Play interactive tour

Edit tour

Windows Analysis Report widevinecdm.dll

Overview

General Information

Sample Name:	widevinecdm.dll
Analysis ID:	440120
MD5:	7a59d939f28964955ac301db8518861c
SHA1:	e00c28f3490484cff2f27c0acea36791173e0a0f
SHA256:	787294fd7fe47f7fa7f735403928eaf96e04724207891fd6db727b2a5b58d340
Infos:
Most interesting Screenshot:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to evade analysis by execution special instruction which cause usermode exception

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found large amount of non-executed APIs

One or more processes crash

PE file contains sections with non-standard names

Uses 32bit PE files

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 7104 cmdline: loaddll32.exe 'C:\Users\user\Desktop\widevinecdm.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 7144 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\widevinecdm.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6164 cmdline: rundll32.exe 'C:\Users\user\Desktop\widevinecdm.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6316 cmdline: rundll32.exe C:\Users\user\Desktop\widevinecdm.dll,CreateCdmInstance MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6212 cmdline: rundll32.exe C:\Users\user\Desktop\widevinecdm.dll,DeinitializeCdmModule MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 1320 cmdline: rundll32.exe C:\Users\user\Desktop\widevinecdm.dll,GetCdmVersion MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6560 cmdline: rundll32.exe C:\Users\user\Desktop\widevinecdm.dll,GetHandleVerifier MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 7024 cmdline: rundll32.exe C:\Users\user\Desktop\widevinecdm.dll,InitializeCdmModule_4 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 660 cmdline: rundll32.exe C:\Users\user\Desktop\widevinecdm.dll,VerifyCdmHost_0 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 6760 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 660 -s 712 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 6596 cmdline: rundll32.exe 'C:\Users\user\Desktop\widevinecdm.dll',CreateCdmInstance MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6616 cmdline: rundll32.exe 'C:\Users\user\Desktop\widevinecdm.dll',DeinitializeCdmModule MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 7096 cmdline: rundll32.exe 'C:\Users\user\Desktop\widevinecdm.dll',GetCdmVersion MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6736 cmdline: rundll32.exe 'C:\Users\user\Desktop\widevinecdm.dll',GetHandleVerifier MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6732 cmdline: rundll32.exe 'C:\Users\user\Desktop\widevinecdm.dll',InitializeCdmModule_4 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

Source: widevinecdm.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE

Source: widevinecdm.dll	Static PE information: certificate valid
Source: widevinecdm.dll	Static PE information: certificate valid

Source: widevinecdm.dll

Static PE information: GUARD_CF, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000013.00000003.685123755.000000000549C000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000013.00000003.690618666.00000000058C0000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000013.00000003.690605732.0000000005751000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000013.00000003.690618666.00000000058C0000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000013.00000003.686000163.0000000003521000.00000004.00000001.sdmp
Source:	Binary string: combase.pdbK source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: WINMMBASE.pdbG source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000013.00000003.690618666.00000000058C0000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000013.00000003.690605732.0000000005751000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000013.00000003.690618666.00000000058C0000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000013.00000003.690605732.0000000005751000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000013.00000003.685476102.000000000352D000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000013.00000003.690618666.00000000058C0000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000013.00000003.690605732.0000000005751000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdbA source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdbU source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000013.00000003.690618666.00000000058C0000.00000004.00000040.sdmp
Source:	Binary string: WINMMBASE.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: widevinecdm.dll.pdbp? source: widevinecdm.dll
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000013.00000003.690605732.0000000005751000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000013.00000003.690618666.00000000058C0000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000013.00000003.690618666.00000000058C0000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000013.00000003.690618666.00000000058C0000.00000004.00000040.sdmp
Source:	Binary string: winmm.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdbS source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: winmm.pdbi source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb1 source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000013.00000003.690605732.0000000005751000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb(9 source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000013.00000003.690618666.00000000058C0000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdbM source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000013.00000003.690618666.00000000058C0000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000013.00000003.690618666.00000000058C0000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000013.00000003.685476102.000000000352D000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000013.00000003.690618666.00000000058C0000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: widevinecdm.dll.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp, widevinecdm.dll
Source:	Binary string: wimm32.pdb_ source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000013.00000003.690605732.0000000005751000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000013.00000003.690605732.0000000005751000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000013.00000003.690605732.0000000005751000.00000004.00000001.sdmp

Source: widevinecdm.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: widevinecdm.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: widevinecdm.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: WerFault.exe, 00000013.00000003.700533403.0000000005410000.00000004.00000001.sdmp	String found in binary or memory: http://crl.micro
Source: widevinecdm.dll	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: widevinecdm.dll	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: widevinecdm.dll	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: widevinecdm.dll	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: widevinecdm.dll	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: widevinecdm.dll	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: widevinecdm.dll	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: widevinecdm.dll	String found in binary or memory: http://ocsp.digicert.com0C
Source: widevinecdm.dll	String found in binary or memory: http://ocsp.digicert.com0N
Source: widevinecdm.dll	String found in binary or memory: http://ocsp.digicert.com0O
Source: widevinecdm.dll	String found in binary or memory: http://www.digicert.com/CPS0
Source: widevinecdm.dll	String found in binary or memory: https://www.digicert.com/CPS0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 11_2_6C376B60

11_2_6C376B60

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 660 -s 712

Source: widevinecdm.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE

Source: classification engine

Classification label: mal48.evad.winDLL@28/4@0/0

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess660

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERB351.tmp

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\widevinecdm.dll,CreateCdmInstance

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\widevinecdm.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\widevinecdm.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\widevinecdm.dll,CreateCdmInstance
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\widevinecdm.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\widevinecdm.dll,DeinitializeCdmModule
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\widevinecdm.dll,GetCdmVersion
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\widevinecdm.dll,GetHandleVerifier
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\widevinecdm.dll,InitializeCdmModule_4
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\widevinecdm.dll,VerifyCdmHost_0
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\widevinecdm.dll',CreateCdmInstance
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\widevinecdm.dll',DeinitializeCdmModule
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\widevinecdm.dll',GetCdmVersion
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\widevinecdm.dll',GetHandleVerifier
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\widevinecdm.dll',InitializeCdmModule_4
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 660 -s 712
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\widevinecdm.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\widevinecdm.dll,CreateCdmInstance	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\widevinecdm.dll,DeinitializeCdmModule	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\widevinecdm.dll,GetCdmVersion	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\widevinecdm.dll,GetHandleVerifier	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\widevinecdm.dll,InitializeCdmModule_4	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\widevinecdm.dll,VerifyCdmHost_0	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\widevinecdm.dll',CreateCdmInstance	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\widevinecdm.dll',DeinitializeCdmModule	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\widevinecdm.dll',GetCdmVersion	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\widevinecdm.dll',GetHandleVerifier	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\widevinecdm.dll',InitializeCdmModule_4	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\widevinecdm.dll',#1	Jump to behavior

Source: widevinecdm.dll	Static PE information: certificate valid
Source: widevinecdm.dll	Static PE information: certificate valid

Source: widevinecdm.dll

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: widevinecdm.dll

Static file information: File size 9756272 > 1048576

Source: widevinecdm.dll	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x48e600
Source: widevinecdm.dll	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x494600

