ID: 295267
Sample Name: comhij.dll
Cookbook: default.jbs
Time: 17:41:32
Date: 08/10/2020
Version: 30.0.0 Red Diamond

Table of Contents

Table of Contents 2
Analysis Report comhij.dll 4
  Overview 4
    General Information 4
    Detection 4
    Signatures 4
    Classification 4
  Startup 5
  Malware Configuration 5
  Yara Overview 5
  Sigma Overview 6
    System Summary: 6
  Signature Overview 6
    AV Detection: 6
    System Summary: 6
    Boot Survival: 6
  Mitre Att&ck Matrix 6
  Behavior Graph 7
  Screenshots 7
    Thumbnails 7
  Antivirus, Machine Learning and Genetic Malware Detection 8
    Initial Sample 8
    Dropped Files 8
    Unpacked PE Files 8
    Domains 8
    URLs 8
  Domains and IPs 9
    Contacted Domains 9
    Contacted IPs 9
  General Information 9
  Simulations 9
    Behavior and APIs 9
  Joe Sandbox View / Context 10
    IPs 10
    Domains 10
    ASN 10
    JA3 Fingerprints 10
    Dropped Files 10
  Created / dropped Files 10
  Static File Info 10
    General 10
    File Icon 11
  Static PE Info 11
    General 11
    Entrypoint Preview 11
    Rich Headers 12
    Data Directories 12
    Sections 13
    Resources 13
    Imports 13
  Possible Origin 13
  Network Behavior 13
  Code Manipulations 13
  Statistics 13
  Behavior 14
  System Behavior 14
    Analysis Process: loaddll64.exe PID: 160 Parent PID: 6080 14
      General 14
      File Activities 14
    Analysis Process: cmd.exe PID: 2712 Parent PID: 160 14
      General 14
      File Activities 15
        File Written 15
    Analysis Process: sc.exe PID: 6400 Parent PID: 2712 15
      General 15
      File Activities 15
        File Written 15
    Analysis Process: sc.exe PID: 2916 Parent PID: 2712 15
      General 15
      File Activities 16
        File Written 16
    Analysis Process: schtasks.exe PID: 4628 Parent PID: 2712 16
      General 16
      File Activities 16
    Analysis Process: regsvr32.exe PID: 4792 Parent PID: 2712 17
      General 17
    Analysis Process: regsvr32.exe PID: 3032 Parent PID: 936 17
      General 17
  Disassembly 17
    Code Analysis 17

Copyright null 2020 Page 2 of 17

Analysis Report comhij.dll

Overview

General Information

Sample Name: comhij.dll
Analysis ID: 295267
MD5: 77ba4a18ef8719c…
SHA1: a48f08c1aa3fdaa…
SHA256: de6c061aafc5d86…
Most interesting Screenshot:

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Sigma detected: Regsvr32 Anomaly
Uses schtasks.exe or at.exe to add and modify task schedules
Creates a process in suspended mo…
May sleep (evasive loops) to hinder …
Program does not show much activi…
Registers a DLL
Tries to load missing DLLs
Very long cmdline option found, this…

Classification

Classification chart (figure): categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; legend: malicious, suspicious, clean.

Startup

System is w10x64

loaddll64.exe (PID: 160, cmdline: loaddll64.exe 'C:\Users\user\Desktop\comhij.dll', MD5: A114C89B549F4E21B5564D7865BE5374)
  cmd.exe (PID: 2712, cmdline: /c sc config wercplsupport start= auto & sc start wercplsupport & copy c:\windows\System32\dialogex.dll c:\windows\System32\wercplsupporte.dll /y & schtasks /create /tn 'Windows Problems Collection' /tr 'regsvr32.exe /s c:\windows\System32\wercplsupporte.dll' /sc DAILY /st 20:02 /F /RU System & start '' regsvr32.exe /s c:\windows\System32\dialogex.dll, MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    sc.exe (PID: 6400, cmdline: sc config wercplsupport start= auto, MD5: D79784553A9410D15E04766AAAB77CD6)
    sc.exe (PID: 2916, cmdline: sc start wercplsupport, MD5: D79784553A9410D15E04766AAAB77CD6)
    schtasks.exe (PID: 4628, cmdline: schtasks /create /tn 'Windows Problems Collection' /tr 'regsvr32.exe /s c:\windows\System32\wercplsupporte.dll' /sc DAILY /st 20:02 /F /RU System, MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
    regsvr32.exe (PID: 4792, cmdline: regsvr32.exe /s c:\windows\System32\dialogex.dll, MD5: D78B75FC68247E8A63ACBA846182740E)
regsvr32.exe (PID: 3032, cmdline: regsvr32.exe /s c:\windows\System32\wercplsupporte.dll, MD5: D78B75FC68247E8A63ACBA846182740E)
cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Regsvr32 Anomaly

