Edit tour

Windows Analysis Report
F086.dll

Overview

General Information

Sample Name:	F086.dll
Analysis ID:	878699
MD5:	931f3d361902807103b23fa74beb16a2
SHA1:	9ec1f75beaf217246fd8d97fa3d1e591300babb3
SHA256:	5f1a29b7907453a8785d9e6087a85c7bfab6b7fe3955bd645cb37ffdb20409c5
Tags:	dllqbot
Infos:

Detection

Qbot

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Qbot

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Writes to foreign memory regions

Allocates memory in foreign processes

Injects a PE file into a foreign processes

C2 URLs / IPs found in malware configuration

Sample uses string decryption to hide its real strings

Potentially malicious time measurement code found

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

One or more processes crash

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Found evasive API chain (date check)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Creates a DirectInput object (often for capturing keystrokes)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Contains functionality to read the PEB

Found evasive API chain checking for process token information

Checks if the current process is being debugged

Connects to several IPs in different countries

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 3100 cmdline: loaddll32.exe "C:\Users\user\Desktop\F086.dll" MD5: 3B4636AE519868037940CA5C4272091B)

conhost.exe (PID: 3620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 1388 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\F086.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 3996 cmdline: rundll32.exe "C:\Users\user\Desktop\F086.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 4112 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 668 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 3688 cmdline: rundll32.exe C:\Users\user\Desktop\F086.dll,mv_add_i MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 4936 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 6648 cmdline: rundll32.exe C:\Users\user\Desktop\F086.dll,mv_add_q MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6980 cmdline: rundll32.exe C:\Users\user\Desktop\F086.dll,mv_add_stable MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 7004 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6980 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 7052 cmdline: rundll32.exe "C:\Users\user\Desktop\F086.dll",mv_add_i MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 5116 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7052 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 7104 cmdline: rundll32.exe "C:\Users\user\Desktop\F086.dll",mv_add_q MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 4948 cmdline: rundll32.exe "C:\Users\user\Desktop\F086.dll",mv_add_stable MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6836 cmdline: rundll32.exe "C:\Users\user\Desktop\F086.dll",next MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

wermgr.exe (PID: 6964 cmdline: C:\Windows\SysWOW64\wermgr.exe MD5: CCF15E662ED5CE77B5FF1A7AAE305233)

rundll32.exe (PID: 4716 cmdline: rundll32.exe "C:\Users\user\Desktop\F086.dll",mvutil_license MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 4104 cmdline: rundll32.exe "C:\Users\user\Desktop\F086.dll",mvutil_configuration MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
QakBot, qbotQbot	QBot is a modular information stealer also known as Qakbot or Pinkslipbot. It has been active for years since 2007. It has historically been known as a banking Trojan, meaning that it steals financial data from infected systems, and a loader using C2 servers for payload targeting and download.	GOLD CABIN	http://contagiodump.blogspot.com/2010/11/template.html http://www.secureworks.com/research/threat-profiles/gold-lagoon http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf https://0xthreatintel.medium.com/reversing-qakbot-tlp-white-d1b8b37ad8e7 https://asec.ahnlab.com/en/44662/	https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot

Malware Configuration

Threatname: Qbot

{"Bot id": "BB30", "Campaign": "1685433861", "Version": "404.1320", "C2 list": ["12.172.173.82:50001", "178.175.187.254:443", "65.95.141.84:2222", "205.237.67.69:995", "83.110.223.61:443", "193.253.100.236:2222", "27.0.48.233:443", "102.159.188.125:443", "71.38.155.217:443", "58.186.75.42:443", "76.178.148.107:2222", "70.28.50.223:2087", "114.143.176.236:443", "51.14.29.227:2222", "59.28.84.65:443", "173.88.135.179:443", "103.144.201.56:2078", "96.87.28.170:2222", "105.186.128.181:995", "176.142.207.63:443", "151.62.238.176:443", "12.172.173.82:32101", "122.186.210.254:443", "82.125.44.236:2222", "84.108.200.161:443", "76.16.49.134:443", "70.28.50.223:32100", "12.172.173.82:465", "76.170.252.153:995", "184.182.66.109:443", "78.92.133.215:443", "50.68.204.71:993", "186.75.95.6:443", "113.11.92.30:443", "70.28.50.223:3389", "98.145.23.67:443", "85.57.212.13:3389", "50.68.186.195:443", "47.205.25.170:443", "12.172.173.82:993", "12.172.173.82:22", "69.242.31.249:443", "81.101.185.146:443", "79.168.224.165:2222", "75.143.236.149:443", "14.192.241.76:995", "86.195.14.72:2222", "81.229.117.95:2222", "220.240.164.182:443", "73.29.92.128:443", "12.172.173.82:21", "96.56.197.26:2222", "75.109.111.89:443", "76.86.31.59:443", "201.244.108.183:995", "68.203.69.96:443", "124.122.47.148:443", "122.184.143.86:443", "92.186.69.229:2222", "70.28.50.223:2083", "89.129.109.27:2222", "147.147.30.126:2222", "125.99.76.102:443", "88.126.94.4:50000", "151.65.167.77:443", "86.132.236.117:443", "92.154.17.149:2222", "223.166.13.95:995", "89.36.206.69:995", "96.56.197.26:2083", "78.18.105.11:443", "82.127.153.75:2222", "90.78.147.141:2222", "82.131.141.209:443", "183.87.163.165:443", "92.9.45.20:2222", "80.6.50.34:443", "80.12.88.148:2222", "69.133.162.35:443", "172.115.17.50:443", "95.45.50.93:2222", "12.172.173.82:2087", "103.140.174.20:2222", "24.198.114.130:995", "50.68.204.71:443", "69.119.123.159:2222", "64.121.161.102:443", "2.82.8.80:443", "184.181.75.148:443", "70.112.206.5:443", "198.2.51.242:993", "2.36.64.159:2078", "79.77.142.22:2222", "84.215.202.8:443", "147.219.4.194:443", "116.74.164.81:443", "70.28.50.223:2078", "12.172.173.82:995", "77.86.98.236:443", "104.35.24.154:443", "213.64.33.61:2222", "47.149.134.231:443", "72.134.124.16:443", "47.34.30.133:443", "103.42.86.42:995", "174.4.89.3:443", "161.142.103.187:995", "78.160.146.127:443", "84.35.26.14:995", "12.172.173.82:20", "70.28.50.223:2078", "124.149.143.189:2222", "70.160.67.203:443", "186.64.67.30:443", "103.123.223.133:443", "188.28.19.84:443", "174.58.146.57:443", "94.207.104.225:443", "86.97.55.89:2222", "69.123.4.221:2222"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000015.00000002.559780221.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
00000015.00000002.559899165.0000000004780000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
decrypted.memstr	JoeSecurity_Qbot	Yara detected Qbot	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
21.2.rundll32.exe.1060000.1.unpack	MAL_QakBot_ConfigExtraction_Feb23	QakBot Config Extraction	kevoreilly	0xeb71:$params: 8B 7D 08 8B F1 57 89 55 FC E8 A0 99 FF FF 8D 9E 24 04 00 00 89 03 59 85 C0 75 08 6A FC 58 E9 0xa797:$conf: 5F 5E 5B C9 C3 51 6A 00 E8 C1 44 00 00 59 59 85 C0 75 01 C3
21.2.rundll32.exe.1060000.1.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
21.2.rundll32.exe.b51128.0.unpack	MAL_QakBot_ConfigExtraction_Feb23	QakBot Config Extraction	kevoreilly	0xdf71:$params: 8B 7D 08 8B F1 57 89 55 FC E8 A0 99 FF FF 8D 9E 24 04 00 00 89 03 59 85 C0 75 08 6A FC 58 E9 0x9b97:$conf: 5F 5E 5B C9 C3 51 6A 00 E8 C1 44 00 00 59 59 85 C0 75 01 C3