Source: widevinecdm.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: widevinecdm.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: widevinecdm.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: widevinecdm.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: widevinecdm.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: widevinecdm.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: widevinecdm.dll

Static PE information: GUARD_CF, DYNAMIC_BASE, NX_COMPAT

Source: widevinecdm.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000013.00000003.685123755.000000000549C000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000013.00000003.690618666.00000000058C0000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000013.00000003.690605732.0000000005751000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000013.00000003.690618666.00000000058C0000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000013.00000003.686000163.0000000003521000.00000004.00000001.sdmp
Source:	Binary string: combase.pdbK source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: WINMMBASE.pdbG source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000013.00000003.690618666.00000000058C0000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000013.00000003.690605732.0000000005751000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000013.00000003.690618666.00000000058C0000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000013.00000003.690605732.0000000005751000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000013.00000003.685476102.000000000352D000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000013.00000003.690618666.00000000058C0000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000013.00000003.690605732.0000000005751000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdbA source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdbU source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000013.00000003.690618666.00000000058C0000.00000004.00000040.sdmp
Source:	Binary string: WINMMBASE.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: widevinecdm.dll.pdbp? source: widevinecdm.dll
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000013.00000003.690605732.0000000005751000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000013.00000003.690618666.00000000058C0000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000013.00000003.690618666.00000000058C0000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000013.00000003.690618666.00000000058C0000.00000004.00000040.sdmp
Source:	Binary string: winmm.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdbS source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: winmm.pdbi source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb1 source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000013.00000003.690605732.0000000005751000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb(9 source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000013.00000003.690618666.00000000058C0000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdbM source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000013.00000003.690618666.00000000058C0000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000013.00000003.690618666.00000000058C0000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000013.00000003.685476102.000000000352D000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000013.00000003.690618666.00000000058C0000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: widevinecdm.dll.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp, widevinecdm.dll
Source:	Binary string: wimm32.pdb_ source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000013.00000003.690605732.0000000005751000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000013.00000003.690625280.00000000058C6000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000013.00000003.690605732.0000000005751000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000013.00000003.690605732.0000000005751000.00000004.00000001.sdmp

Source: widevinecdm.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: widevinecdm.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: widevinecdm.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: widevinecdm.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: widevinecdm.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: widevinecdm.dll	Static PE information: section name: .00cfg
Source: widevinecdm.dll	Static PE information: section name: .rodata
Source: widevinecdm.dll	Static PE information: section name: .voltbl

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to evade analysis by execution special instruction which cause usermode exception

Show sources

Source: C:\Windows\SysWOW64\WerFault.exe

Special instruction interceptor: First address: 000000006BB011EF instructions 0FC7C8 caused by: Known instruction #UD exception

Source: C:\Windows\SysWOW64\rundll32.exe

API coverage: 1.4 %

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: WerFault.exe, 00000013.00000002.704377959.00000000058E0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000013.00000002.703987662.00000000053EC000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000013.00000002.704377959.00000000058E0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000013.00000002.704377959.00000000058E0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000013.00000002.704377959.00000000058E0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Tries to detect sandboxes and other dynamic analysis tools (window names)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Open window title or class name: ollydbg
Source: C:\Windows\SysWOW64\rundll32.exe	Open window title or class name: windbgframeclass

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 11_2_6C4B82B6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

11_2_6C4B82B6

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_6C4B4CF1 mov eax, dword ptr fs:[00000030h]		11_2_6C4B4CF1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_6C4C2B7F mov eax, dword ptr fs:[00000030h]		11_2_6C4C2B7F

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_6C4B82B6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		11_2_6C4B82B6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_6C4A9178 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		11_2_6C4A9178

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\widevinecdm.dll',#1

Jump to behavior

Source: rundll32.exe, 0000000B.00000000.677885446.00000000030E0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: rundll32.exe, 0000000B.00000000.677885446.00000000030E0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 0000000B.00000000.677885446.00000000030E0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 0000000B.00000000.677885446.00000000030E0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 11_2_6C4C6ECD GetTimeZoneInformation,

11_2_6C4C6ECD

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Rundll321	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion111	LSASS Memory	Security Software Discovery221	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	Virtualization/Sandbox Evasion111	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	System Information Discovery11	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
widevinecdm.dll	0%	Virustotal	Browse
widevinecdm.dll	0%	Metadefender	Browse
widevinecdm.dll	0%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://crl.micro	0%	URL Reputation	safe
http://crl.micro	0%	URL Reputation	safe
http://crl.micro	0%	URL Reputation	safe
http://crl.micro	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.micro	WerFault.exe, 00000013.00000003.700533403.0000000005410000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	440120
Start date:	24.06.2021
Start time:	21:06:27
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	widevinecdm.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	33
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.evad.winDLL@28/4@0/0
EGA Information:	Successful, ratio: 33.3%
HDC Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .dll Stop behavior analysis, all processes terminated
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 104.43.193.48, 52.147.198.201, 92.122.145.220, 20.50.102.62, 20.54.7.98, 40.112.88.60, 173.222.108.210, 173.222.108.226, 20.82.209.183, 80.67.82.211, 80.67.82.235 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, a767.dscg3.akamai.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_efc06b9b572afcfde3440b06ab753df1d6f59e6_82810a17_1a31cc57\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	12046
Entropy (8bit):	3.767562030960362
Encrypted:	false
SSDEEP:	192:2pYi80oXpuHBUZMX4jed++/u7s0S274ItWcH:ziaXIBUZMX4jer/u7s0X4ItWcH
MD5:	F6AB0432BAF256EB7894FD7D04EB6155
SHA1:	2D7E1B3A3FDC38D26BBF967ED6BFF64314FFB4A6
SHA-256:	15CD93BAEC2F78CF3993A02D42816064F5B280D6616F19B9379D5E22920D1BDB
SHA-512:	93F109A3556B528B0C988A90EA588B6823C2D491856BB763599C401AA838053B4FDA138D4EA96F2F6569EA0CA3F6357280D938626A0B2BC61A044AEF6E037C94
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.9.0.3.5.2.5.3.9.9.4.7.3.5.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.9.0.3.5.2.5.8.6.9.7.8.4.7.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.4.7.9.6.3.3.8.-.5.3.3.6.-.4.2.7.1.-.9.c.7.c.-.7.5.a.b.5.b.5.a.b.d.4.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.6.4.7.1.2.b.9.-.e.2.6.8.-.4.0.a.5.-.8.b.3.4.-.f.9.e.5.2.8.7.6.0.8.0.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.2.9.4.-.0.0.0.1.-.0.0.1.b.-.e.7.3.8.-.1.3.2.c.2.c.6.9.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB351.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Jun 24 19:07:35 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	47044
Entropy (8bit):	2.067694712004582
Encrypted:	false
SSDEEP:	192:u89I/0auKuY7cFdav1mLktv+XWNjJ/ro5C6ed7DOdj9MnjyZJEBSMOEOPnwa:GZuY3dmLkt6oNDo5CtVI9VESMO3wa
MD5:	8569DE8DC6DBC633F0A3C6D095A449AF
SHA1:	FD8815AF2337EA5C5DF9975BAD7F8CEEE67CCC19
SHA-256:	DCA574F672A954913E99AA0CEC6CCC9167C515F01C594BAF4397E7ADA698C6FF
SHA-512:	CE823AF26C771F712A833F4B38E207916AFF79A4A5F2243A051A9CA1A5669D79D04C64DB7797F2508CF2EFB89AE6E8C530DD071173FAD9CCD06DC8609C0FA1F8
Malicious:	false
Preview:	MDMP....... ..........`...................U...........B..............GenuineIntelW...........T..............`.............................0..=...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBA66.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8288
Entropy (8bit):	3.692938023600922
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiFc6aT6Y8re6fgmfTnSp+prs89bw3nsfIGXm:RrlsNi+6+6Yx6fgmfTnSUw3sfV2
MD5:	DA4930CF5910D1F883B7CCB6CF37A88D
SHA1:	C96148E96E86EA599F6525B9EEB5BC10CAE18AAE
SHA-256:	0E56376879BEE0433544AF301C72B5C29BEE8ABF2F6F1F9D0F670EE110679643
SHA-512:	6098FC3ADC2C0246F250B9F9E2D36C6D515FBE659926DF2FF629F8FB4C8C78A66D2E3A3BEA318B933157487160F2C3E1BE5C0EE8E4CCB797708790E0F66E6A6A
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.0.<./.P.i.d.>.........

