Edit tour

Windows Analysis Report
A290.dll

Overview

General Information

Sample Name:	A290.dll
Analysis ID:	878697
MD5:	061a8b23a85b75400cd719fd173767c3
SHA1:	05a7ee8edfb504be3cb6c4e5230fc3994586bf1e
SHA256:	6615dda3718170a2c4946ebf0a62ad4f36b707c1d984011f866ff56dd2c3cc24
Tags:	dllqbot
Infos:

Detection

Qbot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Qbot

Antivirus / Scanner detection for submitted sample

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Writes to foreign memory regions

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Allocates memory in foreign processes

Injects a PE file into a foreign processes

C2 URLs / IPs found in malware configuration

Sample uses string decryption to hide its real strings

Potentially malicious time measurement code found

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

One or more processes crash

May sleep (evasive loops) to hinder dynamic analysis

Found evasive API chain (date check)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Creates a DirectInput object (often for capturing keystrokes)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Found evasive API chain checking for process token information

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Connects to several IPs in different countries

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6452 cmdline: loaddll32.exe "C:\Users\user\Desktop\A290.dll" MD5: 3B4636AE519868037940CA5C4272091B)

conhost.exe (PID: 6444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 4796 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\A290.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 5508 cmdline: rundll32.exe "C:\Users\user\Desktop\A290.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 5796 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5508 -s 660 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 2460 cmdline: rundll32.exe C:\Users\user\Desktop\A290.dll,mv_add_i MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 5804 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 5724 cmdline: rundll32.exe C:\Users\user\Desktop\A290.dll,mv_add_q MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5616 cmdline: rundll32.exe C:\Users\user\Desktop\A290.dll,mv_add_stable MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 6820 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5616 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 6944 cmdline: rundll32.exe "C:\Users\user\Desktop\A290.dll",mv_add_i MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 6696 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6944 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 5464 cmdline: rundll32.exe "C:\Users\user\Desktop\A290.dll",mv_add_q MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5860 cmdline: rundll32.exe "C:\Users\user\Desktop\A290.dll",mv_add_stable MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 6840 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5860 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 6648 cmdline: rundll32.exe "C:\Users\user\Desktop\A290.dll",next MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

wermgr.exe (PID: 6632 cmdline: C:\Windows\SysWOW64\wermgr.exe MD5: CCF15E662ED5CE77B5FF1A7AAE305233)

rundll32.exe (PID: 6716 cmdline: rundll32.exe "C:\Users\user\Desktop\A290.dll",mvutil_license MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6788 cmdline: rundll32.exe "C:\Users\user\Desktop\A290.dll",mvutil_configuration MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
QakBot, qbotQbot	QBot is a modular information stealer also known as Qakbot or Pinkslipbot. It has been active for years since 2007. It has historically been known as a banking Trojan, meaning that it steals financial data from infected systems, and a loader using C2 servers for payload targeting and download.	GOLD CABIN	http://contagiodump.blogspot.com/2010/11/template.html http://www.secureworks.com/research/threat-profiles/gold-lagoon http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf https://0xthreatintel.medium.com/reversing-qakbot-tlp-white-d1b8b37ad8e7 https://asec.ahnlab.com/en/44662/	https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot

Malware Configuration

Threatname: Qbot

{"Bot id": "BB30", "Campaign": "1685433861", "Version": "404.1320", "C2 list": ["12.172.173.82:50001", "178.175.187.254:443", "65.95.141.84:2222", "205.237.67.69:995", "83.110.223.61:443", "193.253.100.236:2222", "27.0.48.233:443", "102.159.188.125:443", "71.38.155.217:443", "58.186.75.42:443", "76.178.148.107:2222", "70.28.50.223:2087", "114.143.176.236:443", "51.14.29.227:2222", "59.28.84.65:443", "173.88.135.179:443", "103.144.201.56:2078", "96.87.28.170:2222", "105.186.128.181:995", "176.142.207.63:443", "151.62.238.176:443", "12.172.173.82:32101", "122.186.210.254:443", "82.125.44.236:2222", "84.108.200.161:443", "76.16.49.134:443", "70.28.50.223:32100", "12.172.173.82:465", "76.170.252.153:995", "184.182.66.109:443", "78.92.133.215:443", "50.68.204.71:993", "186.75.95.6:443", "113.11.92.30:443", "70.28.50.223:3389", "98.145.23.67:443", "85.57.212.13:3389", "50.68.186.195:443", "47.205.25.170:443", "12.172.173.82:993", "12.172.173.82:22", "69.242.31.249:443", "81.101.185.146:443", "79.168.224.165:2222", "75.143.236.149:443", "14.192.241.76:995", "86.195.14.72:2222", "81.229.117.95:2222", "220.240.164.182:443", "73.29.92.128:443", "12.172.173.82:21", "96.56.197.26:2222", "75.109.111.89:443", "76.86.31.59:443", "201.244.108.183:995", "68.203.69.96:443", "124.122.47.148:443", "122.184.143.86:443", "92.186.69.229:2222", "70.28.50.223:2083", "89.129.109.27:2222", "147.147.30.126:2222", "125.99.76.102:443", "88.126.94.4:50000", "151.65.167.77:443", "86.132.236.117:443", "92.154.17.149:2222", "223.166.13.95:995", "89.36.206.69:995", "96.56.197.26:2083", "78.18.105.11:443", "82.127.153.75:2222", "90.78.147.141:2222", "82.131.141.209:443", "183.87.163.165:443", "92.9.45.20:2222", "80.6.50.34:443", "80.12.88.148:2222", "69.133.162.35:443", "172.115.17.50:443", "95.45.50.93:2222", "12.172.173.82:2087", "103.140.174.20:2222", "24.198.114.130:995", "50.68.204.71:443", "69.119.123.159:2222", "64.121.161.102:443", "2.82.8.80:443", "184.181.75.148:443", "70.112.206.5:443", "198.2.51.242:993", "2.36.64.159:2078", "79.77.142.22:2222", "84.215.202.8:443", "147.219.4.194:443", "116.74.164.81:443", "70.28.50.223:2078", "12.172.173.82:995", "77.86.98.236:443", "104.35.24.154:443", "213.64.33.61:2222", "47.149.134.231:443", "72.134.124.16:443", "47.34.30.133:443", "103.42.86.42:995", "174.4.89.3:443", "161.142.103.187:995", "78.160.146.127:443", "84.35.26.14:995", "12.172.173.82:20", "70.28.50.223:2078", "124.149.143.189:2222", "70.160.67.203:443", "186.64.67.30:443", "103.123.223.133:443", "188.28.19.84:443", "174.58.146.57:443", "94.207.104.225:443", "86.97.55.89:2222", "69.123.4.221:2222"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000014.00000002.561029904.00000000005DA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
00000014.00000002.561647699.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
decrypted.memstr	JoeSecurity_Qbot	Yara detected Qbot	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
20.2.rundll32.exe.5f1170.0.raw.unpack	MAL_QakBot_ConfigExtraction_Feb23	QakBot Config Extraction	kevoreilly	0xeb71:$params: 8B 7D 08 8B F1 57 89 55 FC E8 A0 99 FF FF 8D 9E 24 04 00 00 89 03 59 85 C0 75 08 6A FC 58 E9 0xa797:$conf: 5F 5E 5B C9 C3 51 6A 00 E8 C1 44 00 00 59 59 85 C0 75 01 C3
20.2.rundll32.exe.5f1170.0.raw.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
20.2.rundll32.exe.ad0000.1.unpack	MAL_QakBot_ConfigExtraction_Feb23	QakBot Config Extraction	kevoreilly	0xeb71:$params: 8B 7D 08 8B F1 57 89 55 FC E8 A0 99 FF FF 8D 9E 24 04 00 00 89 03 59 85 C0 75 08 6A FC 58 E9 0xa797:$conf: 5F 5E 5B C9 C3 51 6A 00 E8 C1 44 00 00 59 59 85 C0 75 01 C3
20.2.rundll32.exe.ad0000.1.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
20.2.rundll32.exe.5f1170.0.unpack	MAL_QakBot_ConfigExtraction_Feb23	QakBot Config Extraction	kevoreilly	0xdf71:$params: 8B 7D 08 8B F1 57 89 55 FC E8 A0 99 FF FF 8D 9E 24 04 00 00 89 03 59 85 C0 75 08 6A FC 58 E9 0x9b97:$conf: 5F 5E 5B C9 C3 51 6A 00 E8 C1 44 00 00 59 59 85 C0 75 01 C3
20.2.rundll32.exe.5f1170.0.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
Click to see the 1 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000014.00000002.561029904.00000000005DA000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Qbot {"Bot id": "BB30", "Campaign": "1685433861", "Version": "404.1320", "C2 list": ["12.172.173.82:50001", "178.175.187.254:443", "65.95.141.84:2222", "205.237.67.69:995", "83.110.223.61:443", "193.253.100.236:2222", "27.0.48.233:443", "102.159.188.125:443", "71.38.155.217:443", "58.186.75.42:443", "76.178.148.107:2222", "70.28.50.223:2087", "114.143.176.236:443", "51.14.29.227:2222", "59.28.84.65:443", "173.88.135.179:443", "103.144.201.56:2078", "96.87.28.170:2222", "105.186.128.181:995", "176.142.207.63:443", "151.62.238.176:443", "12.172.173.82:32101", "122.186.210.254:443", "82.125.44.236:2222", "84.108.200.161:443", "76.16.49.134:443", "70.28.50.223:32100", "12.172.173.82:465", "76.170.252.153:995", "184.182.66.109:443", "78.92.133.215:443", "50.68.204.71:993", "186.75.95.6:443", "113.11.92.30:443", "70.28.50.223:3389", "98.145.23.67:443", "85.57.212.13:3389", "50.68.186.195:443", "47.205.25.170:443", "12.172.173.82:993", "12.172.173.82:22", "69.242.31.249:443", "81.101.185.146:443", "79.168.224.165:2222", "75.143.236.149:443", "14.192.241.76:995", "86.195.14.72:2222", "81.229.117.95:2222", "220.240.164.182:443", "73.29.92.128:443", "12.172.173.82:21", "96.56.197.26:2222", "75.109.111.89:443", "76.86.31.59:443", "201.244.108.183:995", "68.203.69.96:443", "124.122.47.148:443", "122.184.143.86:443", "92.186.69.229:2222", "70.28.50.223:2083", "89.129.109.27:2222", "147.147.30.126:2222", "125.99.76.102:443", "88.126.94.4:50000", "151.65.167.77:443", "86.132.236.117:443", "92.154.17.149:2222", "223.166.13.95:995", "89.36.206.69:995", "96.56.197.26:2083", "78.18.105.11:443", "82.127.153.75:2222", "90.78.147.141:2222", "82.131.141.209:443", "183.87.163.165:443", "92.9.45.20:2222", "80.6.50.34:443", "80.12.88.148:2222", "69.133.162.35:443", "172.115.17.50:443", "95.45.50.93:2222", "12.172.173.82:2087", "103.140.174.20:2222", "24.198.114.130:995", "50.68.204.71:443", "69.119.123.159:2222", "64.121.161.102:443", "2.82.8.80:443", "184.181.75.148:443", "70.112.206.5:443", "198.2.51.242:993", "2.36.64.159:2078", "79.77.142.22:2222", "84.215.202.8:443", "147.219.4.194:443", "116.74.164.81:443", "70.28.50.223:2078", "12.172.173.82:995", "77.86.98.236:443", "104.35.24.154:443", "213.64.33.61:2222", "47.149.134.231:443", "72.134.124.16:443", "47.34.30.133:443", "103.42.86.42:995", "174.4.89.3:443", "161.142.103.187:995", "78.160.146.127:443", "84.35.26.14:995", "12.172.173.82:20", "70.28.50.223:2078", "124.149.143.189:2222", "70.160.67.203:443", "186.64.67.30:443", "103.123.223.133:443", "188.28.19.84:443", "174.58.146.57:443", "94.207.104.225:443", "86.97.55.89:2222", "69.123.4.221:2222"]}

Antivirus / Scanner detection for submitted sample

Source: A290.dll

Avira: detected

Sample uses string decryption to hide its real strings

Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: error res='%s' err=%d len=%u
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: netstat -nao
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: runas
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: ipconfig /all
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: net localgroup
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: nltest /domain_trusts /all_trusts
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Microsoft
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: SELF_TEST_1
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: p%08x
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Self test FAILED!!!
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Self test OK.
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: /t5
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: whoami /all
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: cmd
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: microsoft.com,google.com,cisco.com,oracle.com,verisign.com,broadcom.com,yahoo.com,xfinity.com,irs.gov,linkedin.com
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: ERROR: GetModuleFileNameW() failed with error: ERROR_INSUFFICIENT_BUFFER
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: route print
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: .lnk
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: "%s\system32\schtasks.exe" /Create /ST %02u:%02u /RU "NT AUTHORITY\SYSTEM" /SC ONCE /tr "%s" /Z /ET %02u:%02u /tn %s
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: arp -a
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %s "$%s = \"%s\"; & $%s"
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: net share
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: cmd.exe /c set
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Self check
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %u;%u;%u;
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: /c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s"
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: ProfileImagePath
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: at.exe %u:%u "%s" /I
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: ProgramData
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Self check ok!
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: powershell.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: qwinsta
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: net view
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%s
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Component_08
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Start screenshot
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: schtasks.exe /Delete /F /TN %u
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: appidapi.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %s \"$%s = \\\"%s\\\\; & $%s\"
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: c:\ProgramData
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Component_07
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: bUdiuy81gYguty@4frdRdpfko(eKmudeuMncueaN
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: powershell.exe -encodedCommand %S
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: ERROR: GetModuleFileNameW() failed with error: %u
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: powershell.exe -encodedCommand
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: \System32\WindowsPowerShell\v1.0\powershell.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: schtasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /SC ONSTART /TN %u /TR "%s" /NP /F
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: error res='%s' err=%d len=%u
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: netstat -nao
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: runas
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: ipconfig /all
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %u.%u.%u.%u.%u.%u.%04x
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: SystemRoot
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: cscript.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: MBAMService.exe;mbamgui.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\System32\xwizard.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\System32\wermgr.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: C:\INTERNAL\__empty
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: .dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Win32_PhysicalMemory
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: ALLUSERSPROFILE
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: image/jpeg
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: LocalLow
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: displayName
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: shlwapi.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\WerFault.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: CommandLine
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: kernel32.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: SubmitSamplesConsent
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: 1234567890
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: wbj.go
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\wextract.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Win32_DiskDrive
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: vkise.exe;isesrv.exe;cmdagent.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: System32
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Name
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\System32\WerFault.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: WRSA.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: c:\\
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: SpyNetReporting
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: FALSE
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: aswhookx.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Packages
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: SonicWallClientProtectionService.exe;SWDash.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: application/x-shockwave-flash
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: RepUx.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\System32\mspaint.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Winsta0
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: CynetEPS.exe;CynetMS.exe;CynetConsole.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\wermgr.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %ProgramFiles(x86)%\Internet Explorer\iexplore.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: avp.exe;kavtray.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: root\SecurityCenter2
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\backgroundTaskHost.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: MsMpEng.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\System32\CertEnrollCtrl.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: userenv.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: csc_ui.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe;BehaviorDumper.exe;processdumperx64.exe;anti-virus.EXE;sysinfoX64.exe;sctoolswrapper.exe;sysinfoX64.exe;FakeExplorer.exe;apimonitor-x86.exe;idaq.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: \\.\pipe\
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: pstorec.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: NTUSER.DAT
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: from
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\System32\sethc.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: netapi32.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\System32\Utilman.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: gdi32.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: setupapi.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: SELECT * FROM Win32_Processor
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: iphlpapi.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Caption
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: CrAmTray.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Win32_ComputerSystem
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\System32\backgroundTaskHost.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %ProgramFiles%\Internet Explorer\iexplore.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: user32.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: xagtnotif.exe;AppUIMonitor.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\System32\dxdiag.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: SentinelServiceHost.exe;SentinelStaticEngine.exe;SentinelAgent.exe;SentinelStaticEngineScanner.exe;SentinelUI.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: \sf2.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\grpconv.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: egui.exe;ekrn.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Software\Microsoft
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %S.%06d
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: bcrypt.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: SELECT * FROM AntiVirusProduct
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\SndVol.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\Utilman.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\SpyNet
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: wtsapi32.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\xwizard.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: shell32.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: TRUE
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Win32_Bios
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: SELECT * FROM Win32_OperatingSystem
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\mobsync.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: c:\hiberfil.sysss
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: /
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\AtBroker.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: ByteFence.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: type=0x%04X
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: snxhk_border_mywnd
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: ROOT\CIMV2
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: https
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: fshoster32.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: kernelbase.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: regsvr32.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %s\system32\
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\dxdiag.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Win32_Process
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: rundll32.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: LOCALAPPDATA
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: cmd.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: APPDATA
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: select
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: .exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: mcshield.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: advapi32.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: ws2_32.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: .cfg
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: aabcdeefghiijklmnoopqrstuuvwxyyz
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Win32_Product
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: WQL
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: wininet.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: LastBootUpTime
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: S:(ML;;NW;;;LW)
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\CertEnrollCtrl.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: urlmon.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Create
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Win32_PnPEntity
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\System32\grpconv.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Initializing database...
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\System32\SearchIndexer.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: winsta0\default
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: .dat
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: WBJ_IGNORE
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: next
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\System32\AtBroker.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: wpcap.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\sethc.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: image/pjpeg
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: fmon.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: bdagent.exe;vsserv.exe;vsservppl.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\System32\SndVol.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: vbs
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: aswhooka.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: SysWOW64
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\mspaint.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: mpr.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: image/gif
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: crypt32.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: ntdll.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: open
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: CSFalconService.exe;CSFalconContainer.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\System32\wextract.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\System32\mobsync.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\SearchIndexer.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %u.%u.%u.%u.%u.%u.%04x
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: SystemRoot
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: cscript.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: MBAMService.exe;mbamgui.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\System32\xwizard.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\System32\wermgr.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: C:\INTERNAL\__empty
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: .dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Win32_PhysicalMemory
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: ALLUSERSPROFILE
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: image/jpeg
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: LocalLow
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: displayName
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: shlwapi.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\WerFault.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: CommandLine
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: kernel32.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: SubmitSamplesConsent
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: 1234567890
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: wbj.go
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\wextract.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Win32_DiskDrive
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: vkise.exe;isesrv.exe;cmdagent.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: System32
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Name
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\System32\WerFault.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: WRSA.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: c:\\
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: SpyNetReporting
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: FALSE
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: aswhookx.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Packages
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: SonicWallClientProtectionService.exe;SWDash.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: application/x-shockwave-flash
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: RepUx.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\System32\mspaint.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Winsta0
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: CynetEPS.exe;CynetMS.exe;CynetConsole.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\wermgr.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %ProgramFiles(x86)%\Internet Explorer\iexplore.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: avp.exe;kavtray.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: root\SecurityCenter2
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\backgroundTaskHost.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: MsMpEng.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\System32\CertEnrollCtrl.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: userenv.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: csc_ui.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe;BehaviorDumper.exe;processdumperx64.exe;anti-virus.EXE;sysinfoX64.exe;sctoolswrapper.exe;sysinfoX64.exe;FakeExplorer.exe;apimonitor-x86.exe;idaq.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: \\.\pipe\
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: pstorec.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: NTUSER.DAT
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: from
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\System32\sethc.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: netapi32.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\System32\Utilman.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: gdi32.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: setupapi.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: SELECT * FROM Win32_Processor
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: iphlpapi.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Caption
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: CrAmTray.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Win32_ComputerSystem
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\System32\backgroundTaskHost.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %ProgramFiles%\Internet Explorer\iexplore.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: user32.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: xagtnotif.exe;AppUIMonitor.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\System32\dxdiag.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: SentinelServiceHost.exe;SentinelStaticEngine.exe;SentinelAgent.exe;SentinelStaticEngineScanner.exe;SentinelUI.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: \sf2.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\grpconv.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: egui.exe;ekrn.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Software\Microsoft
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %S.%06d
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: bcrypt.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: SELECT * FROM AntiVirusProduct
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\SndVol.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\Utilman.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\SpyNet
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: wtsapi32.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\xwizard.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: shell32.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: TRUE
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Win32_Bios
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: SELECT * FROM Win32_OperatingSystem
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\mobsync.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: c:\hiberfil.sysss
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: /
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\AtBroker.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: ByteFence.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: type=0x%04X
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: snxhk_border_mywnd
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: ROOT\CIMV2
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: https
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: fshoster32.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: kernelbase.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: regsvr32.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %s\system32\
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\dxdiag.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Win32_Process
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: rundll32.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: LOCALAPPDATA
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: cmd.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: APPDATA
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: select
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: .exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: mcshield.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: advapi32.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: ws2_32.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: .cfg
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: aabcdeefghiijklmnoopqrstuuvwxyyz
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Win32_Product
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: WQL
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: wininet.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: LastBootUpTime
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: S:(ML;;NW;;;LW)
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\CertEnrollCtrl.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: urlmon.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Create
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Win32_PnPEntity
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\System32\grpconv.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Initializing database...
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\System32\SearchIndexer.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: winsta0\default
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: .dat
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: WBJ_IGNORE
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: next
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\System32\AtBroker.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: wpcap.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\sethc.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: image/pjpeg
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: fmon.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: bdagent.exe;vsserv.exe;vsservppl.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\System32\SndVol.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: vbs
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: aswhooka.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: SysWOW64
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\mspaint.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: mpr.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: image/gif
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: crypt32.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: ntdll.dll
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: open
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: CSFalconService.exe;CSFalconContainer.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\System32\wextract.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\System32\mobsync.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\SearchIndexer.exe
Source: 20.2.rundll32.exe.ad0000.1.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10035030 mv_get_random_seed,BCryptOpenAlgorithmProvider,BCryptGenRandom,BCryptCloseAlgorithmProvider,mvpriv_open,_read,_close,mvpriv_open,_read,_close,clock,clock,mv_sha_init,mv_sha_update,mv_sha_final,mv_log,abort,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000C0B0 mv_cast5_crypt2,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000B0D0 mv_camellia_crypt,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10013100 mv_encryption_init_info_alloc,mv_mallocz,mv_mallocz,mv_mallocz,mv_mallocz,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_calloc,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000C1B0 mv_cast5_crypt,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100132D0 mv_encryption_init_info_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10002480 mv_aes_ctr_crypt,mv_aes_crypt,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10013480 mv_encryption_init_info_get_side_data,mv_encryption_init_info_alloc,mv_free,mv_free,mv_free,mv_free,mv_free,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100084B0 mv_blowfish_crypt,mv_blowfish_crypt_ecb,mv_blowfish_crypt_ecb,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1004D4B0 mv_tea_crypt,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100364E0 mv_rc4_crypt,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10002523 mv_aes_crypt,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001363B mv_encryption_init_info_alloc,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000867B mv_blowfish_crypt_ecb,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100136FB mv_encryption_init_info_alloc,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10013860 mv_encryption_init_info_add_side_data,mv_malloc,mv_malloc,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10012A70 mv_encryption_info_alloc,mv_mallocz,mv_mallocz,mv_mallocz,mv_calloc,mv_free,mv_free,mv_free,mv_free,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10012B40 mv_encryption_info_clone,mv_encryption_info_alloc,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10001BF0 mv_aes_crypt,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10012CF0 mv_encryption_info_free,mv_free,mv_free,mv_free,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10012D40 mv_encryption_info_get_side_data,mv_encryption_info_alloc,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10007DC0 mv_blowfish_crypt_ecb,