21.2.rundll32.exe.b51128.0.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
26.2.wermgr.exe.1200000.0.unpack	MAL_QakBot_ConfigExtraction_Feb23	QakBot Config Extraction	kevoreilly	0xeb71:$params: 8B 7D 08 8B F1 57 89 55 FC E8 A0 99 FF FF 8D 9E 24 04 00 00 89 03 59 85 C0 75 08 6A FC 58 E9 0xa797:$conf: 5F 5E 5B C9 C3 51 6A 00 E8 C1 44 00 00 59 59 85 C0 75 01 C3
26.2.wermgr.exe.1200000.0.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
21.2.rundll32.exe.b51128.0.raw.unpack	MAL_QakBot_ConfigExtraction_Feb23	QakBot Config Extraction	kevoreilly	0xeb71:$params: 8B 7D 08 8B F1 57 89 55 FC E8 A0 99 FF FF 8D 9E 24 04 00 00 89 03 59 85 C0 75 08 6A FC 58 E9 0xa797:$conf: 5F 5E 5B C9 C3 51 6A 00 E8 C1 44 00 00 59 59 85 C0 75 01 C3
21.2.rundll32.exe.b51128.0.raw.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
Click to see the 3 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000015.00000002.559780221.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Qbot {"Bot id": "BB30", "Campaign": "1685433861", "Version": "404.1320", "C2 list": ["12.172.173.82:50001", "178.175.187.254:443", "65.95.141.84:2222", "205.237.67.69:995", "83.110.223.61:443", "193.253.100.236:2222", "27.0.48.233:443", "102.159.188.125:443", "71.38.155.217:443", "58.186.75.42:443", "76.178.148.107:2222", "70.28.50.223:2087", "114.143.176.236:443", "51.14.29.227:2222", "59.28.84.65:443", "173.88.135.179:443", "103.144.201.56:2078", "96.87.28.170:2222", "105.186.128.181:995", "176.142.207.63:443", "151.62.238.176:443", "12.172.173.82:32101", "122.186.210.254:443", "82.125.44.236:2222", "84.108.200.161:443", "76.16.49.134:443", "70.28.50.223:32100", "12.172.173.82:465", "76.170.252.153:995", "184.182.66.109:443", "78.92.133.215:443", "50.68.204.71:993", "186.75.95.6:443", "113.11.92.30:443", "70.28.50.223:3389", "98.145.23.67:443", "85.57.212.13:3389", "50.68.186.195:443", "47.205.25.170:443", "12.172.173.82:993", "12.172.173.82:22", "69.242.31.249:443", "81.101.185.146:443", "79.168.224.165:2222", "75.143.236.149:443", "14.192.241.76:995", "86.195.14.72:2222", "81.229.117.95:2222", "220.240.164.182:443", "73.29.92.128:443", "12.172.173.82:21", "96.56.197.26:2222", "75.109.111.89:443", "76.86.31.59:443", "201.244.108.183:995", "68.203.69.96:443", "124.122.47.148:443", "122.184.143.86:443", "92.186.69.229:2222", "70.28.50.223:2083", "89.129.109.27:2222", "147.147.30.126:2222", "125.99.76.102:443", "88.126.94.4:50000", "151.65.167.77:443", "86.132.236.117:443", "92.154.17.149:2222", "223.166.13.95:995", "89.36.206.69:995", "96.56.197.26:2083", "78.18.105.11:443", "82.127.153.75:2222", "90.78.147.141:2222", "82.131.141.209:443", "183.87.163.165:443", "92.9.45.20:2222", "80.6.50.34:443", "80.12.88.148:2222", "69.133.162.35:443", "172.115.17.50:443", "95.45.50.93:2222", "12.172.173.82:2087", "103.140.174.20:2222", "24.198.114.130:995", "50.68.204.71:443", "69.119.123.159:2222", "64.121.161.102:443", "2.82.8.80:443", "184.181.75.148:443", "70.112.206.5:443", "198.2.51.242:993", "2.36.64.159:2078", "79.77.142.22:2222", "84.215.202.8:443", "147.219.4.194:443", "116.74.164.81:443", "70.28.50.223:2078", "12.172.173.82:995", "77.86.98.236:443", "104.35.24.154:443", "213.64.33.61:2222", "47.149.134.231:443", "72.134.124.16:443", "47.34.30.133:443", "103.42.86.42:995", "174.4.89.3:443", "161.142.103.187:995", "78.160.146.127:443", "84.35.26.14:995", "12.172.173.82:20", "70.28.50.223:2078", "124.149.143.189:2222", "70.160.67.203:443", "186.64.67.30:443", "103.123.223.133:443", "188.28.19.84:443", "174.58.146.57:443", "94.207.104.225:443", "86.97.55.89:2222", "69.123.4.221:2222"]}