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC5B.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4640
Entropy (8bit):	4.458756920107761
Encrypted:	false
SSDEEP:	48:cvIwSD8zs3tJgtWI9MqakWSC8BIn8fm8M4JCdsQzaFdwq+q8/PKSYW4SrSUd:uITf3Hnt9SNGsJ/wqcDWUd
MD5:	2FDB109BB6E60D62155EDCD5205C4E6C
SHA1:	F7B21CA1399C6654124838CD9F065E7BEF5428CF
SHA-256:	0ECB580ABCD16F3496719208B63516D4CB5F04BBC448571D62DF8B7630441FE0
SHA-512:	A286E5B4B6AD485F7F9BCB655A42C1A04918C864791C7230E54A6A49A948B510E9567DB02E821DCC07AF0AE761536F191EA6D0D7ECD7657A2E65B76685860E6A
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1048578" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General
File type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Entropy (8bit):	7.569873385904768
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	widevinecdm.dll
File size:	9756272
MD5:	7a59d939f28964955ac301db8518861c
SHA1:	e00c28f3490484cff2f27c0acea36791173e0a0f
SHA256:	787294fd7fe47f7fa7f735403928eaf96e04724207891fd6db727b2a5b58d340
SHA512:	4b44027d08b0990052cd9942e6b0d85a9be1b603fc36e65fad07a1df56e719efdefe16e70eda44d23e39ebf0e46a436d31139716895a3e5ceaa190286f193e0b
SSDEEP:	196608:SvzfCpdfdOiwEV525gxykVP5twd+FmYpcumk2s2s1M6vQ7QJxWuveJMjJ:SYxNBtwiJtmk2sH2oQ7QJxpeY
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...S~.`.........."!......H...K.......F.......................................@.....t.....@A....................................x..

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x1046a1d0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x10000000
Subsystem:	windows cui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
DLL Characteristics:	GUARD_CF, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60107E53 [Tue Jan 26 20:40:51 2021 UTC]
TLS Callbacks:	0x1039ff30, 0x102c33f0, 0x10468700
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	0b5d0e0a9e6cf85570f75da0455465ed

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	11/7/2018 1:00:00 AM 11/17/2021 1:00:00 PM
Subject Chain	CN=Google LLC, O=Google LLC, L=Mountain View, S=ca, C=US
Version:	3
Thumbprint MD5:	388E38D27B96846D61081CFBF5FF7DC2
Thumbprint SHA-1:	CB7E84887F3C6015FE7EDFB4F8F36DF7DC10590E
Thumbprint SHA-256:	3CA4FC0489E3E25B1A6A8514A9486B257FD8B80B9F3181AF20A34FA9EF5AB282
Serial:	0C15BE4A15BB0903C901B1D6C265302F

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F15D0CF1C17h
call 00007F15D0CF1C2Ah
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F15D0CF1AE7h
add esp, 0Ch
pop ebp
retn 000Ch
mov ecx, dword ptr [109263E8h]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp ecx, edi
je 00007F15D0CF1C16h
test esi, ecx
jne 00007F15D0CF1C38h
call 00007F15D0CF1C41h
mov ecx, eax
cmp ecx, edi
jne 00007F15D0CF1C19h
mov ecx, BB40E64Fh
jmp 00007F15D0CF1C20h
test esi, ecx
jne 00007F15D0CF1C1Ch
or eax, 00004711h
shl eax, 10h
or ecx, eax
mov dword ptr [109263E8h], ecx
not ecx
pop edi
mov dword ptr [109263E4h], ecx
pop esi
ret
push ebp
mov ebp, esp
sub esp, 14h
and dword ptr [ebp-0Ch], 00000000h
lea eax, dword ptr [ebp-0Ch]
and dword ptr [ebp-08h], 00000000h
push eax
call dword ptr [109213DCh]
mov eax, dword ptr [ebp-08h]
xor eax, dword ptr [ebp-0Ch]
mov dword ptr [ebp-04h], eax
call dword ptr [10921378h]
xor dword ptr [ebp-04h], eax
call dword ptr [10921370h]
xor dword ptr [ebp-04h], eax
lea eax, dword ptr [ebp-14h]
push eax
call dword ptr [1092146Ch]
mov eax, dword ptr [ebp-10h]
lea ecx, dword ptr [ebp-04h]
xor eax, dword ptr [ebp-14h]
xor eax, dword ptr [ebp-04h]
xor eax, ecx
leave
ret
xor eax, eax
inc eax
retn 000Ch
push 113E3B58h
call dword ptr [00000000h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x920f14	0xe6	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x920ffa	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x13e9000	0x488	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x94c400	0x1a70	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x13ea000	0x24bc4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x91d57c	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x91d480	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x90dc30	0xb8	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9212ec	0x278	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x48e49c	0x48e600	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x490000	0x4945bc	0x494600	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x925000	0xabf3b4	0x3400	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.00cfg	0x13e5000	0x4	0x200	False	0.033203125	data	0.0815394123432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rodata	0x13e6000	0x740	0x800	False	0.15673828125	DOS executable (COM, 0x8C-variant)	4.22321300602	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.tls	0x13e7000	0xa9	0x200	False	0.04296875	data	0.136463791656	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.voltbl	0x13e8000	0xf0	0x200	False	0.498046875	data	3.73745911162
.rsrc	0x13e9000	0x488	0x600	False	0.313802083333	data	2.69675329032	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x13ea000	0x24bc4	0x24c00	False	0.405379730017	data	6.50319371904	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x13e9060	0x428	data	English	United States

