Edit tour

Windows Analysis Report
newadvsplash.dll

Overview

General Information

Sample name:	newadvsplash.dll
Analysis ID:	1428518
MD5:	9bc6c411efa742a5de7d8372afafa2fa
SHA1:	2b57865e87c7ca2db97d0296d8cbe0183df2c2cf
SHA256:	0cac914c87d4e73875dea8544391e383f441d624ea5ec9a4864d056db161206c
Infos:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	true
Confidence:	100%

Signatures

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

One or more processes crash

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6372 cmdline: loaddll32.exe "C:\Users\user\Desktop\newadvsplash.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 6388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6600 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\newadvsplash.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 6672 cmdline: rundll32.exe "C:\Users\user\Desktop\newadvsplash.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6628 cmdline: rundll32.exe C:\Users\user\Desktop\newadvsplash.dll,hwnd MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6764 cmdline: rundll32.exe C:\Users\user\Desktop\newadvsplash.dll,play MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 7020 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6764 -s 628 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 2996 cmdline: rundll32.exe C:\Users\user\Desktop\newadvsplash.dll,show MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 6504 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 628 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 3756 cmdline: rundll32.exe "C:\Users\user\Desktop\newadvsplash.dll",hwnd MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6968 cmdline: rundll32.exe "C:\Users\user\Desktop\newadvsplash.dll",play MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 5664 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6968 -s 628 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 1060 cmdline: rundll32.exe "C:\Users\user\Desktop\newadvsplash.dll",show MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 6972 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 628 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 6992 cmdline: rundll32.exe "C:\Users\user\Desktop\newadvsplash.dll",stop MD5: 889B99C52A60DD49227C5E485A016679)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: newadvsplash.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: Amcache.hve.8.dr

String found in binary or memory: http://upx.sf.net

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6764 -s 628

Source: newadvsplash.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: classification engine

Classification label: clean3.winDLL@24/17@0/0

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1060
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6388:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6968
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6764
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2996

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\967e62dc-25a5-40e7-bc78-bfabbcac0167

Jump to behavior

Source: newadvsplash.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\newadvsplash.dll,hwnd

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\newadvsplash.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\newadvsplash.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\newadvsplash.dll,hwnd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\newadvsplash.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\newadvsplash.dll,play
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6764 -s 628
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\newadvsplash.dll,show
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 628
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\newadvsplash.dll",hwnd
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\newadvsplash.dll",play
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\newadvsplash.dll",show
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\newadvsplash.dll",stop
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6968 -s 628
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 628
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\newadvsplash.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\newadvsplash.dll,hwnd	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\newadvsplash.dll,play	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\newadvsplash.dll,show	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\newadvsplash.dll",hwnd	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\newadvsplash.dll",play	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\newadvsplash.dll",show	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\newadvsplash.dll",stop	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\newadvsplash.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: Amcache.hve.8.dr	Binary or memory string: VMware
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.8.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.8.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\newadvsplash.dll",#1

Jump to behavior

Source: Amcache.hve.8.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Rundll32	OS Credential Dumping	21 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
newadvsplash.dll	0%	ReversingLabs
newadvsplash.dll	1%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.8.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428518
Start date and time:	2024-04-19 05:14:50 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	newadvsplash.dll
Detection:	CLEAN
Classification:	clean3.winDLL@24/17@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 27
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target rundll32.exe, PID 2996 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 6764 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 6968 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.

