Create Interactive Tour

Windows Analysis Report
EMP.dll

Overview

General Information

Sample Name:	EMP.dll
Analysis ID:	705117
MD5:	39412a5854f88089d18da288bc8bb6ae
SHA1:	5f3fafba0569e43997009347014caf0ea51d39f3
SHA256:	ac2a4eb967e709a08ee39c6b5f983a3cebf6e35897564f742ef6e8ee0914e443
Infos:

Detection

Score:	23
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Creates a DirectInput object (often for capturing keystrokes)

One or more processes crash

Tries to load missing DLLs

Creates a process in suspended mode (likely to inject code)

Installs a global mouse hook

Entry point lies outside standard sections

PE file contains sections with non-standard names

Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample may be VM or Sandbox-aware, try analysis on a native machine

Sample crashes during execution, try analyze it on another analysis machine

Process Tree

System is w10x64

loaddll64.exe (PID: 5216 cmdline: loaddll64.exe "C:\Users\user\Desktop\EMP.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)

cmd.exe (PID: 5228 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\EMP.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

rundll32.exe (PID: 5204 cmdline: rundll32.exe "C:\Users\user\Desktop\EMP.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)

WerFault.exe (PID: 5752 cmdline: C:\Windows\system32\WerFault.exe -u -p 5204 -s 436 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)

rundll32.exe (PID: 5136 cmdline: rundll32.exe C:\Users\user\Desktop\EMP.dll,EMP MD5: 73C519F050C20580F8A62C849D49215A)

WerFault.exe (PID: 5720 cmdline: C:\Windows\system32\WerFault.exe -u -p 5136 -s 428 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)

WerFault.exe (PID: 5172 cmdline: C:\Windows\system32\WerFault.exe -u -p 5216 -s 492 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• HIPS / PFW / Operating System Protection Evasion

Click to jump to signature section

Show All Signature Results

Source: loaddll64.exe

Binary or memory string: DirectInput8Create

Source: C:\Windows\System32\loaddll64.exe

Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\dinput8.dll

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5136 -s 428

Source: C:\Windows\System32\loaddll64.exe	Section loaded: getmodulehandlea.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: virtualprotect.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: addvectoredexceptionhandler.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: virtualalloc.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: createthread.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: resumethread.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: openthread.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: setthreadcontext.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: getthreadcontext.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: closehandle.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: createfilea.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: readfile.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: writefile.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: sleep.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: exitprocess.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: getmodulefilenamew.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: createfilew.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: getfilesize.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: readfile.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: pathfileexistsw.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: shgetfolderpatha.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: createdirectorya.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: messageboxa.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: _itoa.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: createprocessa.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: getmodulefilenamea.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: allocconsole.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: setconsoletitlea.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: createconsolescreenbuffer.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: writeconsolea.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: setconsolemode.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: getstdhandle.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: deletefilea.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: freeconsole.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: zwreadfile.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: getwindowsdirectoryw.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: getvolumeinformationw.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: getcomputernamew.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: virtualfree.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: ntterminateprocess.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: getcommandlinea.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: ntquerysysteminformation.dll	Jump to behavior

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERCC5.tmp

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: classification engine

Classification label: sus23.evad.winDLL@10/12@0/0

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\EMP.dll,EMP

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\EMP.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\EMP.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\EMP.dll,EMP
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\EMP.dll",#1
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5136 -s 428
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5204 -s 436
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5216 -s 492
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\EMP.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\EMP.dll,EMP	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\EMP.dll",#1	Jump to behavior

Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5136
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5216
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5204

Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: rundll32.exe, 00000003.00000000.248423347.0000029126755000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: rShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsAppsPATHEXT=.COM;.EXE;.BAT;.CMD;.VBp

Source: EMP.dll

Static file information: File size 4115456 > 1048576

Source: EMP.dll

Static PE information: Raw size of EMP1 is bigger than: 0x100000 < 0x3ec800

Source: initial sample

Static PE information: section where entry point is pointing to: EMP1

Source: EMP.dll	Static PE information: section name: EMP0
Source: EMP.dll	Static PE information: section name: EMP1