Imports

DLL	Import
KERNEL32.dll	AcquireSRWLockExclusive, AcquireSRWLockShared, AddVectoredExceptionHandler, CloseHandle, CompareStringW, CreateEventW, CreateFileW, CreateSemaphoreW, CreateThread, DecodePointer, DeleteCriticalSection, DuplicateHandle, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, ExitThread, ExpandEnvironmentStringsW, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetDateFormatW, GetEnvironmentStringsW, GetExitCodeThread, GetFileSizeEx, GetFileType, GetFinalPathNameByHandleW, GetLastError, GetLocalTime, GetLocaleInfoW, GetLogicalDriveStringsW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetNativeSystemInfo, GetOEMCP, GetProcAddress, GetProcessHeap, GetProcessTimes, GetProductInfo, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadId, GetThreadPriority, GetTickCount, GetTimeFormatW, GetTimeZoneInformation, GetUserDefaultLCID, GetVersionExW, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitOnceBeginInitialize, InitOnceComplete, InitOnceExecuteOnce, InitializeConditionVariable, InitializeCriticalSection, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, InitializeSRWLock, InterlockedFlushSList, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, IsWow64Process, LCMapStringW, LeaveCriticalSection, LoadLibraryExA, LoadLibraryExW, LoadLibraryW, MultiByteToWideChar, OutputDebugStringA, OutputDebugStringW, QueryDosDeviceW, QueryPerformanceCounter, QueryPerformanceFrequency, QueryThreadCycleTime, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, ReleaseSRWLockShared, ReleaseSemaphore, RemoveVectoredExceptionHandler, ResetEvent, RtlCaptureStackBackTrace, RtlUnwind, SetCurrentDirectoryW, SetEnvironmentVariableW, SetEvent, SetFilePointerEx, SetLastError, SetStdHandle, SetThreadPriority, SetUnhandledExceptionFilter, Sleep, SleepConditionVariableCS, SleepConditionVariableSRW, TerminateProcess, TerminateThread, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, TryEnterCriticalSection, UnhandledExceptionFilter, VirtualProtect, VirtualQuery, WaitForSingleObject, WaitForSingleObjectEx, WakeAllConditionVariable, WakeConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile
ADVAPI32.dll	EventRegister, EventUnregister, EventWrite, RegCloseKey, RegOpenKeyExW, RegQueryValueExW, SystemFunction036
WINMM.dll	timeBeginPeriod, timeEndPeriod, timeGetTime
USER32.dll	CharUpperW, EnumDisplayMonitors, FindWindowA, GetMonitorInfoW
ole32.dll	CoTaskMemFree

Exports

Name	Ordinal	Address
CreateCdmInstance	1	0x10001080
DeinitializeCdmModule	2	0x10001060
GetCdmVersion	3	0x10001200
GetHandleVerifier	4	0x10333800
InitializeCdmModule_4	5	0x10001030
VerifyCdmHost_0	6	0x10001210