Simulations

Behavior and APIs

Time	Type	Description
05:15:51	API Interceptor	1x Sleep call for process: loaddll32.exe modified
05:15:58	API Interceptor	4x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_2824bab859d35889dff863c9c9b5d719d6756866_7522e4b5_14ad5693-eaaf-4133-8ad1-39eb02a7164f\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8703206497046432
Encrypted:	false
SSDEEP:	192:QaeGiNO8w0BU/wjeTRlzuiFZZ24IO8dci:QAiE8LBU/wjenzuiFZY4IO8dci
MD5:	B28A1714CADC51BD89E2EE8B56090B89
SHA1:	0330333806A5EDA6705A5ACB5746497E80A48F8B
SHA-256:	5EEF31A3E0E2971552D29E4551CCC96E172CA53C4F8B46F6D21113E44004DE3C
SHA-512:	0783042266D6C314756F8D193A87D8868D40BFDA5EEEADF0E5FCEA786DFC78FD5879B2B396536D676D82C3FEA4E4E65DAE49949D37081A03F40A9CBE55043060
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.7.9.7.0.1.5.2.2.1.7.3.8.4.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.7.9.7.0.1.5.2.9.3.2.4.4.6.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.4.a.d.5.6.9.3.-.e.a.a.f.-.4.1.3.3.-.8.a.d.1.-.3.9.e.b.0.2.a.7.1.6.4.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.2.0.c.9.6.5.a.-.9.4.7.7.-.4.2.d.3.-.a.3.d.1.-.f.f.b.0.5.3.c.c.b.5.9.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.3.8.-.0.0.0.1.-.0.0.1.4.-.c.8.d.8.-.2.4.e.2.0.7.9.2.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_2824bab859d35889dff863c9c9b5d719d6756866_7522e4b5_168b1b20-02fd-4d70-93d2-09995b142d16\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8702045524156913
Encrypted:	false
SSDEEP:	96:qLp7FQx6i2hVyIsj94sJ7gof0QXIDcQvc6QcEVcw3cE/O/a/z+HbHg/BQAS/YyN0:CNi2OIw0BU/wjeTRlzuiFZZ24IO8dci
MD5:	30C6D36CF02FFA98CD0D5DAF498C46F2
SHA1:	E15A184C9F9B3612DAF9640B52B2EA7F901176FB
SHA-256:	BAE6C3769E21BFBCE2BC48C30984B76F48BDA376383178625495A4E754BE16B0
SHA-512:	9B35AE03B879F845F28F8771E5727B1FE92612DBACA23C3A92040E2B6D2DC81AAEEE52B1F8C5642152D23370713C5CF51452F737E587E195EBD3429369E18EFE
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.7.9.7.0.1.4.9.0.0.2.6.0.3.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.7.9.7.0.1.4.9.3.1.5.0.9.9.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.6.8.b.1.b.2.0.-.0.2.f.d.-.4.d.7.0.-.9.3.d.2.-.0.9.9.9.5.b.1.4.2.d.1.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.6.c.e.e.2.c.9.-.7.2.c.f.-.4.6.4.b.-.9.9.1.6.-.5.c.2.d.2.f.c.3.6.c.2.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.b.4.-.0.0.0.1.-.0.0.1.4.-.c.5.d.0.-.5.3.e.0.0.7.9.2.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_2824bab859d35889dff863c9c9b5d719d6756866_7522e4b5_f447ed26-44b0-4145-a12b-d0b00b85de75\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.869992645087777
Encrypted:	false
SSDEEP:	96:q1ApYFn6i0hVyLsj94sJ7gof0QXIDcQvc6QcEVcw3cE/O/a/z+HbHg/BQAS/YyNJ:Kci0OLw0BU/wjeTRlzuiFZZ24IO8dci
MD5:	ACA9F65AE62762E30CAD2CA0FEE2F9D8
SHA1:	80CA1A273A80BDECB5D89438E434FDC1CCFDF81E
SHA-256:	CEC4F8C206606E4A3180524F46F0670045EE63020AC405B96067A303082CC6A3
SHA-512:	B38336BD074D097F394CFAB8FB36C4D4AA5A1E0207ADAE95623F716A40BA58DACC030B44278825F825D8DD55A4C01A1ECB17973EF19AC197E48DC2DD77B24E29
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.7.9.7.0.1.5.2.2.3.0.0.8.1.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.7.9.7.0.1.5.2.9.4.5.1.4.0.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.4.4.7.e.d.2.6.-.4.4.b.0.-.4.1.4.5.-.a.1.2.b.-.d.0.b.0.0.b.8.5.d.e.7.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.c.5.1.8.a.e.c.-.d.f.2.b.-.4.f.e.0.-.a.7.a.9.-.f.6.e.0.b.f.1.7.c.f.4.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.4.2.4.-.0.0.0.1.-.0.0.1.4.-.6.5.2.7.-.2.6.e.2.0.7.9.2.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_2824bab859d35889dff863c9c9b5d719d6756866_7522e4b5_fefad15e-02a6-45e0-8ba1-606216b2d276\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8700258423352261
Encrypted:	false
SSDEEP:	96:qdp8F9k6i4hVyDsj94sJ7gof0QXIDcQvc6QcEVcw3cE/O/a/z+HbHg/BQAS/YyNh:XNi4ODw0BU/wjeT5lzuiFZZ24IO8dci
MD5:	9A2FF4AEAC2F5AD6061F69D99CA13D39
SHA1:	B478BC05A2414F0800D93198F5A9A2ED9420F7CB
SHA-256:	99F07A3FF6ABCC54AA5D6C239BDC022FF702569E84FF1C8DE035F377C1F83019
SHA-512:	17F01F5454A7CFC269D8A150641BE42B05761DE57CE7E1DAFCF31E254DDD855413AF45649B9E4653F392E66A9D0CB5D8AE9F776CFB213C5378DE3ACDE8B5AA11
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.7.9.7.0.1.4.6.1.7.6.7.4.8.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.7.9.7.0.1.4.6.4.8.9.2.4.7.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.e.f.a.d.1.5.e.-.0.2.a.6.-.4.5.e.0.-.8.b.a.1.-.6.0.6.2.1.6.b.2.d.2.7.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.a.b.e.6.c.5.b.-.1.e.2.c.-.4.d.e.d.-.b.3.5.a.-.e.a.7.c.8.9.2.0.b.8.1.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.6.c.-.0.0.0.1.-.0.0.1.4.-.a.d.1.d.-.8.7.d.e.0.7.9.2.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAC89.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Apr 19 03:15:46 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	41828
Entropy (8bit):	2.0310785327941896
Encrypted:	false
SSDEEP:	192:M+5eRS0o/qNJgO5H44vfWn2nxaaNYeyJR1HL:P5eAsNJ35HFvfiCxaaYekL
MD5:	04E3691EC8CBE6370A7081636243AC62
SHA1:	9563C59887F2216A3570F8D42C6D844751B671CB
SHA-256:	3551621F8601772208B9D9B3EBCECEFBED5DF329E5B9C25D75D263EE0F0549A0
SHA-512:	F0E86D45E7900D44783DA9BCB732673CBBBA2B86FCC0D8E00B3210C6A739C6CA8E8CA5CBD1B247B7412B2ABBCB78DF9CDC7E717C0B2F831EABBAE028C1963718
Malicious:	false
Preview:	MDMP..a..... .........!f.........................................)..........T.......8...........T...............T...........<...........(...............................................................................eJ..............GenuineIntel............T.......l.....!f.............................0..1...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAD26.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8264
Entropy (8bit):	3.6907729111254546
Encrypted:	false
SSDEEP:	192:R6l7wVeJmL606YSso67gmfTsVprT89bHhsfztm:R6lXJC606Y+67gmfTsMHafU
MD5:	0F9CB2E0409C90494ACED4FEF593ED76
SHA1:	A2BD5A4ADD04D6152D5CF03475E5B5DC7EDC3786
SHA-256:	81DDC7A1884737136FE521670980E2EEB56C98C244A2302211A19B3F3F128990
SHA-512:	F3EB2FE3B6C145E5E2443B78E3F5EB4625321208BD1F32A95366E4025C0C6AB0B8DDD67C372ADC540C7247DA8851AAB6CD2F4D644232E70CF4B09A60CCE5FD45
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAD47.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4654
Entropy (8bit):	4.45689474131313
Encrypted:	false
SSDEEP:	48:cvIwWl8zsVJg77aI9wrWpW8VYuYm8M4JCdPVFW+q8/fMGScSld:uIjfvI7+a7VmJ5VJ3ld
MD5:	9C05E34840052D6E81F73E87FC6AFC04
SHA1:	EC8623B4CF90C9D37D1737DA5BDFB7944C019E49
SHA-256:	9CC013FB1661C99B6B39F8D6D782AF644293FF243D7183F335A237D4199B4798
SHA-512:	A6E6C2F8BFD1E026133FA8BCA04CCEC9D6A7454C06004CAAF9C2382989BE084D8FBEC897FCDD73CB6DFC3AF4FCDEB1222C8D0AD5A37D0D39C34DADE6D84E286F
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="286218" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB7A5.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Apr 19 03:15:49 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	44156
Entropy (8bit):	2.0016977091669785
Encrypted:	false
SSDEEP:	192:P8t5eRSMo5qAESO5H4Cg9SGQODdyLCfeEjG26wqoeTw:Y5eAuLt5H9g9SGQAdyaeEjGt
MD5:	8258FFCDB554121220FDDF0B50C68BE4
SHA1:	35CAEC24AF628F1B51E2F6BF7A83E6187924318E
SHA-256:	7CE73A56FE6CDC01895FF7251862BE30341EDA406CF5E6BCB7A21CA5DF8FEBAB
SHA-512:	F26F301A3880AEDAE6B8D08AFBE69668DBEF2ECE211D8C4F8991A35C57B1B086956EA8BEA5CE061B015F14B11B8E833EC0F3A79964709A7B35D48E13EF0F6E9D
Malicious:	false
Preview:	MDMP..a..... .........!f.........................................)..........T.......8...........T...............l...........<...........(...............................................................................eJ..............GenuineIntel............T.............!f.............................0..1...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB804.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8264
Entropy (8bit):	3.6929275909402537
Encrypted:	false
SSDEEP:	192:R6l7wVeJx763u6YSM6zgmfTsVprT89bwbsfsQm:R6lXJ963u6Yp6zgmfTsMwgfK
MD5:	53CBB5DAA02675AD6F8260738EA82278
SHA1:	4ECF3C0F1B610EF5441D5D495E7225602F5DD31C
SHA-256:	D87FC40F0B646097B0D244462334AFD448BC13401BAEE3D320FA43B3DAFDF84C
SHA-512:	F7937106DAF4BA56D9BFA1A45C2C4810A0CD8CC2E32B8E8A4A84DB2BC9AF82BB2D6AE8BD73B09545E3BD60FD2C0CA4D56AD940DD51F213FD2B759FB04F6704D8
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.9.9.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB834.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4654
Entropy (8bit):	4.459612200668822
Encrypted:	false
SSDEEP:	48:cvIwWl8zsVJg77aI9wrWpW8VYeYm8M4JCdPVFln+q8/fSGScS0d:uIjfvI7+a7V6Jm/J30d
MD5:	C0531A974D9BB182A997C2E544985660
SHA1:	A8F58004B41E4A64EA03B5892A9434C15DFBDCCD
SHA-256:	7FA56710E85F9493A51B69B3D9BAB01B692C30B5C20DACA5365B80D14DAD1485
SHA-512:	6837142BA21D0B92ADFA8DA20FBEF7BAE31DDE2F35488643C3AC20C8D485D2D5942C77F905B9808238F5059DFE4DD918041680D3759A2B39F1DA896120793C2C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="286218" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC438.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Apr 19 03:15:52 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	43336
Entropy (8bit):	1.9768896939932683
Encrypted:	false
SSDEEP:	192:OJD5eRSNo5qcoO5H4xBf+JXCzMG5HFHqe1MHeuz:e5eAVu5HgBfQCgG5Hme
MD5:	FE7B6A757BBC6080840C82E611BE272F
SHA1:	D4490F867E15B8B72073C8139474AAC4492AB6F5
SHA-256:	8B96CAE1C5ED72C9FAB5F6F138AADFD941C4F6441215BC545E05DADC1672980D
SHA-512:	C681458F391B3C2C7769A97E2A98089EBFD738A5EAF729B5C3EF6A1711BDA82ECD021230FA8041461322CDAD216F1A50E80D6FC1444510D8A520DF78845230FD
Malicious:	false
Preview:	MDMP..a..... .........!f.........................................)..........T.......8...........T...............8...........<...........(...............................................................................eJ..............GenuineIntel............T.......8.....!f.............................0..1...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC447.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Apr 19 03:15:52 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	44436
Entropy (8bit):	1.9777458033276236
Encrypted:	false
SSDEEP:	192:OL5eRSvo5quO5H4N+cTMMSOQ9MPtpARmehxjWt0:o5eALp5HI+cTpSOQ9MPtaNU0
MD5:	7C79B93CB4C8CDE39A512B83BE08FD5E
SHA1:	CD6C0A6569665492DC3C78E685ECEA87BD5E30AC
SHA-256:	B3EBF9BA9A3042E19B97F722B9444D8E134834FC4F365DC13B36D5FA5BD8A1EA
SHA-512:	FB18B11A7984EB3B7B128927E091A043399E106D0AB64276D2AAFE494438ED0EDDCA69384EC74CC4A37F7257D8F3F1F82FDF3AF481741694323F1D2022FB07BC
Malicious:	false
Preview:	MDMP..a..... .........!f.........................................)..........T.......8...........T...........................<...........(...............................................................................eJ..............GenuineIntel............T.......$.....!f.............................0..1...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC4D5.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8256
Entropy (8bit):	3.690782308869914
Encrypted:	false
SSDEEP:	192:R6l7wVeJUA6Yt6Yiv6FgmfTsVprt89byNsfXymm:R6lXJL6Yt6Ya6FgmfTsSyGfq
MD5:	08CD8251F2934479C3583235ADF2FB88
SHA1:	8032BE3AF7CFC6AEE26EE16196A37CD50C3D4737
SHA-256:	1F42067A0F93B81DF26A38E9077A765FB337229DF6FAD0D752E0F892A15ADA39
SHA-512:	C5FC41874E5672AECC6068DCD935909C9D0DBAF4407BB7BFF7E73589E4531FF2CA247AA24B547C4458AFEAC6E19D61280CC0E9890F24EB99D5F1188562DD0FC3
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.6.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC4E5.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8256
Entropy (8bit):	3.6922530688472937
Encrypted:	false
SSDEEP:	192:R6l7wVeJMLx6w6YiZ6FgmfTsVprO89byKsfzmm:R6lXJMd6w6Y86FgmfTsfypfb
MD5:	47E291FCE32E5806E10077F5CF93BCAE
SHA1:	1B76153604BBD44B9F2A08A0F2993111C928859E
SHA-256:	D4B235610DF85DDDE844B3240D6DE2F37E5A2EF6CBE1C981FE3C78C20BAEDD29
SHA-512:	EDE21E59D0457D08314D9900182C78C5F7B065163141844BDFFC3CD91C71AF36DA9D0A19600CD6E7C539270F865EF6C1073096DFF5D994769C4412121603793B
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.0.6.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC534.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4654
Entropy (8bit):	4.460083656139062
Encrypted:	false
SSDEEP:	48:cvIwWl8zsVJg77aI9wrWpW8VYFYm8M4JCdPVFd+q8/fITAGScStd:uIjfvI7+a7VNJSlcJ3td
MD5:	827DD6199841128D75CA8D7D4CE9E077
SHA1:	54992F1165DB0E9373A2AB15ACCE5C6B7B48A382
SHA-256:	A1F688C1AA6F30EFC46102E0BBF034E87F7F07D61B011D9B94308C2F9278624F
SHA-512:	70AB0E8F27DFCDCD0CB0C8AB3486214FB381FF57AD9BFA69E3762441B44151982EEAA4D19E85616177BE3F2EE76B2BADE88C94DDDC634B9E58AB3B6F33080EF9
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="286218" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC5D0.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4654
Entropy (8bit):	4.458561017867401
Encrypted:	false
SSDEEP:	48:cvIwWl8zsVJg77aI9wrWpW8VYeAYm8M4JCdPVFrQa+q8/f4GScSad:uIjfvI7+a7VXNJza5J3ad
MD5:	D6AB9549AFB87C33DACE9996B7BB9BE2
SHA1:	8332BB0F1FD6B2C70DA9023DE02E27D0B925833D
SHA-256:	BB4A4501B092849A39CC64BA40FE1ABB52D82C62E1B0033B51899E3369BAA64E
SHA-512:	C09749F7FBDD633C4BAAC46A76D2757BF16C5A6A1DEC34AF5C4B8044BD9F83337B80D095A84DAC2A65DB21F6D428006480F7975504FDBE310B7C394ACC351390
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="286218" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.46624935486006
Encrypted:	false
SSDEEP:	6144:WIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNxdwBCswSbG:bXD94+WlLZMM6YFHT+G
MD5:	9BEAAB76FF412629985B984DB1E6F6E6
SHA1:	97343B87B2DAD05464CB7596922AEBE46843CDF7
SHA-256:	3D1A07B10A15ECE3AB4B7649FD88A9FF1008AFDC0366B124159CA82C9D2F24BA
SHA-512:	58EE1BFC4BD77D393732FD82F5EC9409A4BB3154F7E435A39C4973BCD61070C98B5844F640BFCB1969A2040B5A81075F5B7AD51733CDA8BD3DCC809EF548EBB7
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.(................................................................................................................................................................................................................................................................................................................................................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.429592886706823
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	newadvsplash.dll
File size:	8'704 bytes
MD5:	9bc6c411efa742a5de7d8372afafa2fa
SHA1:	2b57865e87c7ca2db97d0296d8cbe0183df2c2cf
SHA256:	0cac914c87d4e73875dea8544391e383f441d624ea5ec9a4864d056db161206c
SHA512:	092ef3f13a71a46df0f78a3b5eb4492bee32f1a12be27e0c534638ec7723b2a9aac23391768c352289df6a8988cbc6cf96ea22d8f1983b5ccf609e08d1db4bde
SSDEEP:	192:7p/MyET9lrRyFJb9kSw/T6rz91YrLV1hiI:7p/MyET90k7/T6rB1Yk
TLSH:	CA02C53671C166F3D3BA51F859836B1D4FEDA0352351A0218B7391D62CA4297FEA7703
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Fq..("..("..("..,"..("..("..("..;"..("..)"..("..;"..("..#"..("@.,"..("Rich..("................PE..L....)CG...........!.......