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: loaddll64.exe, loaddll64.exe, 00000000.00000000.254444737.0000000013004000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000002.00000002.260544238.0000000013004000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.248847901.0000000013004000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: loaddll64.exe, 00000000.00000000.254444737.0000000013004000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000002.00000002.260544238.0000000013004000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.248847901.0000000013004000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: FREEZEKERNEL32.DLLWINE_GET_UNIX_FILE_NAMENTDLL.DLLRTLIMAGENTHEADEREXSAVE

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\EMP.dll",#1

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Virtualization/Sandbox Evasion	2 Input Capture	1 Security Software Discovery	Remote Services	2 Input Capture	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Rundll32	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 DLL Side-Loading	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
EMP.dll	8%	ReversingLabs
EMP.dll	5%	Virustotal	Browse
EMP.dll	3%	Metadefender	Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
dual-a-0001.a-msedge.net	0%	Virustotal		Browse

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
dual-a-0001.a-msedge.net	204.79.197.200	true	false	0%, Virustotal, Browse	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	705117
Start date and time:	2022-09-18 22:52:07 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	EMP.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	SUS
Classification:	sus23.evad.winDLL@10/12@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll Sleeps bigger than 300000ms are automatically reduced to 1000ms Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): WerFault.exe
Excluded IPs from analysis (whitelisted): 104.208.16.94, 20.42.73.29, 52.168.117.173
Excluded domains from analysis (whitelisted): www.bing.com, onedsblobprdeus16.eastus.cloudapp.azure.com, fs.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, watson.telemetry.microsoft.com, www-www.bing.com.trafficmanager.net, onedsblobprdcus16.centralus.cloudapp.azure.com
Execution Graph export aborted for target rundll32.exe, PID 5136 because there are no executed function
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
dual-a-0001.a-msedge.net	0dcfbd7eb5c77375e55f845ceade408c83553a98b0f85.exe	Get hash	malicious	Browse	204.79.197.200
	rUp4k6hRKh.exe	Get hash	malicious	Browse	204.79.197.200
	OnEI7ajdhl.exe	Get hash	malicious	Browse	204.79.197.200
	qMXKSwbQoV.exe	Get hash	malicious	Browse	204.79.197.200
	file.exe	Get hash	malicious	Browse	204.79.197.200
	https://www.yumpu.com/en/document/read/67227829/t-nationhttp:/www2.nobicon.se/0371/func/click.php?docID=2269311&noblink=http://www.hm.com	Get hash	malicious	Browse	204.79.197.200
	bad (2).js	Get hash	malicious	Browse	13.107.21.200
	SecuriteInfo.com.Gen.Variant.Nemesis.10876.25881.26814.exe	Get hash	malicious	Browse	13.107.21.200
	http://bizoutreachsolution.com	Get hash	malicious	Browse	204.79.197.200
	DHL delivery label 627881.exe	Get hash	malicious	Browse	204.79.197.200
	DHL delivery label 627881.exe	Get hash	malicious	Browse	204.79.197.200
	file.exe	Get hash	malicious	Browse	204.79.197.200
	SecuriteInfo.com.Gen.Variant.Nemesis.10876.17604.12002.exe	Get hash	malicious	Browse	13.107.21.200
	MainFails#146504.img	Get hash	malicious	Browse	204.79.197.200
	Logs.bin.exe	Get hash	malicious	Browse	204.79.197.200
	Paid invoice.ppa	Get hash	malicious	Browse	204.79.197.200
	https://resilinc.page.link/?link=https://ewr.resilinc.com/%23/eventwarroom/15264574/false?id%3D234066%26tk%3Doauth:session:ew_guest:E6630AC6BAE14F3DACB0D28DB2B21A9C&apn=com.resilinc.resilincapp&isi=1067740887&ibi=com.resilinc.ResilincApp	Get hash	malicious	Browse	204.79.197.200
	infected.dll	Get hash	malicious	Browse	204.79.197.200
	https://%D1%8F%D1%80%D0%BC%D0%B0%D1%80%D0%BA%D0%B0%D1%82%D0%B5%D0%BA%D1%81%D1%82%D0%B8%D0%BB%D1%8F.%D1%80%D1%84/%D0%BA%D0%B0%D1%80%D1%82%D0%B8%D0%BD%D0%BA%D0%B8/%D1%87%D0%B5%D1%80%D0%BD%D1%8B/%D0%B2%D0%BA%D0%BB%D1%8E%D1%87%D0%B0%D0%B5%D1%82/%D1%83%D1%82%D1%80%D0%BE/%D0%97%D0%90%D0%93%D0%9E%D0%9B%D0%9E%D0%92%D0%9E%D0%9A/%D1%83%D0%B4%D0%B8%D0%B2%D0%BB%D1%8F%D1%82%D1%8C%D1%81%D1%8F/%D1%81%D0%B5%D1%80%D0%B4%D1%86%D0%B5/%D1%87%D0%B5%D1%80%D0%BD%D0%B8%D0%BB%D0%B0/AAOFN_htuA/%D1%81%D0%BB%D0%B5%D0%B4%D0%B8%D1%82%D1%8C/%D0%B7%D0%B5%D0%BC%D0%BB%D1%8F/	Get hash	malicious	Browse	204.79.197.200
	background.js	Get hash	malicious	Browse	204.79.197.200