Version Infos

Description	Data
LegalCopyright	Copyright 2012 Google LLC. All rights reserved.
InternalName	widevinecdm
CompanyShortName	Google
FileVersion	4.10.2209.0
CompanyName	Google LLC
ProductShortName	Widevine CDM
ProductName	Widevine Content Decryption Module
LastChange	0
ProductVersion	4.10.2209.0
FileDescription	Widevine Content Decryption Module
OriginalFilename	widevinecdm.dll
Official Build	0
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 24, 2021 21:07:03.837800980 CEST	49257	53	192.168.2.4	8.8.8.8
Jun 24, 2021 21:07:03.901772022 CEST	53	49257	8.8.8.8	192.168.2.4
Jun 24, 2021 21:07:04.747138023 CEST	62389	53	192.168.2.4	8.8.8.8
Jun 24, 2021 21:07:04.801808119 CEST	53	62389	8.8.8.8	192.168.2.4
Jun 24, 2021 21:07:05.588140011 CEST	49910	53	192.168.2.4	8.8.8.8
Jun 24, 2021 21:07:05.652739048 CEST	53	49910	8.8.8.8	192.168.2.4
Jun 24, 2021 21:07:05.740221024 CEST	55854	53	192.168.2.4	8.8.8.8
Jun 24, 2021 21:07:05.797275066 CEST	53	55854	8.8.8.8	192.168.2.4
Jun 24, 2021 21:07:06.483484983 CEST	64549	53	192.168.2.4	8.8.8.8
Jun 24, 2021 21:07:06.538487911 CEST	53	64549	8.8.8.8	192.168.2.4
Jun 24, 2021 21:07:07.280432940 CEST	63153	53	192.168.2.4	8.8.8.8
Jun 24, 2021 21:07:07.332520008 CEST	53	63153	8.8.8.8	192.168.2.4
Jun 24, 2021 21:07:08.372864008 CEST	52991	53	192.168.2.4	8.8.8.8
Jun 24, 2021 21:07:08.423280954 CEST	53	52991	8.8.8.8	192.168.2.4
Jun 24, 2021 21:07:09.512891054 CEST	53700	53	192.168.2.4	8.8.8.8
Jun 24, 2021 21:07:09.567929029 CEST	53	53700	8.8.8.8	192.168.2.4
Jun 24, 2021 21:07:10.328118086 CEST	51726	53	192.168.2.4	8.8.8.8
Jun 24, 2021 21:07:10.374236107 CEST	53	51726	8.8.8.8	192.168.2.4
Jun 24, 2021 21:07:11.213555098 CEST	56794	53	192.168.2.4	8.8.8.8
Jun 24, 2021 21:07:11.262924910 CEST	53	56794	8.8.8.8	192.168.2.4
Jun 24, 2021 21:07:12.071068048 CEST	56534	53	192.168.2.4	8.8.8.8
Jun 24, 2021 21:07:12.129436970 CEST	53	56534	8.8.8.8	192.168.2.4
Jun 24, 2021 21:07:12.870992899 CEST	56627	53	192.168.2.4	8.8.8.8
Jun 24, 2021 21:07:12.918900013 CEST	53	56627	8.8.8.8	192.168.2.4
Jun 24, 2021 21:07:13.771217108 CEST	56621	53	192.168.2.4	8.8.8.8
Jun 24, 2021 21:07:13.817639112 CEST	53	56621	8.8.8.8	192.168.2.4
Jun 24, 2021 21:07:14.664376020 CEST	63116	53	192.168.2.4	8.8.8.8
Jun 24, 2021 21:07:14.719182968 CEST	53	63116	8.8.8.8	192.168.2.4
Jun 24, 2021 21:07:15.565291882 CEST	64078	53	192.168.2.4	8.8.8.8
Jun 24, 2021 21:07:15.621052027 CEST	53	64078	8.8.8.8	192.168.2.4
Jun 24, 2021 21:07:16.386956930 CEST	64801	53	192.168.2.4	8.8.8.8
Jun 24, 2021 21:07:16.447460890 CEST	53	64801	8.8.8.8	192.168.2.4
Jun 24, 2021 21:07:17.304117918 CEST	61721	53	192.168.2.4	8.8.8.8
Jun 24, 2021 21:07:17.363568068 CEST	53	61721	8.8.8.8	192.168.2.4
Jun 24, 2021 21:07:18.124691963 CEST	51255	53	192.168.2.4	8.8.8.8
Jun 24, 2021 21:07:18.173938036 CEST	53	51255	8.8.8.8	192.168.2.4
Jun 24, 2021 21:07:18.909158945 CEST	61522	53	192.168.2.4	8.8.8.8
Jun 24, 2021 21:07:18.961997986 CEST	53	61522	8.8.8.8	192.168.2.4
Jun 24, 2021 21:07:19.827653885 CEST	52337	53	192.168.2.4	8.8.8.8
Jun 24, 2021 21:07:19.877238989 CEST	53	52337	8.8.8.8	192.168.2.4
Jun 24, 2021 21:07:34.551573038 CEST	55046	53	192.168.2.4	8.8.8.8
Jun 24, 2021 21:07:34.606359959 CEST	53	55046	8.8.8.8	192.168.2.4
Jun 24, 2021 21:07:39.932852030 CEST	49612	53	192.168.2.4	8.8.8.8
Jun 24, 2021 21:07:39.990175962 CEST	53	49612	8.8.8.8	192.168.2.4
Jun 24, 2021 21:07:52.792403936 CEST	49285	53	192.168.2.4	8.8.8.8
Jun 24, 2021 21:07:52.942918062 CEST	53	49285	8.8.8.8	192.168.2.4
Jun 24, 2021 21:07:53.603702068 CEST	50601	53	192.168.2.4	8.8.8.8
Jun 24, 2021 21:07:53.672935963 CEST	53	50601	8.8.8.8	192.168.2.4
Jun 24, 2021 21:07:54.152818918 CEST	60875	53	192.168.2.4	8.8.8.8
Jun 24, 2021 21:07:54.311340094 CEST	53	60875	8.8.8.8	192.168.2.4
Jun 24, 2021 21:07:54.969229937 CEST	56448	53	192.168.2.4	8.8.8.8
Jun 24, 2021 21:07:55.023768902 CEST	53	56448	8.8.8.8	192.168.2.4
Jun 24, 2021 21:07:55.493412971 CEST	59172	53	192.168.2.4	8.8.8.8
Jun 24, 2021 21:07:55.563376904 CEST	53	59172	8.8.8.8	192.168.2.4
Jun 24, 2021 21:07:56.504024029 CEST	62420	53	192.168.2.4	8.8.8.8
Jun 24, 2021 21:07:56.560173988 CEST	53	62420	8.8.8.8	192.168.2.4
Jun 24, 2021 21:07:57.302853107 CEST	60579	53	192.168.2.4	8.8.8.8
Jun 24, 2021 21:07:57.357652903 CEST	53	60579	8.8.8.8	192.168.2.4
Jun 24, 2021 21:07:58.003144026 CEST	50183	53	192.168.2.4	8.8.8.8
Jun 24, 2021 21:07:58.058485985 CEST	53	50183	8.8.8.8	192.168.2.4
Jun 24, 2021 21:07:59.211174011 CEST	61531	53	192.168.2.4	8.8.8.8
Jun 24, 2021 21:07:59.261657000 CEST	53	61531	8.8.8.8	192.168.2.4
Jun 24, 2021 21:08:00.131247997 CEST	49228	53	192.168.2.4	8.8.8.8
Jun 24, 2021 21:08:00.190673113 CEST	53	49228	8.8.8.8	192.168.2.4
Jun 24, 2021 21:08:00.746334076 CEST	59794	53	192.168.2.4	8.8.8.8
Jun 24, 2021 21:08:00.803313971 CEST	53	59794	8.8.8.8	192.168.2.4
Jun 24, 2021 21:08:01.504477024 CEST	55916	53	192.168.2.4	8.8.8.8
Jun 24, 2021 21:08:01.563810110 CEST	53	55916	8.8.8.8	192.168.2.4
Jun 24, 2021 21:08:09.098278999 CEST	52752	53	192.168.2.4	8.8.8.8
Jun 24, 2021 21:08:09.147910118 CEST	53	52752	8.8.8.8	192.168.2.4
Jun 24, 2021 21:08:09.300215960 CEST	60542	53	192.168.2.4	8.8.8.8
Jun 24, 2021 21:08:09.365307093 CEST	53	60542	8.8.8.8	192.168.2.4
Jun 24, 2021 21:08:13.004371881 CEST	60689	53	192.168.2.4	8.8.8.8
Jun 24, 2021 21:08:13.066945076 CEST	53	60689	8.8.8.8	192.168.2.4
Jun 24, 2021 21:08:43.222981930 CEST	64206	53	192.168.2.4	8.8.8.8
Jun 24, 2021 21:08:43.269803047 CEST	53	64206	8.8.8.8	192.168.2.4
Jun 24, 2021 21:08:44.854011059 CEST	50904	53	192.168.2.4	8.8.8.8
Jun 24, 2021 21:08:44.908883095 CEST	53	50904	8.8.8.8	192.168.2.4

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 7104 Parent PID: 6040

General

Start time:	21:07:09
Start date:	24/06/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\widevinecdm.dll'
Imagebase:	0xf80000
File size:	116736 bytes
MD5 hash:	542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 7144 Parent PID: 7104

General

Start time:	21:07:09
Start date:	24/06/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\widevinecdm.dll',#1
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6316 Parent PID: 7104

General

Start time:	21:07:10
Start date:	24/06/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\widevinecdm.dll,CreateCdmInstance
Imagebase:	0xb30000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6164 Parent PID: 7144

General

Start time:	21:07:10
Start date:	24/06/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\widevinecdm.dll',#1
Imagebase:	0xb30000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6212 Parent PID: 7104

General

Start time:	21:07:13
Start date:	24/06/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\widevinecdm.dll,DeinitializeCdmModule
Imagebase:	0xb30000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 1320 Parent PID: 7104

General

Start time:	21:07:17
Start date:	24/06/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\widevinecdm.dll,GetCdmVersion
Imagebase:	0xb30000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6560 Parent PID: 7104

General

Start time:	21:07:20
Start date:	24/06/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\widevinecdm.dll,GetHandleVerifier
Imagebase:	0xb30000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 7024 Parent PID: 7104

General

Start time:	21:07:23
Start date:	24/06/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\widevinecdm.dll,InitializeCdmModule_4
Imagebase:	0xb30000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 660 Parent PID: 7104

General

Start time:	21:07:27
Start date:	24/06/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\widevinecdm.dll,VerifyCdmHost_0
Imagebase:	0xb30000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6596 Parent PID: 7104

General

Start time:	21:07:30
Start date:	24/06/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\widevinecdm.dll',CreateCdmInstance
Imagebase:	0xb30000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6616 Parent PID: 7104

General

Start time:	21:07:30
Start date:	24/06/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\widevinecdm.dll',DeinitializeCdmModule
Imagebase:	0xb30000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 7096 Parent PID: 7104

General

Start time:	21:07:30
Start date:	24/06/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\widevinecdm.dll',GetCdmVersion
Imagebase:	0xb30000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6736 Parent PID: 7104

General

Start time:	21:07:31
Start date:	24/06/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\widevinecdm.dll',GetHandleVerifier
Imagebase:	0xb30000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6732 Parent PID: 7104