Source: A290.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: unknown	HTTPS traffic detected: 98.137.11.163:443 -> 192.168.2.4:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.100.215:443 -> 192.168.2.4:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.28.19.84:443 -> 192.168.2.4:49727 version: TLS 1.2

Source: A290.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 20_2_00AD9DA8 FindFirstFileW,FindNextFileW,

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 12.172.173.82:50001
Source: Malware configuration extractor	IPs: 178.175.187.254:443
Source: Malware configuration extractor	IPs: 65.95.141.84:2222
Source: Malware configuration extractor	IPs: 205.237.67.69:995
Source: Malware configuration extractor	IPs: 83.110.223.61:443
Source: Malware configuration extractor	IPs: 193.253.100.236:2222
Source: Malware configuration extractor	IPs: 27.0.48.233:443
Source: Malware configuration extractor	IPs: 102.159.188.125:443
Source: Malware configuration extractor	IPs: 71.38.155.217:443
Source: Malware configuration extractor	IPs: 58.186.75.42:443
Source: Malware configuration extractor	IPs: 76.178.148.107:2222
Source: Malware configuration extractor	IPs: 70.28.50.223:2087
Source: Malware configuration extractor	IPs: 114.143.176.236:443
Source: Malware configuration extractor	IPs: 51.14.29.227:2222
Source: Malware configuration extractor	IPs: 59.28.84.65:443
Source: Malware configuration extractor	IPs: 173.88.135.179:443
Source: Malware configuration extractor	IPs: 103.144.201.56:2078
Source: Malware configuration extractor	IPs: 96.87.28.170:2222
Source: Malware configuration extractor	IPs: 105.186.128.181:995
Source: Malware configuration extractor	IPs: 176.142.207.63:443
Source: Malware configuration extractor	IPs: 151.62.238.176:443
Source: Malware configuration extractor	IPs: 12.172.173.82:32101
Source: Malware configuration extractor	IPs: 122.186.210.254:443
Source: Malware configuration extractor	IPs: 82.125.44.236:2222
Source: Malware configuration extractor	IPs: 84.108.200.161:443
Source: Malware configuration extractor	IPs: 76.16.49.134:443
Source: Malware configuration extractor	IPs: 70.28.50.223:32100
Source: Malware configuration extractor	IPs: 12.172.173.82:465
Source: Malware configuration extractor	IPs: 76.170.252.153:995
Source: Malware configuration extractor	IPs: 184.182.66.109:443
Source: Malware configuration extractor	IPs: 78.92.133.215:443
Source: Malware configuration extractor	IPs: 50.68.204.71:993
Source: Malware configuration extractor	IPs: 186.75.95.6:443
Source: Malware configuration extractor	IPs: 113.11.92.30:443
Source: Malware configuration extractor	IPs: 70.28.50.223:3389
Source: Malware configuration extractor	IPs: 98.145.23.67:443
Source: Malware configuration extractor	IPs: 85.57.212.13:3389
Source: Malware configuration extractor	IPs: 50.68.186.195:443
Source: Malware configuration extractor	IPs: 47.205.25.170:443
Source: Malware configuration extractor	IPs: 12.172.173.82:993
Source: Malware configuration extractor	IPs: 12.172.173.82:22
Source: Malware configuration extractor	IPs: 69.242.31.249:443
Source: Malware configuration extractor	IPs: 81.101.185.146:443
Source: Malware configuration extractor	IPs: 79.168.224.165:2222
Source: Malware configuration extractor	IPs: 75.143.236.149:443
Source: Malware configuration extractor	IPs: 14.192.241.76:995
Source: Malware configuration extractor	IPs: 86.195.14.72:2222
Source: Malware configuration extractor	IPs: 81.229.117.95:2222
Source: Malware configuration extractor	IPs: 220.240.164.182:443
Source: Malware configuration extractor	IPs: 73.29.92.128:443
Source: Malware configuration extractor	IPs: 12.172.173.82:21
Source: Malware configuration extractor	IPs: 96.56.197.26:2222
Source: Malware configuration extractor	IPs: 75.109.111.89:443
Source: Malware configuration extractor	IPs: 76.86.31.59:443
Source: Malware configuration extractor	IPs: 201.244.108.183:995
Source: Malware configuration extractor	IPs: 68.203.69.96:443
Source: Malware configuration extractor	IPs: 124.122.47.148:443
Source: Malware configuration extractor	IPs: 122.184.143.86:443
Source: Malware configuration extractor	IPs: 92.186.69.229:2222
Source: Malware configuration extractor	IPs: 70.28.50.223:2083
Source: Malware configuration extractor	IPs: 89.129.109.27:2222
Source: Malware configuration extractor	IPs: 147.147.30.126:2222
Source: Malware configuration extractor	IPs: 125.99.76.102:443
Source: Malware configuration extractor	IPs: 88.126.94.4:50000
Source: Malware configuration extractor	IPs: 151.65.167.77:443
Source: Malware configuration extractor	IPs: 86.132.236.117:443
Source: Malware configuration extractor	IPs: 92.154.17.149:2222
Source: Malware configuration extractor	IPs: 223.166.13.95:995
Source: Malware configuration extractor	IPs: 89.36.206.69:995
Source: Malware configuration extractor	IPs: 96.56.197.26:2083
Source: Malware configuration extractor	IPs: 78.18.105.11:443
Source: Malware configuration extractor	IPs: 82.127.153.75:2222
Source: Malware configuration extractor	IPs: 90.78.147.141:2222
Source: Malware configuration extractor	IPs: 82.131.141.209:443
Source: Malware configuration extractor	IPs: 183.87.163.165:443
Source: Malware configuration extractor	IPs: 92.9.45.20:2222
Source: Malware configuration extractor	IPs: 80.6.50.34:443
Source: Malware configuration extractor	IPs: 80.12.88.148:2222
Source: Malware configuration extractor	IPs: 69.133.162.35:443
Source: Malware configuration extractor	IPs: 172.115.17.50:443
Source: Malware configuration extractor	IPs: 95.45.50.93:2222
Source: Malware configuration extractor	IPs: 12.172.173.82:2087
Source: Malware configuration extractor	IPs: 103.140.174.20:2222
Source: Malware configuration extractor	IPs: 24.198.114.130:995
Source: Malware configuration extractor	IPs: 50.68.204.71:443
Source: Malware configuration extractor	IPs: 69.119.123.159:2222
Source: Malware configuration extractor	IPs: 64.121.161.102:443
Source: Malware configuration extractor	IPs: 2.82.8.80:443
Source: Malware configuration extractor	IPs: 184.181.75.148:443
Source: Malware configuration extractor	IPs: 70.112.206.5:443
Source: Malware configuration extractor	IPs: 198.2.51.242:993
Source: Malware configuration extractor	IPs: 2.36.64.159:2078
Source: Malware configuration extractor	IPs: 79.77.142.22:2222
Source: Malware configuration extractor	IPs: 84.215.202.8:443
Source: Malware configuration extractor	IPs: 147.219.4.194:443
Source: Malware configuration extractor	IPs: 116.74.164.81:443
Source: Malware configuration extractor	IPs: 70.28.50.223:2078
Source: Malware configuration extractor	IPs: 12.172.173.82:995
Source: Malware configuration extractor	IPs: 77.86.98.236:443
Source: Malware configuration extractor	IPs: 104.35.24.154:443
Source: Malware configuration extractor	IPs: 213.64.33.61:2222
Source: Malware configuration extractor	IPs: 47.149.134.231:443
Source: Malware configuration extractor	IPs: 72.134.124.16:443
Source: Malware configuration extractor	IPs: 47.34.30.133:443
Source: Malware configuration extractor	IPs: 103.42.86.42:995
Source: Malware configuration extractor	IPs: 174.4.89.3:443
Source: Malware configuration extractor	IPs: 161.142.103.187:995
Source: Malware configuration extractor	IPs: 78.160.146.127:443
Source: Malware configuration extractor	IPs: 84.35.26.14:995
Source: Malware configuration extractor	IPs: 12.172.173.82:20
Source: Malware configuration extractor	IPs: 70.28.50.223:2078
Source: Malware configuration extractor	IPs: 124.149.143.189:2222
Source: Malware configuration extractor	IPs: 70.160.67.203:443
Source: Malware configuration extractor	IPs: 186.64.67.30:443
Source: Malware configuration extractor	IPs: 103.123.223.133:443
Source: Malware configuration extractor	IPs: 188.28.19.84:443
Source: Malware configuration extractor	IPs: 174.58.146.57:443
Source: Malware configuration extractor	IPs: 94.207.104.225:443
Source: Malware configuration extractor	IPs: 86.97.55.89:2222
Source: Malware configuration extractor	IPs: 69.123.4.221:2222

Source: Joe Sandbox View	ASN Name: MEO-RESIDENCIALPT MEO-RESIDENCIALPT
Source: Joe Sandbox View	ASN Name: ASN-CXA-ALL-CCI-22773-RDCUS ASN-CXA-ALL-CCI-22773-RDCUS

Source: Joe Sandbox View	JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Joe Sandbox View

IP Address: 2.82.8.80 2.82.8.80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, /User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: yahoo.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, /User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: www.yahoo.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /t5 HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, /Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 188.28.19.84Content-Length: 77Cache-Control: no-cache

Source: global traffic

TCP traffic: 192.168.2.4:49728 -> 86.97.55.89:2222

Source: unknown

Network traffic detected: IP country count 30

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 188.28.19.84
Source: unknown	TCP traffic detected without corresponding DNS query: 188.28.19.84
Source: unknown	TCP traffic detected without corresponding DNS query: 188.28.19.84
Source: unknown	TCP traffic detected without corresponding DNS query: 188.28.19.84
Source: unknown	TCP traffic detected without corresponding DNS query: 188.28.19.84
Source: unknown	TCP traffic detected without corresponding DNS query: 188.28.19.84
Source: unknown	TCP traffic detected without corresponding DNS query: 188.28.19.84
Source: unknown	TCP traffic detected without corresponding DNS query: 188.28.19.84
Source: unknown	TCP traffic detected without corresponding DNS query: 188.28.19.84
Source: unknown	TCP traffic detected without corresponding DNS query: 86.97.55.89