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x10001bac
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x474329B3 [Tue Nov 20 18:38:43 2007 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	eee37c14e102da3f62385f9796c701ce

Entrypoint Preview

Instruction
mov eax, dword ptr [esp+04h]
push 00000001h
mov dword ptr [10003090h], eax
pop eax
retn 000Ch
push ebp
mov ebp, esp
sub esp, 24h
push ebx
push esi
push edi
mov edi, dword ptr [ebp+08h]
mov esi, dword ptr [ebp+0Ch]
or dword ptr [ebp-08h], FFFFFFFFh
push 00000006h
lea eax, dword ptr [ebp-10h]
pop ebx
push ebx
push eax
push edi
call 00007F87E911A9CFh
add esp, 0Ch
cmp eax, ebx
jne 00007F87E911A6C6h
push ebx
lea eax, dword ptr [ebp-10h]
push 10003074h
push eax
call 00007F87E911A9B3h
add esp, 0Ch
test eax, eax
je 00007F87E911A66Ch
push ebx
lea eax, dword ptr [ebp-10h]
push 1000307Ch
push eax
call 00007F87E911A99Dh
add esp, 0Ch
test eax, eax
je 00007F87E911A656h
push 00000005h
jmp 00007F87E911A698h
push 00000007h
lea eax, dword ptr [ebp-18h]
pop ebx
push ebx
push eax
push edi
call 00007F87E911A98Ah
add esp, 0Ch
cmp eax, ebx
je 00007F87E911A659h
mov eax, ebx
jmp 00007F87E911A8C2h
mov al, byte ptr [ebp-14h]
and eax, ebx
test byte ptr [ebp-14h], FFFFFF80h
lea ecx, dword ptr [eax+01h]
mov dword ptr [esi+10h], ecx
je 00007F87E911A671h
push 00000003h
lea eax, dword ptr [esi+14h]
pop ebx
shl ebx, cl
push ebx
push eax
push edi
call 00007F87E911A95Bh
add esp, 0Ch
cmp eax, ebx
je 00007F87E911A67Ah
push 00000007h
pop eax
jmp 00007F87E911A892h
push 00000003h
lea eax, dword ptr [esi+14h]
pop edx
shl edx, cl
push edx
push 00000000h
push eax
call 00007F87E911A92Fh
or byte ptr [esi+19h], FFFFFFFFh

Rich Headers

Programming Language:

[LNK] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2700	0x75	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2130	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4000	0x1fc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x114	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xf6e	0x1000	078394702e3b33a4b0e7ce21f6a314ca	False	0.613525390625	data	5.993634441845734	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x775	0x800	2eecb7662addefb4920dadc9b170fa79	False	0.482421875	data	4.766760155626801	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3000	0x121	0x200	57ee42191345a6bad71ea355af516c36	False	0.248046875	Matlab v4 mat-file (little endian) p, sparse, rows 257, columns 2036427888	1.633861647378341	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x4000	0x27a	0x400	7272a7e17e27606a17b7d4f452582835	False	0.4853515625	data	4.072715018730573	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	MultiByteToWideChar, GetProcAddress, GetModuleHandleA, CloseHandle, CreateThread, lstrcpynA, lstrlenA, GetCurrentThreadId, Sleep, lstrcpyA, lstrcmpiA, lstrcatA, GlobalAlloc, GlobalFree, WaitForSingleObject
USER32.dll	DefWindowProcA, DestroyWindow, IsWindowVisible, UnregisterClassA, EnumDisplaySettingsA, wsprintfA, SetWindowPos, LoadCursorA, BeginPaint, CreateWindowExA, GetMessageA, TranslateMessage, DispatchMessageA, IsWindow, GetClientRect, SetWindowLongA, SetForegroundWindow, AttachThreadInput, GetWindowThreadProcessId, GetForegroundWindow, RegisterClassA, SystemParametersInfoA, SendMessageA, ShowWindow, PostMessageA, SetWindowRgn, EndPaint
GDI32.dll	CombineRgn, GetObjectA, CreateCompatibleDC, SelectObject, GetDIBits, CreateRectRgn, DeleteObject
MSVFW32.dll	MCIWndCreateA
WINMM.dll	timeSetEvent, PlaySoundA, timeKillEvent
OLEAUT32.dll	OleLoadPicturePath
MSVCRT.dll	_lseek, memset, memcmp, _read, memcpy, _close, _open, strtol

Exports

Name	Ordinal	Address
hwnd	1	0x10001b5e
play	2	0x1000127f
show	3	0x100016dc
stop	4	0x100019ac

Target ID:	0
Start time:	05:15:42
Start date:	19/04/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\newadvsplash.dll"
Imagebase:	0xc0000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:15:42
Start date:	19/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:15:42
Start date:	19/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\newadvsplash.dll",#1
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:15:42
Start date:	19/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\newadvsplash.dll,hwnd
Imagebase:	0x230000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:15:42
Start date:	19/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\newadvsplash.dll",#1
Imagebase:	0x230000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:15:45
Start date:	19/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\newadvsplash.dll,play
Imagebase:	0x230000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	05:15:45
Start date:	19/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6764 -s 628
Imagebase:	0xd60000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:15:48
Start date:	19/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\newadvsplash.dll,show
Imagebase:	0x230000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	05:15:48
Start date:	19/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 628
Imagebase:	0xd60000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	05:15:51
Start date:	19/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\newadvsplash.dll",hwnd
Imagebase:	0x230000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	05:15:51
Start date:	19/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\newadvsplash.dll",play
Imagebase:	0x230000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	05:15:51
Start date:	19/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\newadvsplash.dll",show
Imagebase:	0x230000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	05:15:51
Start date:	19/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\newadvsplash.dll",stop
Imagebase:	0x230000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	05:15:52
Start date:	19/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6968 -s 628
Imagebase:	0xd60000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	05:15:52
Start date:	19/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 628
Imagebase:	0xd60000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 10001BBB Relevance: 38.8, APIs: 19, Strings: 3, Instructions: 280COMMON

Download Yara Rule

APIs

_read.MSVCRT ref: 10001BD7
memcmp.MSVCRT ref: 10001BED
memcmp.MSVCRT ref: 10001C03
_read.MSVCRT ref: 10001C1C
_read.MSVCRT ref: 10001C4B
memset.MSVCRT ref: 10001C6B
_read.MSVCRT ref: 10001C88
_read.MSVCRT ref: 10001CAF
_read.MSVCRT ref: 10001D00
_read.MSVCRT ref: 10001D27
_read.MSVCRT ref: 10001D3D
_lseek.MSVCRT ref: 10001D54
_read.MSVCRT ref: 10001D6D
_read.MSVCRT ref: 10001D83
_lseek.MSVCRT ref: 10001DA2
_read.MSVCRT ref: 10001DAD
_lseek.MSVCRT ref: 10001DDA
_read.MSVCRT ref: 10001DF4

Strings

;, xrefs: 10001E7E
GIF89a, xrefs: 10001BFD
GIF87a, xrefs: 10001BE7

Memory Dump Source

Source File: 00000005.00000002.1866754982.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.1866736405.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1866771159.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1866787502.0000000010003000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1866805628.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Similarity

API ID: _read$_lseek$memcmp$memset
String ID: ;$GIF87a$GIF89a
API String ID: 1644322006-3016656665
Opcode ID: 4f4a161c639526b64d83bce3c9706c14373bd2a6221ddef19f0586687814ebf0
Instruction ID: ab14dbe8ec25d23e52d0a0a6250c50f5e40e28a3088dd02f9076d74bd2d26e4c
Opcode Fuzzy Hash: 4f4a161c639526b64d83bce3c9706c14373bd2a6221ddef19f0586687814ebf0
Instruction Fuzzy Hash: E691F9B280468A6EF711CA60CC81FFF7BEDDB052E4F14446AFD69D5185E324EA488762