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll64.exe_aa88da1bb5e83c899d2fe4fa8e29f434d6df4_310ec4b5_14752445\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7919728236354776
Encrypted:	false
SSDEEP:	96:W4F1wupa4thUL7ufDpXIQcQgc6ObcE6cw3+2v+HbHgmksn3eZFDPCFYOyPdTxifS:T4upa0H+KbQIjz5/u7sSS274lt+
MD5:	CD478A69357F7166EDBC23965EA3A429
SHA1:	4B6AB71949797BBDFB727AA1E24F187D891D07DC
SHA-256:	F38E1F2A7BC4D3803D311EF75D5F8C393AA7C1DDAB55A3468AAE2F511E6A3895
SHA-512:	F28AF679B8546CB1B1DB42308FFACDEAA1C52CB4E1D3DD9E133FE84A29911B0433B3625947202CC30650FA81D240A825CD09451094C4F71B20E73DE9230A8CEC
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.8.0.4.0.3.8.7.0.3.9.1.7.8.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.0.8.0.4.0.3.8.8.2.8.9.1.5.8.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.a.d.7.f.a.a.2.-.d.2.9.8.-.4.c.3.a.-.b.2.2.a.-.5.0.d.4.b.5.e.6.3.1.2.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.7.d.a.3.e.f.3.-.8.d.2.f.-.4.8.3.6.-.a.e.e.1.-.2.1.2.8.b.a.1.3.0.6.e.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.6.4...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.6.0.-.0.0.0.1.-.0.0.1.f.-.9.6.5.f.-.1.4.1.2.e.c.c.b.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.f.e.1.f.7.3.2.2.5.e.8.c.2.3.3.1.b.8.d.3.7.3.d.3.f.9.1.a.c.4.2.0.0.0.0.f.f.f.f.!.0.0.0.0.8.e.8.d.7.7.2.a.1.e.4.5.d.c.e.2.0.b.3.8.5.0.7.3.9.f.8.e.e.5.1.d.6.c.4.0.3.d.e.9.!.l.o.a.d.d.l.l.6.4...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.1.2././.1.3.:.0.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_EMP_e9f21e596a914cd6457389e5ed4eb9cec9a87d_3f3ed4d9_161917b2\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7988839305400732
Encrypted:	false
SSDEEP:	96:xyFeU7ESRirJPnyujA55L7ufDpXIQcQgc6ObcE6cw3+XaXz+HbHgSQgJPb9kp8WI:gZbirJKmH+KbQAjUt/u7sSS274ltG3
MD5:	C211BE82A914F91CDDD6657FF202A682
SHA1:	2FA4A32B67C2007B0DFDD00C81D92D504BCB1601
SHA-256:	C057457DAF6984132AA903B00333D196550E92F9FDECD547C576E06A7E0CA4FD
SHA-512:	0FAA9761B69A98A4AE31C8D87FB2E70DAA2A107AB95C39CB6471F8713710BD5734E043D5A19D7DD78B6F6897520216A357413569B980EE9491D436CFC734FD1C
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.8.0.4.0.3.8.3.3.1.5.3.1.6.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.0.8.0.4.0.3.8.4.7.0.5.9.4.8.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.4.b.d.c.1.a.0.-.d.3.b.f.-.4.0.b.7.-.8.1.9.d.-.2.4.c.b.e.8.a.4.6.5.4.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.e.d.0.4.7.a.4.-.b.4.f.6.-.4.a.6.5.-.a.3.9.b.-.2.a.6.6.e.3.7.7.6.4.e.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.E.M.P...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.1.0.-.0.0.0.1.-.0.0.1.f.-.a.d.8.0.-.8.2.1.2.e.c.c.b.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.2.f.3.4.c.c.f.d.d.8.1.4.1.a.e.e.e.2.e.8.9.f.f.b.0.7.0.c.e.2.3.9.c.7.d.0.0.7.0.6.!.r.u.n.d.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_EMP_e9f21e596a914cd6457389e5ed4eb9cec9a87d_3f3ed4d9_163918cb\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7983255214577226