Source: YWUEZVG8.htm.26.dr	String found in binary or memory: C = {"useYAC":0,"usePE":0,"servicePath":"https:\/\/www.yahoo.com\/pdarla\/php\/fc.php","xservicePath":"","beaconPath":"https:\/\/www.yahoo.com\/pdarla\/php\/b.php","renderPath":"","allowFiF":false,"srenderPath":"https:\/\/s.yimg.com\/rq\/darla\/4-11-1\/html\/r-sf.html","renderFile":"https:\/\/s.yimg.com\/rq\/darla\/4-11-1\/html\/r-sf.html","sfbrenderPath":"https:\/\/s.yimg.com\/rq\/darla\/4-11-1\/html\/r-sf.html","msgPath":"https:\/\/fc.yahoo.com\/unsupported-1946.html","cscPath":"https:\/\/s.yimg.com\/rq\/darla\/4-11-1\/html\/r-csc.html","root":"pdarla","edgeRoot":"https:\/\/s.yimg.com\/rq\/darla\/4-11-1","sedgeRoot":"https:\/\/s.yimg.com\/rq\/darla\/4-11-1","version":"4-11-1","tpbURI":"","hostFile":"https:\/\/s.yimg.com\/rq\/darla\/4-11-1\/js\/g-r-min.js","beaconsDisabled":true,"rotationTimingDisabled":true,"fdb_locale":"What don't you like about this ad?\|It's offensive\|Something else\|Thank you for helping us improve your Yahoo experience\|It's not relevant\|It's distracting\|I don't like this ad\|Send\|Done\|Why do I see ads?\|Learn more about your feedback.\|Want an ad-free inbox? Upgrade to Yahoo Mail Pro!\|Upgrade Now","positions":{"DEFAULT":{"supports":false},"LDRB":{"w":728,"h":90},"LREC":{"w":300,"h":250},"MAST":{"w":1,"h":1},"MON":{"w":1,"h":1}},"lang":"en-US"}, equals www.yahoo.com (Yahoo)
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: C.events = {"AUTO":{"autoDDG":1,"autoIV":1,"autoMax":25,"autoRT":10000,"autoStart":1,"name":"AUTO","ps":{"LREC":{"autoIV":1,"autoMax":25,"autoRT":"10000"},"LREC3":{"autoIV":1,"autoMax":25,"autoRT":"10000"},"LREC4":{"autoIV":1,"autoMax":25,"autoRT":"10000"},"MON":{"autoIV":1,"autoMax":25,"autoRT":"10000"},"MON2":{"autoIV":1,"autoMax":25,"autoRT":"10000"}},"groups":{"LREC3":"MON2","LREC4":"MON2","MON2":"LREC3,LREC4"},"sp":2023538075,"sa":"Y-BUCKET=\"900\" ctout=380 rs=\"lu:0;pt:home;site:fp;ver:megastrm\" refresh=true","ref":"https:\/\/www.yahoo.com\/","ult":{"pg":{"property":"fp_en-US","rid":"62257iti7d3i8","test":"900"}}},"adFetch":{"ps":"LDRB,LREC,MAST,MON","sp":2023538075,"sa":"Y-BUCKET=\"900\" ctout=380 rs=\"lu:0;pt:home;site:fp;ver:megastrm\"","ref":"https:\/\/www.yahoo.com\/","ult":{"pg":{"property":"fp_en-US","rid":"62257iti7d3i8","test":"900"}}}}; equals www.yahoo.com (Yahoo)
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: C.positions = {"LDRB":{"clean":"sda-LDRB","dest":"sda-LDRB-iframe","fdb":1,"h":90,"id":"LDRB","metaSize":true,"pos":"LDRB","supports":{"exp-ovr":1,"exp-push":1,"lyr":0},"w":728,"meta":{"hostURL":"https:\/\/www.yahoo.com\/"}},"LREC":{"clean":"sda-LREC","dest":"sda-LREC-iframe","fdb":1,"h":250,"id":"LREC","metaSize":true,"pos":"LREC","supports":{"exp-ovr":0,"exp-push":0,"lyr":0},"w":300,"meta":{"hostURL":"https:\/\/www.yahoo.com\/"},"doubleBuffering":false},"MAST":{"clean":"sda-MAST","closeBtn":{"adc":0,"mode":2,"useShow":1},"dest":"sda-MAST-iframe","fdb":1,"h":250,"id":"MAST","metaSize":true,"pos":"MAST","supports":{"exp-ovr":0,"exp-push":1,"resize-to":1},"w":970,"meta":{"hostURL":"https:\/\/www.yahoo.com\/"}},"MON":{"clean":"sda-MON","dest":"sda-MON-iframe","fdb":1,"h":600,"id":"MON","metaSize":true,"pos":"MON","supports":{"exp-ovr":1,"exp-push":1,"lyr":0,"resize-to":1},"w":300,"meta":{"hostURL":"https:\/\/www.yahoo.com\/"}},"DEFAULT":{"sandbox":false}}; equals www.yahoo.com (Yahoo)
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: w._comscore.push({"c1":"2","c2":"7241469","c5":2023538075,"c7":"https://www.yahoo.com/","c14":-1}); equals www.yahoo.com (Yahoo)
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: var pixelDetectUrl = "https://www.yahoo.com/px.gif"; equals www.yahoo.com (Yahoo)
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: {"@context":"http://schema.org","@type":"WebSite","url":"https://www.yahoo.com/","potentialAction":{"@type":"SearchAction","target":"https://search.yahoo.com/search?p={search_term_string}","query-input":"required name=search_term_string"}} equals www.yahoo.com (Yahoo)
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: </script><noscript><img src=https://sb.scorecardresearch.com/p?c1=2&c2=7241469&c5=2023538075&c7=https%3A%2F%2Fwww.yahoo.com%2F&c14=-1></noscript><script type=text/javascript nonce=9fed29942f93d952c4078d7d1426bc778ee3c135cce17ba6c34e363dabf90f17> equals www.yahoo.com (Yahoo)
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: Abs, Major Underboob, And Massive Rock On IG</span><u class="StretchedBox"></u></a></h3><p class="LineClamp(2,38px) finance-ticker-fetch-success_D(n) sub-upsell-fetch-success_D(n) Fz(14px) Lh(18px) C($streamSummaryClass) M(0) Bxz(bb) Mb(12px)" data-test-locator="stream-item-summary">Bella Thorne just got engaged and she took the moment to show off her mega-toned abs in an underboob-baring top. Bella is all about feeling good in your body.</p></div></div><div class="drawer-fetch-boundary Pos(r)"><div data-bucket="900" data-cfg="{"adMeta":{"adchoicesUrl":"https://legal.yahoo.com/us/en/yahoo/privacy/adinfo/index.html","advertiseWithUsUrl":"https://www.ad.com/?utm_source=yahoo-home&utm_medium=referral&utm_campaign=ad-feedback","sponsoredUrl":"https://legal.yahoo.com/us/en/yahoo/privacy/adinfo/index.html","enableDrawerFeedback":false,"enableAdLiteUpSellFeedback":true},"features":{},"i13n":{"bpos":1,"categoryLabel":"Celebrity","cpos":16,"cposy":33},"intlFujiUiConfig":{"roundedCorner":false,"useVerticalControlIcons":false},"xhrPathPrefix":"/fp_ms/_rcv/remote","ncpParams":{"query":{"pageContext":{"lu":0,"pageType":"home","site":"fp","appName":"megastrm"}}}}" data-wf-boundary="drawer-fetch-boundary" data-wf-retry-count="1" data-wf-target=".drawer-fetch-target" data-wf-trigger="onLoad" data-wf-url="/fp_ms/_rcv/remote?m_mode=json&m_id=react-wafer-stream&ctrl=StreamRelated" class="stream-drawer Trsde(0.3s) Trsdu(0.7s) Trstf(eio) Trsp(max-height) Mah(0px) show-drawer_Mah(280px) D(n) drawer-beacon_D(b) Ov(h) stream-related-drawer"><div class="drawer-fetch-target"></div></div><div class="adfeedback-dialog"> </div></div></div></li><li class="stream-item js-stream-content Pos(r) Bgc(--white)" data-type="1" data-uuid="fa9fcd1b-4126-3c4a-8414-306cfbe5708c" data-cpos="17" data-cposy="34" data-ycts="001000637" data-wikis="Washington,_California,California,Yuba_River" data-property="U.S." data-i13n-cfg="{"bpos":1,"categoryLabel":"U.S.","cpos":17,"cposy":34}" data-test-locator="stream-item" data-yaft-module="stream_item_17"><div class="Mih(140px)"><div class="Py(12px) Pos(r) Cf"><div class="Fl(start) Pos(r) Mend(25px) Maw(220px) W(26%)"><div class="H(0) T(0px) Bdrs(2px) Start(0) Pos(r)" style="padding-bottom:55.91%" data-test-locator="stream-item-image"><a href="/news/bear-swept-raging-rapids-no-205839118.html" data-ylk="itc:0;elm:img;elmt:ct;imgt:ss;bpos:1;cpos:17;cposy:34;rspns:nav;t1:a3;t2:strm;t3:ct;ccode:megastream_unified__en-US__frontpage__default__default__desktop__ga__noSplit;ct:story;g:fa9fcd1b-4126-3c4a-8414-306cfbe5708c;grpt:singlestory;pkgt:orphan_img;pos:1;cnt_tpc:U.S.;slk:Bear is swep
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: Booty In A Naked Dress At Cannes</span><u class="StretchedBox"></u></a></h3><p class="LineClamp(2,38px) finance-ticker-fetch-success_D(n) sub-upsell-fetch-success_D(n) Fz(14px) Lh(18px) C($streamSummaryClass) M(0) Bxz(bb) Mb(12px)" data-test-locator="stream-item-summary">Shay Mitchell hit up Cannes in a naked dress that showed off her mega-toned butt and legs in new photos. She likes to fit in workouts with the Openfit app.</p></div></div><div class="drawer-fetch-boundary Pos(r)"><div data-bucket="900" data-cfg="{"adMeta":{"adchoicesUrl":"https://legal.yahoo.com/us/en/yahoo/privacy/adinfo/index.html","advertiseWithUsUrl":"https://www.ad.com/?utm_source=yahoo-home&utm_medium=referral&utm_campaign=ad-feedback","sponsoredUrl":"https://legal.yahoo.com/us/en/yahoo/privacy/adinfo/index.html","enableDrawerFeedback":false,"enableAdLiteUpSellFeedback":true},"features":{},"i13n":{"bpos":1,"categoryLabel":"Lifestyle","cpos":21,"cposy":42},"intlFujiUiConfig":{"roundedCorner":false,"useVerticalControlIcons":false},"xhrPathPrefix":"/fp_ms/_rcv/remote","ncpParams":{"query":{"pageContext":{"lu":0,"pageType":"home","site":"fp","appName":"megastrm"}}}}" data-wf-boundary="drawer-fetch-boundary" data-wf-retry-count="1" data-wf-target=".drawer-fetch-target" data-wf-trigger="onLoad" data-wf-url="/fp_ms/_rcv/remote?m_mode=json&m_id=react-wafer-stream&ctrl=StreamRelated" class="stream-drawer Trsde(0.3s) Trsdu(0.7s) Trstf(eio) Trsp(max-height) Mah(0px) show-drawer_Mah(280px) D(n) drawer-beacon_D(b) Ov(h) stream-related-drawer"><div class="drawer-fetch-target"></div></div><div class="adfeedback-dialog"> </div></div></div></li><script class="stream-uuid-list" type="application/json" nonce="9fed29942f93d952c4078d7d1426bc778ee3c135cce17ba6c34e363dabf90f17">{"uuidList":["f4a31bd8-52a0-390c-9724-d4940f6856d0","eee10156-ed77-33aa-8de8-f2a0c2b19331","c744b922-8429-3619-bffa-8817a3bc01c1","39362670714","26782943-a822-36a3-a563-f2d7ec146681","265639c4-84d8-32bb-86cf-617e01201aa8","6b746654-6874-39e2-bbdd-0f42c12ed722","bba5b75d-cad3-3e5b-9a53-aa8b3235991e","40bfa048-5af3-31e7-b557-cf356bab88c4","bf91b542-6dd3-3783-90ff-2beeab346466","a30448d9-3077-3ca5-a6b7-fbb569663620","55cd3b73-b530-3b32-81aa-54f0a914adff","17534886-7333-3a68-996a-6f10c610d0ef","a0baa0a2-af3c-3d82-8b7d-7bce57a7699b","9eb93f5a-d12f-3d34-80b3-8fa147146ac9","5b450b10-0d94-3575-97da-47ae363fa9f8","35363e57-d5e8-31bc-a290-5227cab52cbe","16bd6d13-8675-3de3-99f8-7656ee5640f9","2719a581-9c2b-31d6-b08e-807cfa7eae7d","ef1fbfb3-31ca-39d2-9a4b-36f932f00be0","c1f6e82a-f0f3-30e9-88fd-f550011cf1c0","38fa5320-1213-3155-b6f5-0d0b1d1cac67","7a331f34-2fd5-3226-b156-768746ac18b5","38510797499","9cf7cbfa-2cfb-3
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: Right Wingers</div><div class="C($streamItemGray) Fz(11px) Mt(2px) Va(b) D(ib)--md1160" data-test-locator="stream-cluster-pub">Rolling Stone</div></a></li></ul></div></div><div class="drawer-fetch-boundary Pos(r)"><div data-bucket="900" data-cfg="{"adMeta":{"adchoicesUrl":"https://legal.yahoo.com/us/en/yahoo/privacy/adinfo/index.html","advertiseWithUsUrl":"https://www.ad.com/?utm_source=yahoo-home&utm_medium=referral&utm_campaign=ad-feedback","sponsoredUrl":"https://legal.yahoo.com/us/en/yahoo/privacy/adinfo/index.html","enableDrawerFeedback":false,"enableAdLiteUpSellFeedback":true},"features":{},"i13n":{"bpos":1,"categoryLabel":"U.S.","cpos":5,"cposy":14},"intlFujiUiConfig":{"roundedCorner":false,"useVerticalControlIcons":false},"xhrPathPrefix":"/fp_ms/_rcv/remote","ncpParams":{"query":{"pageContext":{"lu":0,"pageType":"home","site":"fp","appName":"megastrm"}}}}" data-wf-boundary="drawer-fetch-boundary" data-wf-retry-count="1" data-wf-target=".drawer-fetch-target" data-wf-trigger="onLoad" data-wf-url="/fp_ms/_rcv/remote?m_mode=json&m_id=react-wafer-stream&ctrl=StreamRelated" class="stream-drawer Trsde(0.3s) Trsdu(0.7s) Trstf(eio) Trsp(max-height) Mah(0px) show-drawer_Mah(280px) D(n) drawer-beacon_D(b) Ov(h) stream-related-drawer"><div class="drawer-fetch-target"></div></div><div class="adfeedback-dialog"> </div></div></div></li><li class="stream-item js-stream-content Pos(r) Bgc(--white)" data-type="1" data-uuid="a30448d9-3077-3ca5-a6b7-fbb569663620" data-cpos="6" data-cposy="17" data-ycts="001000661,001000700" data-wikis="Donald_Trump,Jus_soli,Rolling_Stone,Fourteenth_Amendment_to_the_United_States_Constitution,Illegal_immigration" data-property="Politics" data-has-cluster="true" data-i13n-cfg="{"bpos":1,"categoryLabel":"Politics","cpos":6,"cposy":17}" data-test-locator="stream-item" data-yaft-module="stream_item_6"><div class="Mih(140px)"><div class="Py(12px) Pos(r) Cf"><div class="Fl(start) Pos(r) Mend(25px) Maw(220px) W(26%)"><div class="H(0) T(0px) Bdrs(2px) Start(0) Pos(r)" style="padding-bottom:87.73%" data-test-locator="stream-item-image"><a href="/entertainment/trump-promises-violate-14th-amendment-193116065.html" data-ylk="itc:0;elm:img;elmt:ct;imgt:ss;bpos:1;cpos:6;cposy:17;rspns:nav;t1:a3;t2:strm;t3:ct;ccode:megastream_unified__en-US__frontpage__default__default__desktop__ga__noSplit;ct:story;g:a30448d9-3077-3ca5-a6b7-fbb569663620;grpt:storyCluster;pkgt:cluster_all_img;pos:1;cnt_tpc:Politics;slk:Trump Promises to Violate 14th Amendment equals www.yahoo.com (Yahoo)
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: t catch them</span><u class="StretchedBox"></u></a></h3><p class="LineClamp(2,38px) finance-ticker-fetch-success_D(n) sub-upsell-fetch-success_D(n) Fz(14px) Lh(18px) C($streamSummaryClass) M(0) Bxz(bb) Mb(12px)" data-test-locator="stream-item-summary">If you find one on a beach, you should call the state Department of Fish and Wildlife to report it, columnist Carly Vester writes.</p></div></div><div class="drawer-fetch-boundary Pos(r)"><div data-bucket="900" data-cfg="{"adMeta":{"adchoicesUrl":"https://legal.yahoo.com/us/en/yahoo/privacy/adinfo/index.html","advertiseWithUsUrl":"https://www.ad.com/?utm_source=yahoo-home&utm_medium=referral&utm_campaign=ad-feedback","sponsoredUrl":"https://legal.yahoo.com/us/en/yahoo/privacy/adinfo/index.html","enableDrawerFeedback":false,"enableAdLiteUpSellFeedback":true},"features":{},"i13n":{"bpos":1,"categoryLabel":"U.S.","cpos":7,"cposy":20},"intlFujiUiConfig":{"roundedCorner":false,"useVerticalControlIcons":false},"xhrPathPrefix":"/fp_ms/_rcv/remote","ncpParams":{"query":{"pageContext":{"lu":0,"pageType":"home","site":"fp","appName":"megastrm"}}}}" data-wf-boundary="drawer-fetch-boundary" data-wf-retry-count="1" data-wf-target=".drawer-fetch-target" data-wf-trigger="onLoad" data-wf-url="/fp_ms/_rcv/remote?m_mode=json&m_id=react-wafer-stream&ctrl=StreamRelated" class="stream-drawer Trsde(0.3s) Trsdu(0.7s) Trstf(eio) Trsp(max-height) Mah(0px) show-drawer_Mah(280px) D(n) drawer-beacon_D(b) Ov(h) stream-related-drawer"><div class="drawer-fetch-target"></div></div><div class="adfeedback-dialog"> </div></div></div></li><li class="stream-item js-stream-content Pos(r) Bgc(--white)" data-type="1" data-uuid="9eb93f5a-d12f-3d34-80b3-8fa147146ac9" data-cpos="8" data-cposy="21" data-ycts="001000069,001000117" data-wikis="Zooey_Deschanel,Christina_Applegate,Blond" data-property="Celebrity" data-has-cluster="true" data-i13n-cfg="{"bpos":1,"categoryLabel":"Celebrity","cpos":8,"cposy":21}" data-test-locator="stream-item" data-yaft-module="stream_item_8"><div class="Mih(140px)"><div class="Py(12px) Pos(r) Cf"><div class="Fl(start) Pos(r) Mend(25px) Maw(220px) W(26%)"><div class="H(0) T(0px) Bdrs(2px) Start(0) Pos(r)" style="padding-bottom:87.73%" data-test-locator="stream-item-image"><a href="/lifestyle/zooey-deschanel-big-blonde-hair-184802299.html" data-ylk="itc:0;elm:img;elmt:ct;imgt:ss;bpos:1;cpos:8;cposy:21;rspns:nav;t1:a3;t2:strm;t3:ct;ccode:megastream_unified__en-US__frontpage__default__default__desktop__ga__noSplit;ct:story;g:9eb93f5a-d12f-3d34-80b3-8fa147146ac9;grpt:storyCluster;pkgt:cluster_all_img;pos:1;cnt_tpc:Celebrity;slk:Zooey Deschanel With B

Source: YWUEZVG8.htm.26.dr	String found in binary or memory: http://schema.org
Source: Amcache.hve.9.dr	String found in binary or memory: http://upx.sf.net
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: http://www.opensource.org/licenses/mit-license.php
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: https://5.ras.yahoo.com/adcount%7C2.0%7C5113.1%7C4830424%7C0%7C0%7CAdId=-41;BnId=0;ct=76544163;st=99
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: https://5.ras.yahoo.com/adcount%7C2.0%7C5113.1%7C4830441%7C0%7C225%7CAdId=11101911;BnId=2;ct=7654416
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: https://fp-graviton-home-gateway.media.yahoo.com/
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: https://legal.yahoo.com/us/en/yahoo/privacy/adinfo/index.html"
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: https://openweb.jac.yahoosandbox.com
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: https://openweb.jac.yahoosandbox.com/1.5.0/jac.js
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: https://s.yimg.com/aaq/hc/homepage-pwa-defer-1.1.6.js
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: https://s.yimg.com/aaq/nel/js/spotIm.custom.SpotIMJAC.modal.9d3270fa67932556c75baaed2c09c955.js
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: https://s.yimg.com/aaq/spotim/
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: https://s.yimg.com/aaq/vzm/cs_1.4.0.js
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: https://s.yimg.com/aaq/wf/wf-core-1.63.0.js
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: https://s.yimg.com/cx/pv/perf-vitals_3.1.0.js
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: https://s.yimg.com/nn/lib/metro/g/myy/advertisement_0.0.19.js
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: https://s.yimg.com/ss/rapid-3.53.38.js
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: https://s.yimg.com/uc/sf/0.1.322/js/safe.min.js
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/DgW4vH5M_FUgIVI7P1drOg--~B/Zmk9c3RyaW07aD0yNDY7cT04MDt3PTQ0MDthcHB
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/GrbIGl3XT7cxPkRfHGfS9A--~B/Zmk9c3RyaW07aD0zODY7cT04MDt3PTQ0MDthcHB
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/IOHHaqoGtz8E_nhSi9n_SA--~B/Zmk9c3RyaW07aD0xNDA7cT05MDt3PTE0MDthcHB
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/JB3oERIZNZLPfu6X4e9z6A--~B/Zmk9c3RyaW07aD0yNDY7cT04MDt3PTQ0MDthcHB
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/M7GzoPQf97leZFwCZRF3Kg--~B/Zmk9c3RyaW07aD0xNDA7cT05MDt3PTE0MDthcHB
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/NyxskLh1ww_qP2VNMLLXPg--~B/Zmk9c3RyaW07aD0xNDA7cT05MDt3PTE0MDthcHB
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/YcilHawp_AKChrUBidk12w--~B/Zmk9c3RyaW07aD0zODg7cT05NTt3PTcyMDthcHB
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/_CIJXKXQDZkVo9bAyJDDdA--~B/Zmk9c3RyaW07aD0yNDY7cT04MDt3PTQ0MDthcHB
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/_thhUXx96QwnlqajJOOzag--~B/Zmk9c3RyaW07aD0yNDY7cT04MDt3PTQ0MDthcHB
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/bgsoedXfbB0Gb9NBLPpSgA--~B/Zmk9c3RyaW07aD0zODY7cT04MDt3PTQ0MDthcHB
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/h64YbbKcO2GsKYAy1QMRMw--~B/Zmk9c3RyaW07aD0zODY7cT04MDt3PTQ0MDthcHB
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/xRSr.LEimIgdYlvzWwz1eg--~B/Zmk9c3RyaW07aD0xNDA7cT05MDt3PTE0MDthcHB
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: https://sb.scorecardresearch.com/p?c1=2&c2=7241469&c5=2023538075&c7=https%3A%2F%2Fwww.yahoo.com%2F&c
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: https://search.yahoo.com/search?p=
Source: rundll32.exe, rundll32.exe, 00000003.00000002.546649132.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.546624364.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.546734237.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.555876068.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.556014337.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.565392341.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, A290.dll	String found in binary or memory: https://streams.videolan.org/upload/
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: https://www.ad.com/?utm_source=yahoo-home&utm_medium=referral&utm_campaign=ad-feedback"
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: https://www.yahoo.com/
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: https://www.yahoo.com/px.gif
Source: YWUEZVG8.htm.26.dr	String found in binary or memory: https://yep.video.yahoo.com/oath/js/1/oath-player.js?ypv=8.5.43&lang=en-US

Source: unknown

HTTP traffic detected: POST /t5 HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 188.28.19.84Content-Length: 77Cache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: yahoo.com

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_1004D9B0 mv_thread_message_queue_recv,AcquireSRWLockExclusive,SleepConditionVariableSRW,SleepConditionVariableSRW,mv_fifo_can_read,mv_fifo_can_read,ReleaseSRWLockExclusive,mv_fifo_read,WakeConditionVariable,mv_fifo_can_read,

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, /User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: yahoo.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, /User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: www.yahoo.comConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 98.137.11.163:443 -> 192.168.2.4:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.100.215:443 -> 192.168.2.4:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.28.19.84:443 -> 192.168.2.4:49727 version: TLS 1.2

Source: loaddll32.exe, 00000000.00000002.550583540.00000000014DB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: A290.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: 20.2.rundll32.exe.5f1170.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
Source: 20.2.rundll32.exe.ad0000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
Source: 20.2.rundll32.exe.5f1170.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 652

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000D060
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10028070
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002B0B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000B0D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10008144
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002A1A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100101D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001021B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10027220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10033261
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10007270
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10024280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10023350
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100353B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100243C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10013480
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1004D4B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1004C4C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000D4D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001F523
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100105C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100215D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000164B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100206A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10010750
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000E760
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10010778
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002A800
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10030800
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000B830
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10026870
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10001900
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10091900
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000D910
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001F91B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1009D970
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10010980
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001099C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100339B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000C9F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000FA00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000AA10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10091A40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10007A50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000EAC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000FAE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000FAF7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10025B0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000AB30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10003BA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000FBC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10001C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000DC10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000EC10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10031C30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000BC40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10004C96
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000ECC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000DD40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000CD50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002DD90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000EDB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10007DC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_00AE71FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_00AE8D30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_00AE320D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_00AE4A6F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_00AD3A40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_00AE6E40

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_00ADA823 GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_00ADA412 NtAllocateVirtualMemory,NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_00ADCA0F NtAllocateVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,NtFreeVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_00AE43F4 NtProtectVirtualMemory,NtProtectVirtualMemory,

Source: A290.dll

Binary or memory string: OriginalFilenameavutil-lav-57.dll. vs A290.dll

Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: ncryptsslp.dll

Source: A290.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\A290.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\A290.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A290.dll,mv_add_i
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A290.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5508 -s 660
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A290.dll,mv_add_q
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A290.dll,mv_add_stable
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5616 -s 652
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A290.dll",mv_add_i
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A290.dll",mv_add_q
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A290.dll",mv_add_stable
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A290.dll",next
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A290.dll",mvutil_license
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6944 -s 652
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A290.dll",mvutil_configuration
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5860 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\A290.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A290.dll,mv_add_i
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A290.dll,mv_add_q
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A290.dll,mv_add_stable
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A290.dll",mv_add_i
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A290.dll",mv_add_q
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A290.dll",mv_add_stable
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A290.dll",next
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A290.dll",mvutil_license
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A290.dll",mvutil_configuration
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A290.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe

Source: C:\Windows\SysWOW64\wermgr.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Ymdmdosqoawo

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER8532.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winDLL@31/24@2/100

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 20_2_00ADD213 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 20_2_00ADC71C CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification,

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A290.dll,mv_add_i

Source: C:\Windows\SysWOW64\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\{C2305DE9-81F7-4032-97E9-671A0F043C28}
Source: C:\Windows\SysWOW64\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{281F1E04-E2C5-4D9F-895E-6E44B85850EA}
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2460
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6444:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5616
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5508
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5860
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6944
Source: C:\Windows\SysWOW64\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\{281F1E04-E2C5-4D9F-895E-6E44B85850EA}

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wermgr.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wermgr.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wermgr.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: A290.dll

Static PE information: More than 582 > 100 exports found

Source: A290.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_1001F523 mv_dict_get,LoadLibraryA,LoadLibraryA,InitOnceBeginInitialize,InitOnceComplete,LoadLibraryA,GetProcAddress,mv_log,atoi,mv_log,mv_log,GetProcAddress,

Source: A290.dll

Static PE information: real checksum: 0xf1b7b should be: 0x100382

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Windows\SysWOW64\rundll32.exe

Memory written: PID: 6632 base: D03C50 value: E9 63 D7 45 FF

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wermgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wermgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wermgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wermgr.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: wermgr.exe, 0000001A.00000003.591280509.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600143641.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.591304574.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600296293.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.559657902.000000000436F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600190022.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600018276.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599821146.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599845838.0000000005330000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXE
Source: wermgr.exe, 0000001A.00000003.559657902.000000000436F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FRIDA-WINJECTOR-HELPER-32.EXE
Source: wermgr.exe, 0000001A.00000003.559657902.000000000436F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FRIDA-WINJECTOR-HELPER-64.EXE
Source: wermgr.exe, 0000001A.00000003.591280509.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600143641.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.591304574.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600296293.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600190022.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600018276.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599821146.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599845838.0000000005330000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IMPORTREC.EXE
Source: wermgr.exe, 0000001A.00000003.591280509.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600143641.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.591304574.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600296293.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600190022.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600018276.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599821146.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599845838.0000000005330000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PETOOLS.EXE
Source: wermgr.exe, 0000001A.00000003.591280509.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600143641.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.591304574.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600296293.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.568896607.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600190022.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600018276.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599821146.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599845838.0000000005330000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SNIFF_HIT.EXE
Source: wermgr.exe, 0000001A.00000003.591280509.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600143641.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.591304574.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600296293.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.559657902.000000000436F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600190022.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600018276.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599821146.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599845838.0000000005330000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TCPDUMP.EXE
Source: wermgr.exe, 0000001A.00000003.591280509.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600143641.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.591304574.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600296293.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.559657902.000000000436F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600190022.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600018276.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599821146.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599845838.0000000005330000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WINDUMP.EXE
Source: wermgr.exe, 0000001A.00000003.591280509.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600143641.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.591304574.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600296293.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.568896607.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600190022.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600018276.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599821146.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599845838.0000000005330000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SYSANALYZER.EXE
Source: wermgr.exe, 0000001A.00000003.591280509.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600143641.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.591304574.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600296293.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.568896607.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600190022.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600018276.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599821146.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599845838.0000000005330000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IDAQ.EXE
Source: wermgr.exe, 0000001A.00000003.591280509.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600143641.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.591304574.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600296293.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.559657902.000000000436F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600190022.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600018276.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599821146.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599845838.0000000005330000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DUMPCAP.EXE
Source: wermgr.exe, 0000001A.00000003.591280509.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600143641.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.591304574.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600296293.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.559657902.000000000436F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600190022.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600018276.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599821146.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599845838.0000000005330000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXE
Source: wermgr.exe, 0000001A.00000003.591280509.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600143641.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.591304574.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600296293.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.559657902.000000000436F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600190022.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.600018276.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599821146.0000000005330000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000001A.00000003.599845838.0000000005330000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FILEMON.EXE

Source: C:\Windows\SysWOW64\rundll32.exe TID: 6636

Thread sleep count: 177 > 30

Source: C:\Windows\SysWOW64\rundll32.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10035030 rdtsc

Source: C:\Windows\SysWOW64\rundll32.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Windows\SysWOW64\wermgr.exe

Process information queried: ProcessInformation

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 20_2_00ADB883 GetSystemInfo,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 20_2_00AD9DA8 FindFirstFileW,FindNextFileW,

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Source: Amcache.hve.9.dr	Binary or memory string: VMware
Source: Amcache.hve.9.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr	Binary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.9.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.me
Source: YWUEZVG8.htm.26.dr	Binary or memory string: ;" aria-hidden="true" class="js-content-viewer rapidnofollow" tabindex="-1"><img class="W(100%) Bdrs(2px)" src="https://s.yimg.com/uu/api/res/1.2/GrbIGl3XT7cxPkRfHGfS9A--~B/Zmk9c3RyaW07aD0zODY7cT04MDt3PTQ0MDthcHBpZD15dGFjaHlvbg--/https://media.zenfs.com/en/rollingstone.com/1559327ca430d396aaa47b044ff6e77a.cf.jpg" alt="" data-test-locator="stream-item-image"/></a></div> </div><div class="Pend(45px) Ov(h)"><div class="Fz(16px) Fw(b) Tt(c) D(ib) Mb(4px) Mend(9px) Lh(1) C($cat-politics)" data-test-locator="stream-item-category-label">Politics</div><div class="C($streamItemGray) Fz(12px) D(ib) Mb(4px) Lh(1)" id="stream-item-publisher_6" data-test-locator="stream-item-publisher">Rolling Stone</div><h3 class="LineClamp(2,2.6em) Mb(4px) Mb(0)--md1160 Mt(0) Lh(1.3) Fz(19px) stream-item-title" data-test-locator="stream-item-title"><a class="js-content-viewer rapidnofollow wafer-caas D(b) Td(n) Td(n):f C(--cobalt) C(--dory):h" data-uuid="a30448d9-3077-3ca5-a6b7-fbb569663620" href="/entertainment/trump-promises-violate-14th-amendment-193116065.html" data-ylk="itc:0;elm:hdln;elmt:ct;bpos:1;cpos:6;cposy:17;rspns:nav;t1:a3;t2:strm;t3:ct;ccode:megastream_unified__en-US__frontpage__default__default__desktop__ga__noSplit;ct:story;g:a30448d9-3077-3ca5-a6b7-fbb569663620;grpt:storyCluster;pkgt:cluster_all_img;pos:1;cnt_tpc:Politics;slk:Trump Promises to Violate 14th Amendment
Source: Amcache.hve.9.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging

Potentially malicious time measurement code found

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10035030 Start: 10035315 End: 1003515E

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_1001F523 mv_dict_get,LoadLibraryA,LoadLibraryA,InitOnceBeginInitialize,InitOnceComplete,LoadLibraryA,GetProcAddress,mv_log,atoi,mv_log,mv_log,GetProcAddress,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10035030 rdtsc

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001E0D9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_3_00AC2297 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_00AD1015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_00AD21CD mov eax, dword ptr fs:[00000030h]

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\wermgr.exe base: 190000
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\wermgr.exe base: 160000
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\wermgr.exe base: D03C50

Allocates memory in foreign processes

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 160000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 190000 protect: page read and write

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\rundll32.exe

Memory written: C:\Windows\SysWOW64\wermgr.exe base: 160000 value starts with: 4D5A

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A290.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe

Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\wermgr.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\wermgr.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_1008DB50 cpuid

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_100A0AD0 GetCurrentThread,GetThreadTimes,GetSystemTimeAsFileTime,QueryPerformanceFrequency,QueryPerformanceCounter,GetCurrentProcess,GetProcessTimes,_errno,GetModuleHandleA,GetProcAddress,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10092180 GetTimeZoneInformation,GetModuleHandleA,GetProcAddress,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 20_2_00ADBB4D GetCurrentProcessId,GetLastError,GetVersionExA,GetWindowsDirectoryW,

Source: rundll32.exe, 00000014.00000003.549554692.0000000000E3F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bdagent.exe
Source: rundll32.exe, 00000014.00000003.549554692.0000000000E3F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vsserv.exe
Source: rundll32.exe, 00000014.00000003.549554692.0000000000E3F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: rundll32.exe, 00000014.00000003.549554692.0000000000E3F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avgcsrvx.exe
Source: rundll32.exe, 00000014.00000003.549554692.0000000000E3F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mcshield.exe
Source: rundll32.exe, 00000014.00000003.549554692.0000000000E3F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Qbot

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 20.2.rundll32.exe.5f1170.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.ad0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.5f1170.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.561029904.00000000005DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.561647699.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Qbot

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 20.2.rundll32.exe.5f1170.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.ad0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.5f1170.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.561029904.00000000005DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.561647699.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	3 Native API	1 DLL Side-Loading	311 Process Injection	1 Masquerading	1 Credential API Hooking	2 System Time Discovery	Remote Services	1 Credential API Hooking	Exfiltration Over Other Network Medium	21 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	1 Input Capture	131 Security Software Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	311 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Archive Collected Data	Automated Exfiltration	2 Ingress Tool Transfer	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Rundll32	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	3 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	114 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	24 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
A290.dll	3%	ReversingLabs	Win32.Malware.Generic
A290.dll	5%	Virustotal		Browse
A290.dll	100%	Avira	HEUR/AGEN.1363694

Source	Detection	Scanner	Label	Link
https://www.ad.com/?utm_source=yahoo-home&utm_medium=referral&utm_campaign=ad-feedback"	0%	URL Reputation	safe
https://www.ad.com/?utm_source=yahoo-home&utm_medium=referral&utm_campaign=ad-feedback"	0%	URL Reputation	safe
https://openweb.jac.yahoosandbox.com	0%	Virustotal		Browse
https://188.28.19.84/t5	0%	Virustotal		Browse
https://188.28.19.84/t5	0%	Avira URL Cloud	safe
https://sb.scorecardresearch.com/p?c1=2&c2=7241469&c5=2023538075&c7=https%3A%2F%2Fwww.yahoo.com%2F&c	0%	Avira URL Cloud	safe
https://openweb.jac.yahoosandbox.com	0%	Avira URL Cloud	safe
https://openweb.jac.yahoosandbox.com/1.5.0/jac.js	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
new-fp-shed.wg1.b.yahoo.com	87.248.100.215	true	false	high
yahoo.com	98.137.11.163	true	false	high
www.yahoo.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://yahoo.com/	false		high
https://www.yahoo.com/	false		high
https://188.28.19.84/t5	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://s.yimg.com/ss/rapid-3.53.38.js	YWUEZVG8.htm.26.dr	false		high
https://s.yimg.com/aaq/vzm/cs_1.4.0.js	YWUEZVG8.htm.26.dr	false		high
https://s.yimg.com/uu/api/res/1.2/h64YbbKcO2GsKYAy1QMRMw--~B/Zmk9c3RyaW07aD0zODY7cT04MDt3PTQ0MDthcHB	YWUEZVG8.htm.26.dr	false		high
https://s.yimg.com/cx/pv/perf-vitals_3.1.0.js	YWUEZVG8.htm.26.dr	false		high
https://s.yimg.com/uu/api/res/1.2/bgsoedXfbB0Gb9NBLPpSgA--~B/Zmk9c3RyaW07aD0zODY7cT04MDt3PTQ0MDthcHB	YWUEZVG8.htm.26.dr	false		high
https://s.yimg.com/aaq/spotim/	YWUEZVG8.htm.26.dr	false		high
https://s.yimg.com/uu/api/res/1.2/IOHHaqoGtz8E_nhSi9n_SA--~B/Zmk9c3RyaW07aD0xNDA7cT05MDt3PTE0MDthcHB	YWUEZVG8.htm.26.dr	false		high
https://s.yimg.com/uu/api/res/1.2/JB3oERIZNZLPfu6X4e9z6A--~B/Zmk9c3RyaW07aD0yNDY7cT04MDt3PTQ0MDthcHB	YWUEZVG8.htm.26.dr	false		high
https://fp-graviton-home-gateway.media.yahoo.com/	YWUEZVG8.htm.26.dr	false		high
http://upx.sf.net	Amcache.hve.9.dr	false		high
https://openweb.jac.yahoosandbox.com	YWUEZVG8.htm.26.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://s.yimg.com/uc/sf/0.1.322/js/safe.min.js	YWUEZVG8.htm.26.dr	false		high
https://s.yimg.com/uu/api/res/1.2/xRSr.LEimIgdYlvzWwz1eg--~B/Zmk9c3RyaW07aD0xNDA7cT05MDt3PTE0MDthcHB	YWUEZVG8.htm.26.dr	false		high
https://www.ad.com/?utm_source=yahoo-home&utm_medium=referral&utm_campaign=ad-feedback"	YWUEZVG8.htm.26.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://5.ras.yahoo.com/adcount%7C2.0%7C5113.1%7C4830441%7C0%7C225%7CAdId=11101911;BnId=2;ct=7654416	YWUEZVG8.htm.26.dr	false		high
https://www.yahoo.com/px.gif	YWUEZVG8.htm.26.dr	false		high
https://search.yahoo.com/search?p=	YWUEZVG8.htm.26.dr	false		high
https://s.yimg.com/uu/api/res/1.2/_CIJXKXQDZkVo9bAyJDDdA--~B/Zmk9c3RyaW07aD0yNDY7cT04MDt3PTQ0MDthcHB	YWUEZVG8.htm.26.dr	false		high
http://schema.org	YWUEZVG8.htm.26.dr	false		high
http://www.opensource.org/licenses/mit-license.php	YWUEZVG8.htm.26.dr	false		high
https://legal.yahoo.com/us/en/yahoo/privacy/adinfo/index.html"	YWUEZVG8.htm.26.dr	false		high
https://streams.videolan.org/upload/	rundll32.exe, rundll32.exe, 00000003.00000002.546649132.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.546624364.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.546734237.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.555876068.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.556014337.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.565392341.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, A290.dll	false		high
https://s.yimg.com/aaq/wf/wf-core-1.63.0.js	YWUEZVG8.htm.26.dr	false		high
https://sb.scorecardresearch.com/p?c1=2&c2=7241469&c5=2023538075&c7=https%3A%2F%2Fwww.yahoo.com%2F&c	YWUEZVG8.htm.26.dr	false	Avira URL Cloud: safe	unknown
https://s.yimg.com/uu/api/res/1.2/DgW4vH5M_FUgIVI7P1drOg--~B/Zmk9c3RyaW07aD0yNDY7cT04MDt3PTQ0MDthcHB	YWUEZVG8.htm.26.dr	false		high
https://s.yimg.com/uu/api/res/1.2/_thhUXx96QwnlqajJOOzag--~B/Zmk9c3RyaW07aD0yNDY7cT04MDt3PTQ0MDthcHB	YWUEZVG8.htm.26.dr	false		high
https://5.ras.yahoo.com/adcount%7C2.0%7C5113.1%7C4830424%7C0%7C0%7CAdId=-41;BnId=0;ct=76544163;st=99	YWUEZVG8.htm.26.dr	false		high
https://s.yimg.com/uu/api/res/1.2/M7GzoPQf97leZFwCZRF3Kg--~B/Zmk9c3RyaW07aD0xNDA7cT05MDt3PTE0MDthcHB	YWUEZVG8.htm.26.dr	false		high
https://s.yimg.com/nn/lib/metro/g/myy/advertisement_0.0.19.js	YWUEZVG8.htm.26.dr	false		high
https://s.yimg.com/aaq/nel/js/spotIm.custom.SpotIMJAC.modal.9d3270fa67932556c75baaed2c09c955.js	YWUEZVG8.htm.26.dr	false		high
https://s.yimg.com/uu/api/res/1.2/YcilHawp_AKChrUBidk12w--~B/Zmk9c3RyaW07aD0zODg7cT05NTt3PTcyMDthcHB	YWUEZVG8.htm.26.dr	false		high
https://yep.video.yahoo.com/oath/js/1/oath-player.js?ypv=8.5.43&lang=en-US	YWUEZVG8.htm.26.dr	false		high
https://s.yimg.com/aaq/hc/homepage-pwa-defer-1.1.6.js	YWUEZVG8.htm.26.dr	false		high
https://openweb.jac.yahoosandbox.com/1.5.0/jac.js	YWUEZVG8.htm.26.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
2.82.8.80	unknown	Portugal	3243	MEO-RESIDENCIALPT	true
70.160.67.203	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
75.143.236.149	unknown	United States	20115	CHARTER-20115US	true
83.110.223.61	unknown	United Arab Emirates	5384	EMIRATES-INTERNETEmiratesInternetAE	true
86.195.14.72	unknown	France	3215	FranceTelecom-OrangeFR	true
84.215.202.8	unknown	Norway	41164	GET-NOGETNorwayNO	true
184.182.66.109	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
92.186.69.229	unknown	France	12479	UNI2-ASES	true
174.4.89.3	unknown	Canada	6327	SHAWCA	true
161.142.103.187	unknown	Malaysia	9930	TTNET-MYTIMEdotComBerhadMY	true
114.143.176.236	unknown	India	17762	HTIL-TTML-IN-APTataTeleservicesMaharashtraLtdIN	true
14.192.241.76	unknown	Malaysia	9534	MAXIS-AS1-APBinariangBerhadMY	true
173.88.135.179	unknown	United States	10796	TWC-10796-MIDWESTUS	true
84.108.200.161	unknown	Israel	8551	BEZEQ-INTERNATIONAL-ASBezeqintInternetBackboneIL	true
47.34.30.133	unknown	United States	20115	CHARTER-20115US	true
183.87.163.165	unknown	India	132220	JPRDIGITAL-INJPRDigitalPvtLtdIN	true
184.181.75.148	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
124.149.143.189	unknown	Australia	7545	TPG-INTERNET-APTPGTelecomLimitedAU	true
84.35.26.14	unknown	Netherlands	21221	INFOPACT-ASTheNetherlandsNL	true
73.29.92.128	unknown	United States	7922	COMCAST-7922US	true
68.203.69.96	unknown	United States	11427	TWC-11427-TEXASUS	true
82.131.141.209	unknown	Hungary	20845	DIGICABLEHU	true
64.121.161.102	unknown	United States	6079	RCN-ASUS	true
98.137.11.163	yahoo.com	United States	36647	YAHOO-GQ1US	false
178.175.187.254	unknown	Moldova Republic of	43289	TRABIAMD	true
96.56.197.26	unknown	United States	6128	CABLE-NET-1US	true
188.28.19.84	unknown	United Kingdom	206067	H3GUKGB	true
186.64.67.30	unknown	Argentina	27953	NODOSUDSAAR	true
125.99.76.102	unknown	India	17488	HATHWAY-NET-APHathwayIPOverCableInternetIN	true
81.101.185.146	unknown	United Kingdom	5089	NTLGB	true
59.28.84.65	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	true
105.186.128.181	unknown	South Africa	37457	Telkom-InternetZA	true
76.86.31.59	unknown	United States	20001	TWC-20001-PACWESTUS	true
147.147.30.126	unknown	United Kingdom	6871	PLUSNETUKInternetServiceProviderGB	true
96.87.28.170	unknown	United States	7922	COMCAST-7922US	true
75.109.111.89	unknown	United States	19108	SUDDENLINK-COMMUNICATIONSUS	true
78.92.133.215	unknown	Hungary	5483	MAGYAR-TELEKOM-MAIN-ASMagyarTelekomNyrtHU	true
124.122.47.148	unknown	Thailand	17552	TRUE-AS-APTrueInternetCoLtdTH	true
88.126.94.4	unknown	France	12322	PROXADFR	true
51.14.29.227	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	true
85.57.212.13	unknown	Spain	12479	UNI2-ASES	true
47.205.25.170	unknown	United States	5650	FRONTIER-FRTRUS	true
95.45.50.93	unknown	Ireland	5466	EIRCOMInternetHouseIE	true
80.12.88.148	unknown	France	3215	FranceTelecom-OrangeFR	true
69.133.162.35	unknown	United States	11426	TWC-11426-CAROLINASUS	true
86.132.236.117	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	true
151.62.238.176	unknown	Italy	1267	ASN-WINDTREIUNETEU	true
70.112.206.5	unknown	United States	11427	TWC-11427-TEXASUS	true
205.237.67.69	unknown	Canada	11290	CC-3272CA	true
102.159.188.125	unknown	Tunisia	37705	TOPNETTN	true
151.65.167.77	unknown	Italy	1267	ASN-WINDTREIUNETEU	true
87.248.100.215	new-fp-shed.wg1.b.yahoo.com	United Kingdom	34010	YAHOO-IRDGB	false
76.178.148.107	unknown	United States	10838	OCEANIC-INTERNET-RRUS	true
89.36.206.69	unknown	Italy	48544	TECNOADSL-ASIT	true
69.242.31.249	unknown	United States	7922	COMCAST-7922US	true
193.253.100.236	unknown	France	3215	FranceTelecom-OrangeFR	true
76.16.49.134	unknown	United States	7922	COMCAST-7922US	true
94.207.104.225	unknown	United Arab Emirates	15802	DU-AS1AE	true
201.244.108.183	unknown	Colombia	19429	ETB-ColombiaCO	true
103.42.86.42	unknown	India	133660	EDIGITAL-ASE-InfrastructureandEntertainmentIndiaPvtLt	true
78.18.105.11	unknown	Ireland	2110	AS-BTIREBTIrelandwaspreviouslyknownasEsatNetEUnet	true
80.6.50.34	unknown	United Kingdom	5089	NTLGB	true
103.144.201.56	unknown	unknown	139762	MSSOLUTION-AS-APSolutionBD	true
27.0.48.233	unknown	India	132573	SAINGN-AS-INSAINGNNetworkServicesIN	true
70.28.50.223	unknown	Canada	577	BACOMCA	true
98.145.23.67	unknown	United States	20001	TWC-20001-PACWESTUS	true
47.149.134.231	unknown	United States	5650	FRONTIER-FRTRUS	true
82.125.44.236	unknown	France	3215	FranceTelecom-OrangeFR	true
81.229.117.95	unknown	Sweden	3301	TELIANET-SWEDENTeliaCompanySE	true
89.129.109.27	unknown	Spain	12479	UNI2-ASES	true
122.186.210.254	unknown	India	9498	BBIL-APBHARTIAirtelLtdIN	true
79.77.142.22	unknown	United Kingdom	9105	TISCALI-UKTalkTalkCommunicationsLimitedGB	true
90.78.147.141	unknown	France	3215	FranceTelecom-OrangeFR	true
122.184.143.86	unknown	India	9498	BBIL-APBHARTIAirtelLtdIN	true
186.75.95.6	unknown	Panama	11556	CableWirelessPanamaPA	true
50.68.186.195	unknown	Canada	6327	SHAWCA	true
12.172.173.82	unknown	United States	2386	INS-ASUS	true
213.64.33.61	unknown	Sweden	3301	TELIANET-SWEDENTeliaCompanySE	true
86.97.55.89	unknown	United Arab Emirates	5384	EMIRATES-INTERNETEmiratesInternetAE	true
79.168.224.165	unknown	Portugal	2860	NOS_COMUNICACOESPT	true
176.142.207.63	unknown	France	5410	BOUYGTEL-ISPFR	true
92.154.17.149	unknown	France	3215	FranceTelecom-OrangeFR	true
174.58.146.57	unknown	United States	7922	COMCAST-7922US	true
78.160.146.127	unknown	Turkey	9121	TTNETTR	true
58.186.75.42	unknown	Viet Nam	18403	FPT-AS-APTheCorporationforFinancingPromotingTechnolo	true
223.166.13.95	unknown	China	17621	CNCGROUP-SHChinaUnicomShanghainetworkCN	true
65.95.141.84	unknown	Canada	577	BACOMCA	true
50.68.204.71	unknown	Canada	6327	SHAWCA	true
71.38.155.217	unknown	United States	209	CENTURYLINK-US-LEGACY-QWESTUS	true
104.35.24.154	unknown	United States	20001	TWC-20001-PACWESTUS	true
220.240.164.182	unknown	Australia	7545	TPG-INTERNET-APTPGTelecomLimitedAU	true
103.123.223.133	unknown	India	138329	KWS-AS-APKenstarWebSolutionsPrivateLimitedIN	true
24.198.114.130	unknown	United States	11351	TWC-11351-NORTHEASTUS	true
2.36.64.159	unknown	Italy	30722	VODAFONE-IT-ASNIT	true
198.2.51.242	unknown	United States	20001	TWC-20001-PACWESTUS	true
92.9.45.20	unknown	United Kingdom	13285	OPALTELECOM-ASTalkTalkCommunicationsLimitedGB	true
113.11.92.30	unknown	Bangladesh	7565	BDCOM-BDRangsNiluSquare5thFloorHouse75Road5AD	true
69.119.123.159	unknown	United States	6128	CABLE-NET-1US	true
69.123.4.221	unknown	United States	6128	CABLE-NET-1US	true
172.115.17.50	unknown	United States	20001	TWC-20001-PACWESTUS	true