Uniqueness

Uniqueness Score: -1.00%

Function 100016DC Relevance: 38.7, APIs: 16, Strings: 6, Instructions: 200stringthreadcomCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 100016E7

Part of subcall function 10001391: lstrcpyA.KERNEL32(?,?,play,100012C6,?), ref: 100013A9
Part of subcall function 10001391: GlobalFree.KERNEL32(play), ref: 100013BA

strtol.MSVCRT ref: 1000171C
strtol.MSVCRT ref: 1000173E
strtol.MSVCRT ref: 10001760
strtol.MSVCRT ref: 10001782
lstrcmpiA.KERNEL32(0000002F,/nocancel), ref: 100017BA
lstrcmpiA.KERNEL32(0000002F,/passive), ref: 100017D5
EnumDisplaySettingsA.USER32(00000000,?,?), ref: 10001829
GetModuleHandleA.KERNEL32(user32,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1000183D
GetProcAddress.KERNEL32(00000000,SetLayeredWindowAttributes), ref: 10001849
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000104,?,?,?,?,?,?,?,?,?), ref: 100018F7
OleLoadPicturePath.OLEAUT32(?,00000000,00000000,00000000,10002120,10003118), ref: 10001911
UnregisterClassA.USER32(?), ref: 10001956
CreateThread.KERNEL32(00000000,00000000,100013CB,00000000,00000000,?), ref: 1000196B
IsWindowVisible.USER32(00000000), ref: 10001980
Sleep.KERNEL32(0000000A,?,?,00000104,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1000198C

Strings

/nocancel, xrefs: 100017B4
user32, xrefs: 10001838
SetLayeredWindowAttributes, xrefs: 10001843
/, xrefs: 100017A5
, xrefs: 1000182F
/passive, xrefs: 100017CF

Memory Dump Source

Source File: 00000005.00000002.1866754982.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.1866736405.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1866771159.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1866787502.0000000010003000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1866805628.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Similarity

API ID: strtol$Threadlstrcmpi$AddressByteCharClassCreateCurrentDisplayEnumFreeGlobalHandleLoadModuleMultiPathPictureProcSettingsSleepUnregisterVisibleWideWindowlstrcpy
String ID: $/$/nocancel$/passive$SetLayeredWindowAttributes$user32
API String ID: 2566538546-4237892920
Opcode ID: 247d67194737215ebdc2a93959d0f9179d56def93fe1df6c76eef458194bc551
Instruction ID: a3a8cb6ee60f1ab520b37688dbef40d18398f4cb317f0d28f3f58c925ff2203f
Opcode Fuzzy Hash: 247d67194737215ebdc2a93959d0f9179d56def93fe1df6c76eef458194bc551
Instruction Fuzzy Hash: 50714FB5905229EFF712CB61CCD6ADB77BCEB083C4F00C466E549D2159EB709A888F61

Uniqueness

Uniqueness Score: -1.00%

Function 1000103C Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000000,00000000,_sp,00000000), ref: 1000108D
CreateCompatibleDC.GDI32(00000000), ref: 1000109C
SelectObject.GDI32(00000000), ref: 100010AC
GetDIBits.GDI32(?,00000000,00000000,00000028,00000000), ref: 100010C8
CreateRectRgn.GDI32(00000000,00000000), ref: 100010E2
CreateRectRgn.GDI32(?,-00000001,?,?), ref: 10001155
CombineRgn.GDI32(100014BC,100014BC,00000000,00000003), ref: 10001163
DeleteObject.GDI32(?), ref: 1000116C
SetWindowRgn.USER32(?,100014BC,00000001), ref: 1000119C
DeleteObject.GDI32(100014BC), ref: 100011A5
DeleteObject.GDI32(?), ref: 100011AA
GlobalFree.KERNEL32(?), ref: 100011AF

Strings

, xrefs: 10001072
(, xrefs: 10001062
_sp, xrefs: 10001055

Memory Dump Source

Source File: 00000005.00000002.1866754982.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.1866736405.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1866771159.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1866787502.0000000010003000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1866805628.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Similarity

API ID: Object$CreateDelete$GlobalRect$AllocBitsCombineCompatibleFreeSelectWindow
String ID: $($_sp
API String ID: 2139451681-603639786
Opcode ID: defff89bcc057d18feec87a9dfcfc9dda377938f87e52fd26b5d3971be7515f9
Instruction ID: 443b8ba32a8eed289a3bed2c2def7bd03334e0efb226090786353cc7b566566d
Opcode Fuzzy Hash: defff89bcc057d18feec87a9dfcfc9dda377938f87e52fd26b5d3971be7515f9
Instruction Fuzzy Hash: F2414B71D01229EFEF16CF90DC849EEBBBAFF48380F20811AE601A2264C7315A45DF90

Uniqueness

Uniqueness Score: -1.00%

Function 100013CB Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 129windowregistryCOMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F00), ref: 100013EF
RegisterClassA.USER32(100030C0), ref: 1000140A
GetObjectA.GDI32(00000018,100030A8), ref: 10001436
CreateWindowExA.USER32(00000000,_sp,_sp,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 1000146E
timeSetEvent.WINMM(00000008,100011BA,00000001), ref: 100014E2
IsWindow.USER32 ref: 100014F9
GetMessageA.USER32(?,00000000,00000000), ref: 1000150B
TranslateMessage.USER32(?), ref: 10001519
DispatchMessageA.USER32(?), ref: 10001523
IsWindow.USER32(00000000), ref: 1000153B
SendMessageA.USER32(00000010,00000000,00000000), ref: 1000154B
PlaySoundA.WINMM(00000000,00000000,00000000,?,?,?,?,?,00000104,?,?,?,?,?,?), ref: 1000156B

Strings

_sp, xrefs: 100013F5, 10001469, 1000146C

Memory Dump Source

Source File: 00000005.00000002.1866754982.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.1866736405.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1866771159.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1866787502.0000000010003000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1866805628.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Similarity

API ID: Message$Window$ClassCreateCursorDispatchEventLoadObjectPlayRegisterSendSoundTranslatetime
String ID: _sp
API String ID: 3149607642-3434539926
Opcode ID: a2c1ba3c3305b83aaedef59b5378115774cd37c6ac2417f510c30f497a65bc11
Instruction ID: e6bc9b32f9051cb428cc47af31c85f0ffb573052bd2de18e104081983c3da1d9
Opcode Fuzzy Hash: a2c1ba3c3305b83aaedef59b5378115774cd37c6ac2417f510c30f497a65bc11
Instruction Fuzzy Hash: 12414470A01621EFFB12CB66CCD9E973BBDFB897C2B008529F60586279D7318841CB60

Uniqueness

Uniqueness Score: -1.00%

Function 100019AC Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 104synchronizationstringsleepCOMMON

Download Yara Rule

APIs

Part of subcall function 10001391: lstrcpyA.KERNEL32(?,?,play,100012C6,?), ref: 100013A9
Part of subcall function 10001391: GlobalFree.KERNEL32(play), ref: 100013BA

lstrcmpiA.KERNEL32(?,/fadeout), ref: 100019F5
stop.NEWADVSPLASH(?,?,?,?,?,?), ref: 10001A0F
WaitForSingleObject.KERNEL32(?,?,?), ref: 10001A58
lstrcmpiA.KERNEL32(?,/wait), ref: 10001A63
WaitForSingleObject.KERNEL32(00000003,?), ref: 10001A9B
IsWindow.USER32(?), ref: 10001AAE
SendMessageA.USER32(00000113,00000000,00000000), ref: 10001AC5
WaitForSingleObject.KERNEL32(000003E8), ref: 10001AD6
CloseHandle.KERNEL32 ref: 10001ADE
UnregisterClassA.USER32 ref: 10001AF6
Sleep.KERNEL32(0000000A), ref: 10001AFE

Strings

/fadeout, xrefs: 100019EF
/wait, xrefs: 10001A5D

Memory Dump Source

Source File: 00000005.00000002.1866754982.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.1866736405.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1866771159.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1866787502.0000000010003000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1866805628.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Similarity

API ID: ObjectSingleWait$lstrcmpi$ClassCloseFreeGlobalHandleMessageSendSleepUnregisterWindowlstrcpystop
String ID: /fadeout$/wait
API String ID: 3084239452-2082618422
Opcode ID: c6d6f2c23090cdc0f53fe60711dbe15e9a396be31b19294a83937cb7207dd3f3
Instruction ID: 74a161a0c42bc7f0ded7157649f8f774d35bc99b0ded71235a3226dadd583209
Opcode Fuzzy Hash: c6d6f2c23090cdc0f53fe60711dbe15e9a396be31b19294a83937cb7207dd3f3
Instruction Fuzzy Hash: 89313D71602226EFFB12DF60CCE6EDA7BADEB053C5B01C026E6049617DD7319945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 1000127F Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 91windowstringCOMMON

Download Yara Rule

APIs

Part of subcall function 10001391: lstrcpyA.KERNEL32(?,?,play,100012C6,?), ref: 100013A9
Part of subcall function 10001391: GlobalFree.KERNEL32(play), ref: 100013BA

lstrcmpiA.KERNEL32(?,/loop), ref: 100012DA
lstrcatA.KERNEL32(?, repeat), ref: 100012EF
IsWindow.USER32(00000000), ref: 10001319
SendMessageA.USER32(00000010,00000000,00000000), ref: 1000132D
MCIWndCreateA.MSVFW32(?,00000000,00000002,?), ref: 10001348
ShowWindow.USER32(00000000,00000000), ref: 1000135B
SendMessageA.USER32(00000490,00000000,00000000), ref: 10001374
SendMessageA.USER32(00000465,00000000,?), ref: 1000138A

Strings

/loop, xrefs: 100012D4
repeat, xrefs: 100012E9
play, xrefs: 1000128B

Memory Dump Source

Source File: 00000005.00000002.1866754982.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.1866736405.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1866771159.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1866787502.0000000010003000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1866805628.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Similarity