Encrypted:	false
SSDEEP:	96:GYFdRiYJPnyVjA55L7ufDpXIQcQgc6ObcE6cw3+XaXz+HbHgSQgJPb9kp8WpsvOU:T5iYJKtH+KbQAjUt/u7sSS274ltG3
MD5:	7094056FA762811907CE17F80868EAA7
SHA1:	0F3781B559835AE943D1E16CB08B3EAD45E1AFC9
SHA-256:	101302FB5CB881B4FD42EFDE7DC8839A345AE929966AF2397CB86CF373E300FC
SHA-512:	B0CF3C9742F67C7FF49EE482A16AE0ACB5A2174410D6BA7A4525C1CB01298F8B43892A42B732CBF073CE479E2FCEBE300A7DD994FE5A05E8CB950378345E31C9
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.8.0.4.0.3.8.3.4.8.9.2.2.9.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.0.8.0.4.0.3.8.5.1.9.2.3.4.7.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.3.d.f.3.1.5.2.-.f.4.1.1.-.4.f.4.0.-.8.b.4.e.-.8.8.8.5.e.b.e.4.c.0.5.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.7.d.4.1.b.4.e.-.7.4.7.2.-.4.5.6.4.-.b.9.0.7.-.9.6.4.1.f.5.2.7.3.2.3.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.E.M.P...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.5.4.-.0.0.0.1.-.0.0.1.f.-.1.8.a.0.-.8.4.1.2.e.c.c.b.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.2.f.3.4.c.c.f.d.d.8.1.4.1.a.e.e.e.2.e.8.9.f.f.b.0.7.0.c.e.2.3.9.c.7.d.0.0.7.0.6.!.r.u.n.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1070.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4698
Entropy (8bit):	4.456550630823905
Encrypted:	false
SSDEEP:	48:cvIwSD8zsFJgtBI93XWgc8sqYjt8fm8M4JCZCQjVtFuRtoyq85msWqewZESC5SMd:uITfflmgrsqYuJOrsewVvMd
MD5:	34E0E1E180207D1EB1373786DC78B845
SHA1:	AC7572AA3FE55B88AC0D5095EDD8F4AD3E8D272E
SHA-256:	2084E4D79650E28085A178819E43E2A69F8A77DD2C2AC571FB14FC3BA54E2E50
SHA-512:	21184793923DA5AEEBF4B2D9FFB8B59FE1E9819889F7321B5271690B29E16D50D3AB0AC1583FC7AA735C8E640A1C298F328D369D0709955DDB976CC91C3D005A
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1698663" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER10FC.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8490
Entropy (8bit):	3.693495259318594
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiVMIKYe6YecAgmfckS/2D+CpDb89b2nrfeSm:RrlsNi5E6YNAgmfckS/h2rfS
MD5:	3BD16566C073779941E01F4712912CB8
SHA1:	5B92F9B9E94F8228DA644F889794CD7BB58288ED
SHA-256:	03788D4C1D62816F6196B7D7B7D2E7048C3DB9BF4BF46CAC3D7821ABCEB332DE
SHA-512:	C40CE79B255021644396C50CEF7A13314020A9FE82990275F84D4DEB5076A81834016D7A08FBE0CAE011AF897518040C23973BA996D7DD90CD7B192A2866A52C