General

Start time:	21:07:31
Start date:	24/06/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\widevinecdm.dll',InitializeCdmModule_4
Imagebase:	0xb30000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 6760 Parent PID: 660

General

Start time:	21:07:31
Start date:	24/06/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 660 -s 712
Imagebase:	0xc90000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: rundll32.exe PID: 660 Parent PID: 7104 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	0.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.2%
Total number of Nodes:	880
Total number of Limit Nodes:	3

Executed Functions

Function 6C041210, Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL(?,?), ref: 6C041226

Memory Dump Source

Source File: 0000000B.00000002.707784985.000000006C041000.00000020.00020000.sdmp, Offset: 6C040000, based on PE: true

Associated: 0000000B.00000002.707765537.000000006C040000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.708258845.000000006C4D0000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.708814446.000000006C965000.00000008.00020000.sdmp Download File
Associated: 0000000B.00000002.708832834.000000006C966000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.708918517.000000006D3DF000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.708953976.000000006D423000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.708980202.000000006D426000.00000020.00020000.sdmp Download File
Associated: 0000000B.00000002.709009923.000000006D429000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6c040000_rundll32.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ddbfff9273990e24690d879215bcb72f3e88f7ba5bcd1fd2e4ac8403229365af
Instruction ID: 6388aac8878ab3f564ae8065f177cecea51b476d25456c69bae4cd3a39f6a629
Opcode Fuzzy Hash: ddbfff9273990e24690d879215bcb72f3e88f7ba5bcd1fd2e4ac8403229365af
Instruction Fuzzy Hash: 77D0A93A2001186B8B009A06E804CDBBB6CEECA23030081A1F9088B700C631BC428BE0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6C376B60, Relevance: 5.2, Strings: 4, Instructions: 229
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

osof, xrefs: 6C376E16
t Hv, xrefs: 6C376E06
GenuineIntel, xrefs: 6C376C51
Micr, xrefs: 6C376E0E

Memory Dump Source

Source File: 0000000B.00000002.707784985.000000006C041000.00000020.00020000.sdmp, Offset: 6C040000, based on PE: true

Associated: 0000000B.00000002.707765537.000000006C040000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.708258845.000000006C4D0000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.708814446.000000006C965000.00000008.00020000.sdmp Download File
Associated: 0000000B.00000002.708832834.000000006C966000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.708918517.000000006D3DF000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.708953976.000000006D423000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.708980202.000000006D426000.00000020.00020000.sdmp Download File
Associated: 0000000B.00000002.709009923.000000006D429000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6c040000_rundll32.jbxd

Similarity

API ID: _strlen
String ID: GenuineIntel$Micr$osof$t Hv
API String ID: 4218353326-1419972731
Opcode ID: 56c462993b612c7e631256e93f404fd15cf9f610628d779b7ce9edccc1f8ce41
Instruction ID: 034edf133df0fdfcc8e7d912bb238d80fce1e1ec5c8dbd77f159e20a5591a556
Opcode Fuzzy Hash: 56c462993b612c7e631256e93f404fd15cf9f610628d779b7ce9edccc1f8ce41
Instruction Fuzzy Hash: E381C171A1C3818FD328CF29849134ABBF0EB99318F148A2EE4D9D7B41C739E549CB56

Uniqueness

Uniqueness Score: -1.00%

Function 6C4B82B6, Relevance: 4.6, APIs: 3, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 6C4B83AE
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 6C4B83B8
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 6C4B83C5

Memory Dump Source

Source File: 0000000B.00000002.707784985.000000006C041000.00000020.00020000.sdmp, Offset: 6C040000, based on PE: true

Associated: 0000000B.00000002.707765537.000000006C040000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.708258845.000000006C4D0000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.708814446.000000006C965000.00000008.00020000.sdmp Download File
Associated: 0000000B.00000002.708832834.000000006C966000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.708918517.000000006D3DF000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.708953976.000000006D423000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.708980202.000000006D426000.00000020.00020000.sdmp Download File
Associated: 0000000B.00000002.709009923.000000006D429000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6c040000_rundll32.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 07661ca3ef64fa5cc05c6dc078f4ff095d77c6fcdbb4d5a8de63268ec6faa3bd
Instruction ID: 7774f140865b63fce2138cc8b5a98459ef518c12512e7037f376674595813646
Opcode Fuzzy Hash: 07661ca3ef64fa5cc05c6dc078f4ff095d77c6fcdbb4d5a8de63268ec6faa3bd
Instruction Fuzzy Hash: 6131E8749012199BDB21DF65C888BCDBBB8BF18315F6041DAE41CA7290E7319F858F54

Uniqueness

Uniqueness Score: -1.00%

Function 6C4B4CF1, Relevance: 4.5, APIs: 3, Instructions: 20COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,6C4B4DA9,6C4AAD14,00000003,00000000,6C4AAD14,00000000), ref: 6C4B4D13
TerminateProcess.KERNEL32(00000000,?,6C4B4DA9,6C4AAD14,00000003,00000000,6C4AAD14,00000000), ref: 6C4B4D1A
ExitProcess.KERNEL32 ref: 6C4B4D2C

Memory Dump Source

Source File: 0000000B.00000002.707784985.000000006C041000.00000020.00020000.sdmp, Offset: 6C040000, based on PE: true

Associated: 0000000B.00000002.707765537.000000006C040000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.708258845.000000006C4D0000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.708814446.000000006C965000.00000008.00020000.sdmp Download File
Associated: 0000000B.00000002.708832834.000000006C966000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.708918517.000000006D3DF000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.708953976.000000006D423000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.708980202.000000006D426000.00000020.00020000.sdmp Download File
Associated: 0000000B.00000002.709009923.000000006D429000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6c040000_rundll32.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 3b14aa36512f7419beec02f5638b03ef899c17a51baea962fb8b182389c82d73
Instruction ID: 24c32790174afa6bab94bed95a99b8de29175edf7208da2442fd6a2504afaf5c
Opcode Fuzzy Hash: 3b14aa36512f7419beec02f5638b03ef899c17a51baea962fb8b182389c82d73
Instruction Fuzzy Hash: 2EE08C31104208AFDF02AF51C908E5C3FB8FB16686B205418F90697E60CB35E881DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6C4C6ECD, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 140timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,?,?,6C4C7420,?,?,?,?,?,?,-00000004,00000000), ref: 6C4C6F81

Part of subcall function 6C4C65B8: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,00000000,00000000,?,6C4C0098,?,00000000,00000000), ref: 6C4C6664

Strings

tLl, xrefs: 6C4C6F2A, 6C4C703B, 6C4C6F30

Memory Dump Source

Source File: 0000000B.00000002.707784985.000000006C041000.00000020.00020000.sdmp, Offset: 6C040000, based on PE: true

Associated: 0000000B.00000002.707765537.000000006C040000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.708258845.000000006C4D0000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.708814446.000000006C965000.00000008.00020000.sdmp Download File
Associated: 0000000B.00000002.708832834.000000006C966000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.708918517.000000006D3DF000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.708953976.000000006D423000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.708980202.000000006D426000.00000020.00020000.sdmp Download File
Associated: 0000000B.00000002.709009923.000000006D429000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6c040000_rundll32.jbxd