API ID: MessageSend$Window$CreateFreeGlobalShowlstrcatlstrcmpilstrcpy
String ID: repeat$/loop$play
API String ID: 3660629810-890840800
Opcode ID: 95bb0b1a6ed8e27fac21a1510b2401407bee353cf1146c80af158e7f869a67f9
Instruction ID: f7067f49b8ce5df945ad2e355731b84990f5a30851f9aba2a16d427cbeeb495c
Opcode Fuzzy Hash: 95bb0b1a6ed8e27fac21a1510b2401407bee353cf1146c80af158e7f869a67f9
Instruction Fuzzy Hash: 24310AB1900229AFFB11DB64CC84ADB7BECEB083C4F008566F604E6159E775EE548EA0

Uniqueness

Uniqueness Score: -1.00%

Function 10001579 Relevance: 15.1, APIs: 10, Instructions: 129COMMON

Download Yara Rule

APIs

timeKillEvent.WINMM ref: 100015B5
PlaySoundA.WINMM(00000000,00000000,00000000), ref: 100015CF
DestroyWindow.USER32(?), ref: 100015D8
DefWindowProcA.USER32(?,?,?,?), ref: 100015EA
BeginPaint.USER32(?,?), ref: 100015FC
GetClientRect.USER32(?,?), ref: 10001613
EndPaint.USER32(?,?), ref: 10001671
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 10001686
SetWindowLongA.USER32(?,000000F0,00000000), ref: 10001692
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000044), ref: 100016CE

Memory Dump Source

Source File: 00000005.00000002.1866754982.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.1866736405.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1866771159.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1866787502.0000000010003000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1866805628.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Paint$BeginClientDestroyEventInfoKillLongParametersPlayProcRectSoundSystemtime
String ID:
API String ID: 3727496372-0
Opcode ID: 4a184da1d31787eb103406e5fae2125ab06ca05df0c2250890ecf0326e8422cc
Instruction ID: 2268aec3e567ff5bc94b7250f85f29b164a63c8fca58fdafc73b740dcb6aa661
Opcode Fuzzy Hash: 4a184da1d31787eb103406e5fae2125ab06ca05df0c2250890ecf0326e8422cc
Instruction Fuzzy Hash: B441E87250011AFFEB01CFE4CD89DEE7BBAEB48385F108114F6059A169D7319E85DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10001EA1 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 52stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,.gif), ref: 10001EB4
lstrcmpiA.KERNEL32(?), ref: 10001EBF
_open.MSVCRT ref: 10001ED6
_close.MSVCRT ref: 10001EF9
memcpy.MSVCRT ref: 10001F25

Strings

.gif, xrefs: 10001EAE

Memory Dump Source

Source File: 00000005.00000002.1866754982.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.1866736405.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1866771159.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1866787502.0000000010003000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1866805628.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Similarity

API ID: _close_openlstrcmpilstrlenmemcpy
String ID: .gif
API String ID: 2844665498-1021300279
Opcode ID: 3cffe85df737e646b1d3b49a1d63581c8dba693fe8338c044406ca8efd5e9a07
Instruction ID: 2c3d1d5f5064721856c2e5df9e8e33a79122b57ce5c3316ddc064795b00bbb47
Opcode Fuzzy Hash: 3cffe85df737e646b1d3b49a1d63581c8dba693fe8338c044406ca8efd5e9a07
Instruction Fuzzy Hash: E611613581420AABEB10CB68DC85AED77B8EF047E4F208775F929D60D5EB34E7558A80

Uniqueness

Uniqueness Score: -1.00%

Function 10001000 Relevance: 9.0, APIs: 6, Instructions: 25threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 10001003
GetForegroundWindow.USER32(00000000,?,?,00000000,100019A7,?,?,00000104,?,?,?,?,?,?), ref: 1000100D
GetWindowThreadProcessId.USER32(00000000), ref: 10001014
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,00000000,100019A7,?,?,00000104,?,?,?,?,?,?), ref: 10001026
SetForegroundWindow.USER32(00000104), ref: 1000102C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,00000000,100019A7,?,?,00000104,?,?,?,?,?,?), ref: 10001036

Memory Dump Source

Source File: 00000005.00000002.1866754982.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.1866736405.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1866771159.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1866787502.0000000010003000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1866805628.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Similarity

API ID: Thread$Window$AttachForegroundInput$CurrentProcess
String ID:
API String ID: 2613519895-0
Opcode ID: a215d5a4d22534b256d48cf7891d9fba3e6d4de3984394a3f2c7dc878b779262
Instruction ID: a5834dc10bb954abe9c812e520c7fb4d8dd8d4515b90736262e8dd16f5beccb2
Opcode Fuzzy Hash: a215d5a4d22534b256d48cf7891d9fba3e6d4de3984394a3f2c7dc878b779262
Instruction Fuzzy Hash: 5FE0B672601360ABFA102BF18CCCF5B7E2DEB857E2F004826F602961A6CA754841CB60

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 2996, Parent PID: 6372COMMON

Non-executed Functions

Function 10001BBB Relevance: 38.8, APIs: 19, Strings: 3, Instructions: 280COMMON

Download Yara Rule

APIs

_read.MSVCRT ref: 10001BD7
memcmp.MSVCRT ref: 10001BED
memcmp.MSVCRT ref: 10001C03
_read.MSVCRT ref: 10001C1C
_read.MSVCRT ref: 10001C4B
memset.MSVCRT ref: 10001C6B
_read.MSVCRT ref: 10001C88
_read.MSVCRT ref: 10001CAF
_read.MSVCRT ref: 10001D00
_read.MSVCRT ref: 10001D27
_read.MSVCRT ref: 10001D3D
_lseek.MSVCRT ref: 10001D54
_read.MSVCRT ref: 10001D6D
_read.MSVCRT ref: 10001D83
_lseek.MSVCRT ref: 10001DA2
_read.MSVCRT ref: 10001DAD
_lseek.MSVCRT ref: 10001DDA
_read.MSVCRT ref: 10001DF4

Strings

;, xrefs: 10001E7E
GIF89a, xrefs: 10001BFD
GIF87a, xrefs: 10001BE7

Memory Dump Source

Source File: 00000009.00000002.1846835297.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.1846819820.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1846854669.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1846870806.0000000010003000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1846889027.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Similarity

API ID: _read$_lseek$memcmp$memset
String ID: ;$GIF87a$GIF89a
API String ID: 1644322006-3016656665
Opcode ID: 4f4a161c639526b64d83bce3c9706c14373bd2a6221ddef19f0586687814ebf0
Instruction ID: ab14dbe8ec25d23e52d0a0a6250c50f5e40e28a3088dd02f9076d74bd2d26e4c
Opcode Fuzzy Hash: 4f4a161c639526b64d83bce3c9706c14373bd2a6221ddef19f0586687814ebf0
Instruction Fuzzy Hash: E691F9B280468A6EF711CA60CC81FFF7BEDDB052E4F14446AFD69D5185E324EA488762

Uniqueness

Uniqueness Score: -1.00%

Function 100016DC Relevance: 38.7, APIs: 16, Strings: 6, Instructions: 200stringthreadcomCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 100016E7

Part of subcall function 10001391: lstrcpyA.KERNEL32(?,?,play,100012C6,?), ref: 100013A9
Part of subcall function 10001391: GlobalFree.KERNEL32(play), ref: 100013BA

strtol.MSVCRT ref: 1000171C
strtol.MSVCRT ref: 1000173E
strtol.MSVCRT ref: 10001760
strtol.MSVCRT ref: 10001782
lstrcmpiA.KERNEL32(0000002F,/nocancel), ref: 100017BA
lstrcmpiA.KERNEL32(0000002F,/passive), ref: 100017D5
EnumDisplaySettingsA.USER32(00000000,?,?), ref: 10001829
GetModuleHandleA.KERNEL32(user32,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1000183D
GetProcAddress.KERNEL32(00000000,SetLayeredWindowAttributes), ref: 10001849
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000104,?,?,?,?,?,?,?,?,?), ref: 100018F7
OleLoadPicturePath.OLEAUT32(?,00000000,00000000,00000000,10002120,10003118), ref: 10001911
UnregisterClassA.USER32(?), ref: 10001956
CreateThread.KERNEL32(00000000,00000000,100013CB,00000000,00000000,?), ref: 1000196B
IsWindowVisible.USER32(00000000), ref: 10001980
Sleep.KERNEL32(0000000A,?,?,00000104,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1000198C

Strings

/, xrefs: 100017A5
SetLayeredWindowAttributes, xrefs: 10001843
, xrefs: 1000182F
/passive, xrefs: 100017CF
/nocancel, xrefs: 100017B4
user32, xrefs: 10001838

Memory Dump Source

Source File: 00000009.00000002.1846835297.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.1846819820.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1846854669.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1846870806.0000000010003000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1846889027.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Similarity

API ID: strtol$Threadlstrcmpi$AddressByteCharClassCreateCurrentDisplayEnumFreeGlobalHandleLoadModuleMultiPathPictureProcSettingsSleepUnregisterVisibleWideWindowlstrcpy
String ID: $/$/nocancel$/passive$SetLayeredWindowAttributes$user32
API String ID: 2566538546-4237892920
Opcode ID: 247d67194737215ebdc2a93959d0f9179d56def93fe1df6c76eef458194bc551
Instruction ID: a3a8cb6ee60f1ab520b37688dbef40d18398f4cb317f0d28f3f58c925ff2203f
Opcode Fuzzy Hash: 247d67194737215ebdc2a93959d0f9179d56def93fe1df6c76eef458194bc551
Instruction Fuzzy Hash: 50714FB5905229EFF712CB61CCD6ADB77BCEB083C4F00C466E549D2159EB709A888F61