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.2.0.4.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER12F1.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4698
Entropy (8bit):	4.460832761200755
Encrypted:	false
SSDEEP:	48:cvIwSD8zsFJgtBI93XWgc8sqYjo8fm8M4JCZCQjVtFTyq85msWqm5ZESC5SNd:uITfflmgrsqYJJOrs8VvNd
MD5:	45F66DE9900DBBCD5C54CDAF0445DEB5
SHA1:	BBC4502348DBCD08A05149499A9EC309E2E41DB7
SHA-256:	377A0A597E2DEBC565C6080F31F5C47E4B4367F5CD8D25A64E7DF709EC9D198D
SHA-512:	3BAD51AD7C0EB4E7B93780C7CAD6F47AD021F27801CBD797DD7B38A68A643351009F5D805B1F0562515B58B7BD8E017BEBEA51B802386B0D0B218834B550BB68
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1698663" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B4C.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Sep 19 05:53:07 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	78902
Entropy (8bit):	1.3718980534191463
Encrypted:	false
SSDEEP:	192:Ht50bUNpDUvC6KO2YZx+ARPxNKOXpGn1NE/o0gdVS16O5qbp:jCeDUq6V22w+j/pG1NEw0gdQf52p
MD5:	4494CDAC0FEE155DF9EAC98B9ECAE03A
SHA1:	FBF687E6CEC027B248A842D3EBE91F14C50B8572
SHA-256:	CB972A1769A8B8CC7B6135291ABF5D7C7C8623CC3771E251D4B89456E241A458
SHA-512:	1037A9DB279210BCF4B30657B714DF3A426A0E6A3DBE9942F9419DB4B89B698F9356B94A46A6E7A00120E850170CCC578C301358436EF58AB8E684D1A0AAEDAD
Malicious:	false
Preview:	MDMP....... .........(c........................@...........$...H.......4...B7..........`.......8...........T...........H.... ..........l...........X....................................................................U...........B..............Lw.....................T.......`.....(c.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D70.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8508
Entropy (8bit):	3.6931613083132837
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiRyr46e6Yqws3gmfbS/2D+CpD489bBbB+f0Kbjm:RrlsNi0o6YNs3gmfbS/4BbIfb6
MD5:	1CB6F864B6368104B89D9033716B93A8
SHA1:	C66F35F2BBB5895BD7CC81E829D9D0A32AEF4C14
SHA-256:	8F30D18EB0975A52E5D6D14238432CD112B275D0CFD9C1BA29D94A9E70761D04
SHA-512:	FF9806559CB6E31A467934FB6E2052F622AB1B49316A9F8599A465AD6DBC742B8B47D7FF852BF2528DAD98F814B0CFE134130DB5CE1E005011C89C05AA78195F
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.2.1.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1EC8.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4602
Entropy (8bit):	4.422172421423899
Encrypted:	false
SSDEEP:	48:cvIwSD8zsFJgtBI93XWgc8sqYjW8fm8M4JoujVtFSyq85qyWq2FVs95d:uITfflmgrsqY/JpKY2FK95d
MD5:	02CF71ADDAFEF0C769714BAAA6C5D86C
SHA1:	E0E43ACFE64E79E1FD087406A59F090398E8C5EB
SHA-256:	0B60B4BE4C6688A2EF44540E45DD1960FBE0F332B9096A71768DA327159EBCCC
