Activities

    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

    General

    Target ID:11
    Start time:23:04:07
    Start date:25/09/2023
    Path:C:\Windows\System32\WerFault.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\WerFault.exe -u -p 3924 -s 472
    Imagebase:0x7ff702890000
    File size:494'488 bytes
    MD5 hash:2AFFE478D86272288BBEF5A00BBEF6A0
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:true
    Show Windows behavior

    File Activities

    Show Windows behavior

    Section Activities

    Show Windows behavior

    Registry Activities

    Show Windows behavior

    Mutex Activities

    Show Windows behavior

    Process Activities

    Show Windows behavior

    Thread Activities

    Show Windows behavior

    Memory Activities

    Show Windows behavior

    System Activities

    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
    Show Windows behavior

    Windows UI Activities

    Process Token Activities

    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

    Disassembly

    Non-executed Functions

    APIs
    • __scrt_initialize_crt.LIBCMT ref: 13001081
    • __scrt_acquire_startup_lock.LIBCMT ref: 1300108E
    • _RTC_Initialize.LIBCMT ref: 130010BC
    • __scrt_dllmain_after_initialize_c.LIBCMT ref: 130010E2
    • __scrt_release_startup_lock.LIBCMT ref: 1300110D
    • __scrt_fastfail.LIBCMT ref: 13001173
    • __scrt_acquire_startup_lock.LIBCMT ref: 130011A8
    • _RTC_Initialize.LIBCMT ref: 130011C6
    • __scrt_release_startup_lock.LIBCMT ref: 130011D4
    • __scrt_fastfail.LIBCMT ref: 130011F8
    Memory Dump Source
    • Source File: 00000000.00000002.890135128.0000000013001000.00000020.00000001.01000000.00000003.sdmp, Offset: 13000000, based on PE: true
    • Associated: 00000000.00000002.890130053.0000000013000000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.890139490.0000000013002000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.890144438.0000000013004000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.890148688.0000000013006000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.890151747.0000000013007000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.890151747.000000001300A000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.890151747.000000001300C000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.890151747.000000001301D000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.890151747.0000000013030000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.890151747.0000000013036000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.890151747.000000001303E000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.890179912.00000000130E9000.00000020.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.890208630.0000000013248000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_13000000_loaddll64.jbxd
    Similarity
    • API ID: Initialize__scrt_acquire_startup_lock__scrt_fastfail__scrt_release_startup_lock$__scrt_dllmain_after_initialize_c__scrt_initialize_crt
    • String ID:
    • API String ID: 1237536219-0
    • Opcode ID: 7b42906c0ec058c10555e24d7a23a9149e4c311bab67acff7c6e0a15737b23e2
    • Instruction ID: 9a8d3cadc8823628b6a3905facecbaa61de054281fd34f43cda52f10a8f9e5a4
    • Opcode Fuzzy Hash: 7b42906c0ec058c10555e24d7a23a9149e4c311bab67acff7c6e0a15737b23e2
    • Instruction Fuzzy Hash: 3B41CC3CA0574086FB1DDB69E9203DA23E5BB897C8F884535EA8947765CB7CE286C701
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    APIs
    • __scrt_initialize_crt.LIBCMT ref: 13001081
    • __scrt_acquire_startup_lock.LIBCMT ref: 1300108E
    • _RTC_Initialize.LIBCMT ref: 130010BC
    • __scrt_dllmain_after_initialize_c.LIBCMT ref: 130010E2
    • __scrt_release_startup_lock.LIBCMT ref: 1300110D
    • __scrt_fastfail.LIBCMT ref: 13001173
    • __scrt_acquire_startup_lock.LIBCMT ref: 130011A8
    • _RTC_Initialize.LIBCMT ref: 130011C6
    • __scrt_release_startup_lock.LIBCMT ref: 130011D4
    • __scrt_fastfail.LIBCMT ref: 130011F8
    Memory Dump Source
    • Source File: 00000003.00000002.884880225.0000000013001000.00000020.00000001.01000000.00000003.sdmp, Offset: 13000000, based on PE: true
    • Associated: 00000003.00000002.884876395.0000000013000000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.884884326.0000000013002000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.884888337.0000000013004000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.884892155.0000000013006000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.884895582.0000000013007000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.884895582.000000001300A000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.884895582.000000001300C000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.884895582.000000001301D000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.884895582.0000000013030000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.884895582.0000000013036000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.884895582.000000001303E000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.884931933.00000000130E9000.00000020.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.884958417.0000000013248000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_13000000_rundll32.jbxd
    Similarity
    • API ID: Initialize__scrt_acquire_startup_lock__scrt_fastfail__scrt_release_startup_lock$__scrt_dllmain_after_initialize_c__scrt_initialize_crt
    • String ID:
    • API String ID: 1237536219-0
    • Opcode ID: 7b42906c0ec058c10555e24d7a23a9149e4c311bab67acff7c6e0a15737b23e2
    • Instruction ID: 9a8d3cadc8823628b6a3905facecbaa61de054281fd34f43cda52f10a8f9e5a4
    • Opcode Fuzzy Hash: 7b42906c0ec058c10555e24d7a23a9149e4c311bab67acff7c6e0a15737b23e2
    • Instruction Fuzzy Hash: 3B41CC3CA0574086FB1DDB69E9203DA23E5BB897C8F884535EA8947765CB7CE286C701
    Uniqueness

    Uniqueness Score: -1.00%