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	878697
Start date and time:	2023-05-31 01:57:08 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 58s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	A290.dll
Detection:	MAL
Classification:	mal100.troj.evad.winDLL@31/24@2/100
EGA Information:	Successful, ratio: 50%
HDC Information:	Successful, ratio: 10.7% (good quality ratio 8.6%) Quality average: 58.5% Quality standard deviation: 37.4%
HCA Information:	Successful, ratio: 99% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .dll Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): audiodg.exe, WerFault.exe, WMIADAP.exe, svchost.exe
TCP Packets have been reduced to 100
Excluded IPs from analysis (whitelisted): 104.208.16.94, 52.168.117.173, 52.182.143.212
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, watson.telemetry.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
Execution Graph export aborted for target rundll32.exe, PID 2460 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.

Simulations

Behavior and APIs

Time	Type	Description
01:58:05	API Interceptor	5x Sleep call for process: WerFault.exe modified
01:58:07	API Interceptor	1x Sleep call for process: loaddll32.exe modified
01:58:17	API Interceptor	9x Sleep call for process: wermgr.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_4a2b263a88ec6871bb19ce2ee3f04564bd3fea_82810a17_16e0a0aa\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9052197643451435
Encrypted:	false
SSDEEP:	192:V74i00oXlHBUZMX4jed+c/u7svS274ItWc:R4iCXVBUZMX4jeZ/u7svX4ItWc
MD5:	F958BF85DCD28A282473F6BE2CEF1377
SHA1:	EB68D1D00D9751A8C40071BB77F66427DCA435B2
SHA-256:	C450AAA5A8707B80338FA41F8527842A9629ECA394AB57C5B633CC8B4B78BBCE
SHA-512:	D465671A1901A596265E88C1FC67CFB52AA4FFC665B508FE61D6D4358B0400BDD9C0C6E92ED57827C704853F488F972250178A7F340E58552BCDEFB245686FB8
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.9.9.6.4.6.7.8.5.5.7.2.1.6.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.2.9.9.6.4.6.7.9.3.5.4.1.0.4.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.f.6.8.2.9.9.2.-.7.8.8.1.-.4.b.a.9.-.8.6.7.f.-.6.8.f.0.8.3.0.f.0.3.7.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.4.3.b.3.6.3.3.-.c.5.7.b.-.4.f.1.c.-.a.b.8.f.-.c.f.f.e.f.2.8.2.1.a.e.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.8.4.-.0.0.0.1.-.0.0.1.f.-.0.d.b.3.-.a.5.8.e.5.2.9.3.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_4a2b263a88ec6871bb19ce2ee3f04564bd3fea_82810a17_16e8a0e8\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.904477321391494
Encrypted:	false
SSDEEP:	192:Ynvi00oXwHBUZMX4jed+c/u7svS274ItWc:aviCXYBUZMX4jeZ/u7svX4ItWc
MD5:	264D980E954111C3761E64E7EE8EBF29
SHA1:	F0DE915634E9CBDD49CDB1DDB8E66CA57CDC75E8
SHA-256:	68886283065633D2DA02AA80D0E162D45D0ACA4D1C3D52B8EA7DE6163B9E438C
SHA-512:	29B12B3F3B491CBEC0488E4ED32BABA6E671D1C7E2F2AE1BAEB243A3F7CC071DE1634367D1FA7851284F4490346F26C4E3A8B11A9CB404CD4C4C8D25CF62A15F
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.9.9.6.4.6.7.8.4.7.0.8.2.8.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.2.9.9.6.4.6.7.9.3.7.7.0.8.1.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.3.a.8.e.e.4.a.-.0.b.f.8.-.4.4.d.8.-.a.d.3.9.-.d.0.2.2.f.0.8.7.c.2.e.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.7.e.7.f.4.6.6.-.7.7.1.a.-.4.1.d.4.-.a.7.f.d.-.f.d.2.d.5.2.8.5.1.8.3.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.9.9.c.-.0.0.0.1.-.0.0.1.f.-.0.a.2.c.-.a.3.8.e.5.2.9.3.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_4a2b263a88ec6871bb19ce2ee3f04564bd3fea_82810a17_1a6cb20f\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9051074053759652
Encrypted:	false
SSDEEP:	192:ODi30oXnHBUZMX4jed+c/u7svS274ItWc:SiJXHBUZMX4jeZ/u7svX4ItWc
MD5:	E3CE6FFB47189228E9D5794CD73D47AE
SHA1:	D8A8844E8719ACF0AA4CF2CE468BD13041A45D19
SHA-256:	C2343739CA626B0CF97E9C43B27CC5505FF17F73ABE6CC30E0F2084744DEB910
SHA-512:	C9CEF2A26D9E1B495441C0E39B9263FD9EBAD42A36F1F638E682AA217BC5D6A88A8CF08F5F2F06697C78C8AB47DB3A9FBAF9AA60CC960F0B0A3C24916CB0F19C
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.9.9.6.4.6.8.7.8.5.6.2.4.8.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.2.9.9.6.4.6.8.9.1.5.7.1.5.1.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.4.1.c.a.6.6.4.-.f.1.5.c.-.4.9.b.2.-.a.7.f.c.-.e.5.2.f.4.2.1.8.5.2.b.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.e.a.2.9.9.b.0.-.0.c.8.8.-.4.a.c.a.-.a.3.e.3.-.1.d.4.7.d.c.8.8.0.0.9.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.2.0.-.0.0.0.1.-.0.0.1.f.-.5.0.b.7.-.1.b.9.4.5.2.9.3.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_86b3cac39a2cad5204e578b2befa7f9972cac_82810a17_1ae0a1c3\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9053032903616895
Encrypted:	false
SSDEEP:	192:/f9iq0oXSHBUZMX4jed+c/u7svS274ItWc:/li8XqBUZMX4jeZ/u7svX4ItWc
MD5:	19149BF897ECD0734A1752983A9A327A
SHA1:	231CEEB8EC8D579665AEF04EA1BA5121E153154D
SHA-256:	9EF0EB67AEDEF2C41557FDA704B5EDD8B3C1D22DA18BFCDD6443313B325C3B9F
SHA-512:	46E88C93CA946E5F5828CAA846F624D062CE9E0D190EC5D2DE03BCB2490BE18A89D1E8DB40CBD9103C89184DD71AAC6A9CA0A9CC71D0292B1FC1D8EC66655576
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.9.9.6.4.6.8.3.9.3.0.1.9.5.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.2.9.9.6.4.6.8.5.1.3.8.3.8.8.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.0.c.0.3.7.8.d.-.0.0.d.a.-.4.3.6.9.-.8.7.4.b.-.0.c.1.3.9.e.8.c.b.8.6.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.1.d.5.d.3.9.7.-.c.5.f.9.-.4.a.5.d.-.b.4.2.1.-.2.f.c.e.8.c.0.9.6.f.9.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.f.0.-.0.0.0.1.-.0.0.1.f.-.1.9.b.c.-.4.6.9.2.5.2.9.3.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_86b3cac39a2cad5204e578b2befa7f9972cac_82810a17_1afcb29b\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.902693322870849
Encrypted:	false
SSDEEP:	192:rGCiH0oXiHBUZMX4jed+c/u7svS274ItWc:iCi5X6BUZMX4jeZ/u7svX4ItWc
MD5:	D2CFEECC0DF271607016D33A4A91C12B
SHA1:	0DC665F4441A79B4C68741EA1F18611707DE5445
SHA-256:	662BF647DBB46C83E5FB0F29C0D54AEFA7EEAE036ED86A4FE18E4E78757288E7
SHA-512:	F540BA622702888C1B566F058B831134AD31281CDCC7E2CF3CE9F20E6E605DB597DE8C8827E369335EA37EC697971D9210EA26F89902DA0542856E926A6A518F
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.9.9.6.4.6.8.8.0.9.5.7.9.7.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.2.9.9.6.4.6.8.9.3.5.0.3.3.7.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.6.6.d.b.0.e.0.-.e.f.b.e.-.4.0.c.4.-.9.b.e.a.-.4.c.b.a.c.5.1.e.1.6.c.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.1.f.4.7.3.3.9.-.a.5.7.4.-.4.a.b.e.-.a.b.2.c.-.d.9.b.e.a.5.5.3.8.4.1.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.e.4.-.0.0.0.1.-.0.0.1.f.-.4.3.2.d.-.4.1.9.4.5.2.9.3.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8532.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue May 30 23:57:58 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	35950
Entropy (8bit):	2.352297457009687
Encrypted:	false
SSDEEP:	192:WdE6sZy56WH2p0O5Skb/1jaytMTtjjno8uTQKCSwJdQrQRi/iXnw:Rqs75Lb/R6jjo8bK6JdQrQgyw
MD5:	AE1A8CBBB6510C248A0F1CC40F99F2B9
SHA1:	70F902761F97134D182FBFC2C801A9923C36E03F
SHA-256:	D493F25F198D3A4886E7342CF99E464FC6B5AF5523B73A4C39CDFBB9DD280F62
SHA-512:	30620B31D18A3D767BC1B2DD9672836FB3B48EC75185D4349AB9CFCAC390CA79A495E510813E79E0FBFFB29BF13701F86EAF9DCD336B75F84E8F1CDB117ED495
Malicious:	false
Preview:	MDMP....... .........vd............d...............l............)..........T.......8...........T...............nr...........................................................................................U...........B..............GenuineIntelW...........T.............vd.............................0..=...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8581.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue May 30 23:57:58 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	37350
Entropy (8bit):	2.2884351783055745
Encrypted:	false
SSDEEP:	192:WCG6sZy56WHnhRO5SkblrIvpDODQp1jjNN8F3QIQlFXnpP:AqhE5Lb0Dnp1jjH8F3QIQzX
MD5:	E2FF5E700104A79ADAED8B54C7425E0B
SHA1:	38EECB658F64F297C2600F11428CCF2FA4C087FE
SHA-256:	77DAB6BFEF9F1943C89C41D9DD51483AA65F992D8CD8A555506B9C7121180B08
SHA-512:	A9264DFEBA6FB54131A37A2AA79453C7D439FB9F464178B65CA00D8DF0E1A4326177ECFF36E7095CE252CE910AFD1E24D728A1510C64B97A287A792ABB31924D
Malicious:	false
Preview:	MDMP....... .........vd............d...............l............)..........T.......8...........T...........P....w...........................................................................................U...........B..............GenuineIntelW...........T.............vd.............................0..=...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER868B.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8248
Entropy (8bit):	3.686077051812785
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNidv67zaHI6YnP63ngmfT4Svm+pr789bvxPsf+qdhm:RrlsNiV6yHI6YP63gmfT4S+vx0f++c
MD5:	D1D0D24B126FCB14F22F34ADC47766D9
SHA1:	1F01594B2341A4F81363F631C7A6EAC5E636AD40
SHA-256:	813A89E1C748D1FB12E5C81FB108DBDD7F613B03C00EABB76131B921D095032E
SHA-512:	1F963B76AC26B926A0D13376CD3496B516CCF4905D2D6493EA5DCE2334E2FD27E6C07CAD480BF2F3242DAF7E6DC62F2132970E2E724A0B97FAD7433B06900C1B
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.4.6.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER86AA.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8242
Entropy (8bit):	3.688634041315938
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNidT67zx6Yf+6sgmfT4Svm+pr189bvxmsfndhm:RrlsNip6J6Y26sgmfT4SAvxFfdc
MD5:	8518A87D024D1D9489D1D22B5289694D
SHA1:	420074EB6F02CBA4FBDD8EABA218BC4A5579C71E
SHA-256:	7A32B60959EFB10049DA711A32E207FD01098446DAEE5E1955DB5629EA8A88CD
SHA-512:	A827FD0BD592D49C712DD4C3E12F81CE46E02A7583A657C5AF64CA982EC13CF69B563D576634DF99ACD811F26BDA48099F8E0E90D50AA7B70B29F4A859992F79
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.5.0.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER86EA.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4626
Entropy (8bit):	4.448333913003201
Encrypted:	false
SSDEEP:	48:cvIwSD8zs6xJgtWI9LrWgc8sqYje8fm8M4JCdsmZFN+q8/BKt4SrSnd:uITf6D4agrsqYHJwZSKDWnd
MD5:	ADE2F02EA649D05E651EF35EAC39528E
SHA1:	A3FD8F1A441E26B5EEEE7B8BC19526F542D86EA9
SHA-256:	B0BB386985893AFBE7423AFCF7B391E3FFF7A54F56114A15B42394787C2501DF
SHA-512:	7E7E52FE4E29D68A7BA2DC7D6E8C4FAE9F0F6D0CC335CB942027E74E5556608618BE9C9E2D41B6AADD31A05155495DAC133AF97D65B9F12E215E23A0F3D1B27A
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2064068" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER86FA.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4626
Entropy (8bit):	4.447610529383943
Encrypted:	false
SSDEEP:	48:cvIwSD8zs6xJgtWI9LrWgc8sqYjHw/8fm8M4JCdsmZFCMxno+q8/BKn4SrSMd:uITf6D4agrsqY7RJwroSYDWMd
MD5:	4C91B5CF76BD1FDEF51EC24720C5B3E5
SHA1:	224C1954CA3988FE5D317215C2ACC07528B24A80
SHA-256:	CA8043919A1EC0D443BE3C618EDE3C0AC0A31A205C5E06607EC8C24AE8B85BEC
SHA-512:	DD1FF6D09BF83048A46F5E53FFC90280ACD425104902EDBCCAEFA064C846EA164686EF11589ACD67B300234CE6EEA542281A246E1D1346B4A0E5F6D3B6ACCAB5
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2064068" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9A80.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue May 30 23:58:04 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	38010
Entropy (8bit):	2.238640039494979
Encrypted:	false
SSDEEP:	192:kz0O6sZy56WH728O5Skbrxdjj0ZFHsi7+peVDTeVnl7:5oqKz5LbrXjjWweVXeV9
MD5:	A06C04162DFE654397D58FB06E8E43C7
SHA1:	E64D7349F81E5A407F119CF6A86F2A22AC967111
SHA-256:	7FC901B6D7C3E56B3EA73F6695EA33640983F716669A19D98A60DCD47AEB87AF
SHA-512:	56C41C1610998E040D9181DE751AB4D94C7B7734ACDE2787576D6705F5BE7241BDF99B46716F6CB5DF5090A87884412A416B01FBEF9AE73424251DC8A5378E54
Malicious:	false
Preview:	MDMP....... .........vd............d...............l............)..........T.......8...........T...............zz...........................................................................................U...........B..............GenuineIntelW...........T.............vd.............................0..=...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9BA9.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8246
Entropy (8bit):	3.6879205063250273
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiJO67zLHI6YnU6F4gmfTYSvm+prO89bfDsfQ1m:RrlsNig6THI6YU6agmfTYSlfofv
MD5:	806E43B66D329651461F9B332772E483
SHA1:	6C5ADAA83EEA6255ED62A7CFB5AF2B7B8A42F662
SHA-256:	4FF63DD7CD25C11C634A9D651CAFED45030661CE1B0F3747D893180CFB2F9F7A
SHA-512:	FB8335439A103676A0E29D8C4860B2837B353B712294D651788038E9DA4B57878F5EA2E19498E97EE805CB4B0BEB92CAF130E21153C3B9AA05EDEA445249142F
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.6.1.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9C47.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4626
Entropy (8bit):	4.451225937110308
Encrypted:	false
SSDEEP:	48:cvIwSD8zs6xJgtWI9LrWgc8sqYjJ8fm8M4JCdsm9FxGI+q8/B8X4SrSVMd:uITf6D4agrsqY6JwpbSKDWVMd
MD5:	E9E945B3211FDC82C358890CF81AC19F
SHA1:	9CE1386AD8BECCC1BC4CD6C917C2E1AC07ABCBBC
SHA-256:	EC1300DE7C68321CC46B1B593AE92B946AD396126D3C20C5CECCD93CB13F8B38
SHA-512:	51DC801547F3B1883197016A9937BB61A54AAF493A1857C1566D2A614290983B9776263A5F2F47938196595277974A268E11D0711A85EE96246DD2902FFF91ED
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2064068" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA9D1.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue May 30 23:58:08 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	45130
Entropy (8bit):	2.0466120165162818
Encrypted:	false
SSDEEP:	192:wGlrQQ3UO5SkbHvln/8jj2ScitMEvQgqv3V:b5LbNnUjjjltMlV
MD5:	D793F060448DF6818BE40DD8C7061727
SHA1:	A5ACC0BED8E6EF299CC513B06ED4C081592D1904
SHA-256:	C2E82C8E53DBE47CCC68E83DCD574D15436A6EFAF44E62189BCCEBCC8D93B3A0
SHA-512:	017944884A631B4F2B50ADB75798BCF5401E77272EB79543E986F4CC281986509B339CD93A0085537E0E85F7C94D51ECED568D0D2ACA164943281A1514C5924D
Malicious:	false
Preview:	MDMP....... .........vd.........................................,..........T.......8...........T...............J...........0................................................................................U...........B..............GenuineIntelW...........T....... .....vd.............................0..=...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAACB.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue May 30 23:58:08 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	38034
Entropy (8bit):	2.264599948857644
Encrypted:	false
SSDEEP:	192:wPl6sZy56WHHslO5Skby8mjjtFC7ksHXn6:GqMI5Lby8mjjtFuks6
MD5:	F4A954A2B25A5C52D24F82541F1BF967
SHA1:	230EFFB23F82238A7C47D9626E38B9AFCF7FFB57
SHA-256:	DCD236781D7512CBF48ADB03FD3025531F16F925E20BD985BAA38E29C38ABEBC
SHA-512:	570230A5CA4865407A4C1ADE55B537920070D7A7E762E755802C0FC72AAD068BB7B9508F80CA176BAEE8D009335AE86036DEB9176213268DB5B2FE03C9A1A95A
Malicious:	false
Preview:	MDMP....... .........vd............d...............l............)..........T.......8...........T................z...........................................................................................U...........B..............GenuineIntelW...........T.............vd.............................0..=...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAC34.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8240
Entropy (8bit):	3.686714096918007
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiaK66b6YP664PgmfT4Svm+prr89bzrsfaRm:RrlsNiX6m6YS64PgmfT4SuzwfF
MD5:	2C6BF7DFA6563DB46A40BB12E3C8797D
SHA1:	586B3DA3FC7613B930D16A379FB2CBA96019A288
SHA-256:	C170F7D6243C1077BA797B2648E3C04662339AE6BD093F8BF761938638BCB1C9
SHA-512:	FF567E89B3EF2B3E5B0A4474E368224E6BD7A323CB36D2EA040C0168C7A6CEDEB1CF65C166A811BA2DC5E59F77C73D493DB57D8EB9CF601589D62B06086786DA
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.4.4.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERACC1.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4626
Entropy (8bit):	4.4461893635228416
Encrypted:	false
SSDEEP:	48:cvIwSD8zs6xJgtWI9LrWgc8sqYjV8fm8M4JCdsmZFX+q8/BKWZ4SrScH6d:uITf6D4agrsqYuJw7SnZDWi6d
MD5:	F907A0882890D7D6D2B43629EEDE4D62
SHA1:	505F29275E34046F952B566FA54AA442087922D0
SHA-256:	703BA07F2349362A2544751F6CD68389A9C691AC3EE7E9FBB31B5A191032BDFC
SHA-512:	851CF774CFC60B6B0E2090D67AAEB356A29569F9AD3F82920719C6F77062918728367C7341A092C71E7820AFA416706078DB163738B9E53C17E1B3F9FCACE215
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2064068" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERACEF.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8240
Entropy (8bit):	3.6871043505443533
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi2s67zm6YPA64PgmfTYSvm+prk89bzJsfp5Rm:RrlsNiN6e6Y464PgmfTYSDzifpO
MD5:	18F532759E12C6F4CBC8793BE3AC803B
SHA1:	4B64D86FB6903145FEE4635B7CB2438C81F77A99
SHA-256:	77300251CC62052F4B4D6844A5CA1CF5D9FC41244C42FC9C58424FCF696A63B5
SHA-512:	7BFC7363CB2FCA385463D8ADE22B7365F93F189E68ED447511B350F8BC8125C1CBFAE61E03147A7BA147041F621B4D6766559E12905B59529C2CF4C657DB6683
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.8.6.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERADAC.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4626
Entropy (8bit):	4.44990230140723
Encrypted:	false
SSDEEP:	48:cvIwSD8zs6xJgtWI9LrWgc8sqYjQI8fm8M4JCdsm9FY5+q8/B8E4SrSrd:uITf6D4agrsqYMlJw2S5DWrd
MD5:	F2BBAB4E3F0915F821F122A53A08E69D
SHA1:	C4CD4CEAC34E9F1B73509DCA98CD843A0C6DC15C
SHA-256:	7F4209F199482BDFBE0874D306BE88E1B560AB798F2313FEB2F7E0481446CE52
SHA-512:	E2F0D729606207D8D591C06045D11CAB46A6B366A18E130151BDB09AE1765FD4556A6D369536BDB5A3594E0F648D02AD7092BF240B90E3CA11C2221C4CF061F3
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2064068" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\YWUEZVG8.htm