SHA-512:	AEC1EEC177E46F2193FEFFC66E12525BA039D7E453D4C3982D863DC8FF0A9CF066B90DA5CEA8BC70162E09DFBAFEEF62E99DC56CC4FF488F4B73467D97FDD55C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1698663" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCC5.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Sep 19 05:53:03 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	89370
Entropy (8bit):	1.32384068656244
Encrypted:	false
SSDEEP:	192:mTPUmDpcOC515JZyHtXUnTR81lW7/a+FwdkqPWVeY:aZTCn5JZyH5UnujWDa+CxNY
MD5:	F4115782A643B9FF9138C168C662B35F
SHA1:	1CFECE721F57E18C70279FBE2E692F22BE290EDE
SHA-256:	191C7986DC019A5D74F6D6264C066413BD426E413A2E7CE2822ADADEA9C203D6
SHA-512:	28ACBBA5F4025361011256F1A1B5373B85225C7CC08F1191CACA70D474807A97A295307F46574899BF80D250843CD379F1F0B417E37AF5670FB6129B9E81E764
Malicious:	false
Preview:	MDMP....... .........(c............$...........@...,.......T....;..........T.......8...........T................L..........l...........X....................................................................U...........B..............Lw......................T.............(c.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD71.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Sep 19 05:53:03 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	81366
Entropy (8bit):	1.3618201081053767
Encrypted:	false
SSDEEP:	192:mGsUa1epn7OC51wBzMwnSR4X6e8yLO96fwQGSvyPkunMc:AdmnCCnySOD8yLOmw3V82p
MD5:	7D5B5182B44EECCA54A2E8202D69AA90
SHA1:	E3F25B39C4BFB3ECF2A7EB2046D784C7F3D6BF2E
SHA-256:	B0C6BFF4C531ECFD933E392D6A1DDB0587950148698B582F31DEE01672BEB55B
SHA-512:	BFDEE09889E17CE47A684A7078F0301F75440AC20491300B7470AE2468A58726B4421C77748839901B69C536BEB73834BDB514402765B800023F1376D27C09E1
Malicious:	false
Preview:	MDMP....... .........(c........................@...........$....6..........T.......8...........T...........h...n,..........<...........(....................................................................U...........B..............Lw................A.....T.......T.....(c.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF47.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8700
Entropy (8bit):	3.6966629658675263
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiEQL8KI6YxZjILgmfckS/2D+CpDg89b2mpf2Sm:RrlsNirS6Y/ggmfckS/A2If6
MD5:	F27B298D2427EF300F2EA779AE520457
SHA1:	5789534EFEE8373662ADC5A71470935707D82B52
SHA-256:	07ACB1F8BC45AFAAA5024D1DEF2E596F3941831F5EDF8E47206496C256D848B8
SHA-512:	465EFD91228A9C5BB94F277AE0EFC3B25757539B90368508A23843A936DBB344126A5B700D29D00A4E693143572FDD03CB031EC3833D5E9FDA3C0178A00742C8
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.1.3.6.<./.P.i.d.>.......