Signature Overview

• AV Detection
• System Summary
• Data Obfuscation
• Boot Survival
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Protection Evasion

AV Detection:

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

System Summary:

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Mitre Att&ck Matrix

Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts
Execution: Command and Scripting Interpreter 1 | Scheduled Task/Job 1 | Service Execution 1 | At (Windows)
Persistence: Windows Service 1 | Scheduled Task/Job 1 | DLL Side-Loading 1 | Logon Script (Mac)
Privilege Escalation: Windows Service 1 | Process Injection 1 1 | Scheduled Task/Job 1 | DLL Side-Loading 1
Defense Evasion: Regsvr32 1 | Virtualization/Sandbox Evasion 1 | Process Injection 1 1 | DLL Side-Loading 1
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS
Discovery: Security Software Discovery 1 | Virtualization/Sandbox Evasion 1 | System Information Discovery 1 | System Network Configuration Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model
Collection: Data from Local System | Data from Removable Media | Data from Network Shared Drive | Input Capture
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Scheduled Transfer
Command and Control: Data Obfuscation | Junk Data | Steganography | Protocol Impersonation
Network Effects: Eavesdrop on Insecure Network Communication | Exploit SS7 to Redirect Phone Calls/SMS | Exploit SS7 to Track Device Location | SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization | Remotely Wipe Data Without Authorization | Obtain Device Cloud Backups

Behavior Graph

Behavior graph (figure); the information recoverable from the image text:
Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, C# or VB.NET, C, C++ or other language, Is malicious, Internet
ID: 295267; Sample: comhij.dll; Startdate: 08/10/2020; Architecture: WINDOWS; Score: 64
Nodes and edges: loaddll64.exe started cmd.exe; cmd.exe started regsvr32.exe, schtasks.exe, sc.exe and sc.exe; a second regsvr32.exe node
Signatures attached: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Uses schtasks.exe or at.exe to add and modify task schedules; Sigma detected: Regsvr32 Anomaly

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
comhij.dll | 74% | Virustotal | | Browse
comhij.dll | 76% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi |
comhij.dll | 100% | Avira | TR/Agent.claqy |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 30.0.0 Red Diamond
Analysis ID: 295267
Start date: 08.10.2020
Start time: 17:41:32
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 3s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: comhij.dll
Cookbook file name: default.jbs
Analysis system description: w10x64 Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason:
Detection: MAL
Classification: mal64.winDLL@12/0@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .dll
Warnings: Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe

Simulations

Behavior and APIs

Time | Type | Description
17:42:28 | API Interceptor | 1x call for process: loaddll64.exe modified
17:42:31 | Task Scheduler | Run new task: Windows Problems Collection path: regsvr32.exe /s c:\windows\System32\wercplsupporte.dll

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit): 6.096364038517354
TrID:
  Win64 Dynamic Link Library (generic) (102004/3) 86.43%
  Win64 Executable (generic) (12005/4) 10.17%
  Generic Win/DOS Executable (2004/3) 1.70%
  DOS Executable Generic (2002/1) 1.70%
  Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name: comhij.dll
File size: 109568
MD5: 77ba4a18ef8719c2f218e87dfdcba58f
SHA1: a48f08c1aa3fdaaec9d2bf98cc0aec3c71979896
SHA256: de6c061aafc5d86e692bec45f69b2ea18639abd540b59c2c281717a054a48dd5
SHA512: b8d7e3ed7fe939cb10da9800135a85db2208f7102673cceb210352b747a0a6b51761fb154ea41cdad2078fd2b54a5d0bc37911c10826cbc1fcdbf98060c58699
SSDEEP: 1536:xEwaH7v1+36g72n2fktCjFBzaAAiPqg2++sW4OdP9dlLVJ61vNLF:xE77N+qe8WkwXzaAAAqCUvRL611LF
File Content Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... !.!.e.O.e. O.e.O..h..a.O..h....O..h..h.O.^.L.b.O.^.J.q.O.^.K.u.O.....f. O.e.N.2.O...F.d.O.....d.O...M.d.O.Riche.O......