Download File

Process:	C:\Windows\SysWOW64\wermgr.exe
File Type:	HTML document, ASCII text, with very long lines (64945)
Category:	dropped
Size (bytes):	879390
Entropy (8bit):	5.582494478021937
Encrypted:	false
SSDEEP:	6144:lQYjR8Wd18F3OYRCBWbWptCLhQtICvOFguJkRejcax0A0:ldR8x3OYUfp0WO+uJ5cM0A0
MD5:	4988AE458B898B6B5E0957E446FDE2B1
SHA1:	4A452447129A992FB6690C9BF4F25CDCE1306DAB
SHA-256:	DAB752F8CB890BAD6881626408AA0B2761F523664687724CF942429D58258BA4
SHA-512:	25BC07A2D3BE2E6A675641483884A2545E81EC46F6EF60EAB76EAF238B844EC33E16CFCE7D102A5C3BB1703ABC3B56DDB7ACACB2EC12F1ED0CA966D1B9E60258
Malicious:	false
Preview:	<!doctype html><html id=atomic class="ltr desktop-lite fp fp-none bkt900 ua-ie ua-11.0" lang=en-US data-color-scheme><head><script nonce=9fed29942f93d952c4078d7d1426bc778ee3c135cce17ba6c34e363dabf90f17>. window.performance.mark('PageStart');. document.documentElement.className += ' JsEnabled jsenabled';. /*. Empty darlaOnready method, to avoid JS error.. * This can happen when Async Darla JS file is loaded earlier than Darla Proxy JS.. * This method will be overridden by Darla Proxy. */. window.darlaOnready = function() {};. </script><title>Yahoo \| Mail, Weather, Search, Politics, News, Finance, Sports & Videos</title><meta http-equiv=content-type content="text/html; charset=utf-8"><meta http-equiv=x-dns-prefetch-control content=on><meta http-equiv=X-UA-Compatible content=chrome=1><meta name=description content="Latest news coverage, email, free stock quotes, live scores and video are just the beginning. Discover m

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\t5[1]

Download File

Process:	C:\Windows\SysWOW64\wermgr.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.373051322261979
Encrypted:	false
SSDEEP:	3:bzVHaYIUnZjVnHn:bzbjZjVH
MD5:	95727490AF2055AA9EBB186AF4529945
SHA1:	6AB0F01813F295F82F220771AEF26E46C2C43545
SHA-256:	730788681D9BDB7D912F709A3D6FF52B116B1BAC246F18CD002E855707946A46
SHA-512:	3DE1DC718DAC2644E781C53B63EB11F14C9EAA90D74EDC14C7AF7E36723C24D5D60AC3AEB547BFEB59365EDD4D9355131505E3DC5DB4FE056A37C18161CCDD4B
Malicious:	false
Preview:	ParseHTTPResponse() failed pCurlResp=NULL

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.311735735286071
Encrypted:	false
SSDEEP:	12288:0+2sLhXpztZ+sQhFRH9Iy0qu4o1wtmgN/Xd5h8JT2WulbJ1KZa:d2sLhXpztZ5QhFUt4w
MD5:	6A5FF81C4F71FBBB3E7EB9D540DFA231
SHA1:	D7AE3DCCC9857564DDFE6D25633BB1A400ADD328
SHA-256:	634B72037D8C4BFC47B9BC80EED6116832C14AF8100397015DF7AA15CFC4FDC1
SHA-512:	C7399BE166210B4FFD913ADF8264600DE53456A53ECDC6D1D454204D389BBA87915EAB0D856234D0E8D665BBACEE94C548341A39F67985CF0297591CB5E54EBC
Malicious:	false
Preview:	regfR...R...p.\..,.................. .... ......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm....R...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	3.0512967329198144
Encrypted:	false
SSDEEP:	384:GDK5K5ijaM1gnVVeeDzed1NKZtjlvejNZpuU9fWejNZpuE:mUKEg/eeDzeHNYtjtkZpuyfWkZpu
MD5:	B1D4A6D23CFAB0DE4C6AE58FE347E41A
SHA1:	BFDBB24AC814E153E716AFEB598DABFEBD5657D5
SHA-256:	B5D88D1039D031E31584C7C3D6AC5D847772188AB384D5EA779CE6CA6D960901
SHA-512:	AAC79F6C25B090E2DD7CAF14065E2923C5886DF188F71D0974F7D6093F9919D28DCED17CFD2770E33E492BB2A0060CC4DEC79ED110F4C4FB5DA569A41F24D063
Malicious:	false
Preview:	regfQ...Q...p.\..,.................. .... ......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm....R...................................................................................................................................................................................................................................................................................................................................................HvLE.>......Q.... .......B..e.\|u../...W........................hbin................p.\..,..........nk,.Yo..R................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk .Yo..R....... ........................... .......Z.......................Root........lf......Root....nk .Yo..R................................... ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck.......p...

Static File Info

General

File type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.5974525554369166
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	A290.dll
File size:	1000208
MD5:	061a8b23a85b75400cd719fd173767c3
SHA1:	05a7ee8edfb504be3cb6c4e5230fc3994586bf1e
SHA256:	6615dda3718170a2c4946ebf0a62ad4f36b707c1d984011f866ff56dd2c3cc24
SHA512:	afb49e376023ea801421315277579f7a9745ac3e84a909382d3732a51b6ec3f9e638d31e3a90dde7e91bdc642a583b73e9d0a55b7083245ef5156250fa04cedc
SSDEEP:	24576:D7AkdHt+UnNtqbVotX4Dw/9JGCZdBK/+NYouXFPn/yd4p:DZ8RDwlJGoY7Xp
TLSH:	C1258EC0FBD744FAE46718B1B09AB7AFAB3112050138CE76DFA58E09E976B401DDB245
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....0d...........#...'.....................................................0 .....{.....@... .........................hC.

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x10001390
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6430AE80 [Sat Apr 8 00:00:00 2023 UTC]
TLS Callbacks:	0x10090cc0, 0x10090c70, 0x100a1c60
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ac404a1028e7ce450416867d9b3974cc

Entrypoint Preview

Instruction
sub esp, 0Ch
mov dword ptr [101D86FCh], 00000000h
mov ecx, dword ptr [esp+18h]
mov edx, dword ptr [esp+14h]
mov eax, dword ptr [esp+10h]
call 00007F7240DFA3B7h
add esp, 0Ch
retn 000Ch
lea esi, dword ptr [esi+00000000h]
lea esi, dword ptr [esi+00h]
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], 100C9000h
mov dword ptr [esp+04h], eax
call 00007F7240E9934Eh
add esp, 1Ch
ret
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
sub esp, 18h
mov dword ptr [esp], 10001400h
call 00007F7240DFA533h
leave
ret
lea esi, dword ptr [esi+00000000h]
lea esi, dword ptr [esi+00h]
nop
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
push edi
push esi
push ebx
mov edx, dword ptr [esp+14h]
mov esi, dword ptr [esp+1Ch]
mov edi, dword ptr [esp+18h]
movzx ebx, dx
shr edx, 10h
test esi, esi
je 00007F7240DFA5E8h
nop
cmp esi, 04h
jbe 00007F7240DFA5A2h
lea esi, dword ptr [esi+00000000h]
lea esi, dword ptr [esi+00h]
movzx eax, byte ptr [edi]
add edi, 04h
sub esi, 04h
movzx ebp, byte ptr [edi-03h]
movzx ecx, byte ptr [edi-02h]
add eax, ebx
movzx ebx, byte ptr [edi-01h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x1da000	0x4368	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1df000	0x1388	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1e3000	0x378	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1e4000	0x4128	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc61e4	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1df328	0x2c4	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xab124	0xab200	False	0.4480831126734843	data	6.432110661692397	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xad000	0x100	0x200	False	0.28125	Matlab v4 mat-file (little endian) \377\377\377\377 , text, rows 4294967295, columns 4294967295, imaginary	2.102897197014083	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xae000	0x1a624	0x1a800	False	0.3911224941037736	data	5.329684115990636	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0xc9000	0x110264	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x1da000	0x4368	0x4400	False	0.4040670955882353	data	5.488698281853443	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0x1df000	0x1388	0x1400	False	0.3810546875	data	5.386273709762828	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x1e1000	0x30	0x200	False	0.060546875	data	0.25451054171027127	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x1e2000	0x8	0x200	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1e3000	0x1a64e	0x1b000	False	0.9544813368055556	data	7.905006025130965	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x1fe000	0x4128	0x4200	False	0.7178030303030303	data	6.590473987933104	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x1e3058	0x31c	data	English	United States

Imports

DLL	Import
bcrypt.dll	BCryptCloseAlgorithmProvider, BCryptGenRandom, BCryptOpenAlgorithmProvider
KERNEL32.dll	AcquireSRWLockExclusive, AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateFileMappingA, CreateMutexA, CreateSemaphoreA, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, FileTimeToSystemTime, FreeLibrary, GetConsoleMode, GetConsoleScreenBufferInfo, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetFullPathNameW, GetHandleInformation, GetLastError, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetProcessAffinityMask, GetProcessTimes, GetStdHandle, GetSystemDirectoryW, GetSystemTimeAdjustment, GetSystemTimeAsFileTime, GetThreadContext, GetThreadPriority, GetThreadTimes, GetTickCount64, GetTimeZoneInformation, InitOnceBeginInitialize, InitOnceComplete, InitializeConditionVariable, InitializeCriticalSection, InitializeSRWLock, IsDBCSLeadByteEx, IsDebuggerPresent, LeaveCriticalSection, LoadLibraryA, LoadLibraryExA, LoadLibraryExW, MapViewOfFile, MultiByteToWideChar, OpenProcess, OutputDebugStringA, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, ReleaseMutex, ReleaseSRWLockExclusive, ReleaseSemaphore, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, SetConsoleTextAttribute, SetEvent, SetLastError, SetProcessAffinityMask, SetSystemTime, SetThreadContext, SetThreadPriority, Sleep, SleepConditionVariableSRW, SuspendThread, TlsAlloc, TlsGetValue, TlsSetValue, TryEnterCriticalSection, UnmapViewOfFile, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WaitForSingleObjectEx, WakeAllConditionVariable, WakeConditionVariable, WideCharToMultiByte, WriteConsoleW
msvcrt.dll	__mb_cur_max, __setusermatherr, _aligned_free, _aligned_malloc, _aligned_realloc, _amsg_exit, _beginthreadex, _endthreadex, _errno, _fstat64, _get_osfhandle, _gmtime64, _hypot, _initterm, _iob, _localtime64, _lock, _mktime64, _setjmp3, _sopen, _ultoa, _unlock, _wsopen, abort, acos, asin, atan, atoi, bsearch, calloc, clock, cosh, exit, fprintf, fputc, fputs, free, fwrite, getc, getenv, islower, isspace, isupper, isxdigit, localeconv, log10, malloc, memchr, memcmp, memcpy, memmove, memset, printf, rand, realloc, setlocale, sinh, strchr, strcmp, strcpy, strcspn, strerror, strftime, strlen, strncmp, strrchr, strspn, strstr, strtol, strtoul, tan, tanh, tolower, ungetc, vfprintf, wcscat, wcscpy, wcslen, wcsrchr, longjmp, _strdup, _read, _isatty, _fdopen, _close
USER32.dll	GetDesktopWindow