Static File Info

General

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):	7.914102296938064
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.41% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% VXD Driver (31/22) 0.03%
File name:	EMP.dll
File size:	4115456
MD5:	39412a5854f88089d18da288bc8bb6ae
SHA1:	5f3fafba0569e43997009347014caf0ea51d39f3
SHA256:	ac2a4eb967e709a08ee39c6b5f983a3cebf6e35897564f742ef6e8ee0914e443
SHA512:	b59e781d89f380075812a11f15aadb618086e2586c9de487fcfa7f5e1ec34e76a8ddfa1a9001d47933475f156d6524ca93232b7894c0e4bf0b01e67628fe5bbc
SSDEEP:	98304:WCeAEmz8unU80/byTuwInrft+rO6FRLf/HQ:WaELuUjyTAft+rOQhP
TLSH:	9F16335CE23D5E50C654843B48CE66C32552ED06B980F243AEA7EBDDD1729EAF44BE03
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......a..........# ......>.........`.\.......................................\........... ................................

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General

Entrypoint:	0x135cc260
Entrypoint Section:	EMP1
Digitally signed:	false
Imagebase:	0x13000000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:	HIGH_ENTROPY_VA
Time Stamp:	0x61ADF69D [Mon Dec 6 11:40:13 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	6859c1fbd5011b39e2b3c5ccd6eda491

Entrypoint Preview

Instruction
dec eax
mov dword ptr [esp+08h], ecx
dec eax
mov dword ptr [esp+10h], edx
dec esp
mov dword ptr [esp+18h], eax
cmp dl, 00000001h
jne 00007F1818D5D595h
push ebx
push esi
push edi
push ebp
dec eax
lea esi, dword ptr [FFC13DA2h]
dec eax
lea edi, dword ptr [esi-001DF025h]
push edi
xor ebx, ebx
xor ecx, ecx
dec eax
or ebp, FFFFFFFFh
call 00007F1818D5D395h
add ebx, ebx
je 00007F1818D5D344h
rep ret
mov ebx, dword ptr [esi]
dec eax
sub esi, FFFFFFFCh
adc ebx, ebx
mov dl, byte ptr [esi]
rep ret
dec eax
lea eax, dword ptr [edi+ebp]
cmp ecx, 05h
mov dl, byte ptr [eax]
jbe 00007F1818D5D363h
dec eax
cmp ebp, FFFFFFFCh
jnbe 00007F1818D5D35Dh
sub ecx, 04h
mov edx, dword ptr [eax]
dec eax
add eax, 04h
sub ecx, 04h
mov dword ptr [edi], edx
dec eax
lea edi, dword ptr [edi+04h]
jnc 00007F1818D5D331h
add ecx, 04h
mov dl, byte ptr [eax]
je 00007F1818D5D352h
dec eax
inc eax
mov byte ptr [edi], dl
sub ecx, 01h
mov dl, byte ptr [eax]
dec eax
lea edi, dword ptr [edi+01h]
jne 00007F1818D5D332h
rep ret
cld
inc ecx
pop ebx
jmp 00007F1818D5D34Ah
dec eax
inc esi
mov byte ptr [edi], dl
dec eax
inc edi
mov dl, byte ptr [esi]
add ebx, ebx
jne 00007F1818D5D34Ch
mov ebx, dword ptr [esi]
dec eax
sub esi, FFFFFFFCh
adc ebx, ebx
mov dl, byte ptr [esi]
jc 00007F1818D5D328h
lea eax, dword ptr [ecx+01h]
inc ecx
call ebx
adc eax, eax
add ebx, ebx
jne 00007F1818D5D34Ch
mov ebx, dword ptr [esi]
dec eax
sub esi, FFFFFFFCh
adc ebx, ebx
mov dl, byte ptr [esi]
jnc 00007F1818D5D32Dh
sub eax, 03h
jc 00007F1818D5D355h
shl eax, 08h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x5cd178	0x48	.rsrc
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5cd0f0	0x88	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5cd000	0xf0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x5c88a0	0x234	EMP1
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x5cc4e0	0x130	EMP1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
EMP0	0x1000	0x1df000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
EMP1	0x1e0000	0x3ed000	0x3ec800	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5cd000	0x1000	0x200	False	0.57421875	data	3.993113977578181	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0x5cd05c	0x91	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect

Exports

Name	Ordinal	Address
EMP	1	0x13001010

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

Click to jump to process

Memory Usage

• loaddll64.exe
• cmd.exe
• rundll32.exe
• rundll32.exe
• WerFault.exe
• WerFault.exe
• WerFault.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• loaddll64.exe
• cmd.exe
• rundll32.exe
• rundll32.exe
• WerFault.exe
• WerFault.exe
• WerFault.exe

Click to jump to process

System Behavior

Analysis Process: loaddll64.exePID: 5216, Parent PID: 5520

Function Logs

General

Target ID:	0
Start time:	22:52:58
Start date:	18/09/2022
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\EMP.dll"
Imagebase:	0x7ff7d1230000
File size:	140288 bytes
MD5 hash:	4E8A40CAD6CCC047914E3A7830A2D8AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