File Icon

Icon Hash: 74f0e4ecccdce0e4

Static PE Info

General

Entrypoint: 0x180001530
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x180000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp: 0x5E51414D [Sat Feb 22 14:57:17 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 8432f0b0e6fbfe4ac5d53400aa09d6e5

Entrypoint Preview

Instruction
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
push edi
dec eax
sub esp, 20h
dec ecx
mov edi, eax
mov ebx, edx
dec eax
mov esi, ecx
cmp edx, 01h
jne 00007F59C48FBE97h
call 00007F59C48FC52Ch
dec esp
mov eax, edi
mov edx, ebx
dec eax
mov ecx, esi
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov esi, dword ptr [esp+38h]
dec eax
add esp, 20h
pop edi
jmp 00007F59C48FBD0Ch
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
xor ecx, ecx
call dword ptr [0000EAAFh]
dec eax
mov ecx, ebx
call dword ptr [0000EA9Eh]
call dword ptr [0000EAA8h]
dec eax
mov ecx, eax
mov edx, C0000409h
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [0000EA9Ch]
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 38h
mov ecx, 00000017h
call 00007F59C490993Ah
test eax, eax
je 00007F59C48FBE99h
mov ecx, 00000002h
int 29h
dec eax
lea ecx, dword ptr [000193D7h]
call 00007F59C48FC05Fh
dec eax
mov eax, dword ptr [esp+38h]
dec eax
mov dword ptr [000194BEh], eax
dec eax
lea eax, dword ptr [esp+38h]
dec eax
add eax, 08h
dec eax
mov dword ptr [0001944Eh], eax
dec eax
mov eax, dword ptr [000194A7h]
dec eax
mov dword ptr [00019318h], eax

Rich Headers

Programming Language: [RES] VS2015 UPD3 build 24213

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x18dac | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1e000 | 0x1e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x1c000 | 0xf0c | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1f000 | 0x60c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x17dd0 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x17e10 | 0x94 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x10000 | 0x228 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xeb20 | 0xec00 | False | 0.593352754237 | data | 6.44328003418 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x10000 | 0x94fc | 0x9600 | False | 0.473463541667 | data | 5.09347459582 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1a000 | 0x1b40 | 0xa00 | False | 0.136328125 | data | 1.84147504248 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata | 0x1c000 | 0xf0c | 0x1000 | False | 0.451416015625 | PEX Binary Archive | 4.67992228021 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gfids | 0x1d000 | 0x94 | 0x200 | False | 0.240234375 | data | 1.25396659554 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x1e000 | 0x1e0 | 0x200 | False | 0.53125 | data | 4.71767883295 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x1f000 | 0x60c | 0x800 | False | 0.51953125 | data | 4.72307921116 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_MANIFEST | 0x1e060 | 0x17d | XML 1.0 document text | English | United States

Imports

DLL: KERNEL32.dll
Import: Sleep, CreateProcessA, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwindEx, InterlockedFlushSList, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameA, MultiByteToWideChar, WideCharToMultiByte, HeapFree, HeapAlloc, GetACP, GetStdHandle, GetFileType, LCMapStringW, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, GetStringTypeW, SetStdHandle, HeapSize, HeapReAlloc, WriteFile, GetConsoleCP, GetConsoleMode, SetFilePointerEx, FlushFileBuffers, WriteConsoleW, CloseHandle, RaiseException, CreateFileW

Possible Origin

Language of compilation system: English
Country where language is spoken: United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

• loaddll64.exe
• cmd.exe
• sc.exe
• sc.exe
• schtasks.exe
• regsvr32.exe
• regsvr32.exe

System Behavior

Analysis Process: loaddll64.exe PID: 160 Parent PID: 6080

General

Start time: 17:42:25
Start date: 08/10/2020
Path: C:\Windows\System32\loaddll64.exe
Wow64 process (32bit): false
Commandline: loaddll64.exe 'C:\Users\user\Desktop\comhij.dll'
Imagebase: 0x7ff635530000
File size: 143872 bytes
MD5 hash: A114C89B549F4E21B5564D7865BE5374
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Analysis Process: cmd.exe PID: 2712 Parent PID: 160