Uniqueness

Uniqueness Score: -1.00%

Function 1000103C Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000000,00000000,_sp,00000000), ref: 1000108D
CreateCompatibleDC.GDI32(00000000), ref: 1000109C
SelectObject.GDI32(00000000), ref: 100010AC
GetDIBits.GDI32(?,00000000,00000000,00000028,00000000), ref: 100010C8
CreateRectRgn.GDI32(00000000,00000000), ref: 100010E2
CreateRectRgn.GDI32(?,-00000001,?,?), ref: 10001155
CombineRgn.GDI32(100014BC,100014BC,00000000,00000003), ref: 10001163
DeleteObject.GDI32(?), ref: 1000116C
SetWindowRgn.USER32(?,100014BC,00000001), ref: 1000119C
DeleteObject.GDI32(100014BC), ref: 100011A5
DeleteObject.GDI32(?), ref: 100011AA
GlobalFree.KERNEL32(?), ref: 100011AF

Strings

_sp, xrefs: 10001055
, xrefs: 10001072
(, xrefs: 10001062

Memory Dump Source

Source File: 00000009.00000002.1846835297.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.1846819820.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1846854669.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1846870806.0000000010003000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1846889027.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Similarity

API ID: Object$CreateDelete$GlobalRect$AllocBitsCombineCompatibleFreeSelectWindow
String ID: $($_sp
API String ID: 2139451681-603639786
Opcode ID: defff89bcc057d18feec87a9dfcfc9dda377938f87e52fd26b5d3971be7515f9
Instruction ID: 443b8ba32a8eed289a3bed2c2def7bd03334e0efb226090786353cc7b566566d
Opcode Fuzzy Hash: defff89bcc057d18feec87a9dfcfc9dda377938f87e52fd26b5d3971be7515f9
Instruction Fuzzy Hash: F2414B71D01229EFEF16CF90DC849EEBBBAFF48380F20811AE601A2264C7315A45DF90

Uniqueness

Uniqueness Score: -1.00%

Function 100013CB Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 129windowregistryCOMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F00), ref: 100013EF
RegisterClassA.USER32(100030C0), ref: 1000140A
GetObjectA.GDI32(00000018,100030A8), ref: 10001436
CreateWindowExA.USER32(00000000,_sp,_sp,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 1000146E
timeSetEvent.WINMM(00000008,100011BA,00000001), ref: 100014E2
IsWindow.USER32 ref: 100014F9
GetMessageA.USER32(?,00000000,00000000), ref: 1000150B
TranslateMessage.USER32(?), ref: 10001519
DispatchMessageA.USER32(?), ref: 10001523
IsWindow.USER32(00000000), ref: 1000153B
SendMessageA.USER32(00000010,00000000,00000000), ref: 1000154B
PlaySoundA.WINMM(00000000,00000000,00000000,?,?,?,?,?,00000104,?,?,?,?,?,?), ref: 1000156B

Strings

_sp, xrefs: 100013F5, 10001469, 1000146C

Memory Dump Source

Source File: 00000009.00000002.1846835297.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.1846819820.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1846854669.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1846870806.0000000010003000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1846889027.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Similarity

API ID: Message$Window$ClassCreateCursorDispatchEventLoadObjectPlayRegisterSendSoundTranslatetime
String ID: _sp
API String ID: 3149607642-3434539926
Opcode ID: a2c1ba3c3305b83aaedef59b5378115774cd37c6ac2417f510c30f497a65bc11
Instruction ID: e6bc9b32f9051cb428cc47af31c85f0ffb573052bd2de18e104081983c3da1d9
Opcode Fuzzy Hash: a2c1ba3c3305b83aaedef59b5378115774cd37c6ac2417f510c30f497a65bc11
Instruction Fuzzy Hash: 12414470A01621EFFB12CB66CCD9E973BBDFB897C2B008529F60586279D7318841CB60

Uniqueness

Uniqueness Score: -1.00%

Function 100019AC Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 104synchronizationstringsleepCOMMON

Download Yara Rule

APIs

Part of subcall function 10001391: lstrcpyA.KERNEL32(?,?,play,100012C6,?), ref: 100013A9
Part of subcall function 10001391: GlobalFree.KERNEL32(play), ref: 100013BA

lstrcmpiA.KERNEL32(?,/fadeout), ref: 100019F5
stop.NEWADVSPLASH(?,?,?,?,?,?), ref: 10001A0F
WaitForSingleObject.KERNEL32(?,?,?), ref: 10001A58
lstrcmpiA.KERNEL32(?,/wait), ref: 10001A63
WaitForSingleObject.KERNEL32(00000003,?), ref: 10001A9B
IsWindow.USER32(?), ref: 10001AAE
SendMessageA.USER32(00000113,00000000,00000000), ref: 10001AC5
WaitForSingleObject.KERNEL32(000003E8), ref: 10001AD6
CloseHandle.KERNEL32 ref: 10001ADE
UnregisterClassA.USER32 ref: 10001AF6
Sleep.KERNEL32(0000000A), ref: 10001AFE

Strings

/wait, xrefs: 10001A5D
/fadeout, xrefs: 100019EF

Memory Dump Source

Source File: 00000009.00000002.1846835297.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.1846819820.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1846854669.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1846870806.0000000010003000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1846889027.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Similarity

API ID: ObjectSingleWait$lstrcmpi$ClassCloseFreeGlobalHandleMessageSendSleepUnregisterWindowlstrcpystop
String ID: /fadeout$/wait
API String ID: 3084239452-2082618422
Opcode ID: c6d6f2c23090cdc0f53fe60711dbe15e9a396be31b19294a83937cb7207dd3f3
Instruction ID: 74a161a0c42bc7f0ded7157649f8f774d35bc99b0ded71235a3226dadd583209
Opcode Fuzzy Hash: c6d6f2c23090cdc0f53fe60711dbe15e9a396be31b19294a83937cb7207dd3f3
Instruction Fuzzy Hash: 89313D71602226EFFB12DF60CCE6EDA7BADEB053C5B01C026E6049617DD7319945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 1000127F Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 91windowstringCOMMON

Download Yara Rule

APIs

Part of subcall function 10001391: lstrcpyA.KERNEL32(?,?,play,100012C6,?), ref: 100013A9
Part of subcall function 10001391: GlobalFree.KERNEL32(play), ref: 100013BA

lstrcmpiA.KERNEL32(?,/loop), ref: 100012DA
lstrcatA.KERNEL32(?, repeat), ref: 100012EF
IsWindow.USER32(00000000), ref: 10001319
SendMessageA.USER32(00000010,00000000,00000000), ref: 1000132D
MCIWndCreateA.MSVFW32(?,00000000,00000002,?), ref: 10001348
ShowWindow.USER32(00000000,00000000), ref: 1000135B
SendMessageA.USER32(00000490,00000000,00000000), ref: 10001374
SendMessageA.USER32(00000465,00000000,?), ref: 1000138A

Strings

play, xrefs: 1000128B
/loop, xrefs: 100012D4
repeat, xrefs: 100012E9

Memory Dump Source

Source File: 00000009.00000002.1846835297.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.1846819820.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1846854669.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1846870806.0000000010003000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1846889027.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Similarity

API ID: MessageSend$Window$CreateFreeGlobalShowlstrcatlstrcmpilstrcpy
String ID: repeat$/loop$play
API String ID: 3660629810-890840800
Opcode ID: 95bb0b1a6ed8e27fac21a1510b2401407bee353cf1146c80af158e7f869a67f9
Instruction ID: f7067f49b8ce5df945ad2e355731b84990f5a30851f9aba2a16d427cbeeb495c
Opcode Fuzzy Hash: 95bb0b1a6ed8e27fac21a1510b2401407bee353cf1146c80af158e7f869a67f9
Instruction Fuzzy Hash: 24310AB1900229AFFB11DB64CC84ADB7BECEB083C4F008566F604E6159E775EE548EA0

Uniqueness

Uniqueness Score: -1.00%

Function 10001579 Relevance: 15.1, APIs: 10, Instructions: 129COMMON

Download Yara Rule

APIs

timeKillEvent.WINMM ref: 100015B5
PlaySoundA.WINMM(00000000,00000000,00000000), ref: 100015CF
DestroyWindow.USER32(?), ref: 100015D8
DefWindowProcA.USER32(?,?,?,?), ref: 100015EA
BeginPaint.USER32(?,?), ref: 100015FC
GetClientRect.USER32(?,?), ref: 10001613
EndPaint.USER32(?,?), ref: 10001671
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 10001686
SetWindowLongA.USER32(?,000000F0,00000000), ref: 10001692
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000044), ref: 100016CE

Memory Dump Source

Source File: 00000009.00000002.1846835297.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.1846819820.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1846854669.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1846870806.0000000010003000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1846889027.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Paint$BeginClientDestroyEventInfoKillLongParametersPlayProcRectSoundSystemtime
String ID:
API String ID: 3727496372-0
Opcode ID: 4a184da1d31787eb103406e5fae2125ab06ca05df0c2250890ecf0326e8422cc
Instruction ID: 2268aec3e567ff5bc94b7250f85f29b164a63c8fca58fdafc73b740dcb6aa661
Opcode Fuzzy Hash: 4a184da1d31787eb103406e5fae2125ab06ca05df0c2250890ecf0326e8422cc
Instruction Fuzzy Hash: B441E87250011AFFEB01CFE4CD89DEE7BBAEB48385F108114F6059A169D7319E85DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10001EA1 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 52stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,.gif), ref: 10001EB4
lstrcmpiA.KERNEL32(?), ref: 10001EBF
_open.MSVCRT ref: 10001ED6
_close.MSVCRT ref: 10001EF9
memcpy.MSVCRT ref: 10001F25

Strings

.gif, xrefs: 10001EAE

Memory Dump Source

Source File: 00000009.00000002.1846835297.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.1846819820.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1846854669.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1846870806.0000000010003000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1846889027.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Similarity