Similarity

API ID: ByteCharInformationMultiTimeWideZone
String ID: tLl
API String ID: 1123094072-3393625556
Opcode ID: 33c0392f0fd01aa99da461e9f6e856f71ed830fd099c9d5393a7a6781c54b9d9
Instruction ID: 14a7ba64d7d2e56cd0c4df1a9855e9a2c7c261700d7ec10b287c0eb7d3cb2efd
Opcode Fuzzy Hash: 33c0392f0fd01aa99da461e9f6e856f71ed830fd099c9d5393a7a6781c54b9d9
Instruction Fuzzy Hash: 5641C375A00115ABDB00EFA5CC00EEE7B78EF15354F148169E918E77A4E7319E04CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 6C4C2B7F, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.707784985.000000006C041000.00000020.00020000.sdmp, Offset: 6C040000, based on PE: true

Associated: 0000000B.00000002.707765537.000000006C040000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.708258845.000000006C4D0000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.708814446.000000006C965000.00000008.00020000.sdmp Download File
Associated: 0000000B.00000002.708832834.000000006C966000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.708918517.000000006D3DF000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.708953976.000000006D423000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.708980202.000000006D426000.00000020.00020000.sdmp Download File
Associated: 0000000B.00000002.709009923.000000006D429000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6c040000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edbddc2eb31399773057d65153992727c8735c7af67086445bf3d4c43e6de264
Instruction ID: 907572939a0fd338470654d54c5a868fa0701a6028efd552a9bcd4bf3d876ae3
Opcode Fuzzy Hash: edbddc2eb31399773057d65153992727c8735c7af67086445bf3d4c43e6de264
Instruction Fuzzy Hash: DFE08C76A12228EBCB24CF88C944D8AF7FCEB48A04B1114AAB511D3620D6B0DE41C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 6C4AABB0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_ValidateLocalCookies.LIBCMT ref: 6C4AABE7
___except_validate_context_record.LIBVCRUNTIME ref: 6C4AABEF
_ValidateLocalCookies.LIBCMT ref: 6C4AAC78
__IsNonwritableInCurrentImage.LIBCMT ref: 6C4AACA3
_ValidateLocalCookies.LIBCMT ref: 6C4AACF8

Strings

csm, xrefs: 6C4AAC8D

Memory Dump Source

Source File: 0000000B.00000002.707784985.000000006C041000.00000020.00020000.sdmp, Offset: 6C040000, based on PE: true

Associated: 0000000B.00000002.707765537.000000006C040000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.708258845.000000006C4D0000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.708814446.000000006C965000.00000008.00020000.sdmp Download File
Associated: 0000000B.00000002.708832834.000000006C966000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.708918517.000000006D3DF000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.708953976.000000006D423000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.708980202.000000006D426000.00000020.00020000.sdmp Download File
Associated: 0000000B.00000002.709009923.000000006D429000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6c040000_rundll32.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 217450383a26bd1f0ff9327f20cad46883906c42df2b11b2977572e9eb8bd198
Instruction ID: 79c51ec11326c4389e5ef9bfba3ab6f4b3f75e6369835111c2a6555d43586dc5
Opcode Fuzzy Hash: 217450383a26bd1f0ff9327f20cad46883906c42df2b11b2977572e9eb8bd198
Instruction Fuzzy Hash: 4A510734A01118ABEF00DFA8C884EDE7BB1BF15719F108159E8196BB59C731DA06CFD1

Uniqueness

Uniqueness Score: -1.00%

Function 6C4C0CD7, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

api-ms-, xrefs: 6C4C0D2E
ext-ms-, xrefs: 6C4C0D42

Memory Dump Source

Source File: 0000000B.00000002.707784985.000000006C041000.00000020.00020000.sdmp, Offset: 6C040000, based on PE: true

Associated: 0000000B.00000002.707765537.000000006C040000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.708258845.000000006C4D0000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.708814446.000000006C965000.00000008.00020000.sdmp Download File
Associated: 0000000B.00000002.708832834.000000006C966000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.708918517.000000006D3DF000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.708953976.000000006D423000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.708980202.000000006D426000.00000020.00020000.sdmp Download File
Associated: 0000000B.00000002.709009923.000000006D429000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6c040000_rundll32.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: f625b67e388fc4dc0be6e94b54f8c167a9be6a6e56acd1077a0c7f86ac314b1d
Instruction ID: 6c1b3fff975f8da6a2be9bb4650d175d0fe4b26f898b81a75502742184af95b8
Opcode Fuzzy Hash: f625b67e388fc4dc0be6e94b54f8c167a9be6a6e56acd1077a0c7f86ac314b1d
Instruction Fuzzy Hash: 5D21EBBDB496A0ABDB21C6698C84F5A37689B02B65F250614EC16ABBA0D730FD0185D2

Uniqueness

Uniqueness Score: -1.00%

Function 6C4C84E6, Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 375
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__freea.LIBCMT ref: 6C4C866C
__freea.LIBCMT ref: 6C4C8688

Strings

a/p, xrefs: 6C4C8750
txLl, xrefs: 6C4C88F7
am/pm, xrefs: 6C4C86EC

Memory Dump Source

Source File: 0000000B.00000002.707784985.000000006C041000.00000020.00020000.sdmp, Offset: 6C040000, based on PE: true

Associated: 0000000B.00000002.707765537.000000006C040000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.708258845.000000006C4D0000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.708814446.000000006C965000.00000008.00020000.sdmp Download File
Associated: 0000000B.00000002.708832834.000000006C966000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.708918517.000000006D3DF000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.708953976.000000006D423000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.708980202.000000006D426000.00000020.00020000.sdmp Download File
Associated: 0000000B.00000002.709009923.000000006D429000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6c040000_rundll32.jbxd

Similarity

API ID: __freea
String ID: a/p$am/pm$txLl
API String ID: 240046367-1057221516
Opcode ID: 552080632c906660c3d388012e0f5d36228d0fbfa935e27a207c6a88c357c37c
Instruction ID: fb19a0fd4d9c78f36928e035a59cb4c29660827884bc64f9d9d9e3080f74b82e
Opcode Fuzzy Hash: 552080632c906660c3d388012e0f5d36228d0fbfa935e27a207c6a88c357c37c
Instruction Fuzzy Hash: AEC19E39B45216DADB00CF68C894FAA77B0FF06719F20415BE514ABF60E3359942CBA7

Uniqueness

Uniqueness Score: -1.00%

Function 6C4BE213, Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,00000001,6C4BE20A,6C4AAD14,00000011), ref: 6C4BE221
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6C4BE22F
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6C4BE248
SetLastError.KERNEL32(00000000), ref: 6C4BE29A

Memory Dump Source

Source File: 0000000B.00000002.707784985.000000006C041000.00000020.00020000.sdmp, Offset: 6C040000, based on PE: true