Exports

Name	Ordinal	Address
mv_add_i	1	0x10023c30
mv_add_q	2	0x10035990
mv_add_stable	3	0x10027e10
mv_adler32_update	4	0x10001410
mv_aes_alloc	5	0x10001bd0
mv_aes_crypt	6	0x10001bf0
mv_aes_ctr_alloc	7	0x100022f0
mv_aes_ctr_crypt	8	0x10002480
mv_aes_ctr_free	9	0x10002420
mv_aes_ctr_get_iv	10	0x10002370
mv_aes_ctr_increment_iv	11	0x10002430
mv_aes_ctr_init	12	0x100023c0
mv_aes_ctr_set_full_iv	13	0x10002340
mv_aes_ctr_set_iv	14	0x10002310
mv_aes_ctr_set_random_iv	15	0x10002380
mv_aes_init	16	0x10001c10
mv_aes_size	17	0x100ae00c
mv_append_path_component	18	0x10006eb0
mv_asprintf	19	0x10006850
mv_assert0_fpu	20	0x1008cfa0
mv_audio_fifo_alloc	21	0x10002670
mv_audio_fifo_drain	22	0x10002af0
mv_audio_fifo_free	23	0x10002610
mv_audio_fifo_peek	24	0x10002900
mv_audio_fifo_peek_at	25	0x10002990
mv_audio_fifo_read	26	0x10002a40
mv_audio_fifo_realloc	27	0x100027b0
mv_audio_fifo_reset	28	0x10002b70
mv_audio_fifo_size	29	0x10002bb0
mv_audio_fifo_space	30	0x10002bc0
mv_audio_fifo_write	31	0x10002850
mv_base64_decode	32	0x100076c0
mv_base64_encode	33	0x100078d0
mv_basename	34	0x10006d70
mv_blowfish_alloc	35	0x10007da0
mv_blowfish_crypt	36	0x100084b0
mv_blowfish_crypt_ecb	37	0x10007dc0
mv_blowfish_init	38	0x100a6ac0
mv_bmg_get	39	0x10024fe0
mv_bprint_append_data	40	0x10008f30
mv_bprint_channel_layout	41	0x1000c9f0
mv_bprint_chars	42	0x10008d20
mv_bprint_clear	43	0x10009670
mv_bprint_escape	44	0x10009730
mv_bprint_finalize	45	0x10009690
mv_bprint_get_buffer	46	0x10009500
mv_bprint_init	47	0x10008880
mv_bprint_init_for_buffer	48	0x100089a0
mv_bprint_strftime	49	0x10009130
mv_bprintf	50	0x100089c0
mv_buffer_alloc	51	0x10009dc0
mv_buffer_allocz	52	0x10009ef0
mv_buffer_create	53	0x10009e60
mv_buffer_default_free	54	0x10009d10
mv_buffer_get_opaque	55	0x1000a090
mv_buffer_get_ref_count	56	0x1000a0a0
mv_buffer_is_writable	57	0x1000a070
mv_buffer_make_writable	58	0x1000a0b0
mv_buffer_pool_buffer_get_opaque	59	0x1000a9b0
mv_buffer_pool_get	60	0x1000a720
mv_buffer_pool_init	61	0x1000a5f0
mv_buffer_pool_init2	62	0x1000a590
mv_buffer_pool_uninit	63	0x1000a650
mv_buffer_realloc	64	0x1000a1d0
mv_buffer_ref	65	0x10009fc0
mv_buffer_replace	66	0x1000a480
mv_buffer_unref	67	0x1000a000
mv_calloc	68	0x100291f0
mv_camellia_alloc	69	0x1000b0b0
mv_camellia_crypt	70	0x1000b0d0
mv_camellia_init	71	0x100a6c8e
mv_camellia_size	72	0x100af650
mv_cast5_alloc	73	0x1000c090
mv_cast5_crypt	74	0x1000c1b0
mv_cast5_crypt2	75	0x1000c0b0
mv_cast5_init	76	0x100a7a6e
mv_cast5_size	77	0x100b1a60
mv_channel_description	78	0x1000c470
mv_channel_description_bprint	79	0x1000c3c0
mv_channel_from_string	80	0x1000c560
mv_channel_layout_channel_from_index	81	0x1000dc10
mv_channel_layout_channel_from_string	82	0x1000eac0
mv_channel_layout_check	83	0x1000ec10
mv_channel_layout_compare	84	0x1000edb0
mv_channel_layout_copy	85	0x1000d340
mv_channel_layout_default	86	0x1000eff0
mv_channel_layout_describe	87	0x1000dba0
mv_channel_layout_describe_bprint	88	0x1000d4d0
mv_channel_layout_extract_channel	89	0x1000d060
mv_channel_layout_from_mask	90	0x1000d1b0
mv_channel_layout_from_string	91	0x1000dd40
mv_channel_layout_index_from_channel	92	0x1000e760
mv_channel_layout_index_from_string	93	0x1000e950
mv_channel_layout_standard	94	0x1000f050
mv_channel_layout_subset	95	0x1000f080
mv_channel_layout_uninit	96	0x1000d270
mv_channel_name	97	0x1000c2d0
mv_channel_name_bprint	98	0x1000c220
mv_chroma_location_enum_to_pos	99	0x10034f30
mv_chroma_location_from_name	100	0x10034ee0
mv_chroma_location_name	101	0x10034ec0
mv_chroma_location_pos_to_enum	102	0x10034f70
mv_cmp_i	103	0x10024200
mv_color_primaries_from_name	104	0x10034d90
mv_color_primaries_name	105	0x10034d70
mv_color_range_from_name	106	0x10034d20
mv_color_range_name	107	0x10034d00
mv_color_space_from_name	108	0x10034e70
mv_color_space_name	109	0x10034e50
mv_color_transfer_from_name	110	0x10034e00
mv_color_transfer_name	111	0x10034de0
mv_compare_mod	112	0x100279f0
mv_compare_ts	113	0x10027830
mv_content_light_metadata_alloc	114	0x10027020
mv_content_light_metadata_create_side_data	115	0x10027050
mv_cpu_count	116	0x1000f8f0
mv_cpu_force_count	117	0x1000f9e0
mv_cpu_max_align	118	0x1000f9f0
mv_crc	119	0x100101d0
mv_crc_get_table	120	0x1000fdb0
mv_crc_init	121	0x1000fbc0
mv_csp_luma_coeffs_from_avcsp	122	0x100102b0
mv_csp_primaries_desc_from_id	123	0x100102f0
mv_csp_primaries_id_from_desc	124	0x10010320
mv_d2q	125	0x10035aa0
mv_d2str	126	0x100068e0
mv_default_get_category	127	0x10026240
mv_default_item_name	128	0x10026230
mv_des_alloc	129	0x10010d80
mv_des_crypt	130	0x10010e40
mv_des_init	131	0x10010da0
mv_des_mac	132	0x10010e90
mv_detection_bbox_alloc	133	0x10010ee0
mv_detection_bbox_create_side_data	134	0x10010f70
mv_dict_copy	135	0x10011d20
mv_dict_count	136	0x10011070
mv_dict_free	137	0x10011cc0
mv_dict_get	138	0x100110d0
mv_dict_get_string	139	0x100121a0
mv_dict_iterate	140	0x10011090
mv_dict_parse_string	141	0x100118c0
mv_dict_set	142	0x10011210
mv_dict_set_int	143	0x10011560
mv_dirname	144	0x10006e10
mv_display_matrix_flip	145	0x100126f0
mv_display_rotation_get	146	0x10012470
mv_display_rotation_set	147	0x100125c0
mv_div_i	148	0x10024ef0
mv_div_q	149	0x10035920
mv_dovi_alloc	150	0x10012780
mv_dovi_metadata_alloc	151	0x100127b0
mv_downmix_info_update_side_data	152	0x10012800
mv_dynamic_hdr_plus_alloc	153	0x1001d0a0
mv_dynamic_hdr_plus_create_side_data	154	0x1001d0d0
mv_dynamic_hdr_vivid_alloc	155	0x1001d130
mv_dynamic_hdr_vivid_create_side_data	156	0x1001d160
mv_dynarray2_add	157	0x100296f0
mv_dynarray_add	158	0x10029620
mv_dynarray_add_nofree	159	0x10029560
mv_encryption_info_add_side_data	160	0x10012f30
mv_encryption_info_alloc	161	0x10012a70
mv_encryption_info_clone	162	0x10012b40
mv_encryption_info_free	163	0x10012cf0
mv_encryption_info_get_side_data	164	0x10012d40
mv_encryption_init_info_add_side_data	165	0x10013860
mv_encryption_init_info_alloc	166	0x10013100
mv_encryption_init_info_free	167	0x100132d0
mv_encryption_init_info_get_side_data	168	0x10013480
mv_escape	169	0x10007050
mv_expr_count_func	170	0x100176e0
mv_expr_count_vars	171	0x10017650
mv_expr_eval	172	0x100177a0
mv_expr_free	173	0x10015280
mv_expr_parse	174	0x10017110
mv_expr_parse_and_eval	175	0x100177f0
mv_fast_malloc	176	0x10029d10
mv_fast_mallocz	177	0x10029df0
mv_fast_realloc	178	0x10029c60
mv_fifo_alloc	179	0x10018a20
mv_fifo_alloc2	180	0x10017e40
mv_fifo_alloc_array	181	0x10018990
mv_fifo_auto_grow_limit	182	0x10017ef0
mv_fifo_can_read	183	0x10017f10
mv_fifo_can_write	184	0x10017f40
mv_fifo_drain	185	0x100192b0
mv_fifo_drain2	186	0x100188c0
mv_fifo_elem_size	187	0x10017f00
mv_fifo_free	188	0x10018aa0
mv_fifo_freep	189	0x10018ae0
mv_fifo_freep2	190	0x10018950
mv_fifo_generic_peek	191	0x10019120
mv_fifo_generic_peek_at	192	0x10018fc0
mv_fifo_generic_read	193	0x10019160
mv_fifo_generic_write	194	0x10018e70
mv_fifo_grow	195	0x10018ce0
mv_fifo_grow2	196	0x10017f70
mv_fifo_peek	197	0x10018760
mv_fifo_peek_to_cb	198	0x100188a0
mv_fifo_read	199	0x10018500
mv_fifo_read_to_cb	200	0x100186c0
mv_fifo_realloc2	201	0x10018b70
mv_fifo_reset	202	0x10018b20
mv_fifo_reset2	203	0x10018930
mv_fifo_size	204	0x10018b40
mv_fifo_space	205	0x10018b50
mv_fifo_write	206	0x100180f0
mv_fifo_write_from_cb	207	0x100182a0
mv_file_map	208	0x100192e0
mv_file_unmap	209	0x10019570
mv_film_grain_params_alloc	210	0x10019b60
mv_film_grain_params_create_side_data	211	0x10019b90
mv_find_best_pix_fmt_of_2	212	0x10034a40
mv_find_info_tag	213	0x10032410
mv_find_nearest_q_idx	214	0x10035e60
mv_fopen_utf8	215	0x10019b50
mv_force_cpu_flags	216	0x1000f820
mv_fourcc_make_string	217	0x1008ced0
mv_frame_alloc	218	0x1001ac40
mv_frame_apply_cropping	219	0x1001c490
mv_frame_clone	220	0x1001c050
mv_frame_copy	221	0x1001b8d0
mv_frame_copy_props	222	0x1001b550
mv_frame_free	223	0x1001adb0
mv_frame_get_buffer	224	0x1001adf0
mv_frame_get_plane_buffer	225	0x1001b570
mv_frame_get_side_data	226	0x1001b890
mv_frame_is_writable	227	0x1001b4b0
mv_frame_make_writable	228	0x1001c210
mv_frame_move_ref	229	0x1001b320
mv_frame_new_side_data	230	0x1001b7e0
mv_frame_new_side_data_from_buf	231	0x1001b750
mv_frame_ref	232	0x1001bc40
mv_frame_remove_side_data	233	0x1001c3e0
mv_frame_side_data_name	234	0x1001c470
mv_frame_unref	235	0x1001b300
mv_free	236	0x100290d0
mv_freep	237	0x100290e0
mv_gcd	238	0x10027090
mv_gcd_q	239	0x100362f0
mv_get_alt_sample_fmt	240	0x1003c9f0
mv_get_bits_per_pixel	241	0x100345a0
mv_get_bytes_per_sample	242	0x1003cb50
mv_get_channel_description	243	0x1000cf80
mv_get_channel_layout	244	0x1000c640
mv_get_channel_layout_channel_index	245	0x1000cd50
mv_get_channel_layout_nb_channels	246	0x1000cc80
mv_get_channel_layout_string	247	0x1000cbf0
mv_get_channel_name	248	0x1000cea0
mv_get_colorspace_name	249	0x1001ac20
mv_get_cpu_flags	250	0x1000f880
mv_get_default_channel_layout	251	0x1000cd10
mv_get_extended_channel_layout	252	0x1000c8f0
mv_get_known_color_name	253	0x10031760
mv_get_media_type_string	254	0x1008cd60
mv_get_packed_sample_fmt	255	0x1003ca30
mv_get_padded_bits_per_pixel	256	0x100345f0
mv_get_picture_type_char	257	0x1008cd80
mv_get_pix_fmt	258	0x10034480
mv_get_pix_fmt_loss	259	0x10034a10
mv_get_pix_fmt_name	260	0x10034450
mv_get_pix_fmt_string	261	0x100346a0
mv_get_planar_sample_fmt	262	0x1003ca70
mv_get_random_seed	263	0x10035030
mv_get_sample_fmt	264	0x1003c860
mv_get_sample_fmt_name	265	0x1003c840
mv_get_sample_fmt_string	266	0x1003caa0
mv_get_standard_channel_layout	267	0x1000d150
mv_get_time_base_q	268	0x1008cf90
mv_get_token	269	0x10006940
mv_gettime	270	0x1004dbb0
mv_gettime_relative	271	0x1004dbf0
mv_gettime_relative_is_monotonic	272	0x1004dc60
mv_hash_alloc	273	0x1001c790
mv_hash_final	274	0x1001cb30
mv_hash_final_b64	275	0x1001ce80
mv_hash_final_bin	276	0x1001cbc0
mv_hash_final_hex	277	0x1001ce00
mv_hash_freep	278	0x1001d070
mv_hash_get_name	279	0x1001c770
mv_hash_get_size	280	0x1001c780
mv_hash_init	281	0x1001c870
mv_hash_names	282	0x1001c750
mv_hash_update	283	0x1001ca10
mv_hmac_alloc	284	0x1001d220
mv_hmac_calc	285	0x1001d720
mv_hmac_final	286	0x1001d5a0
mv_hmac_free	287	0x1001d3a0
mv_hmac_init	288	0x1001d3e0
mv_hmac_update	289	0x1001d590
mv_hwdevice_ctx_alloc	290	0x1001d9d0
mv_hwdevice_ctx_create	291	0x1001e0b0
mv_hwdevice_ctx_create_derived	292	0x1001e320
mv_hwdevice_ctx_create_derived_opts	293	0x1001e190
mv_hwdevice_ctx_init	294	0x1001db30
mv_hwdevice_find_type_by_name	295	0x1001d920
mv_hwdevice_get_hwframe_constraints	296	0x1001dfd0
mv_hwdevice_get_type_name	297	0x1001d970
mv_hwdevice_hwconfig_alloc	298	0x1001dfa0
mv_hwdevice_iterate_types	299	0x1001d990
mv_hwframe_constraints_free	300	0x1001e070
mv_hwframe_ctx_alloc	301	0x1008d450
mv_hwframe_ctx_create_derived	302	0x1001ea30
mv_hwframe_ctx_init	303	0x1001e7f0
mv_hwframe_get_buffer	304	0x1001e690
mv_hwframe_map	305	0x1001e450
mv_hwframe_transfer_data	306	0x1001dd70
mv_hwframe_transfer_get_formats	307	0x1001dd40
mv_i2int	308	0x10024fb0
mv_image_alloc	309	0x10021d20
mv_image_check_sar	310	0x100222b0
mv_image_check_size	311	0x100221c0
mv_image_check_size2	312	0x10022070
mv_image_copy	313	0x10022610
mv_image_copy_plane	314	0x100224f0
mv_image_copy_plane_uc_from	315	0x10022390
mv_image_copy_to_buffer	316	0x10023350
mv_image_copy_uc_from	317	0x10022af0
mv_image_fill_arrays	318	0x10022fe0
mv_image_fill_black	319	0x10023620
mv_image_fill_linesizes	320	0x100215d0
mv_image_fill_max_pixsteps	321	0x10021380
mv_image_fill_plane_sizes	322	0x100219b0
mv_image_fill_pointers	323	0x10021af0
mv_image_get_buffer_size	324	0x10023180
mv_image_get_linesize	325	0x10021480
mv_int2i	326	0x10024f80
mv_int_list_length_for_size	327	0x1008cda0
mv_lfg_init	328	0x100a7ee0
mv_lfg_init_from_data	329	0x10025100
mv_log	330	0x10026560
mv_log2	331	0x10024fc0
mv_log2_16bit	332	0x10024fd0
mv_log2_i	333	0x10023dd0
mv_log_default_callback	334	0x10025b10
mv_log_format_line	335	0x10026550
mv_log_format_line2	336	0x10026250
mv_log_get_flags	337	0x10026710
mv_log_get_level	338	0x100266e0
mv_log_once	339	0x100265d0
mv_log_set_callback	340	0x10026720
mv_log_set_flags	341	0x10026700
mv_log_set_level	342	0x100266f0
mv_lzo1x_decode	343	0x10026870
mv_malloc	344	0x10028d50
mv_malloc_array	345	0x10028ec0
mv_mallocz	346	0x10029100
mv_mallocz_array	347	0x10028f20
mv_mastering_display_metadata_alloc	348	0x10026f40
mv_mastering_display_metadata_create_side_data	349	0x10026f60
mv_match_list	350	0x100075a0
mv_match_name	351	0x10007100
mv_max_alloc	352	0x10028d40
mv_md5_alloc	353	0x10028790
mv_md5_final	354	0x100289f0
mv_md5_init	355	0x100287b0
mv_md5_size	356	0x100b7208
mv_md5_sum	357	0x10028b00
mv_md5_update	358	0x100287e0
mv_memcpy_backptr	359	0x10029830
mv_memdup	360	0x100294a0
mv_mod_i	361	0x100243c0
mv_mul_i	362	0x10023e60
mv_mul_q	363	0x100358c0
mv_murmur3_alloc	364	0x10029fc0
mv_murmur3_final	365	0x1002a800
mv_murmur3_init	366	0x1002a0d0
mv_murmur3_init_seeded	367	0x10029fe0
mv_murmur3_update	368	0x1002a1b0
mv_nearer_q	369	0x10035ca0
mv_opt_child_class_iterate	370	0x100303a0
mv_opt_child_next	371	0x10030380
mv_opt_copy	372	0x10030430
mv_opt_eval_double	373	0x1002f620
mv_opt_eval_flags	374	0x1002f520
mv_opt_eval_float	375	0x1002f5e0
mv_opt_eval_int	376	0x1002f560
mv_opt_eval_int64	377	0x1002f5a0
mv_opt_eval_q	378	0x1002f660
mv_opt_find	379	0x1002ee70
mv_opt_find2	380	0x1002ec60
mv_opt_flag_is_set	381	0x100302d0
mv_opt_free	382	0x1002ebd0
mv_opt_freep_ranges	383	0x10030760
mv_opt_get	384	0x1002d870
mv_opt_get_channel_layout	385	0x1002e4c0
mv_opt_get_chlayout	386	0x1002e550
mv_opt_get_dict_val	387	0x1002e5e0
mv_opt_get_double	388	0x1002df00
mv_opt_get_image_size	389	0x1002e1a0
mv_opt_get_int	390	0x1002dd90
mv_opt_get_key_value	391	0x1002ea50
mv_opt_get_pixel_fmt	392	0x1002e3c0
mv_opt_get_q	393	0x1002e010
mv_opt_get_sample_fmt	394	0x1002e440
mv_opt_get_video_rate	395	0x1002e230
mv_opt_is_set_to_default	396	0x10030800
mv_opt_is_set_to_default_by_name	397	0x10030d80
mv_opt_next	398	0x1002c760
mv_opt_ptr	399	0x100303c0
mv_opt_query_ranges	400	0x10030700
mv_opt_query_ranges_default	401	0x1002b9f0
mv_opt_serialize	402	0x10030dd0
mv_opt_set	403	0x1002f6a0
mv_opt_set_bin	404	0x1002cfc0
mv_opt_set_channel_layout	405	0x1002d730
mv_opt_set_chlayout	406	0x1002d820
mv_opt_set_defaults	407	0x1002ea30
mv_opt_set_defaults2	408	0x1002e6b0
mv_opt_set_dict	409	0x100302a0
mv_opt_set_dict2	410	0x10030180
mv_opt_set_dict_val	411	0x1002d7b0
mv_opt_set_double	412	0x1002c9d0
mv_opt_set_from_string	413	0x1002ff20
mv_opt_set_image_size	414	0x1002d120
mv_opt_set_int	415	0x1002c7b0
mv_opt_set_pixel_fmt	416	0x1002d510
mv_opt_set_q	417	0x1002ccc0
mv_opt_set_sample_fmt	418	0x1002d620
mv_opt_set_video_rate	419	0x1002d1e0
mv_opt_show2	420	0x1002e640
mv_parse_color	421	0x10031420
mv_parse_cpu_caps	422	0x1000f8b0
mv_parse_ratio	423	0x100310f0
mv_parse_time	424	0x10031c30
mv_parse_video_rate	425	0x100312c0
mv_parse_video_size	426	0x10031200
mv_pix_fmt_count_planes	427	0x10034870
mv_pix_fmt_desc_get	428	0x10034790
mv_pix_fmt_desc_get_id	429	0x10034800
mv_pix_fmt_desc_next	430	0x100347c0
mv_pix_fmt_get_chroma_sub_sample	431	0x10034830
mv_pix_fmt_swap_endianness	432	0x10034920
mv_pixelutils_get_sad_fn	433	0x10035000
mv_q2intfloat	434	0x10036090
mv_rc4_alloc	435	0x100363e0
mv_rc4_crypt	436	0x100364e0
mv_rc4_init	437	0x10036400
mv_read_image_line	438	0x100339c0
mv_read_image_line2	439	0x10033270
mv_realloc	440	0x10028da0
mv_realloc_array	441	0x10029010
mv_realloc_f	442	0x10028de0
mv_reallocp	443	0x10028e40
mv_reallocp_array	444	0x10029050
mv_reduce	445	0x100353b0
mv_rescale	446	0x10027760
mv_rescale_delta	447	0x10027a80
mv_rescale_q	448	0x100277e0
mv_rescale_q_rnd	449	0x100277b0
mv_rescale_rnd	450	0x10027220
mv_ripemd_alloc	451	0x1003c470
mv_ripemd_final	452	0x1003c6e0
mv_ripemd_init	453	0x100a7f8c
mv_ripemd_size	454	0x100bf9a4
mv_ripemd_update	455	0x1003c490
mv_sample_fmt_is_planar	456	0x1003cb70
mv_samples_alloc	457	0x1003ce40
mv_samples_alloc_array_and_samples	458	0x1003d010
mv_samples_copy	459	0x1003d270
mv_samples_fill_arrays	460	0x1003ccd0
mv_samples_get_buffer_size	461	0x1003cb90
mv_samples_set_silence	462	0x1003d450
mv_set_options_string	463	0x1002fd50
mv_sha512_alloc	464	0x1004c260
mv_sha512_final	465	0x1004c4c0
mv_sha512_init	466	0x100a81b0
mv_sha512_size	467	0x100bfaec
mv_sha512_update	468	0x1004c280
mv_sha_alloc	469	0x100411a0
mv_sha_final	470	0x10041410
mv_sha_init	471	0x100a80b4
mv_sha_size	472	0x100bfae4
mv_sha_update	473	0x100411c0
mv_shr_i	474	0x10024280
mv_size_mult	475	0x10029fa0
mv_small_strptime	476	0x10031790
mv_spherical_alloc	477	0x1004d120
mv_spherical_from_name	478	0x1004d280
mv_spherical_projection_name	479	0x1004d260
mv_spherical_tile_bounds	480	0x1004d150
mv_sscanf	481	0x10002f80
mv_stereo3d_alloc	482	0x1004d2d0
mv_stereo3d_create_side_data	483	0x1004d2f0
mv_stereo3d_from_name	484	0x1004d360
mv_stereo3d_type_name	485	0x1004d340
mv_strcasecmp	486	0x10006b30
mv_strdup	487	0x100292e0
mv_strerror	488	0x10013b30
mv_strireplace	489	0x10006bf0
mv_stristart	490	0x10006580
mv_stristr	491	0x100065f0
mv_strlcat	492	0x10006750
mv_strlcatf	493	0x100067f0
mv_strlcpy	494	0x100066e0
mv_strncasecmp	495	0x10006b80
mv_strndup	496	0x100293b0
mv_strnstr	497	0x10006660
mv_strstart	498	0x10006530
mv_strtod	499	0x100150e0
mv_strtok	500	0x10006aa0
mv_sub_i	501	0x10023d00
mv_sub_q	502	0x10035a10
mv_tea_alloc	503	0x1004d460
mv_tea_crypt	504	0x1004d4b0
mv_tea_init	505	0x1004d480
mv_tea_size	506	0x100bfc60
mv_tempfile	507	0x100195a0
mv_thread_message_flush	508	0x1004db40
mv_thread_message_queue_alloc	509	0x1004d700
mv_thread_message_queue_free	510	0x1004d7d0
mv_thread_message_queue_nb_elems	511	0x1004d880
mv_thread_message_queue_recv	512	0x1004d9b0
mv_thread_message_queue_send	513	0x1004d8d0
mv_thread_message_queue_set_err_recv	514	0x1004daf0
mv_thread_message_queue_set_err_send	515	0x1004daa0
mv_thread_message_queue_set_free_func	516	0x1004d7c0
mv_timecode_adjust_ntsc_framenum2	517	0x1004dd30
mv_timecode_check_frame_rate	518	0x1004e8c0
mv_timecode_get_smpte	519	0x1004e080
mv_timecode_get_smpte_from_framenum	520	0x1004ddd0
mv_timecode_init	521	0x1004e930
mv_timecode_init_from_components	522	0x1004ea50
mv_timecode_init_from_string	523	0x1004ec80
mv_timecode_make_mpeg_tc_string	524	0x1004e850
mv_timecode_make_smpte_tc_string	525	0x1004e720
mv_timecode_make_smpte_tc_string2	526	0x1004e520
mv_timecode_make_string	527	0x1004e270
mv_timegm	528	0x10031b50
mv_tree_destroy	529	0x1004f8f0
mv_tree_enumerate	530	0x1004fad0
mv_tree_find	531	0x1004ef60
mv_tree_insert	532	0x1004f020
mv_tree_node_alloc	533	0x1004ef40
mv_tree_node_size	534	0x100bfd80
mv_twofish_alloc	535	0x10050090
mv_twofish_crypt	536	0x100500b0
mv_twofish_init	537	0x100a8637
mv_twofish_size	538	0x100bfda0
mv_tx_init	539	0x100a9843
mv_tx_uninit	540	0x100a8f2b
mv_usleep	541	0x1004dc70
mv_utf8_decode	542	0x10007270
mv_util_ffversion	543	0x100c3fa0
mv_uuid_parse	544	0x1008d110
mv_uuid_parse_range	545	0x1008cff0
mv_uuid_unparse	546	0x1008d160
mv_uuid_urn_parse	547	0x1008d3e0
mv_vbprintf	548	0x10008b70
mv_version_info	549	0x1008d440
mv_video_enc_params_alloc	550	0x1008d480
mv_video_enc_params_create_side_data	551	0x1008d500
mv_vk_frame_alloc	552	0x10021370
mv_vkfmt_from_pixfmt	553	0x10021360
mv_vlog	554	0x10026650
mv_write_image_line	555	0x10034210
mv_write_image_line2	556	0x10033e70
mv_xtea_alloc	557	0x10090760
mv_xtea_crypt	558	0x100907d0
mv_xtea_init	559	0x10090780
mv_xtea_le_crypt	560	0x10090910
mv_xtea_le_init	561	0x100907b0
mvpriv_alloc_fixed_dsp	562	0x10019fa0
mvpriv_cga_font	563	0x100c59e0
mvpriv_dict_set_timestamp	564	0x10012370
mvpriv_float_dsp_alloc	565	0x100a7b20
mvpriv_fopen_utf8	566	0x10019a90
mvpriv_get_gamma_from_trc	567	0x1000f7d0
mvpriv_get_trc_function_from_trc	568	0x1000f800
mvpriv_init_lls	569	0x100a7f58
mvpriv_open	570	0x100195e0
mvpriv_report_missing_feature	571	0x100267e0
mvpriv_request_sample	572	0x10026730
mvpriv_scalarproduct_float_c	573	0x1001a2e0
mvpriv_set_systematic_pal2	574	0x10021bf0
mvpriv_slicethread_create	575	0x1004ce50
mvpriv_slicethread_execute	576	0x1004cb50
mvpriv_slicethread_free	577	0x1004cd20
mvpriv_solve_lls	578	0x10025270
mvpriv_tempfile	579	0x10019970
mvpriv_vga16_font	580	0x100c49e0
mvutil_configuration	581	0x1008d460
mvutil_license	582	0x1008d470
next	583	0x1001db90