API ID: _close_openlstrcmpilstrlenmemcpy
String ID: .gif
API String ID: 2844665498-1021300279
Opcode ID: 3cffe85df737e646b1d3b49a1d63581c8dba693fe8338c044406ca8efd5e9a07
Instruction ID: 2c3d1d5f5064721856c2e5df9e8e33a79122b57ce5c3316ddc064795b00bbb47
Opcode Fuzzy Hash: 3cffe85df737e646b1d3b49a1d63581c8dba693fe8338c044406ca8efd5e9a07
Instruction Fuzzy Hash: E611613581420AABEB10CB68DC85AED77B8EF047E4F208775F929D60D5EB34E7558A80

Uniqueness

Uniqueness Score: -1.00%

Function 10001000 Relevance: 9.0, APIs: 6, Instructions: 25threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 10001003
GetForegroundWindow.USER32(00000000,?,?,00000000,100019A7,?,?,00000104,?,?,?,?,?,?), ref: 1000100D
GetWindowThreadProcessId.USER32(00000000), ref: 10001014
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,00000000,100019A7,?,?,00000104,?,?,?,?,?,?), ref: 10001026
SetForegroundWindow.USER32(00000104), ref: 1000102C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,00000000,100019A7,?,?,00000104,?,?,?,?,?,?), ref: 10001036

Memory Dump Source

Source File: 00000009.00000002.1846835297.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.1846819820.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1846854669.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1846870806.0000000010003000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1846889027.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Similarity

API ID: Thread$Window$AttachForegroundInput$CurrentProcess
String ID:
API String ID: 2613519895-0
Opcode ID: a215d5a4d22534b256d48cf7891d9fba3e6d4de3984394a3f2c7dc878b779262
Instruction ID: a5834dc10bb954abe9c812e520c7fb4d8dd8d4515b90736262e8dd16f5beccb2
Opcode Fuzzy Hash: a215d5a4d22534b256d48cf7891d9fba3e6d4de3984394a3f2c7dc878b779262
Instruction Fuzzy Hash: 5FE0B672601360ABFA102BF18CCCF5B7E2DEB857E2F004826F602961A6CA754841CB60

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 6968, Parent PID: 6372COMMON

Non-executed Functions

Function 10001BBB Relevance: 38.8, APIs: 19, Strings: 3, Instructions: 280COMMON

Download Yara Rule

APIs

_read.MSVCRT ref: 10001BD7
memcmp.MSVCRT ref: 10001BED
memcmp.MSVCRT ref: 10001C03
_read.MSVCRT ref: 10001C1C
_read.MSVCRT ref: 10001C4B
memset.MSVCRT ref: 10001C6B
_read.MSVCRT ref: 10001C88
_read.MSVCRT ref: 10001CAF
_read.MSVCRT ref: 10001D00
_read.MSVCRT ref: 10001D27
_read.MSVCRT ref: 10001D3D
_lseek.MSVCRT ref: 10001D54
_read.MSVCRT ref: 10001D6D
_read.MSVCRT ref: 10001D83
_lseek.MSVCRT ref: 10001DA2
_read.MSVCRT ref: 10001DAD
_lseek.MSVCRT ref: 10001DDA
_read.MSVCRT ref: 10001DF4

Strings

;, xrefs: 10001E7E
GIF89a, xrefs: 10001BFD
GIF87a, xrefs: 10001BE7

Memory Dump Source

Source File: 0000000D.00000002.1852320434.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000D.00000002.1852307242.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1852332984.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1852345634.0000000010003000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1852358400.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_10000000_rundll32.jbxd

Similarity

API ID: _read$_lseek$memcmp$memset
String ID: ;$GIF87a$GIF89a
API String ID: 1644322006-3016656665
Opcode ID: 4f4a161c639526b64d83bce3c9706c14373bd2a6221ddef19f0586687814ebf0
Instruction ID: ab14dbe8ec25d23e52d0a0a6250c50f5e40e28a3088dd02f9076d74bd2d26e4c
Opcode Fuzzy Hash: 4f4a161c639526b64d83bce3c9706c14373bd2a6221ddef19f0586687814ebf0
Instruction Fuzzy Hash: E691F9B280468A6EF711CA60CC81FFF7BEDDB052E4F14446AFD69D5185E324EA488762

Uniqueness

Uniqueness Score: -1.00%

Function 100016DC Relevance: 38.7, APIs: 16, Strings: 6, Instructions: 200stringthreadcomCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 100016E7

Part of subcall function 10001391: lstrcpyA.KERNEL32(?,?,play,100012C6,?), ref: 100013A9
Part of subcall function 10001391: GlobalFree.KERNEL32(play), ref: 100013BA

strtol.MSVCRT ref: 1000171C
strtol.MSVCRT ref: 1000173E
strtol.MSVCRT ref: 10001760
strtol.MSVCRT ref: 10001782
lstrcmpiA.KERNEL32(0000002F,/nocancel), ref: 100017BA
lstrcmpiA.KERNEL32(0000002F,/passive), ref: 100017D5
EnumDisplaySettingsA.USER32(00000000,?,?), ref: 10001829
GetModuleHandleA.KERNEL32(user32,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1000183D
GetProcAddress.KERNEL32(00000000,SetLayeredWindowAttributes), ref: 10001849
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000104,?,?,?,?,?,?,?,?,?), ref: 100018F7
OleLoadPicturePath.OLEAUT32(?,00000000,00000000,00000000,10002120,10003118), ref: 10001911
UnregisterClassA.USER32(?), ref: 10001956
CreateThread.KERNEL32(00000000,00000000,100013CB,00000000,00000000,?), ref: 1000196B
IsWindowVisible.USER32(00000000), ref: 10001980
Sleep.KERNEL32(0000000A,?,?,00000104,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1000198C

Strings

SetLayeredWindowAttributes, xrefs: 10001843
/nocancel, xrefs: 100017B4
/passive, xrefs: 100017CF
, xrefs: 1000182F
/, xrefs: 100017A5
user32, xrefs: 10001838

Memory Dump Source

Source File: 0000000D.00000002.1852320434.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000D.00000002.1852307242.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1852332984.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1852345634.0000000010003000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1852358400.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_10000000_rundll32.jbxd

Similarity

API ID: strtol$Threadlstrcmpi$AddressByteCharClassCreateCurrentDisplayEnumFreeGlobalHandleLoadModuleMultiPathPictureProcSettingsSleepUnregisterVisibleWideWindowlstrcpy
String ID: $/$/nocancel$/passive$SetLayeredWindowAttributes$user32
API String ID: 2566538546-4237892920
Opcode ID: 247d67194737215ebdc2a93959d0f9179d56def93fe1df6c76eef458194bc551
Instruction ID: a3a8cb6ee60f1ab520b37688dbef40d18398f4cb317f0d28f3f58c925ff2203f
Opcode Fuzzy Hash: 247d67194737215ebdc2a93959d0f9179d56def93fe1df6c76eef458194bc551
Instruction Fuzzy Hash: 50714FB5905229EFF712CB61CCD6ADB77BCEB083C4F00C466E549D2159EB709A888F61

Uniqueness

Uniqueness Score: -1.00%

Function 1000103C Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000000,00000000,_sp,00000000), ref: 1000108D
CreateCompatibleDC.GDI32(00000000), ref: 1000109C
SelectObject.GDI32(00000000), ref: 100010AC
GetDIBits.GDI32(?,00000000,00000000,00000028,00000000), ref: 100010C8
CreateRectRgn.GDI32(00000000,00000000), ref: 100010E2
CreateRectRgn.GDI32(?,-00000001,?,?), ref: 10001155
CombineRgn.GDI32(100014BC,100014BC,00000000,00000003), ref: 10001163
DeleteObject.GDI32(?), ref: 1000116C
SetWindowRgn.USER32(?,100014BC,00000001), ref: 1000119C
DeleteObject.GDI32(100014BC), ref: 100011A5
DeleteObject.GDI32(?), ref: 100011AA
GlobalFree.KERNEL32(?), ref: 100011AF

Strings

(, xrefs: 10001062
_sp, xrefs: 10001055
, xrefs: 10001072

Memory Dump Source

Source File: 0000000D.00000002.1852320434.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000D.00000002.1852307242.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1852332984.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1852345634.0000000010003000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1852358400.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_10000000_rundll32.jbxd

Similarity

API ID: Object$CreateDelete$GlobalRect$AllocBitsCombineCompatibleFreeSelectWindow
String ID: $($_sp
API String ID: 2139451681-603639786
Opcode ID: defff89bcc057d18feec87a9dfcfc9dda377938f87e52fd26b5d3971be7515f9
Instruction ID: 443b8ba32a8eed289a3bed2c2def7bd03334e0efb226090786353cc7b566566d
Opcode Fuzzy Hash: defff89bcc057d18feec87a9dfcfc9dda377938f87e52fd26b5d3971be7515f9
Instruction Fuzzy Hash: F2414B71D01229EFEF16CF90DC849EEBBBAFF48380F20811AE601A2264C7315A45DF90

Uniqueness

Uniqueness Score: -1.00%

Function 100013CB Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 129windowregistryCOMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F00), ref: 100013EF
RegisterClassA.USER32(100030C0), ref: 1000140A
GetObjectA.GDI32(00000018,100030A8), ref: 10001436
CreateWindowExA.USER32(00000000,_sp,_sp,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 1000146E
timeSetEvent.WINMM(00000008,100011BA,00000001), ref: 100014E2
IsWindow.USER32 ref: 100014F9
GetMessageA.USER32(?,00000000,00000000), ref: 1000150B
TranslateMessage.USER32(?), ref: 10001519
DispatchMessageA.USER32(?), ref: 10001523
IsWindow.USER32(00000000), ref: 1000153B
SendMessageA.USER32(00000010,00000000,00000000), ref: 1000154B
PlaySoundA.WINMM(00000000,00000000,00000000,?,?,?,?,?,00000104,?,?,?,?,?,?), ref: 1000156B

Strings

_sp, xrefs: 100013F5, 10001469, 1000146C

Memory Dump Source

Source File: 0000000D.00000002.1852320434.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000D.00000002.1852307242.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1852332984.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1852345634.0000000010003000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1852358400.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_10000000_rundll32.jbxd