Process Created

Show Windows behavior

Thread Activities

Thread Delayed

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 5228, Parent PID: 5216

Function Logs

General

Target ID:	1
Start time:	22:52:58
Start date:	18/09/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\EMP.dll",#1
Imagebase:	0x7ff707bb0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

File Opened

File Attributes Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Process Activities

Process Created

Process Information Set

Show Windows behavior

Thread Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 5136, Parent PID: 5216

Function Logs

General

Target ID:	2
Start time:	22:52:59
Start date:	18/09/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\EMP.dll,EMP
Imagebase:	0x7ff734df0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

File Attributes Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

Process Information Set

Show Windows behavior

Thread Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Memory Activities

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

System Information Queried

Show Windows behavior

Windows UI Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 5204, Parent PID: 5228

Function Logs

General

Target ID:	3
Start time:	22:52:59
Start date:	18/09/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\EMP.dll",#1
Imagebase:	0x7ff734df0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

File Attributes Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

Process Information Set

Show Windows behavior

Thread Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Memory Activities

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

System Information Queried

Show Windows behavior

Windows UI Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 5720, Parent PID: 5136

Function Logs

General

Target ID:	6
Start time:	22:53:02
Start date:	18/09/2022
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 5136 -s 428
Imagebase:	0x7ff679980000
File size:	494488 bytes
MD5 hash:	2AFFE478D86272288BBEF5A00BBEF6A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

File Opened

File Created

File Deleted

File Written

File Attributes Queried

Other File Operations

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Created

Key Deleted

Key Value Created

Key Value Modified

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Queried

Process Information Set

Show Windows behavior

Thread Activities

Thread Created

Thread Execution Resumed

Thread Execution Suspended

Thread Delayed

Thread Terminated

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

System Information Set

Language or Locale ID Queried

System Information Queried

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window Created

Process Token Activities

Token Adjusted

Show Windows behavior

Object Security Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 5752, Parent PID: 5204

Function Logs

General

Target ID:	7
Start time:	22:53:02
Start date:	18/09/2022
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 5204 -s 436
Imagebase:	0x7ff679980000
File size:	494488 bytes
MD5 hash:	2AFFE478D86272288BBEF5A00BBEF6A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

File Opened

File Created

File Deleted

File Written

File Attributes Queried

Other File Operations

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Created

Key Deleted

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Queried

Process Information Set

Show Windows behavior

Thread Activities

Thread Created

Thread Execution Resumed

Thread Execution Suspended

Thread Delayed

Thread Terminated

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

System Information Set

Language or Locale ID Queried

System Information Queried

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window Created

Process Token Activities

Token Adjusted

Show Windows behavior

Object Security Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 5172, Parent PID: 5216

Function Logs

General

Target ID:	9
Start time:	22:53:06
Start date:	18/09/2022
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 5216 -s 492
Imagebase:	0x7ff679980000
File size:	494488 bytes
MD5 hash:	2AFFE478D86272288BBEF5A00BBEF6A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

File Opened

File Created

File Deleted

File Written

File Attributes Queried

Other File Operations

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Created

Key Deleted

Key Value Created

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Queried

Process Information Set

Show Windows behavior

Thread Activities

Thread Created

Thread Execution Resumed

Thread Execution Suspended

Thread Delayed

Thread Terminated

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

System Information Set

Language or Locale ID Queried

System Information Queried

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window Created

Process Token Activities

Token Adjusted

Show Windows behavior

Object Security Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report EMP.dll

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll64.exe_aa88da1bb5e83c899d2fe4fa8e29f434d6df4_310ec4b5_14752445\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_EMP_e9f21e596a914cd6457389e5ed4eb9cec9a87d_3f3ed4d9_161917b2\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_EMP_e9f21e596a914cd6457389e5ed4eb9cec9a87d_3f3ed4d9_163918cb\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1070.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER10FC.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER12F1.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B4C.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D70.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1EC8.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCC5.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD71.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF47.tmp.WERInternalMetadata.xml

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
EMP.dll