
Windows Analysis Report 2663823750648860.dll

Overview

General Information

Sample Name: 2663823750648860.dll
Analysis ID: 545754
MD5: 8cb16d054c16e0ca76b3ff0531b36068
SHA1: 5de90fb5fc70b30155be64b04ea852630ab60f67
SHA256: 8b93200127039c0f4387c357c52d6b1cc0d68c2c3bfe7c869d1466440e3a570c
Tags: dll

Detection

Qbot
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Qbot
Multi AV Scanner detection for submitted file
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Writes to foreign memory regions
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
Sigma detected: Suspicious Call by Ordinal
Contains functionality to detect sleep reduction / modifications
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to detect sandboxes (mouse cursor move detection)
PE file overlay found
May check if the current machine is a sandbox (GetTickCount - Sleep)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Classification chart (radar axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 1048 cmdline: loaddll32.exe "C:\Users\user\Desktop\2663823750648860.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 6816 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2663823750648860.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6812 cmdline: rundll32.exe "C:\Users\user\Desktop\2663823750648860.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • explorer.exe (PID: 5636 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
        • WerFault.exe (PID: 6664 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6812 -s 208 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • explorer.exe (PID: 5336 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)

Malware Configuration

{
  "Bot id": "obama151",
  "Campaign": "1640597238",
  "Version": "403.2",
  "C2 list": [
    "70.163.1.219:443",
    "93.48.80.198:995",
    "72.252.201.34:993",
    "24.95.61.62:443",
    "31.35.28.29:443",
    "69.14.172.24:443",
    "86.97.9.221:443",
    "83.110.91.18:2222",
    "31.215.215.152:2222",
    "24.178.196.158:2222",
    "74.15.2.252:2222",
    "217.165.123.47:61200",
    "41.228.22.180:443",
    "105.198.236.99:995",
    "109.12.111.14:443",
    "149.135.101.20:443",
    "96.80.109.57:995",
    "38.70.253.226:2222",
    "24.222.20.254:443",
    "5.32.41.46:443",
    "190.73.3.148:2222",
    "120.150.218.241:995",
    "176.67.56.94:443",
    "96.21.251.127:2222",
    "128.106.122.39:443",
    "83.110.2.118:443",
    "31.215.215.152:1194",
    "117.248.109.38:21",
    "103.142.10.177:443",
    "217.164.247.241:2222",
    "94.62.161.77:995",
    "182.56.69.176:443",
    "180.233.150.134:995",
    "71.74.12.34:443",
    "103.139.242.30:990",
    "194.36.28.238:443",
    "106.51.48.170:50001",
    "75.156.151.34:443",
    "103.143.8.71:6881",
    "140.82.49.12:443",
    "32.221.229.7:443",
    "39.49.115.85:995",
    "37.210.226.125:61202",
    "45.9.20.200:2211",
    "59.6.7.83:61200",
    "176.205.194.245:2078",
    "149.200.165.116:443",
    "114.79.148.170:443",
    "144.86.10.42:443",
    "94.200.181.154:995",
    "96.37.113.36:993",
    "89.137.52.44:443",
    "121.175.104.13:32100",
    "136.232.34.70:443",
    "79.167.192.206:995",
    "73.151.236.31:443",
    "218.253.234.82:2222",
    "78.180.66.163:995",
    "76.25.142.196:443",
    "67.209.195.198:443",
    "78.100.225.202:2222",
    "83.110.219.9:32101",
    "94.60.254.81:443",
    "182.191.92.203:995",
    "173.21.10.71:2222",
    "80.14.196.176:2222",
    "67.165.206.193:993",
    "23.233.146.92:443",
    "1.253.96.148:443",
    "88.253.171.236:995",
    "75.188.35.168:443",
    "76.169.147.192:32103",
    "72.66.116.235:995",
    "31.215.70.105:443",
    "176.205.209.183:2222",
    "91.73.77.234:995",
    "130.255.238.245:61202",
    "176.205.194.245:2222",
    "197.202.51.179:443",
    "218.101.110.3:995",
    "178.153.86.181:443",
    "136.143.11.232:443",
    "78.100.225.202:443",
    "74.5.148.57:443",
    "5.193.122.139:2222",
    "24.152.219.253:995",
    "89.165.55.237:443",
    "103.139.242.30:993",
    "114.143.36.16:61202",
    "86.150.101.200:443",
    "50.237.134.22:995",
    "103.139.242.30:995",
    "86.144.217.66:443",
    "190.45.79.111:443",
    "72.252.201.34:995",
    "119.246.201.210:443",
    "148.69.189.146:443",
    "103.139.242.30:22",
    "114.38.161.124:995",
    "189.224.99.142:995",
    "70.51.153.90:2222",
    "89.101.97.139:443",
    "217.128.93.27:2222",
    "209.210.95.228:32100",
    "100.1.119.41:443",
    "201.172.31.95:80",
    "31.215.215.152:2222",
    "157.47.55.245:443",
    "24.55.112.61:443",
    "24.53.49.240:443",
    "190.39.205.165:443",
    "63.153.148.32:443",
    "82.152.39.39:443",
    "186.64.87.236:443",
    "31.219.154.176:32101",
    "102.65.38.67:443",
    "217.165.21.84:995",
    "96.80.109.57:995",
    "40.134.247.125:995",
    "83.199.144.45:2222",
    "92.154.9.41:50002",
    "111.125.245.116:995",
    "182.176.180.73:443",
    "121.175.104.13:443",
    "65.100.174.110:8443",
    "79.160.207.214:443",
    "70.224.68.92:443",
    "173.25.166.81:443",
    "176.205.152.44:443",
    "108.4.67.252:443",
    "189.174.46.65:995",
    "187.189.86.168:443",
    "176.24.150.197:443",
    "200.54.14.34:80",
    "103.139.242.30:443",
    "103.139.242.30:465",
    "103.139.242.30:993",
    "73.5.119.219:443",
    "68.186.192.69:443",
    "50.33.112.74:995",
    "70.93.80.154:995",
    "75.169.58.229:32100",
    "63.143.92.99:995",
    "46.9.77.245:995",
    "173.71.147.134:995",
    "75.110.250.187:443",
    "65.100.174.110:443",
    "65.100.174.110:443",
    "82.78.212.133:443",
    "83.110.107.123:443"
  ]
}
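The extracted configuration above is the most directly actionable part of this report, but the C2 list as dumped contains verbatim duplicates (for example 65.100.174.110:443 and 31.215.215.152:2222 each appear twice) and several hosts listed on more than one port. The Python below is an added example, not part of the report or of any Qbot tooling: it validates every entry as an IP literal plus a sane port, deduplicates the list, counts unique entries per port, flags multi-port hosts and renders a blocklist. It runs on a constructed 14-entry excerpt of the list above; reading the Campaign value as a Unix epoch timestamp is an assumption.

```python
import json
from collections import Counter
from datetime import datetime, timezone
from ipaddress import ip_address

# Constructed excerpt of the configuration extracted above (14 of the 150
# entries, chosen to include the verbatim duplicates the full list contains).
QBOT_CONFIG_JSON = """
{
  "Bot id": "obama151",
  "Campaign": "1640597238",
  "Version": "403.2",
  "C2 list": [
    "70.163.1.219:443", "93.48.80.198:995", "72.252.201.34:993",
    "83.110.91.18:2222", "31.215.215.152:2222", "217.165.123.47:61200",
    "117.248.109.38:21", "103.139.242.30:990", "103.139.242.30:993",
    "103.139.242.30:22", "31.215.215.152:2222", "65.100.174.110:443",
    "65.100.174.110:443", "201.172.31.95:80"
  ]
}
"""


def parse_c2(entry):
    """Split an 'ip:port' string, rejecting anything that is not a valid IP
    literal with a 1-65535 port, so a corrupt extraction cannot push a bad
    indicator into a blocklist."""
    host, sep, port = entry.rpartition(":")
    if not sep:
        raise ValueError(f"no port in {entry!r}")
    ip = str(ip_address(host))          # ValueError on malformed addresses
    port = int(port)
    if not 0 < port < 65536:
        raise ValueError(f"bad port in {entry!r}")
    return ip, port


def triage(config_json):
    cfg = json.loads(config_json)
    c2s = [parse_c2(e) for e in cfg["C2 list"]]
    unique = sorted(set(c2s))
    by_port = Counter(port for _, port in unique)
    ports_per_host = Counter(ip for ip, _ in unique)
    # Assumption: the Campaign field is a Unix epoch timestamp; decoded as UTC.
    campaign_utc = datetime.fromtimestamp(int(cfg["Campaign"]), tz=timezone.utc)
    return {
        "bot_id": cfg["Bot id"],
        "version": cfg["Version"],
        "campaign_utc": campaign_utc.isoformat(),
        "total": len(c2s),
        "duplicates": len(c2s) - len(unique),
        "unique": unique,
        "by_port": dict(by_port),
        "multi_port_hosts": sorted(ip for ip, n in ports_per_host.items() if n > 1),
    }


def blocklist(result):
    """One 'ip:port' line per unique C2, ready for a firewall or proxy list."""
    return [f"{ip}:{port}" for ip, port in result["unique"]]


if __name__ == "__main__":
    r = triage(QBOT_CONFIG_JSON)
    print(f"bot {r['bot_id']} v{r['version']} campaign {r['campaign_utc']}")
    print(f"{r['total']} entries, {r['duplicates']} duplicates, per port: {r['by_port']}")
    print("\n".join(blocklist(r)))
```

The port mix (443, 995, 993, 2222, 61200 and so on, mostly residential addresses) is typical of Qbot's proxy-bot C2 tier; block on exact ip:port pairs rather than on bare IPs, since the same host can be listed on several ports and the addresses rotate quickly.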
Yara Overview

Memory Dumps (5 of 11 entries shown):

Source | Rule | Description | Author
00000002.00000000.300055482.0000000002F00000.00000040.00000001.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
00000002.00000002.330146835.00000000047D0000.00000040.00000001.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
00000002.00000002.330176963.0000000004830000.00000040.00000001.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
00000002.00000000.301385547.0000000002F00000.00000040.00000001.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
00000006.00000002.331967746.0000000000F80000.00000040.00020000.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
Unpacked PEs (5 of 27 entries shown):

Source | Rule | Description | Author
2.0.rundll32.exe.2f00000.5.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
2.2.rundll32.exe.4830000.3.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
0.2.loaddll32.exe.2580000.3.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
6.2.explorer.exe.f80000.0.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
6.0.explorer.exe.f80000.0.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
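The hit identifiers above encode where in memory the Qbot payload was found, which is what an analyst needs in order to pick the right dump to carve. The following is an added example, not part of the report or of Joe Sandbox; the field layout it assumes (process index / phase / dump id / base address / protection / type for .sdmp names, process index / phase / image name / base address / counter for .unpack names) is inferred from the identifiers listed above and is an assumption, as is reading the protection field as a winnt.h PAGE_* constant. It decodes each memory-dump hit, resolves the process image through the unpacked-PE hits that carry a name, and reports whether the region was RWX and whether an unpacked PE was already carved from the same base.

```python
import re

# winnt.h memory protection constants, used to decode the protection field.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

# Assumed layouts, inferred from the identifiers in the tables above:
#   <proc>.<phase>.<dumpid>.<base>.<protect>.<type>.sdmp   (hex fields except dumpid)
#   <proc>.<phase>.<image>.<base>.<n>.unpack                (decimal proc/phase, hex base)
SDMP_RE = re.compile(
    r"^([0-9a-f]{8})\.([0-9a-f]{8})\.(\d+)\.([0-9a-f]{16})\.([0-9a-f]{8})\.([0-9a-f]{8})\.sdmp$",
    re.IGNORECASE)
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+?)\.([0-9a-f]+)\.(\d+)\.unpack$", re.IGNORECASE)

# Constructed input: the ten rule hits listed in the two tables above.
HITS = [
    "00000002.00000000.300055482.0000000002F00000.00000040.00000001.sdmp",
    "00000002.00000002.330146835.00000000047D0000.00000040.00000001.sdmp",
    "00000002.00000002.330176963.0000000004830000.00000040.00000001.sdmp",
    "00000002.00000000.301385547.0000000002F00000.00000040.00000001.sdmp",
    "00000006.00000002.331967746.0000000000F80000.00000040.00020000.sdmp",
    "2.0.rundll32.exe.2f00000.5.unpack",
    "2.2.rundll32.exe.4830000.3.unpack",
    "0.2.loaddll32.exe.2580000.3.unpack",
    "6.2.explorer.exe.f80000.0.unpack",
    "6.0.explorer.exe.f80000.0.unpack",
]


def parse_hit(name):
    """Decode one Yara hit identifier into its fields."""
    m = SDMP_RE.match(name)
    if m:
        return {"kind": "sdmp", "proc": int(m[1], 16), "phase": int(m[2], 16),
                "base": int(m[4], 16), "protect": int(m[5], 16), "type": int(m[6], 16)}
    m = UNPACK_RE.match(name)
    if m:
        return {"kind": "unpack", "proc": int(m[1]), "phase": int(m[2]),
                "image": m[3], "base": int(m[4], 16)}
    raise ValueError(f"unrecognised hit identifier: {name!r}")


def summarize(names):
    """For each memory-dump hit: the owning process (learned from unpacked-PE
    hits, which carry an image name), base address, decoded protection,
    whether the region was RWX, and whether an unpacked PE exists at the
    same base (i.e. a ready-made payload has already been carved)."""
    parsed = [parse_hit(n) for n in names]
    image_of = {p["proc"]: p["image"] for p in parsed if p["kind"] == "unpack"}
    unpack_bases = {(p["proc"], p["base"]) for p in parsed if p["kind"] == "unpack"}
    rows = []
    for p in parsed:
        if p["kind"] != "sdmp":
            continue
        rows.append({
            "process": image_of.get(p["proc"], f"process#{p['proc']}"),
            "base": f"0x{p['base']:08X}",
            "protect": PAGE_PROTECT.get(p["protect"], hex(p["protect"])),
            "rwx": p["protect"] == 0x40,
            "has_unpacked_pe": (p["proc"], p["base"]) in unpack_bases,
        })
    return rows


if __name__ == "__main__":
    for row in summarize(HITS):
        print(row)
```

Every hit here sits in a PAGE_EXECUTE_READWRITE region, which is consistent with the "Allocates memory in foreign processes" and "Writes to foreign memory regions" signatures: the unpacked Qbot core lives in privately allocated RWX memory in rundll32.exe and in the injected explorer.exe, never in the on-disk DLL's image.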

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal
Source: Process started | Author: Florian Roth
Data:
  Command: rundll32.exe "C:\Users\user\Desktop\2663823750648860.dll",#1
  CommandLine: rundll32.exe "C:\Users\user\Desktop\2663823750648860.dll",#1
  CommandLine|base64offset|contains: (empty)
  Image: C:\Windows\SysWOW64\rundll32.exe
  NewProcessName: C:\Windows\SysWOW64\rundll32.exe
  OriginalFileName: C:\Windows\SysWOW64\rundll32.exe
  ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2663823750648860.dll",#1
  ParentImage: C:\Windows\SysWOW64\cmd.exe
  ParentProcessId: 6816
  ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\2663823750648860.dll",#1
  ProcessId: 6812
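The Sigma match above fires on one event; the process tree earlier in the report shows two more relationships worth alerting on that the sample produced: SysWOW64\explorer.exe spawned by rundll32.exe and by the sandbox loader (the injection hosts), and WerFault.exe started for the rundll32.exe process that crashed. The Python below is an added example, not the Sigma rule itself nor anything shipped by Joe Sandbox or the Sigma project: it runs three process-creation rules over a constructed event log built from the six processes in the report's tree plus two benign processes (pids 4242 and 3000) that must not fire. The ordinal rule is my approximation of "Suspicious Call by Ordinal" (rundll32.exe with ",#N" or ".dll #N" on the command line); the set of loader images treated as suspicious parents of explorer.exe is an assumption.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


# Constructed event log: the report's process tree (pids 1048, 6816, 6812,
# 5636, 6664, 5336) plus two benign processes added as negative cases.
EVENTS = [
    ProcEvent(1048, 1, r"C:\Windows\System32\loaddll32.exe",
              r'loaddll32.exe "C:\Users\user\Desktop\2663823750648860.dll"'),
    ProcEvent(6816, 1048, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2663823750648860.dll",#1'),
    ProcEvent(6812, 6816, r"C:\Windows\SysWOW64\rundll32.exe",
              r'rundll32.exe "C:\Users\user\Desktop\2663823750648860.dll",#1'),
    ProcEvent(5636, 6812, r"C:\Windows\SysWOW64\explorer.exe", r"C:\Windows\SysWOW64\explorer.exe"),
    ProcEvent(6664, 6812, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 6812 -s 208"),
    ProcEvent(5336, 1048, r"C:\Windows\SysWOW64\explorer.exe", r"C:\Windows\SysWOW64\explorer.exe"),
    # benign: rundll32 calling a named export, and the normal desktop shell
    ProcEvent(4242, 800, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    ProcEvent(3000, 2900, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
]

# ",#1" / ", #1" / "foo.dll #1": export called by ordinal rather than by name.
ORDINAL_RE = re.compile(r",\s*#\d+|\.(?:dll|ocx)\s+#\d+", re.IGNORECASE)
# Assumed list of images that should never be the parent of explorer.exe.
LOADERS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "loaddll32.exe"}
WER_PID_RE = re.compile(r"-p\s+(\d+)")


def run_rules(events):
    """Return (rule_name, pid) tuples for every event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        img = basename(e.image)
        parent = by_pid.get(e.ppid)
        # Rule 1: rundll32 invoked with an ordinal instead of an export name.
        if img == "rundll32.exe" and ORDINAL_RE.search(e.cmdline):
            alerts.append(("rundll32_ordinal_call", e.pid))
        # Rule 2: explorer.exe started by a script/DLL loader (injection host).
        if img == "explorer.exe" and parent and basename(parent.image) in LOADERS:
            alerts.append(("explorer_spawned_by_loader", e.pid))
        # Rule 3: Windows Error Reporting invoked for a rundll32 process,
        # i.e. the DLL host crashed (the report's "One or more processes crash").
        if img == "werfault.exe":
            m = WER_PID_RE.search(e.cmdline)
            crashed = by_pid.get(int(m.group(1))) if m else None
            if crashed and basename(crashed.image) == "rundll32.exe":
                alerts.append(("werfault_for_rundll32", e.pid))
    return alerts


if __name__ == "__main__":
    for rule, pid in run_rules(EVENTS):
        print(f"{rule}: pid {pid}")
```

Rule 1 keys on the image, not only on the command line, so the cmd.exe wrapper (pid 6816, whose command line also contains ",#1") does not double-fire; rule 2 needs the parent event, so in a real pipeline the process table must be built before rules run rather than evaluated per event in isolation.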

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 2.2.rundll32.exe.47d0184.2.raw.unpack | Malware Configuration Extractor: Qbot (Bot id obama151, Campaign 1640597238, Version 403.2, 150 C2 entries; the configuration is reproduced in full in the JSON block above)
Multi AV Scanner detection for submitted file
Source: 2663823750648860.dll | Virustotal: Detection: 31%
Source: 2663823750648860.dll | ReversingLabs: Detection: 25%
Source: 2.2.rundll32.exe.47d0184.2.unpack | Avira: Label: TR/Kazy.4159236
Source: 0.2.loaddll32.exe.2520184.2.unpack | Avira: Label: TR/Kazy.4159236
Source: 2.0.rundll32.exe.47d0184.6.unpack | Avira: Label: TR/Kazy.4159236
Source: 2.0.rundll32.exe.47d0184.2.unpack | Avira: Label: TR/Kazy.4159236
Source: 2663823750648860.dll | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
                      Source: Binary string: comctl32v582.pdb> source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000008.00000003.306086919.0000000004796000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.312164856.0000000004C21000.00000004.00000001.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
                      Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000008.00000003.312181392.0000000004DC0000.00000004.00000040.sdmp
                      Source: Binary string: wkscli.pdbU source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000008.00000003.312164856.0000000004C21000.00000004.00000001.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000008.00000003.312181392.0000000004DC0000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 00000008.00000003.312164856.0000000004C21000.00000004.00000001.sdmp
                      Source: Binary string: logoncli.pdb9 source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 00000008.00000003.312181392.0000000004DC0000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000008.00000003.312164856.0000000004C21000.00000004.00000001.sdmp
                      Source: Binary string: fltLib.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
                      Source: Binary string: shell32.pdb source: WerFault.exe, 00000008.00000003.312181392.0000000004DC0000.00000004.00000040.sdmp
                      Source: Binary string: samcli.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
                      Source: Binary string: srvcli.pdbc source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 00000008.00000003.312181392.0000000004DC0000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000008.00000003.312181392.0000000004DC0000.00000004.00000040.sdmp
                      Source: Binary string: netapi32.pdb3 source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000008.00000003.312164856.0000000004C21000.00000004.00000001.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
                      Source: Binary string: userenv.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
                      Source: Binary string: mpr.pdb source: WerFault.exe, 00000008.00000003.312181392.0000000004DC0000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
                      Source: Binary string: samcli.pdb? source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000008.00000003.312164856.0000000004C21000.00000004.00000001.sdmp
                      Source: Binary string: setupapi.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
                      Source: Binary string: mpr.pdb= source: WerFault.exe, 00000008.00000003.312181392.0000000004DC0000.00000004.00000040.sdmp
                      Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
                      Source: Binary string: wkscli.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
                      Source: Binary string: srvcli.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdbk source: WerFault.exe, 00000008.00000003.312181392.0000000004DC0000.00000004.00000040.sdmp
                      Source: Binary string: profapi.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
                      Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
                      Source: Binary string: winspool.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000008.00000003.312164856.0000000004C21000.00000004.00000001.sdmp
                      Source: Binary string: shell32.pdbk source: WerFault.exe, 00000008.00000003.312181392.0000000004DC0000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
                      Source: Binary string: propsys.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000008.00000003.312181392.0000000004DC0000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000008.00000003.312181392.0000000004DC0000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
                      Source: Binary string: version.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
                      Source: Binary string: ole32.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
                      Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000008.00000003.312164856.0000000004C21000.00000004.00000001.sdmp
                      Source: Binary string: logoncli.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000008.00000003.312181392.0000000004DC0000.00000004.00000040.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
                      Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
                      Source: Binary string: netapi32.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000008.00000003.312181392.0000000004DC0000.00000004.00000040.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000008.00000003.312181392.0000000004DC0000.00000004.00000040.sdmp
                      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000008.00000003.312181392.0000000004DC0000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
                      Source: Binary string: rundll32.pdb source: WerFault.exe, 00000008.00000003.312164856.0000000004C21000.00000004.00000001.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
                      Source: Binary string: sfc.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 00000008.00000003.312164856.0000000004C21000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 00000008.00000003.312164856.0000000004C21000.00000004.00000001.sdmp
                      Source: Binary string: aenjrhnCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000008.00000002.322630793.00000000002F2000.00000004.00000001.sdmp
                      Source: Binary string: netutils.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00724FF4 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00404FF4 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 6_2_00F8B055 FindFirstFileW,FindNextFileW,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_00DAB055 FindFirstFileW,FindNextFileW,
Source: WerFault.exe, 00000008.00000002.324551339.0000000004ED0000.00000002.00020000.sdmp, 2663823750648860.dll | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: WerFault.exe, 00000008.00000002.324551339.0000000004ED0000.00000002.00020000.sdmp, WerFault.exe, 00000008.00000003.321371090.00000000046BD000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000002.324214438.00000000046BD000.00000004.00000001.sdmp, 2663823750648860.dll | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: WerFault.exe, 00000008.00000003.321371090.00000000046BD000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000002.324214438.00000000046BD000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: WerFault.exe, 00000008.00000002.324551339.0000000004ED0000.00000002.00020000.sdmp, 2663823750648860.dll | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: WerFault.exe, 00000008.00000002.324551339.0000000004ED0000.00000002.00020000.sdmp, 2663823750648860.dll | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: WerFault.exe, 00000008.00000002.324551339.0000000004ED0000.00000002.00020000.sdmp, 2663823750648860.dll | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: WerFault.exe, 00000008.00000002.324551339.0000000004ED0000.00000002.00020000.sdmp, 2663823750648860.dll | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: WerFault.exe, 00000008.00000002.324551339.0000000004ED0000.00000002.00020000.sdmp, 2663823750648860.dll | String found in binary or memory: http://ocsp.comodoca.com0
Source: WerFault.exe, 00000008.00000002.324551339.0000000004ED0000.00000002.00020000.sdmp, 2663823750648860.dll | String found in binary or memory: http://ocsp.sectigo.com0
Source: Amcache.hve.8.dr | String found in binary or memory: http://upx.sf.net
Source: WerFault.exe, 00000008.00000002.324551339.0000000004ED0000.00000002.00020000.sdmp, 2663823750648860.dll | String found in binary or memory: https://sectigo.com/CPS0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0074070C GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00420D50 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,
Source: loaddll32.exe, 00000000.00000002.305345102.000000000080B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0074FC0C GetKeyboardState,

                      System Summary:

                      barindex
                      Source: 2663823750648860.dllStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6812 -s 208
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00784348
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_00442288
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_0044742C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_048424EB
                      Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_00F918FD
                      Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_00F924EB
                      Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_00F97150
                      Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_00F95260
                      Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_00F9561F
                      Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_00DB18FD
                      Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_00DB24EB
                      Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_00DB7150
                      Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_00DB5260
                      Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_00DB561F
                      Source: C:\Windows\System32\loaddll32.exeCode function: String function: 00726030 appears 48 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 00403F1C appears 67 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 00406030 appears 61 times
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00747064 NtdllDefWindowProc_A,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00442288 GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00432ADC NtdllDefWindowProc_A,GetCapture,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0044CFC4 NtdllDefWindowProc_A,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00427064 NtdllDefWindowProc_A,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0044D76C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0044D81C IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0483CD1D memset,GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0483C866 NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,
Source: 2663823750648860.dll.7.dr | Static PE information: No import functions for PE file found
Source: 2663823750648860.dll | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: 2663823750648860.dll | Static PE information: invalid certificate
Source: 2663823750648860.dll.7.dr | Static PE information: Data appended to the last section found
Source: 2663823750648860.dll | Virustotal: Detection: 31%
Source: 2663823750648860.dll | ReversingLabs: Detection: 25%
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\2663823750648860.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2663823750648860.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2663823750648860.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6812 -s 208
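The process-creation records above carry two patterns a detection engineer can key on without any other telemetry: rundll32 invoked with an export ordinal (`,#1`) on a DLL under the user profile, and a 32-bit explorer.exe started from C:\Windows\SysWOW64 by rundll32 / loaddll32 rather than by the shell, which is the host the DLL then injects into. The script below is an added example written for this page, not part of the Joe Sandbox report or of the sample; the sample lines are copied from the records above and embedded as constructed input, and the rule names and the list of expected explorer parents are this example's own assumptions to be tuned per environment.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Process-creation lines copied from the report above (constructed sample input so the example runs offline).
SAMPLE = r"""
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\2663823750648860.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2663823750648860.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2663823750648860.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6812 -s 208
"""


@dataclass
class ProcEvent:
    parent: str   # image path of the creating process ("unknown" when the sandbox did not see it)
    image: str    # image path of the created process
    cmdline: str  # command line as logged (may be empty)


LINE_RE = re.compile(r"^Source: (?P<parent>.+?) \| Process created: (?P<image>\S+)(?: (?P<cmdline>.*))?$")
# rundll32 <dll>,#<ordinal>; the DLL path may be quoted and rundll32 tolerates whitespace around the comma.
ORDINAL_RE = re.compile(r'rundll32(?:\.exe)?\s+(?:"[^"]+"|[^\s,]+)\s*,\s*#\d+', re.IGNORECASE)
DLL_ARG_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)', re.IGNORECASE)

# Parents that legitimately start explorer.exe (shell restart, logon). Assumed baseline; tune per environment.
EXPECTED_EXPLORER_PARENTS = {"explorer.exe", "userinit.exe", "winlogon.exe"}


def parse_events(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(ProcEvent(m["parent"], m["image"], m["cmdline"] or ""))
    return events


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list) -> list:
    """Return (rule_name, event) pairs; an event may trigger several rules."""
    findings = []
    for ev in events:
        if ORDINAL_RE.search(ev.cmdline):
            findings.append(("rundll32_export_by_ordinal", ev))
        m = DLL_ARG_RE.search(ev.cmdline)
        if m and "\\users\\" in m["dll"].lower():
            findings.append(("rundll32_dll_from_user_profile", ev))
        if (basename(ev.image) == "explorer.exe"
                and ev.image.lower().startswith("c:\\windows\\syswow64\\")
                and basename(ev.parent) not in EXPECTED_EXPLORER_PARENTS):
            findings.append(("syswow64_explorer_from_unexpected_parent", ev))
    return findings


def rule_counts(text: str = SAMPLE) -> Counter:
    return Counter(rule for rule, _ in detect(parse_events(text)))


if __name__ == "__main__":
    for rule, ev in detect(parse_events(SAMPLE)):
        print(f"{rule}: {basename(ev.parent)} -> {ev.image} {ev.cmdline}".rstrip())
```

The ordinal and user-profile rules fire twice each on the report's lines, once on the cmd.exe launcher that carries the rundll32 command line and once on rundll32 itself, so a pipeline that only inspects the child image would still catch it on the second event. Ordinal calls have legitimate uses (some installers call their own DLLs that way), which is why the rule is paired with the DLL location rather than used alone.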
Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Usoybacxwee
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER664A.tmp
Source: classification engine | Classification label: mal92.troj.evad.winDLL@10/7@0/0
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 6_2_00F8D6CC CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_007283C8 GetDiskFreeSpaceA,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0073DBAC GetLastError,FormatMessageA,
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0483AD44 CreateToolhelp32Snapshot,memset,Process32First,Process32Next,FindCloseChangeNotification,
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2663823750648860.dll",#1
Source: C:\Windows\SysWOW64\explorer.exe | Mutant created: \Sessions\1\BaseNamedObjects\{6A61BD0B-4B87-40FA-9701-3A76E1C0A30D}
Source: C:\Windows\SysWOW64\explorer.exe | Mutant created: \Sessions\1\BaseNamedObjects\{5AA344D3-E3FE-4A87-95B9-5AD8A23FEBF7}
Source: C:\Windows\SysWOW64\explorer.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{5AA344D3-E3FE-4A87-95B9-5AD8A23FEBF7}
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6812
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_007362E0 FindResourceA,LoadResource,SizeofResource,LockResource,
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Binary string: comctl32v582.pdb> source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000008.00000003.306086919.0000000004796000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.312164856.0000000004C21000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000008.00000003.312181392.0000000004DC0000.00000004.00000040.sdmp
Source: Binary string: wkscli.pdbU source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000008.00000003.312164856.0000000004C21000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000008.00000003.312181392.0000000004DC0000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000008.00000003.312164856.0000000004C21000.00000004.00000001.sdmp
Source: Binary string: logoncli.pdb9 source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000008.00000003.312181392.0000000004DC0000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000008.00000003.312164856.0000000004C21000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000008.00000003.312181392.0000000004DC0000.00000004.00000040.sdmp
Source: Binary string: samcli.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
Source: Binary string: srvcli.pdbc source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 00000008.00000003.312181392.0000000004DC0000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000008.00000003.312181392.0000000004DC0000.00000004.00000040.sdmp
Source: Binary string: netapi32.pdb3 source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000008.00000003.312164856.0000000004C21000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
Source: Binary string: userenv.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 00000008.00000003.312181392.0000000004DC0000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
Source: Binary string: samcli.pdb? source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000008.00000003.312164856.0000000004C21000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb= source: WerFault.exe, 00000008.00000003.312181392.0000000004DC0000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
Source: Binary string: wkscli.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
Source: Binary string: srvcli.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 00000008.00000003.312181392.0000000004DC0000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000008.00000003.312164856.0000000004C21000.00000004.00000001.sdmp
Source: Binary string: shell32.pdbk source: WerFault.exe, 00000008.00000003.312181392.0000000004DC0000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000008.00000003.312181392.0000000004DC0000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000008.00000003.312181392.0000000004DC0000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000008.00000003.312164856.0000000004C21000.00000004.00000001.sdmp
Source: Binary string: logoncli.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000008.00000003.312181392.0000000004DC0000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
Source: Binary string: netapi32.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000008.00000003.312181392.0000000004DC0000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000008.00000003.312181392.0000000004DC0000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000008.00000003.312181392.0000000004DC0000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 00000008.00000003.312164856.0000000004C21000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000008.00000003.312164856.0000000004C21000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000008.00000003.312164856.0000000004C21000.00000004.00000001.sdmp
Source: Binary string: aenjrhnCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000008.00000002.322630793.00000000002F2000.00000004.00000001.sdmp
Source: Binary string: netutils.pdb source: WerFault.exe, 00000008.00000003.312195419.0000000004DC7000.00000004.00000040.sdmp
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00784348 push dword ptr [00787C50h]; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00748080 push 007480F6h; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_007311B4 push 00731201h; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0073120C push 00731238h; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00746350 push 0074639Fh; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_007463F8 push 00746424h; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_007463C0 push 007463ECh; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0074547C push 007454BAh; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00746468 push 00746494h; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00744454 push 00744480h; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00746430 push 0074645Ch; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_007454FC push 00745534h; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_007464D8 push 00746504h; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_007454C4 push 007454F0h; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_007464A0 push 007464CCh; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00744494 push 007444C0h; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0072D48C push 0072D608h; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00746548 push 00746574h; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00746510 push 0074653Ch; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00746580 push 007465ACh; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0072D60C push 0072D67Bh; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0072D68C push 0072D6B8h; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00743748 push 00743818h; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_007307E0 push 00730856h; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00730858 push 00730900h; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00745820 push 0074584Ch; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_007498F8 push 0074996Dh; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00749970 push 007499C9h; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00743928 push 00743954h; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0073A910 push 0073A9BBh; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_007309EC push 00730A18h; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00745BC4 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: 2663823750648860.dll.7.dr | Static PE information: real checksum: 0xd3885 should be: 0xe6e1
Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Desktop\2663823750648860.dll
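The checksum record above (stored 0xd3885, expected 0xe6e1) is a useful triage signal once you know how the field is derived: IMAGE_OPTIONAL_HEADER.CheckSum is a folded 16-bit sum over the whole file, with the CheckSum dword itself excluded, plus the file length. A stored value that does not match means the bytes changed after the header was written or the value was never set for this build; the same report notes data appended to the last section of the dropped copy, which is one way the mismatch arises. The Windows loader does not validate this field for ordinary user-mode images, so a wrong value never stops the DLL from loading. The code below is an added example written for this page, not part of the Joe Sandbox report or of the sample; it follows the procedure pefile's generate_checksum() implements for imagehlp's algorithm, and the minimal image it builds is constructed test data, not a loadable binary.

```python
import struct


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Value the IMAGE_OPTIONAL_HEADER.CheckSum field should hold for `data`.

    The image is summed as little-endian dwords with the CheckSum dword skipped and any
    32-bit carry folded back in; the sum is then folded to 16 bits and the file length added.
    """
    if checksum_offset % 4 or checksum_offset + 4 > len(data):
        raise ValueError("checksum_offset must be dword-aligned and inside the image")
    padded = bytes(data) + b"\0" * (-len(data) % 4)  # a trailing partial dword is zero-extended
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue  # the field is excluded from its own sum
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def checksum_field_offset(data: bytes) -> int:
    """File offset of CheckSum: e_lfanew + 4 (PE signature) + 20 (IMAGE_FILE_HEADER) + 64.

    The 64-byte offset into the optional header is the same for PE32 and PE32+.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20 + 64


def verify(data: bytes) -> tuple:
    """Return (stored, computed, matches) for a PE image held in memory."""
    off = checksum_field_offset(data)
    (stored,) = struct.unpack_from("<I", data, off)
    computed = pe_checksum(data, off)
    return stored, computed, stored == computed


def make_minimal_pe() -> bytearray:
    """Constructed test image: 64-byte DOS header with e_lfanew=0x40, PE signature,
    zeroed 20-byte file header and a zeroed 96-byte PE32 optional header (184 bytes total)."""
    img = bytearray(0x40 + 4 + 20 + 96)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    return img


if __name__ == "__main__":
    img = make_minimal_pe()
    struct.pack_into("<I", img, checksum_field_offset(img), 0xD3885)  # plant a stale value
    stored, computed, ok = verify(img)
    print(f"real checksum: 0x{stored:x} should be: 0x{computed:x} (match={ok})")
```

For a real file, `verify(open(path, "rb").read())` gives the same stored/computed pair the report prints. A stored value of 0 is the common case for unsigned user-mode binaries and is not suspicious by itself; a non-zero value that is wrong, as here, says the header was valid for some other byte content and is worth a closer look at what was appended or patched.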

Hooking and other Techniques for Hiding and Protection:

Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Source: C:\Windows\System32\loaddll32.exe | Memory written: PID: 5336 base: 11CF380 value: E9 16 6B DB FF
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5636 base: 11CF380 value: E9 16 6B BD FF
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00754200 IsIconic,GetCapture,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00755334 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00754AB4 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00743F0C IsIconic,GetWindowPlacement,GetWindowRect,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00434200 IsIconic,GetCapture,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00434AB4 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0044D04C PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00435334 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0044D76C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0044D81C IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00423F0C IsIconic,GetWindowPlacement,GetWindowRect,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00449FE4 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00745BC4 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_007497F8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_004297F8
Source: C:\Windows\SysWOW64\explorer.exe TID: 5344 | Thread sleep count: 704 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 4556 | Thread sleep time: -148000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe | Window / User API: threadDelayed 704
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_007497F8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_004297F8
Source: C:\Windows\System32\loaddll32.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0073E13C GetSystemInfo,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00724FF4 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00404FF4 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 6_2_00F8B055 FindFirstFileW,FindNextFileW,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_00DAB055 FindFirstFileW,FindNextFileW,
Source: Amcache.hve.8.dr | Binary or memory string: VMware
Source: Amcache.hve.8.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.8.dr | Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr | Binary or memory string: VMware, Inc.
Source: WerFault.exe, 00000008.00000002.324410031.0000000004790000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW0
Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: WerFault.exe, 00000008.00000002.324171497.00000000046A5000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.321425802.00000000046A5000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWnedsblobprdeus15
Source: Amcache.hve.8.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr | Binary or memory string: VMware7,1
Source: Amcache.hve.8.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WerFault.exe, 00000008.00000002.324171497.00000000046A5000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.321425802.00000000046A5000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: Amcache.hve.8.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr | Binary or memory string: VMware, Inc.me
Source: Amcache.hve.8.dr | Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.8.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.8.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04836131 EntryPoint,OutputDebugStringA,GetModuleHandleA,GetModuleFileNameW,GetLastError,memset,MultiByteToWideChar,GetFileAttributesW,CreateThread,SetLastError,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00745BC4 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0483BD83 LdrInitializeThunk,
Source: C:\Windows\System32\loaddll32.exe | Memory protected: page write copy | page execute and write copy | page guard
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_00DA5CA6 RtlAddVectoredExceptionHandler,

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Windows\System32\loaddll32.exe | Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Writes to foreign memory regions
Source: C:\Windows\System32\loaddll32.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: FB0000
Source: C:\Windows\System32\loaddll32.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 11CF380
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: DD0000
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 11CF380
Allocates memory in foreign processes
Source: C:\Windows\System32\loaddll32.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: FB0000 protect: page read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: DD0000 protect: page read and write
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\System32\loaddll32.exe | Memory written: PID: 5336 base: FB0000 value: 9C
Source: C:\Windows\System32\loaddll32.exe | Memory written: PID: 5336 base: 11CF380 value: E9
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5636 base: DD0000 value: 9C
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5636 base: 11CF380 value: E9
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2663823750648860.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                      Source: rundll32.exe, 00000002.00000000.301457142.00000000032C0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.300119474.00000000032C0000.00000002.00020000.sdmp, explorer.exe, 00000007.00000002.691919238.0000000003BC0000.00000002.00020000.sdmpBinary or memory string: Program Manager
                      Source: rundll32.exe, 00000002.00000000.301457142.00000000032C0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.300119474.00000000032C0000.00000002.00020000.sdmp, explorer.exe, 00000007.00000002.691919238.0000000003BC0000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: rundll32.exe, 00000002.00000000.301457142.00000000032C0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.300119474.00000000032C0000.00000002.00020000.sdmp, explorer.exe, 00000007.00000002.691919238.0000000003BC0000.00000002.00020000.sdmpBinary or memory string: Progman
                      Source: rundll32.exe, 00000002.00000000.301457142.00000000032C0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.300119474.00000000032C0000.00000002.00020000.sdmp, explorer.exe, 00000007.00000002.691919238.0000000003BC0000.00000002.00020000.sdmpBinary or memory string: Progmanlock
                      Source: C:\Windows\System32\loaddll32.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\explorer.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\explorer.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\loaddll32.exeCode function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
                      Source: C:\Windows\System32\loaddll32.exeCode function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
                      Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoA,GetACP,
                      Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoA,
                      Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoA,
                      Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,GetACP,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_00DA328D CreateNamedPipeA,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00729A44 GetLocalTime,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0072BEC0 GetVersionExA,
                      Source: rundll32.exe, 00000002.00000000.300301530.00000000049BF000.00000004.00000040.sdmpBinary or memory string: bdagent.exe
                      Source: rundll32.exe, 00000002.00000000.300288378.0000000004944000.00000004.00000040.sdmpBinary or memory string: cmdagent.exe
                      Source: rundll32.exe, 00000002.00000000.300301530.00000000049BF000.00000004.00000040.sdmpBinary or memory string: vsserv.exe
                      Source: rundll32.exe, 00000002.00000000.300301530.00000000049BF000.00000004.00000040.sdmpBinary or memory string: avp.exe
                      Source: rundll32.exe, 00000002.00000000.300288378.0000000004944000.00000004.00000040.sdmpBinary or memory string: SavService.exe
                      Source: Amcache.hve.LOG1.8.dr, Amcache.hve.8.drBinary or memory string: c:\users\user\desktop\procexp.exe
                      Source: Amcache.hve.8.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                      Source: rundll32.exe, 00000002.00000000.300301530.00000000049BF000.00000004.00000040.sdmpBinary or memory string: avgcsrvx.exe
                      Source: rundll32.exe, 00000002.00000000.300288378.0000000004944000.00000004.00000040.sdmpBinary or memory string: dwengine.exe
                      Source: rundll32.exe, 00000002.00000000.300301530.00000000049BF000.00000004.00000040.sdmpBinary or memory string: mcshield.exe
                      Source: rundll32.exe, 00000002.00000000.300301530.00000000049BF000.00000004.00000040.sdmpBinary or memory string: SAVAdminService.exe
                      Source: Amcache.hve.LOG1.8.dr, Amcache.hve.8.drBinary or memory string: procexp.exe
                      Source: rundll32.exe, 00000002.00000000.300301530.00000000049BF000.00000004.00000040.sdmpBinary or memory string: MsMpEng.exe

                      Stealing of Sensitive Information:

                      Yara detected Qbot
                      Source: Yara matchFile source: 2.0.rundll32.exe.2f00000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.rundll32.exe.4830000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.2580000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.explorer.exe.f80000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.0.explorer.exe.f80000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.0.rundll32.exe.47d0184.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.2580000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.explorer.exe.f80000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.0.rundll32.exe.4830000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.0.rundll32.exe.2f00000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.rundll32.exe.47d0184.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.0.rundll32.exe.2f00000.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.rundll32.exe.2f00000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.0.rundll32.exe.47d0184.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.0.rundll32.exe.4830000.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.0.explorer.exe.da0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.2520184.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.rundll32.exe.47d0184.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.0.rundll32.exe.47d0184.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.0.explorer.exe.da0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.0.explorer.exe.f80000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.rundll32.exe.2f00000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.explorer.exe.da0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.0.rundll32.exe.4830000.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.0.rundll32.exe.2f00000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.0.rundll32.exe.47d0184.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.9b0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.rundll32.exe.4830000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.9b0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.2520184.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.0.rundll32.exe.4830000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.explorer.exe.da0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000002.00000000.300055482.0000000002F00000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.330146835.00000000047D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.330176963.0000000004830000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000000.301385547.0000000002F00000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.331967746.0000000000F80000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000000.300209728.0000000004830000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.305731123.0000000002520000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000000.303817977.0000000000F80000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000000.300181290.00000000047D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000000.322630401.0000000000DA0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.690831006.0000000000DA0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000000.301506954.00000000047D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.330052618.0000000002F00000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.305504607.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.305748370.0000000002580000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000000.301526882.0000000004830000.00000040.00000001.sdmp, type: MEMORY

                      Remote Access Functionality:

                      Yara detected Qbot
                      Source: Yara match (same unpacked PE and memory dump sources as listed under Stealing of Sensitive Information above)

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Native API1 | Application Shimming1 | Process Injection413 | Masquerading1 | Credential API Hooking1 | System Time Discovery1 | Remote Services | Screen Capture1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Application Shimming1 | Virtualization/Sandbox Evasion2 | Input Capture21 | Security Software Discovery151 | Remote Desktop Protocol | Credential API Hooking1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools1 | Security Account Manager | Virtualization/Sandbox Evasion2 | SMB/Windows Admin Shares | Input Capture21 | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection413 | NTDS | Process Discovery3 | Distributed Component Object Model | Archive Collected Data1 | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | Application Window Discovery11 | SSH | Clipboard Data1 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information2 | Cached Domain Credentials | Remote System Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Rundll321 | DCSync | File and Directory Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing1 | Proc Filesystem | System Information Discovery25 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                      Behavior Graph ID: 545754  Sample: 2663823750648860.dll  Startdate: 27/12/2021  Architecture: WINDOWS  Score: 92
                      Sample-level signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Qbot; Sigma detected: Suspicious Call by Ordinal
                      Process tree:
                        loaddll32.exe (started)
                          signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 3 other signatures
                          cmd.exe (started)
                            rundll32.exe (started)
                              signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 3 other signatures
                              explorer.exe (started)
                                dropped: C:\Users\user\Desktop\2663823750648860.dll, PE32
                              WerFault.exe (started)
                          explorer.exe (started)

                      Source | Detection | Scanner | Label | Link
                      2663823750648860.dll | 31% | Virustotal | | Browse
                      2663823750648860.dll | 26% | ReversingLabs | Win32.Backdoor.Quakbot |
                      No Antivirus matches
                      Source | Detection | Scanner | Label | Link | Download
                      2.2.rundll32.exe.47d0184.2.unpack | 100% | Avira | TR/Kazy.4159236 | | Download File
                      0.2.loaddll32.exe.2520184.2.unpack | 100% | Avira | TR/Kazy.4159236 | | Download File
                      2.0.rundll32.exe.47d0184.6.unpack | 100% | Avira | TR/Kazy.4159236 | | Download File
                      2.0.rundll32.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1108767 | | Download File
                      2.0.rundll32.exe.400000.4.unpack | 100% | Avira | HEUR/AGEN.1108767 | | Download File
                      2.2.rundll32.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1108767 | | Download File
                      2.0.rundll32.exe.47d0184.2.unpack | 100% | Avira | TR/Kazy.4159236 | | Download File
                      0.2.loaddll32.exe.720000.0.unpack | 100% | Avira | HEUR/AGEN.1108767 | | Download File
                      No Antivirus matches
                      Source | Detection | Scanner | Label | Link
                      http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | 0% | URL Reputation | safe |
                      https://sectigo.com/CPS0 | 0% | URL Reputation | safe |
                      http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | 0% | URL Reputation | safe |
                      http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | 0% | URL Reputation | safe |
                      http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | 0% | URL Reputation | safe |
                      http://ocsp.sectigo.com0 | 0% | URL Reputation | safe |
                      No contacted domains info
                      Name | Source | Malicious | Antivirus Detection | Reputation
                      http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | WerFault.exe, 00000008.00000002.324551339.0000000004ED0000.00000002.00020000.sdmp, 2663823750648860.dll | false | URL Reputation: safe | unknown
                      http://upx.sf.net | Amcache.hve.8.dr | false | | high
                      https://sectigo.com/CPS0 | WerFault.exe, 00000008.00000002.324551339.0000000004ED0000.00000002.00020000.sdmp, 2663823750648860.dll | false | URL Reputation: safe | unknown
                      http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | WerFault.exe, 00000008.00000002.324551339.0000000004ED0000.00000002.00020000.sdmp, 2663823750648860.dll | false | URL Reputation: safe | unknown
                      http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | WerFault.exe, 00000008.00000002.324551339.0000000004ED0000.00000002.00020000.sdmp, 2663823750648860.dll | false | URL Reputation: safe | unknown
                      http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | WerFault.exe, 00000008.00000002.324551339.0000000004ED0000.00000002.00020000.sdmp, 2663823750648860.dll | false | URL Reputation: safe | unknown
                      http://ocsp.sectigo.com0 | WerFault.exe, 00000008.00000002.324551339.0000000004ED0000.00000002.00020000.sdmp, 2663823750648860.dll | false | URL Reputation: safe | unknown
                        No contacted IP infos

                        General Information

                        Joe Sandbox Version:34.0.0 Boulder Opal
                        Analysis ID:545754
                        Start date:27.12.2021
                        Start time:22:16:00
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 11m 16s
                        Hypervisor based Inspection enabled:false
                        Report type:light
                        Sample file name:2663823750648860.dll
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                        Run name:Run with higher sleep bypass
                        Number of new started processes analysed:24
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal92.troj.evad.winDLL@10/7@0/0
                        EGA Information:Failed
                        HDC Information:
                        • Successful, ratio: 38.7% (good quality ratio 37.8%)
                        • Quality average: 79.9%
                        • Quality standard deviation: 24.5%
                        HCA Information:
                        • Successful, ratio: 96%
                        • Number of executed functions: 0
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Adjust boot time
                        • Enable AMSI
                        • Sleeps bigger than 120000ms are automatically reduced to 1000ms
                        • Found application associated with file extension: .dll
                        Warnings:
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                        • Excluded IPs from analysis (whitelisted): 20.42.73.29, 52.251.79.25, 20.54.110.249
                        • Excluded domains from analysis (whitelisted): displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, arc.msn.com, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                        • Not all processes were analyzed, report is missing behavior information
                        • Report creation exceeded maximum time and may have missing disassembly code information.
                        No simulations
                        No context
                        C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_f39793c21e501f19e18e1252204ca53eca8f23a3_82810a17_1b2d7e47\Report.wer
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):65536
                        Entropy (8bit):0.9825185313967902
                        Encrypted:false
                        SSDEEP:192:mJi50oXjHBUZMX4jed+yvi1/u7sK/S274ItWc:ki3XjBUZMX4jenu/u7sK/X4ItWc
                        MD5:7BEF473AD1C250B06A032B655D45633B
                        SHA1:A3940F480D948B485E3585880FD29C7C3D45BA7E
                        SHA-256:D3258C715A82C352C3BD1ACFD0A40F8DF635820F9A4414DBD6A243EE55969348
                        SHA-512:F7D2BF50452B676D7CB1B53B4947D5069D123C4E9B219C11893F6C96172489511539E79D8270EE5EABEAEF9B645ADA08FFB646EFC62B402C6A275FC5887ADC00
                        Malicious:false
                        Reputation:low
                        Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.5.1.4.5.8.2.5.9.4.2.0.8.5.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.5.1.4.5.8.3.0.5.8.2.7.2.3.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.1.6.b.a.1.3.4.-.1.d.2.8.-.4.0.2.3.-.8.1.d.9.-.9.e.a.f.b.1.c.d.1.a.6.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.4.f.1.f.3.9.4.-.8.5.3.0.-.4.4.9.d.-.9.8.8.5.-.a.d.d.8.4.4.c.4.5.c.d.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.9.c.-.0.0.0.1.-.0.0.1.c.-.1.9.1.4.-.4.5.8.5.b.2.f.b.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER664A.tmp.dmp
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Mini DuMP crash report, 14 streams, Tue Dec 28 06:17:07 2021, 0x1205a4 type
                        Category:dropped
                        Size (bytes):54670
                        Entropy (8bit):2.075149597322524
                        Encrypted:false
                        SSDEEP:192:q2FDgBAcu6H71eO5SkbCDO8XGQOf6NNjNWQdyDqq/zeXYLYFdn:5HRGZ5LbCNC6N/WQWqqGFd
                        MD5:3427ACF83799A541A21A6A7BDEA45BF4
                        SHA1:E07C5A022ABDD31A3B3FB2389A281F8144AA8C29
                        SHA-256:4AAB507FE4DB701FAE1EFE45503972472BD50BA8F58EC3C96A07142E6408F722
                        SHA-512:F9B50C2E3040A2EFE5B939BCFA2BDDF879000B95E624A531B21C605794DE9642182FB632377EF86F424365D887B1B438E2784E74B18C57DD05A798A94F491B39
                        Malicious:false
                        Reputation:low
                        Preview: MDMP....... .........a........................`...........4....4..........T.......8...........T...........h ..&...........,............ ...................................................................U...........B....... ......GenuineIntelW...........T.............a.............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER6DDC.tmp.WERInternalMetadata.xml
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):8302
                        Entropy (8bit):3.6962551786355817
                        Encrypted:false
                        SSDEEP:192:Rrl7r3GLNiAS6D4Ae6Y6b6YgmfT9SSCprX89bKMsfLOm:RrlsNiV666YG6YgmfT9SyKff7
                        MD5:6824A87E7D46B2083DDED1A7C24400D6
                        SHA1:1D91802A841E86CFE70FD377E0EA0A35B468C77F
                        SHA-256:B484EE30FDCAB7D2C7B627E48BFD8F2C2D24732C39522B1E5F8261F53358341F
                        SHA-512:4C2D235E16CC27611FFF5B64492FA3FF52F209F986ED9792C0A3FF9F39AA6434DD5FF8EFAAAB4AB7E608A4E9A2D7A33F7194A31BE5A5608FBDF19CEBDEFBE097
                        Malicious:false
                        Reputation:low
                        Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.8.1.2.<./.P.i.d.>.......
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER7168.tmp.xml
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):4670
                        Entropy (8bit):4.496566928075135
                        Encrypted:false
                        SSDEEP:48:cvIwSD8zszJgtWI9VqJIWSC8Bv/s8fm8M4JCdsfZFg+q8/Ovv4SrSOd:uITfNbfSN55JlchvDWOd
                        MD5:ECC37558FC70FFBACF9C43522E0863B2
                        SHA1:2D2A2EA516CDAFF40129021FCF55E2CC901718FB
                        SHA-256:2C69E3B0F08A8F52846C716FA90B8A0928DF2BCCE268122A31A3833B373669B4
                        SHA-512:7F67348484CB7B457D8A28200FCA58B2B47AE9DE91189BFB641BA5775032E18076F18E266433297D290AD7D11E51B3821C61F7DFF937F68D3058FA0AB1CD72F8
                        Malicious:false
                        Reputation:low
                        Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1317087" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                        C:\Users\user\Desktop\2663823750648860.dll
                        Process:C:\Windows\SysWOW64\explorer.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):4096
                        Entropy (8bit):4.386149525268657
                        Encrypted:false
                        SSDEEP:48:OEPGD6I8LgS72DsOA1dyqQrD1tXPFJhsppwAOY5iRYgZX0dB1mkK52wR6PD:nPGot2Dk1dyqIF9JhsLwAOhf2ZW2wIPD
                        MD5:FDE994C2930356C024ACDB2BBB7E5EFA
                        SHA1:72E89EF4F628BD724A26D51992FE9803790E5CA9
                        SHA-256:9EA0E87704B638607FC556EE4C2C302F4C73CDEE77FF39F652A113AA7C99A22C
                        SHA-512:714FA584D1EB55247E8E0E22D78CDAE9E58DD6E955E758EE3F645A29EC2DFD1DB84461C73CC3224969471E2FB41F2F65BD2A91DAD413DCA638B2B36DFDB99628
                        Malicious:true
                        Reputation:low
                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................8..........HC.......P....@..................................8...........................................!... ...`...........>..........Lk..................................................................................CODE.....6.......8.................. ..`DATA.........P.......<..............@...BSS..........p.......P...................idata...!......."...P..............@....reloc..Lk.......l...r..............@..P.rsrc....`... ...`..................@..P.....................>..............@..P........................................................................................................................................................................................................................
                        C:\Windows\appcompat\Programs\Amcache.hve
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:MS Windows registry file, NT/2000 or above
                        Category:dropped
                        Size (bytes):1572864
                        Entropy (8bit):4.275113904173718
                        Encrypted:false
                        SSDEEP:12288:z06qxXJSQo4MP7Q1BG72a1xxGrtQ6FMPOzsJO8G4dnRdgziHW/Jqs1:g6qxXJSQo4MP7QKp
                        MD5:8891AD1CFF546B7D6435CAB7B57139C6
                        SHA1:CC1E63C9CFDB296127FF6133FE30E4720A410B84
                        SHA-256:3267666B3BA87E6D8627CA84AFAFCEF8C5FBFD48B9B87BCE45EFF948FE053389
                        SHA-512:A3643CE1F7C44D160F26199CC6B4CD033FBA5E028F26750C65FFB611116D6E61B1CC4C70456D89795610ACDA0FCF628F41A817831E86DA635B0325632EB72F99
                        Malicious:false
                        Preview: regfZ...Z...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmN.a...................................................................................................................................................................................................................................................................................................................................................e.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        C:\Windows\appcompat\Programs\Amcache.hve.LOG1
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:MS Windows registry file, NT/2000 or above
                        Category:dropped
                        Size (bytes):24576
                        Entropy (8bit):4.031958056980713
                        Encrypted:false
                        SSDEEP:384:BOSp3B5Rftx1bPJ4XwsFcnE7kUPBqXrSeq5QMVyi6+/Rjl4Lk4KZd1DoXzn9XvwD:3pvRftx1DJ4X1FcE7BBqX+eq5QMVyi6C
                        MD5:877ED5ABF2D190F2DEBFC9F528A8C07A
                        SHA1:FB5CA0BBD2E4A8CD3ABDA204CEE759C19C336930
                        SHA-256:083185A150D5622E3344D4FC095E8D0BA6403841817ADBBDD0865E63C004904F
                        SHA-512:5F27B2D522FCFB5A1F340F6D1018DF509BD5F5208B92A6A83BB17EDBC54CB6B4C3D6ABCDC3F0B78AE5287474E688BAC5CCDF3BB818B4D306E4A2E755790EE69A
                        Malicious:false
                        Preview: regfY...Y...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmN.a...................................................................................................................................................................................................................................................................................................................................................e.HvLE.^......Y............s...J.....1..C.........0................... ..hbin................p.\..,..........nk,...c..................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ...c......... ........................... .......Z.......................Root........lf......Root....nk ...c......................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck...

                        Static File Info

                        General

                        File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):6.019312669866233
                        TrID:
                        • Win32 Dynamic Link Library (generic) (1002004/3) 97.97%
                        • Win32 Executable Delphi generic (14689/80) 1.44%
                        • Win16/32 Executable Delphi generic (2074/23) 0.20%
                        • Generic Win/DOS Executable (2004/3) 0.20%
                        • DOS Executable Generic (2002/1) 0.20%
                        File name:2663823750648860.dll
                        File size:808968
                        MD5:8cb16d054c16e0ca76b3ff0531b36068
                        SHA1:5de90fb5fc70b30155be64b04ea852630ab60f67
                        SHA256:8b93200127039c0f4387c357c52d6b1cc0d68c2c3bfe7c869d1466440e3a570c
                        SHA512:23dd5ae3a57a0fffd44447934c7bde81f80da054c0cc591f289063cf32029bdcf276a332e628d50372c96dabec9b6bd0011f8989e52ed55005822f7c3397adc0
                        SSDEEP:12288:iB8f4xLhGkZQsxxUlBigSgaxAVwz7x4ftLqJfw:mi4SkZ7m/igSgaxAVwuWw
                        File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

                        File Icon

                        Icon Hash:b99988fcd4f66e0f

                        General

                        Entrypoint:0x464348
                        Entrypoint Section:CODE
                        Digitally signed:true
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
                        DLL Characteristics:
                        Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:6a7707fd73880ddab159ae76fca6e136
                        Signature Valid:false
                        Signature Issuer:CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
                        Signature Validation Error:A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file
                        Error Number:-2146762495
                        Not Before, Not After
                        • 12/18/2021 4:00:00 PM 12/19/2022 3:59:59 PM
                        Subject Chain
                        • CN=AXIUM NORTHWESTERN HYDRO INC., O=AXIUM NORTHWESTERN HYDRO INC., S=Ontario, C=CA
                        Version:3
                        Thumbprint MD5:DBE7F24E7D5F2DC6EC70A07071F4C75E
                        Thumbprint SHA-1:6C15651791EA8D91909A557EADABE3581B4D1BE9
                        Thumbprint SHA-256:7F685DA41300DC815B00BC7FEFE90A4D7355A66793D3F4969993FFE3CDB2C573
                        Serial:00AA1D84779792B57F91FE7A4BDE041942
                        Instruction
                        push ebp
                        mov ebp, esp
                        add esp, FFFFFFC4h
                        push ebx
                        mov eax, 004640E8h
                        call 00007FA190B39708h
                        mov dword ptr [00467C6Ch], esp
                        add dword ptr [00467C6Ch], 44h
                        mov dword ptr [00467C70h], ebp
                        add dword ptr [00467C70h], 20h
                        lea ecx, dword ptr [00467660h]
                        mov eax, dword ptr [ecx-10h]
                        mov dword ptr [00467C78h], eax
                        mov eax, dword ptr [ecx-14h]
                        mov dword ptr [00467C74h], eax
                        mov dword ptr [00467C80h], 0008A7BCh
                        mov dword ptr [00467C94h], 00000033h
                        push 00000000h
                        call 00007FA190B39BD1h
                        inc dword ptr [00467C94h]
                        cmp dword ptr [00467C94h], 0024D961h
                        jne 00007FA190B97CB9h
                        mov dword ptr [00467C94h], 00000033h
                        push 00000000h
                        call 00007FA190B39BAEh
                        inc dword ptr [00467C94h]
                        cmp dword ptr [00467C94h], 031FC9E1h
                        jne 00007FA190B97CB9h
                        push 00000978h
                        push 00000000h
                        call 00007FA190B3A030h
                        test eax, eax
                        jne 00007FA190B97FA9h
                        push 0000006Fh
                        push 0000000Ah
                        mov ecx, dword ptr [00467660h]
                        mov dl, 01h
                        mov eax, dword ptr [004120E4h]
                        call 00007FA190B49AF2h
                        mov dword ptr [00467C38h], eax
                        mov dword ptr [00467C7Ch], 0000013Ch
                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x68000 | 0x21dc | .idata
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x72000 | 0x56000 | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0xc3e00 | 0x1a08 | .rsrc
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6b000 | 0x6b4c | .reloc
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        CODE | 0x1000 | 0x636c8 | 0x63800 | False | 0.52874479821 | data | 6.52738931362 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                        DATA | 0x65000 | 0x130c | 0x1400 | False | 0.441796875 | data | 4.20508350135 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                        BSS | 0x67000 | 0xc99 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                        .idata | 0x68000 | 0x21dc | 0x2200 | False | 0.370059742647 | data | 5.03718449636 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                        .reloc | 0x6b000 | 0x6b4c | 0x6c00 | False | 0.611870659722 | data | 6.6415642971 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                        .rsrc | 0x72000 | 0x56000 | 0x56000 | False | 0.355962708939 | data | 4.1917592262 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                        Name | RVA | Size | Type | Language | Country
                        RT_CURSOR | 0x72b78 | 0x134 | data | |
                        RT_CURSOR | 0x72cac | 0x134 | data | |
                        RT_CURSOR | 0x72de0 | 0x134 | data | |
                        RT_CURSOR | 0x72f14 | 0x134 | data | |
                        RT_CURSOR | 0x73048 | 0x134 | data | |
                        RT_CURSOR | 0x7317c | 0x134 | data | |
                        RT_CURSOR | 0x732b0 | 0x134 | data | |
                        RT_CURSOR | 0x733e4 | 0x134 | data | |
                        RT_BITMAP | 0x73518 | 0x1d0 | data | |
                        RT_BITMAP | 0x736e8 | 0x1e4 | data | |
                        RT_BITMAP | 0x738cc | 0x1d0 | data | |
                        RT_BITMAP | 0x73a9c | 0x1d0 | data | |
                        RT_BITMAP | 0x73c6c | 0x1d0 | data | |
                        RT_BITMAP | 0x73e3c | 0x1d0 | data | |
                        RT_BITMAP | 0x7400c | 0x1d0 | data | |
                        RT_BITMAP | 0x741dc | 0x1d0 | data | |
                        RT_BITMAP | 0x743ac | 0x1d0 | data | |
                        RT_BITMAP | 0x7457c | 0x1d0 | data | |
                        RT_BITMAP | 0x7474c | 0xe8 | GLS_BINARY_LSB_FIRST | |
                        RT_ICON | 0x74834 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 49, next used block 48059 | English | United States
                        RT_DIALOG | 0x74b1c | 0x52 | data | |
                        RT_STRING | 0x74b70 | 0xc0 | data | |
                        RT_STRING | 0x74c30 | 0x368 | data | |
                        RT_STRING | 0x74f98 | 0x250 | data | |
                        RT_STRING | 0x751e8 | 0x1d4 | data | |
                        RT_STRING | 0x753bc | 0xec | data | |
                        RT_STRING | 0x754a8 | 0x2fc | data | |
                        RT_STRING | 0x757a4 | 0xd4 | data | |
                        RT_STRING | 0x75878 | 0x110 | data | |
                        RT_STRING | 0x75988 | 0x24c | data | |
                        RT_STRING | 0x75bd4 | 0x3f8 | data | |
                        RT_STRING | 0x75fcc | 0x384 | data | |
                        RT_STRING | 0x76350 | 0x440 | data | |
                        RT_STRING | 0x76790 | 0x160 | data | |
                        RT_STRING | 0x768f0 | 0xec | data | |
                        RT_STRING | 0x769dc | 0x20c | data | |
                        RT_STRING | 0x76be8 | 0x3f4 | data | |
                        RT_STRING | 0x76fdc | 0x340 | data | |
                        RT_STRING | 0x7731c | 0x2c4 | data | |
                        RT_RCDATA | 0x775e0 | 0x10 | data | |
                        RT_RCDATA | 0x775f0 | 0x318 | data | |
                        RT_RCDATA | 0x77908 | 0x504c4 | data | Indonesian | Indonesia
                        RT_GROUP_CURSOR | 0xc7dcc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
                        RT_GROUP_CURSOR | 0xc7de0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
                        RT_GROUP_CURSOR | 0xc7df4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
                        RT_GROUP_CURSOR | 0xc7e08 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
                        RT_GROUP_CURSOR | 0xc7e1c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
                        RT_GROUP_CURSOR | 0xc7e30 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
                        RT_GROUP_CURSOR | 0xc7e44 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
                        RT_GROUP_CURSOR | 0xc7e58 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
                        RT_GROUP_ICON | 0xc7e6c | 0x14 | data | English | United States
                        DLL | Import
                        kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
                        user32.dll | GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
                        advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
                        oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
                        kernel32.dll | TlsSetValue, TlsGetValue, TlsFree, TlsAlloc, LocalFree, LocalAlloc
                        advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
                        kernel32.dll | lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualAllocEx, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
                        version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
                        gdi32.dll | UnrealizeObject, TextOutA, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetTextAlign, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RoundRect, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, Polygon, PlayEnhMetaFile, Pie, PatBlt, MoveToEx, MaskBlt, LineTo, LPtoDP, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetTextAlign, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetMapMode, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetDCPenColor, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBkMode, GetBkColor, GetBitmapBits, ExtSelectClipRgn, ExtCreatePen, ExcludeClipRect, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePolygonRgn, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt, Arc
                        user32.dll | CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconW, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
                        kernel32.dll | Sleep
                        oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
                        comctl32.dll | ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
                        Language of compilation system | Country where language is spoken
                        English | United States
                        Indonesian | Indonesia

                        Network Behavior

                        No network behavior found

                        Code Manipulations

                        Statistics

                        Behavior

                        System Behavior

                        Start time:22:16:58
                        Start date:27/12/2021
                        Path:C:\Windows\System32\loaddll32.exe
                        Wow64 process (32bit):true
                        Commandline:loaddll32.exe "C:\Users\user\Desktop\2663823750648860.dll"
                        Imagebase:0x9f0000
                        File size:116736 bytes
                        MD5 hash:7DEB5DB86C0AC789123DEC286286B938
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:Borland Delphi
                        Yara matches:
                        • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000000.00000002.305731123.0000000002520000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000000.00000002.305504607.00000000009B0000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000000.00000002.305748370.0000000002580000.00000040.00000001.sdmp, Author: Joe Security
                        Reputation:moderate
                        Start time:22:16:58
                        Start date:27/12/2021
                        Path:C:\Windows\SysWOW64\cmd.exe
                        Wow64 process (32bit):true
                        Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2663823750648860.dll",#1
                        Imagebase:0xd80000
                        File size:232960 bytes
                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Start time: 22:16:59
                        Start date: 27/12/2021
                        Path: C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit): true
                        Commandline: rundll32.exe "C:\Users\user\Desktop\2663823750648860.dll",#1
                        Imagebase: 0xae0000
                        File size: 61952 bytes
                        MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: Borland Delphi
                        Yara matches:
                        • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000002.00000000.300055482.0000000002F00000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000002.00000002.330146835.00000000047D0000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000002.00000002.330176963.0000000004830000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000002.00000000.301385547.0000000002F00000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000002.00000000.300209728.0000000004830000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000002.00000000.300181290.00000000047D0000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000002.00000000.301506954.00000000047D0000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000002.00000002.330052618.0000000002F00000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000002.00000000.301526882.0000000004830000.00000040.00000001.sdmp, Author: Joe Security
                        Reputation: high
                        Start time: 22:17:02
                        Start date: 27/12/2021
                        Path: C:\Windows\SysWOW64\explorer.exe
                        Wow64 process (32bit): true
                        Commandline: C:\Windows\SysWOW64\explorer.exe
                        Imagebase: 0x1110000
                        File size: 3611360 bytes
                        MD5 hash: 166AB1B9462E5C1D6D18EC5EC0B6A5F7
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000006.00000002.331967746.0000000000F80000.00000040.00020000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000006.00000000.303817977.0000000000F80000.00000040.00020000.sdmp, Author: Joe Security
                        Reputation: high
                        Start time: 22:17:02
                        Start date: 27/12/2021
                        Path: C:\Windows\SysWOW64\explorer.exe
                        Wow64 process (32bit): true
                        Commandline: C:\Windows\SysWOW64\explorer.exe
                        Imagebase: 0x1110000
                        File size: 3611360 bytes
                        MD5 hash: 166AB1B9462E5C1D6D18EC5EC0B6A5F7
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000007.00000000.322630401.0000000000DA0000.00000040.00020000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000007.00000002.690831006.0000000000DA0000.00000040.00020000.sdmp, Author: Joe Security
                        Reputation: high
                        Start time: 22:17:02
                        Start date: 27/12/2021
                        Path: C:\Windows\SysWOW64\WerFault.exe
                        Wow64 process (32bit): true
                        Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 6812 -s 208
                        Imagebase: 0xa40000
                        File size: 434592 bytes
                        MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Reputation: high
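The process records above are the raw material a detection engineer would turn into rules: rundll32.exe invoking the DLL's export by ordinal (`,#1`), a 32-bit explorer.exe started from SysWOW64 by that rundll32 process, and a WerFault.exe launch naming the crashed PID. The following is an added example, not code from the Joe Sandbox report or from the Qbot sample, that runs those three checks over a constructed set of process-creation events copied from the command lines listed above. The PIDs and the parent/child links are assumptions taken from the order of the records; this section of the report prints no parent field.

```python
"""Added example, not part of the Joe Sandbox report.

Runs process-creation checks over a CONSTRUCTED event set that mirrors the
command lines in the report.  PIDs and parent/child links are ASSUMPTIONS
taken from the order of the records (loaddll32 -> cmd -> rundll32 -> explorer).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SYSWOW64 = "c:\\windows\\syswow64\\"


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# rundll32 <dll>,#<n>: the export is called by ordinal rather than by name
ORDINAL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^"]+?)"?\s*,\s*#(\d+)', re.IGNORECASE)
# WerFault's -p switch carries the PID of the process being reported as crashed
WERFAULT_PID_RE = re.compile(r"\bwerfault\.exe\b.*?\s-p\s+(\d+)", re.IGNORECASE)


def rundll32_ordinal_call(cmdline: str) -> Optional[Tuple[str, int]]:
    """Return (dll_path, ordinal) for a ',#N' rundll32 invocation, else None."""
    m = ORDINAL_RE.search(cmdline)
    return (m.group(1), int(m.group(2))) if m else None


def werfault_target(cmdline: str) -> Optional[int]:
    """PID named by WerFault's -p switch, or None if the line is not a WerFault launch."""
    m = WERFAULT_PID_RE.search(cmdline)
    return int(m.group(1)) if m else None


def explorer_anomalies(ev: ProcEvent, by_pid: dict) -> List[str]:
    """Reasons an explorer.exe start does not look like the user's shell."""
    reasons = []
    if not ev.image.lower().endswith("\\explorer.exe"):
        return reasons
    if ev.image.lower().startswith(SYSWOW64):
        reasons.append("32-bit explorer.exe from SysWOW64 (the shell normally runs 64-bit from C:\\Windows)")
    parent = by_pid.get(ev.ppid)
    if parent is not None and parent.image.lower().endswith("\\rundll32.exe"):
        reasons.append("explorer.exe spawned by rundll32.exe")
    return reasons


def evaluate(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Apply all checks; returns (pid, finding) pairs."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        img = e.image.lower()
        hit = rundll32_ordinal_call(e.cmdline)
        # only the rundll32 process itself is flagged; cmd.exe merely relays the line
        if hit and img.endswith("\\rundll32.exe"):
            findings.append((e.pid, f"rundll32 called export #{hit[1]} of {hit[0]}"))
        for r in explorer_anomalies(e, by_pid):
            findings.append((e.pid, r))
        crashed = werfault_target(e.cmdline)
        if crashed is not None:
            who = by_pid[crashed].image if crashed in by_pid else "pid not in event set"
            findings.append((e.pid, f"WerFault reporting crash of pid {crashed} ({who})"))
    return findings


# CONSTRUCTED events; PIDs are invented, command lines are the ones printed in the report
SAMPLE_EVENTS = [
    ProcEvent(1000, 900, "C:\\Windows\\SysWOW64\\loaddll32.exe",
              'loaddll32.exe "C:\\Users\\user\\Desktop\\2663823750648860.dll"'),
    ProcEvent(1001, 1000, "C:\\Windows\\SysWOW64\\cmd.exe",
              'cmd.exe /C rundll32.exe "C:\\Users\\user\\Desktop\\2663823750648860.dll",#1'),
    ProcEvent(1002, 1001, "C:\\Windows\\SysWOW64\\rundll32.exe",
              'rundll32.exe "C:\\Users\\user\\Desktop\\2663823750648860.dll",#1'),
    ProcEvent(1003, 1002, "C:\\Windows\\SysWOW64\\explorer.exe", "C:\\Windows\\SysWOW64\\explorer.exe"),
    ProcEvent(1004, 1002, "C:\\Windows\\SysWOW64\\explorer.exe", "C:\\Windows\\SysWOW64\\explorer.exe"),
    ProcEvent(1005, 1002, "C:\\Windows\\SysWOW64\\WerFault.exe",
              "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 6812 -s 208"),
]

if __name__ == "__main__":
    for pid, finding in evaluate(SAMPLE_EVENTS):
        print(pid, finding)
```

Against the constructed events this yields six findings: one ordinal call on the rundll32 process, two anomalies for each of the two explorer.exe launches, and the WerFault crash report, whose PID 6812 does not correspond to any event in the set because the report does not say which process crashed.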
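The `Source:` field of each YARA match above is a memory-dump name rather than a file, and reading it tells you where in each process the Qbot code was found. The following is an added example, not code from the Joe Sandbox report, that decodes those names. The field layout it assumes (process index, snapshot, dump id, base address, page protection, region type, separated by dots) is an assumption about Joe Sandbox's dump naming; the protection values it decodes are the Windows `PAGE_*` constants from winnt.h, and the sixteen input strings are copied from the records above.

```python
"""Added example, not part of the Joe Sandbox report.

Decodes the 'Source:' dump names of the YARA matches.  The field layout
(process . snapshot . dump_id . base . protection . type . sdmp) is an
ASSUMPTION about Joe Sandbox's naming; protection values are winnt.h PAGE_*.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

PAGE_PROTECTION = {
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
}

SOURCE_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]+)\."
    r"([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)


def parse_source(src: str) -> dict:
    """Split a dump name into its fields; raises on anything that does not fit the assumed layout."""
    m = SOURCE_RE.match(src)
    if not m:
        raise ValueError(f"unrecognised dump name: {src}")
    proc, snap, dump_id, base, prot, rtype = m.groups()
    prot_val = int(prot, 16)
    return {
        "process": int(proc, 16),       # index of the process in the report, not a Windows PID
        "snapshot": int(snap, 16),      # assumed: which dump pass the region was captured in
        "dump_id": dump_id,             # opaque counter, kept as text
        "base": int(base, 16),          # virtual base address of the dumped region
        "protection": PAGE_PROTECTION.get(prot_val, hex(prot_val)),
        "region_type": int(rtype, 16),  # not decoded here
    }


def executable_writable(info: dict) -> bool:
    """True when the matched region was mapped RWX, the usual home of unpacked or injected code."""
    return info["protection"] == "PAGE_EXECUTE_READWRITE"


def summarize(sources: List[str]) -> Dict[Tuple[int, int], Set[int]]:
    """Group matches by (process, base) and collect the snapshots in which each region matched."""
    table = defaultdict(set)
    for s in sources:
        i = parse_source(s)
        table[(i["process"], i["base"])].add(i["snapshot"])
    return dict(table)


# CONSTRUCTED input: the Source fields of the YARA matches printed in the report
REPORT_SOURCES = [
    "00000000.00000002.305731123.0000000002520000.00000040.00000001.sdmp",
    "00000000.00000002.305504607.00000000009B0000.00000040.00000001.sdmp",
    "00000000.00000002.305748370.0000000002580000.00000040.00000001.sdmp",
    "00000002.00000000.300055482.0000000002F00000.00000040.00000001.sdmp",
    "00000002.00000002.330146835.00000000047D0000.00000040.00000001.sdmp",
    "00000002.00000002.330176963.0000000004830000.00000040.00000001.sdmp",
    "00000002.00000000.301385547.0000000002F00000.00000040.00000001.sdmp",
    "00000002.00000000.300209728.0000000004830000.00000040.00000001.sdmp",
    "00000002.00000000.300181290.00000000047D0000.00000040.00000001.sdmp",
    "00000002.00000000.301506954.00000000047D0000.00000040.00000001.sdmp",
    "00000002.00000002.330052618.0000000002F00000.00000040.00000001.sdmp",
    "00000002.00000000.301526882.0000000004830000.00000040.00000001.sdmp",
    "00000006.00000002.331967746.0000000000F80000.00000040.00020000.sdmp",
    "00000006.00000000.303817977.0000000000F80000.00000040.00020000.sdmp",
    "00000007.00000000.322630401.0000000000DA0000.00000040.00020000.sdmp",
    "00000007.00000002.690831006.0000000000DA0000.00000040.00020000.sdmp",
]

if __name__ == "__main__":
    for (proc, base), snaps in sorted(summarize(REPORT_SOURCES).items()):
        print(f"process {proc}: region 0x{base:X} matched in snapshots {sorted(snaps)}")
```

Every one of the sixteen matches sits in a `PAGE_EXECUTE_READWRITE` region, and the two explorer.exe processes each have a single matching region (0xF80000 and 0xDA0000) that is well away from their 0x1110000 image base, which is consistent with the injection signatures the report raises for explorer.exe.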

                        Disassembly

                        Code Analysis