Similarity

API ID: Message$Window$ClassCreateCursorDispatchEventLoadObjectPlayRegisterSendSoundTranslatetime
String ID: _sp
API String ID: 3149607642-3434539926
Opcode ID: a2c1ba3c3305b83aaedef59b5378115774cd37c6ac2417f510c30f497a65bc11
Instruction ID: e6bc9b32f9051cb428cc47af31c85f0ffb573052bd2de18e104081983c3da1d9
Opcode Fuzzy Hash: a2c1ba3c3305b83aaedef59b5378115774cd37c6ac2417f510c30f497a65bc11
Instruction Fuzzy Hash: 12414470A01621EFFB12CB66CCD9E973BBDFB897C2B008529F60586279D7318841CB60

Uniqueness

Uniqueness Score: -1.00%

Function 100019AC Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 104synchronizationstringsleepCOMMON

Download Yara Rule

APIs

Part of subcall function 10001391: lstrcpyA.KERNEL32(?,?,play,100012C6,?), ref: 100013A9
Part of subcall function 10001391: GlobalFree.KERNEL32(play), ref: 100013BA

lstrcmpiA.KERNEL32(?,/fadeout), ref: 100019F5
stop.NEWADVSPLASH(?,?,?,?,?,?), ref: 10001A0F
WaitForSingleObject.KERNEL32(?,?,?), ref: 10001A58
lstrcmpiA.KERNEL32(?,/wait), ref: 10001A63
WaitForSingleObject.KERNEL32(00000003,?), ref: 10001A9B
IsWindow.USER32(?), ref: 10001AAE
SendMessageA.USER32(00000113,00000000,00000000), ref: 10001AC5
WaitForSingleObject.KERNEL32(000003E8), ref: 10001AD6
CloseHandle.KERNEL32 ref: 10001ADE
UnregisterClassA.USER32 ref: 10001AF6
Sleep.KERNEL32(0000000A), ref: 10001AFE

Strings

/fadeout, xrefs: 100019EF
/wait, xrefs: 10001A5D

Memory Dump Source

Source File: 0000000D.00000002.1852320434.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000D.00000002.1852307242.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1852332984.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1852345634.0000000010003000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1852358400.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_10000000_rundll32.jbxd

Similarity

API ID: ObjectSingleWait$lstrcmpi$ClassCloseFreeGlobalHandleMessageSendSleepUnregisterWindowlstrcpystop
String ID: /fadeout$/wait
API String ID: 3084239452-2082618422
Opcode ID: c6d6f2c23090cdc0f53fe60711dbe15e9a396be31b19294a83937cb7207dd3f3
Instruction ID: 74a161a0c42bc7f0ded7157649f8f774d35bc99b0ded71235a3226dadd583209
Opcode Fuzzy Hash: c6d6f2c23090cdc0f53fe60711dbe15e9a396be31b19294a83937cb7207dd3f3
Instruction Fuzzy Hash: 89313D71602226EFFB12DF60CCE6EDA7BADEB053C5B01C026E6049617DD7319945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 1000127F Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 91windowstringCOMMON

Download Yara Rule

APIs

Part of subcall function 10001391: lstrcpyA.KERNEL32(?,?,play,100012C6,?), ref: 100013A9
Part of subcall function 10001391: GlobalFree.KERNEL32(play), ref: 100013BA

lstrcmpiA.KERNEL32(?,/loop), ref: 100012DA
lstrcatA.KERNEL32(?, repeat), ref: 100012EF
IsWindow.USER32(00000000), ref: 10001319
SendMessageA.USER32(00000010,00000000,00000000), ref: 1000132D
MCIWndCreateA.MSVFW32(?,00000000,00000002,?), ref: 10001348
ShowWindow.USER32(00000000,00000000), ref: 1000135B
SendMessageA.USER32(00000490,00000000,00000000), ref: 10001374
SendMessageA.USER32(00000465,00000000,?), ref: 1000138A

Strings

/loop, xrefs: 100012D4
play, xrefs: 1000128B
repeat, xrefs: 100012E9

Memory Dump Source

Source File: 0000000D.00000002.1852320434.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000D.00000002.1852307242.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1852332984.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1852345634.0000000010003000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1852358400.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_10000000_rundll32.jbxd

Similarity

API ID: MessageSend$Window$CreateFreeGlobalShowlstrcatlstrcmpilstrcpy
String ID: repeat$/loop$play
API String ID: 3660629810-890840800
Opcode ID: 95bb0b1a6ed8e27fac21a1510b2401407bee353cf1146c80af158e7f869a67f9
Instruction ID: f7067f49b8ce5df945ad2e355731b84990f5a30851f9aba2a16d427cbeeb495c
Opcode Fuzzy Hash: 95bb0b1a6ed8e27fac21a1510b2401407bee353cf1146c80af158e7f869a67f9
Instruction Fuzzy Hash: 24310AB1900229AFFB11DB64CC84ADB7BECEB083C4F008566F604E6159E775EE548EA0

Uniqueness

Uniqueness Score: -1.00%

Function 10001579 Relevance: 15.1, APIs: 10, Instructions: 129COMMON

Download Yara Rule

APIs

timeKillEvent.WINMM ref: 100015B5
PlaySoundA.WINMM(00000000,00000000,00000000), ref: 100015CF
DestroyWindow.USER32(?), ref: 100015D8
DefWindowProcA.USER32(?,?,?,?), ref: 100015EA
BeginPaint.USER32(?,?), ref: 100015FC
GetClientRect.USER32(?,?), ref: 10001613
EndPaint.USER32(?,?), ref: 10001671
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 10001686
SetWindowLongA.USER32(?,000000F0,00000000), ref: 10001692
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000044), ref: 100016CE

Memory Dump Source

Source File: 0000000D.00000002.1852320434.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000D.00000002.1852307242.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1852332984.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1852345634.0000000010003000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1852358400.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Paint$BeginClientDestroyEventInfoKillLongParametersPlayProcRectSoundSystemtime
String ID:
API String ID: 3727496372-0
Opcode ID: 4a184da1d31787eb103406e5fae2125ab06ca05df0c2250890ecf0326e8422cc
Instruction ID: 2268aec3e567ff5bc94b7250f85f29b164a63c8fca58fdafc73b740dcb6aa661
Opcode Fuzzy Hash: 4a184da1d31787eb103406e5fae2125ab06ca05df0c2250890ecf0326e8422cc
Instruction Fuzzy Hash: B441E87250011AFFEB01CFE4CD89DEE7BBAEB48385F108114F6059A169D7319E85DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10001EA1 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 52stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,.gif), ref: 10001EB4
lstrcmpiA.KERNEL32(?), ref: 10001EBF
_open.MSVCRT ref: 10001ED6
_close.MSVCRT ref: 10001EF9
memcpy.MSVCRT ref: 10001F25

Strings

.gif, xrefs: 10001EAE

Memory Dump Source

Source File: 0000000D.00000002.1852320434.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000D.00000002.1852307242.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1852332984.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1852345634.0000000010003000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1852358400.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_10000000_rundll32.jbxd

Similarity

API ID: _close_openlstrcmpilstrlenmemcpy
String ID: .gif
API String ID: 2844665498-1021300279
Opcode ID: 3cffe85df737e646b1d3b49a1d63581c8dba693fe8338c044406ca8efd5e9a07
Instruction ID: 2c3d1d5f5064721856c2e5df9e8e33a79122b57ce5c3316ddc064795b00bbb47
Opcode Fuzzy Hash: 3cffe85df737e646b1d3b49a1d63581c8dba693fe8338c044406ca8efd5e9a07
Instruction Fuzzy Hash: E611613581420AABEB10CB68DC85AED77B8EF047E4F208775F929D60D5EB34E7558A80

Uniqueness

Uniqueness Score: -1.00%

Function 10001000 Relevance: 9.0, APIs: 6, Instructions: 25threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 10001003
GetForegroundWindow.USER32(00000000,?,?,00000000,100019A7,?,?,00000104,?,?,?,?,?,?), ref: 1000100D
GetWindowThreadProcessId.USER32(00000000), ref: 10001014
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,00000000,100019A7,?,?,00000104,?,?,?,?,?,?), ref: 10001026
SetForegroundWindow.USER32(00000104), ref: 1000102C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,00000000,100019A7,?,?,00000104,?,?,?,?,?,?), ref: 10001036

Memory Dump Source

Source File: 0000000D.00000002.1852320434.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000D.00000002.1852307242.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1852332984.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1852345634.0000000010003000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1852358400.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_10000000_rundll32.jbxd

Similarity

API ID: Thread$Window$AttachForegroundInput$CurrentProcess
String ID:
API String ID: 2613519895-0
Opcode ID: a215d5a4d22534b256d48cf7891d9fba3e6d4de3984394a3f2c7dc878b779262
Instruction ID: a5834dc10bb954abe9c812e520c7fb4d8dd8d4515b90736262e8dd16f5beccb2
Opcode Fuzzy Hash: a215d5a4d22534b256d48cf7891d9fba3e6d4de3984394a3f2c7dc878b779262
Instruction Fuzzy Hash: 5FE0B672601360ABFA102BF18CCCF5B7E2DEB857E2F004826F602961A6CA754841CB60

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report newadvsplash.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_2824bab859d35889dff863c9c9b5d719d6756866_7522e4b5_14ad5693-eaaf-4133-8ad1-39eb02a7164f\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_2824bab859d35889dff863c9c9b5d719d6756866_7522e4b5_168b1b20-02fd-4d70-93d2-09995b142d16\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_2824bab859d35889dff863c9c9b5d719d6756866_7522e4b5_f447ed26-44b0-4145-a12b-d0b00b85de75\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_2824bab859d35889dff863c9c9b5d719d6756866_7522e4b5_fefad15e-02a6-45e0-8ba1-606216b2d276\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAC89.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAD26.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAD47.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB7A5.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB804.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB834.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC438.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC447.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC4D5.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC4E5.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC534.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC5D0.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Exports

Windows Analysis Report
newadvsplash.dll