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 31, 2023 02:01:11.365823984 CEST	49713	443	192.168.2.4	98.137.11.163
May 31, 2023 02:01:11.365888119 CEST	443	49713	98.137.11.163	192.168.2.4
May 31, 2023 02:01:11.366014957 CEST	49713	443	192.168.2.4	98.137.11.163
May 31, 2023 02:01:11.372970104 CEST	49713	443	192.168.2.4	98.137.11.163
May 31, 2023 02:01:11.373011112 CEST	443	49713	98.137.11.163	192.168.2.4
May 31, 2023 02:01:11.722124100 CEST	443	49713	98.137.11.163	192.168.2.4
May 31, 2023 02:01:11.722259045 CEST	49713	443	192.168.2.4	98.137.11.163
May 31, 2023 02:01:11.902034044 CEST	49713	443	192.168.2.4	98.137.11.163
May 31, 2023 02:01:11.902095079 CEST	443	49713	98.137.11.163	192.168.2.4
May 31, 2023 02:01:11.902678013 CEST	443	49713	98.137.11.163	192.168.2.4
May 31, 2023 02:01:11.902765989 CEST	49713	443	192.168.2.4	98.137.11.163
May 31, 2023 02:01:11.904942989 CEST	49713	443	192.168.2.4	98.137.11.163
May 31, 2023 02:01:11.948295116 CEST	443	49713	98.137.11.163	192.168.2.4
May 31, 2023 02:01:12.072602987 CEST	443	49713	98.137.11.163	192.168.2.4
May 31, 2023 02:01:12.072773933 CEST	49713	443	192.168.2.4	98.137.11.163
May 31, 2023 02:01:12.072808981 CEST	443	49713	98.137.11.163	192.168.2.4
May 31, 2023 02:01:12.072833061 CEST	443	49713	98.137.11.163	192.168.2.4
May 31, 2023 02:01:12.072868109 CEST	49713	443	192.168.2.4	98.137.11.163
May 31, 2023 02:01:12.074109077 CEST	49713	443	192.168.2.4	98.137.11.163
May 31, 2023 02:01:12.089850903 CEST	49713	443	192.168.2.4	98.137.11.163
May 31, 2023 02:01:12.089895964 CEST	443	49713	98.137.11.163	192.168.2.4
May 31, 2023 02:01:12.111356020 CEST	49714	443	192.168.2.4	87.248.100.215
May 31, 2023 02:01:12.111417055 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.111498117 CEST	49714	443	192.168.2.4	87.248.100.215
May 31, 2023 02:01:12.113153934 CEST	49714	443	192.168.2.4	87.248.100.215
May 31, 2023 02:01:12.113203049 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.199604034 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.199758053 CEST	49714	443	192.168.2.4	87.248.100.215
May 31, 2023 02:01:12.206707001 CEST	49714	443	192.168.2.4	87.248.100.215
May 31, 2023 02:01:12.206734896 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.207331896 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.207426071 CEST	49714	443	192.168.2.4	87.248.100.215
May 31, 2023 02:01:12.208091974 CEST	49714	443	192.168.2.4	87.248.100.215
May 31, 2023 02:01:12.248297930 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.412744999 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.412872076 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.412925005 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.412955046 CEST	49714	443	192.168.2.4	87.248.100.215
May 31, 2023 02:01:12.412961960 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.412982941 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.413022041 CEST	49714	443	192.168.2.4	87.248.100.215
May 31, 2023 02:01:12.413286924 CEST	49714	443	192.168.2.4	87.248.100.215
May 31, 2023 02:01:12.428611040 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.428872108 CEST	49714	443	192.168.2.4	87.248.100.215
May 31, 2023 02:01:12.451219082 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.451339960 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.451390982 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.451440096 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.451461077 CEST	49714	443	192.168.2.4	87.248.100.215
May 31, 2023 02:01:12.451491117 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.451514959 CEST	49714	443	192.168.2.4	87.248.100.215
May 31, 2023 02:01:12.451538086 CEST	49714	443	192.168.2.4	87.248.100.215
May 31, 2023 02:01:12.451545954 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.451597929 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.451642990 CEST	49714	443	192.168.2.4	87.248.100.215
May 31, 2023 02:01:12.451647997 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.451668024 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.451688051 CEST	49714	443	192.168.2.4	87.248.100.215
May 31, 2023 02:01:12.451705933 CEST	49714	443	192.168.2.4	87.248.100.215
May 31, 2023 02:01:12.451730967 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.451770067 CEST	49714	443	192.168.2.4	87.248.100.215
May 31, 2023 02:01:12.451782942 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.451822996 CEST	49714	443	192.168.2.4	87.248.100.215
May 31, 2023 02:01:12.451837063 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.451878071 CEST	49714	443	192.168.2.4	87.248.100.215
May 31, 2023 02:01:12.451889038 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.451924086 CEST	49714	443	192.168.2.4	87.248.100.215
May 31, 2023 02:01:12.451941013 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.451982021 CEST	49714	443	192.168.2.4	87.248.100.215
May 31, 2023 02:01:12.467137098 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.467228889 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.467279911 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.467325926 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.467369080 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.467386961 CEST	49714	443	192.168.2.4	87.248.100.215
May 31, 2023 02:01:12.467420101 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.467447996 CEST	49714	443	192.168.2.4	87.248.100.215
May 31, 2023 02:01:12.467473984 CEST	49714	443	192.168.2.4	87.248.100.215
May 31, 2023 02:01:12.489692926 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.489784002 CEST	49714	443	192.168.2.4	87.248.100.215
May 31, 2023 02:01:12.489794016 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.489814043 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.489840031 CEST	49714	443	192.168.2.4	87.248.100.215
May 31, 2023 02:01:12.489881992 CEST	49714	443	192.168.2.4	87.248.100.215
May 31, 2023 02:01:12.489896059 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.489972115 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.490024090 CEST	49714	443	192.168.2.4	87.248.100.215
May 31, 2023 02:01:12.490025043 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.490041018 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.490067005 CEST	49714	443	192.168.2.4	87.248.100.215
May 31, 2023 02:01:12.490083933 CEST	49714	443	192.168.2.4	87.248.100.215
May 31, 2023 02:01:12.490094900 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.490190029 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.490236998 CEST	49714	443	192.168.2.4	87.248.100.215
May 31, 2023 02:01:12.490238905 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.490256071 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.490279913 CEST	49714	443	192.168.2.4	87.248.100.215
May 31, 2023 02:01:12.490300894 CEST	49714	443	192.168.2.4	87.248.100.215
May 31, 2023 02:01:12.490312099 CEST	443	49714	87.248.100.215	192.168.2.4
May 31, 2023 02:01:12.490387917 CEST	443	49714	87.248.100.215	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 31, 2023 02:01:11.332484007 CEST	64906	53	192.168.2.4	8.8.8.8
May 31, 2023 02:01:11.355811119 CEST	53	64906	8.8.8.8	192.168.2.4
May 31, 2023 02:01:12.094624043 CEST	59446	53	192.168.2.4	8.8.8.8
May 31, 2023 02:01:12.109289885 CEST	53	59446	8.8.8.8	192.168.2.4

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
May 31, 2023 02:01:50.126132965 CEST	86.97.55.89	192.168.2.4	4d8c	(Host unreachable)	Destination Unreachable
May 31, 2023 02:01:53.169068098 CEST	86.97.55.89	192.168.2.4	4d8c	(Host unreachable)	Destination Unreachable
May 31, 2023 02:01:59.737780094 CEST	86.97.55.89	192.168.2.4	4d8c	(Host unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 31, 2023 02:01:11.332484007 CEST	192.168.2.4	8.8.8.8	0xf3a3	Standard query (0)	yahoo.com	A (IP address)	IN (0x0001)	false
May 31, 2023 02:01:12.094624043 CEST	192.168.2.4	8.8.8.8	0x904e	Standard query (0)	www.yahoo.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 31, 2023 02:01:11.355811119 CEST	8.8.8.8	192.168.2.4	0xf3a3	No error (0)	yahoo.com		98.137.11.163	A (IP address)	IN (0x0001)	false
May 31, 2023 02:01:11.355811119 CEST	8.8.8.8	192.168.2.4	0xf3a3	No error (0)	yahoo.com		74.6.231.20	A (IP address)	IN (0x0001)	false
May 31, 2023 02:01:11.355811119 CEST	8.8.8.8	192.168.2.4	0xf3a3	No error (0)	yahoo.com		74.6.143.25	A (IP address)	IN (0x0001)	false
May 31, 2023 02:01:11.355811119 CEST	8.8.8.8	192.168.2.4	0xf3a3	No error (0)	yahoo.com		98.137.11.164	A (IP address)	IN (0x0001)	false
May 31, 2023 02:01:11.355811119 CEST	8.8.8.8	192.168.2.4	0xf3a3	No error (0)	yahoo.com		34.225.127.72	A (IP address)	IN (0x0001)	false
May 31, 2023 02:01:11.355811119 CEST	8.8.8.8	192.168.2.4	0xf3a3	No error (0)	yahoo.com		74.6.231.21	A (IP address)	IN (0x0001)	false
May 31, 2023 02:01:11.355811119 CEST	8.8.8.8	192.168.2.4	0xf3a3	No error (0)	yahoo.com		54.161.105.65	A (IP address)	IN (0x0001)	false
May 31, 2023 02:01:11.355811119 CEST	8.8.8.8	192.168.2.4	0xf3a3	No error (0)	yahoo.com		74.6.143.26	A (IP address)	IN (0x0001)	false
May 31, 2023 02:01:12.109289885 CEST	8.8.8.8	192.168.2.4	0x904e	No error (0)	www.yahoo.com	new-fp-shed.wg1.b.yahoo.com		CNAME (Canonical name)	IN (0x0001)	false
May 31, 2023 02:01:12.109289885 CEST	8.8.8.8	192.168.2.4	0x904e	No error (0)	new-fp-shed.wg1.b.yahoo.com		87.248.100.215	A (IP address)	IN (0x0001)	false
May 31, 2023 02:01:12.109289885 CEST	8.8.8.8	192.168.2.4	0x904e	No error (0)	new-fp-shed.wg1.b.yahoo.com		87.248.100.216	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

yahoo.com

www.yahoo.com

188.28.19.84

Target ID:	0
Start time:	01:57:57
Start date:	31/05/2023
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\A290.dll"
Imagebase:	0x9c0000
File size:	126464 bytes
MD5 hash:	3B4636AE519868037940CA5C4272091B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: conhost.exePID: 6444, Parent PID: 6452

General

Target ID:	1
Start time:	01:57:57
Start date:	31/05/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exePID: 4796, Parent PID: 6452

General

Target ID:	2
Start time:	01:57:57
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\A290.dll",#1
Imagebase:	0xd90000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exePID: 2460, Parent PID: 6452

General

Target ID:	3
Start time:	01:57:57
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\A290.dll,mv_add_i
Imagebase:	0x12a0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exePID: 5508, Parent PID: 4796

General

Target ID:	4
Start time:	01:57:57
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\A290.dll",#1
Imagebase:	0x12a0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: WerFault.exePID: 5804, Parent PID: 2460

General

Target ID:	8
Start time:	01:57:57
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 652
Imagebase:	0x3b0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: WerFault.exePID: 5796, Parent PID: 5508

General

Target ID:	9
Start time:	01:57:57
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5508 -s 660
Imagebase:	0x3b0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exePID: 5724, Parent PID: 6452

General

Target ID:	10
Start time:	01:58:00
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\A290.dll,mv_add_q
Imagebase:	0x12a0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exePID: 5616, Parent PID: 6452

General

Target ID:	12
Start time:	01:58:03
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\A290.dll,mv_add_stable
Imagebase:	0x12a0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: WerFault.exePID: 6820, Parent PID: 5616

General

Target ID:	14
Start time:	01:58:03
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5616 -s 652
Imagebase:	0x3b0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exePID: 6944, Parent PID: 6452

General

Target ID:	16
Start time:	01:58:06
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\A290.dll",mv_add_i
Imagebase:	0x12a0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exePID: 5464, Parent PID: 6452

General

Target ID:	17
Start time:	01:58:06
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\A290.dll",mv_add_q
Imagebase:	0x12a0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exePID: 5860, Parent PID: 6452

General

Target ID:	19
Start time:	01:58:06
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\A290.dll",mv_add_stable
Imagebase:	0x12a0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exePID: 6648, Parent PID: 6452

General

Target ID:	20
Start time:	01:58:07
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\A290.dll",next
Imagebase:	0x12a0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000014.00000002.561029904.00000000005DA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000014.00000002.561647699.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security

Analysis Process: rundll32.exePID: 6716, Parent PID: 6452

General

Target ID:	22
Start time:	01:58:07
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\A290.dll",mvutil_license
Imagebase:	0x12a0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: WerFault.exePID: 6696, Parent PID: 6944

General

Target ID:	23
Start time:	01:58:07
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6944 -s 652
Imagebase:	0x3b0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exePID: 6788, Parent PID: 6452

General

Target ID:	24
Start time:	01:58:07
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\A290.dll",mvutil_configuration
Imagebase:	0x12a0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: WerFault.exePID: 6840, Parent PID: 5860

General

Target ID:	25
Start time:	01:58:07
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5860 -s 652
Imagebase:	0x3b0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: wermgr.exePID: 6632, Parent PID: 6648

General

Target ID:	26
Start time:	01:58:11
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\wermgr.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\wermgr.exe
Imagebase:	0xcf0000
File size:	191904 bytes
MD5 hash:	CCF15E662ED5CE77B5FF1A7AAE305233
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

⊘No disassembly

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report A290.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Qbot

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_4a2b263a88ec6871bb19ce2ee3f04564bd3fea_82810a17_16e0a0aa\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_4a2b263a88ec6871bb19ce2ee3f04564bd3fea_82810a17_16e8a0e8\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_4a2b263a88ec6871bb19ce2ee3f04564bd3fea_82810a17_1a6cb20f\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_86b3cac39a2cad5204e578b2befa7f9972cac_82810a17_1ae0a1c3\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_86b3cac39a2cad5204e578b2befa7f9972cac_82810a17_1afcb29b\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8532.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8581.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER868B.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER86AA.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER86EA.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER86FA.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9A80.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9BA9.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9C47.tmp.xml

Windows Analysis Report
A290.dll