Associated: 0000000B.00000002.707765537.000000006C040000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.708258845.000000006C4D0000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.708814446.000000006C965000.00000008.00020000.sdmp Download File
Associated: 0000000B.00000002.708832834.000000006C966000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.708918517.000000006D3DF000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.708953976.000000006D423000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.708980202.000000006D426000.00000020.00020000.sdmp Download File
Associated: 0000000B.00000002.709009923.000000006D429000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6c040000_rundll32.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: c01e271cbc5e3221bf0fd762b021714780787e4d82d1730420b2bdee2a4dfc4d
Instruction ID: ca3cbfa0ef8842bc911e0410b557147d963b9093b35f432559a026c4a6c77994
Opcode Fuzzy Hash: c01e271cbc5e3221bf0fd762b021714780787e4d82d1730420b2bdee2a4dfc4d
Instruction Fuzzy Hash: 5301283A32DB116EB70859B76CC1C662B64EB4277D330032EE52466FD0EF26484692F0

Uniqueness

Uniqueness Score: -1.00%

Function 6C4B4C9E, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6C4B4D28,00000000,?,6C4B4DA9,6C4AAD14,00000003,00000000), ref: 6C4B4CB3
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C4B4CC6
FreeLibrary.KERNEL32(00000000,?,?,6C4B4D28,00000000,?,6C4B4DA9,6C4AAD14,00000003,00000000), ref: 6C4B4CE9

Strings

CorExitProcess, xrefs: 6C4B4CBE
mscoree.dll, xrefs: 6C4B4CAC

Memory Dump Source

Source File: 0000000B.00000002.707784985.000000006C041000.00000020.00020000.sdmp, Offset: 6C040000, based on PE: true

Associated: 0000000B.00000002.707765537.000000006C040000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.708258845.000000006C4D0000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.708814446.000000006C965000.00000008.00020000.sdmp Download File
Associated: 0000000B.00000002.708832834.000000006C966000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.708918517.000000006D3DF000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.708953976.000000006D423000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.708980202.000000006D426000.00000020.00020000.sdmp Download File
Associated: 0000000B.00000002.709009923.000000006D429000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6c040000_rundll32.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: d544dcb69a852d3cd2fc62f6821e708e2c60074e4dc29bb10fa320e1d26fbd41
Instruction ID: 6d2e5921ad4e76f9f0be894a6261007a3fa98a04affac28a447ccdc577f6c4da
Opcode Fuzzy Hash: d544dcb69a852d3cd2fc62f6821e708e2c60074e4dc29bb10fa320e1d26fbd41
Instruction Fuzzy Hash: 67F01235502118FBDF01DB61CD09FAD7B74FB41797F610058B401B2A94CB71DE10EA94

Uniqueness

Uniqueness Score: -1.00%

Function 6C4B7A79, Relevance: 6.2, APIs: 4, Instructions: 152
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.707784985.000000006C041000.00000020.00020000.sdmp, Offset: 6C040000, based on PE: true

Associated: 0000000B.00000002.707765537.000000006C040000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.708258845.000000006C4D0000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.708814446.000000006C965000.00000008.00020000.sdmp Download File
Associated: 0000000B.00000002.708832834.000000006C966000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.708918517.000000006D3DF000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.708953976.000000006D423000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.708980202.000000006D426000.00000020.00020000.sdmp Download File
Associated: 0000000B.00000002.709009923.000000006D429000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6c040000_rundll32.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: a0d9db27308b92b73bcaaada536c00fed4215f7d3dbacf7dc5fbf76636d461ea
Instruction ID: 606707ea989ebdebfd76cadb2232a7f2f62facf8937883b644ff43f795f89292
Opcode Fuzzy Hash: a0d9db27308b92b73bcaaada536c00fed4215f7d3dbacf7dc5fbf76636d461ea
Instruction Fuzzy Hash: BC41E372A04644AFD714DF78C844F9ABBB8EB85724F11862EE051ABB80D771AA4587F0

Uniqueness

Uniqueness Score: -1.00%

Function 6C4B93F4, Relevance: 6.1, APIs: 4, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.707784985.000000006C041000.00000020.00020000.sdmp, Offset: 6C040000, based on PE: true

Associated: 0000000B.00000002.707765537.000000006C040000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.708258845.000000006C4D0000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.708814446.000000006C965000.00000008.00020000.sdmp Download File
Associated: 0000000B.00000002.708832834.000000006C966000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.708918517.000000006D3DF000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.708953976.000000006D423000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.708980202.000000006D426000.00000020.00020000.sdmp Download File
Associated: 0000000B.00000002.709009923.000000006D429000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6c040000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaf207e6cfc0e9730314ae0308d78c906b2f04d902cb3ea721d434a00174cbd6
Instruction ID: 4cf5f03a3f5227a36c0885f0206518bcd86362b52b5b44f9ec0e613f68a79b54
Opcode Fuzzy Hash: eaf207e6cfc0e9730314ae0308d78c906b2f04d902cb3ea721d434a00174cbd6
Instruction Fuzzy Hash: 56217F7160C615AFDB10DF668C80D9AB77DAF7537D7148618E828A7E90E732DC0087B0

Uniqueness

Uniqueness Score: -1.00%

Function 6C373800, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 6C37380E
GetProcAddress.KERNEL32(00000000,GetHandleVerifier), ref: 6C37381A

Strings

GetHandleVerifier, xrefs: 6C373814

Memory Dump Source

Source File: 0000000B.00000002.707784985.000000006C041000.00000020.00020000.sdmp, Offset: 6C040000, based on PE: true

Associated: 0000000B.00000002.707765537.000000006C040000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.708258845.000000006C4D0000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.708814446.000000006C965000.00000008.00020000.sdmp Download File
Associated: 0000000B.00000002.708832834.000000006C966000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.708918517.000000006D3DF000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.708953976.000000006D423000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.708980202.000000006D426000.00000020.00020000.sdmp Download File
Associated: 0000000B.00000002.709009923.000000006D429000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6c040000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetHandleVerifier
API String ID: 1646373207-1090674830
Opcode ID: b515f917a85de24645e08242a614a5f65668caf0269f9b2cbf601923f1cbe122
Instruction ID: ef5557dae0ad6fdb20b035ad9cd6dcb0682bdb8bec4776b5c24c73e39900c656
Opcode Fuzzy Hash: b515f917a85de24645e08242a614a5f65668caf0269f9b2cbf601923f1cbe122
Instruction Fuzzy Hash: 9ED05B30248204BAEBA027554805F1932B8771A70EF440124F14DD7EC0DF78C444CD36

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report widevinecdm.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: loaddll32.exe PID: 7104 Parent PID: 6040

General

Analysis Process: cmd.exe PID: 7144 Parent PID: 7104

General

Function 6C041210, Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Function 6C376B60, Relevance: 5.2, Strings: 4, Instructions: 229
COMMON

Function 6C4B82B6, Relevance: 4.6, APIs: 3, Instructions: 77
COMMON

Function 6C4AABB0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 145
COMMON

Function 6C4C0CD7, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77
COMMONLIBRARYCODE

Function 6C4C84E6, Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 375
COMMON

Function 6C4BE213, Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Function 6C4B4C9E, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30
libraryloaderCOMMON

Function 6C4B7A79, Relevance: 6.2, APIs: 4, Instructions: 152
COMMON

Function 6C4B93F4, Relevance: 6.1, APIs: 4, Instructions: 83
COMMON