General

Start time: 17:42:26
Start date: 08/10/2020
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: /c sc config wercplsupport start= auto & sc start wercplsupport & copy c:\windows\System32\dialogex.dll c:\windows\System32\wercplsupporte.dll /y & schtasks /create /tn 'Windows Problems Collection' /tr 'regsvr32.exe /s c:\windows\System32\wercplsupporte.dll' /sc DAILY /st 20:02 /F /RU System & start '' regsvr32.exe /s c:\windows\System32\dialogex.dll
Imagebase: 0x7ff7180e0000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

File Written

Source: unknown
File Path: unknown
Length: 44
Value: 54 68 65 20 73 79 73 74 65 6d 20 63 61 6e 6e 6f 74 20 66 69 6e 64 20 74 68 65 20 66 69 6c 65 20 73 70 65 63 69 66 69 65 64 2e 0d 0a
Ascii: The system cannot find the file specified...
Completion: invalid handle
Count: 1
Address: 7FF7180F275B
Symbol: WriteFile

Analysis Process: sc.exe PID: 6400 Parent PID: 2712

General

Start time: 17:42:26
Start date: 08/10/2020
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: sc config wercplsupport start= auto
Imagebase: 0x7ff7c3280000
File size: 69120 bytes
MD5 hash: D79784553A9410D15E04766AAAB77CD6
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

File Written

Source: unknown
File Path: unknown
Length: 34
Value: 5b 53 43 5d 20 43 68 61 6e 67 65 53 65 72 76 69 63 65 43 6f 6e 66 69 67 20 53 55 43 43 45 53 53 0d 0a
Ascii: [SC] ChangeServiceConfig SUCCESS..
Completion: invalid handle
Count: 1
Address: 7FF7C3288B47
Symbol: WriteFile

Analysis Process: sc.exe PID: 2916 Parent PID: 2712

General

Start time: 17:42:27
Start date: 08/10/2020
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: sc start wercplsupport
Imagebase: 0x7ff7c3280000
File size: 69120 bytes
MD5 hash: D79784553A9410D15E04766AAAB77CD6
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

File Written

Source: unknown
File Path: unknown
Length: 417
Value: 0d 0a 53 45 52 56 49 43 45 5f 4e 41 4d 45 3a 20 77 65 72 63 70 6c 73 75 70 70 6f 72 74 20 0d 0a 20 20 20 20 20 20 20 20 54 59 50 45 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3a 20 33 30 20 20 57 49 4e 33 32 20 20 0d 0a 20 20 20 20 20 20 20 20 53 54 41 54 45 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3a 20 32 20 20 53 54 41 52 54 5f 50 45 4e 44 49 4e 47 20 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 28 4e 4f 54 5f 53 54 4f 50 50 41 42 4c 45 2c 20 4e 4f 54 5f 50 41 55 53 41 42 4c 45 2c 20 49 47 4e 4f 52 45 53 5f 53 48 55 54 44 4f 57 4e 29 0d 0a 20 20 20 20 20 20 20 20 57 49 4e 33 32 5f 45 58 49 54 5f 43 4f 44 45 20 20 20 20 3a 20 30 20 20 28 30 78 30 29 0d 0a 20 20 20 20 20 20 20 20 53 45 52 56 49
Ascii: ..SERVICE_NAME: wercplsupport .. TYPE : 30 WIN32 .. STATE : 2 START_PENDING .. (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN).. WIN32_EXIT_CODE : 0 (0x0).. SERVI
Completion: invalid handle
Count: 1
Address: 7FF7C3281C50
Symbol: WriteFile

Analysis Process: schtasks.exe PID: 4628 Parent PID: 2712

General

Start time: 17:42:29
Start date: 08/10/2020
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: schtasks /create /tn 'Windows Problems Collection' /tr 'regsvr32.exe /s c:\windows\System32\wercplsupporte.dll' /sc DAILY /st 20:02 /F /RU System
Imagebase: 0x7ff7224a0000
File size: 226816 bytes
MD5 hash: 838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Analysis Process: regsvr32.exe PID: 4792 Parent PID: 2712

General

Start time: 17:42:29
Start date: 08/10/2020
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: regsvr32.exe /s c:\windows\System32\dialogex.dll
Imagebase: 0x7ff6f8ec0000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: regsvr32.exe PID: 3032 Parent PID: 936

General

Start time: 17:42:31
Start date: 08/10/2020
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: regsvr32.exe /s c:\windows\System32\wercplsupporte.dll
Imagebase: 0x7ff6f8ec0000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Disassembly

Code Analysis