Sample uses string decryption to hide its real strings

Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: error res='%s' err=%d len=%u
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: netstat -nao
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: runas
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: ipconfig /all
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: net localgroup
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: nltest /domain_trusts /all_trusts
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Microsoft
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: SELF_TEST_1
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: p%08x
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Self test FAILED!!!
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Self test OK.
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: /t5
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: whoami /all
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: cmd
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: microsoft.com,google.com,cisco.com,oracle.com,verisign.com,broadcom.com,yahoo.com,xfinity.com,irs.gov,linkedin.com
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: ERROR: GetModuleFileNameW() failed with error: ERROR_INSUFFICIENT_BUFFER
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: route print
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: .lnk
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: "%s\system32\schtasks.exe" /Create /ST %02u:%02u /RU "NT AUTHORITY\SYSTEM" /SC ONCE /tr "%s" /Z /ET %02u:%02u /tn %s
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: arp -a
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %s "$%s = \"%s\"; & $%s"
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: net share
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: cmd.exe /c set
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Self check
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %u;%u;%u;
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: /c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s"
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: ProfileImagePath
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: at.exe %u:%u "%s" /I
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: ProgramData
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Self check ok!
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: powershell.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: qwinsta
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: net view
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%s
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Component_08
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Start screenshot
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: schtasks.exe /Delete /F /TN %u
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: appidapi.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %s \"$%s = \\\"%s\\\\; & $%s\"
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: c:\ProgramData
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Component_07
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: bUdiuy81gYguty@4frdRdpfko(eKmudeuMncueaN
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: powershell.exe -encodedCommand %S
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: ERROR: GetModuleFileNameW() failed with error: %u
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: powershell.exe -encodedCommand
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: \System32\WindowsPowerShell\v1.0\powershell.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: schtasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /SC ONSTART /TN %u /TR "%s" /NP /F
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: error res='%s' err=%d len=%u
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: netstat -nao
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: runas
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: ipconfig /all
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %u.%u.%u.%u.%u.%u.%04x
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: SystemRoot
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: cscript.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: MBAMService.exe;mbamgui.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\System32\xwizard.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\System32\wermgr.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: C:\INTERNAL\__empty
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: .dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Win32_PhysicalMemory
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: ALLUSERSPROFILE
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: image/jpeg
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: LocalLow
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: displayName
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: shlwapi.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\WerFault.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: CommandLine
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: kernel32.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: SubmitSamplesConsent
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: 1234567890
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: wbj.go
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\wextract.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Win32_DiskDrive
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: vkise.exe;isesrv.exe;cmdagent.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: System32
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Name
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\System32\WerFault.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: WRSA.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: c:\\
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: SpyNetReporting
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: FALSE
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: aswhookx.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Packages
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: SonicWallClientProtectionService.exe;SWDash.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: application/x-shockwave-flash
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: RepUx.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\System32\mspaint.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Winsta0
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: CynetEPS.exe;CynetMS.exe;CynetConsole.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\wermgr.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %ProgramFiles(x86)%\Internet Explorer\iexplore.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: avp.exe;kavtray.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: root\SecurityCenter2
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\backgroundTaskHost.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: MsMpEng.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\System32\CertEnrollCtrl.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: userenv.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: csc_ui.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe;BehaviorDumper.exe;processdumperx64.exe;anti-virus.EXE;sysinfoX64.exe;sctoolswrapper.exe;sysinfoX64.exe;FakeExplorer.exe;apimonitor-x86.exe;idaq.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: \\.\pipe\
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: pstorec.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: NTUSER.DAT
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: from
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\System32\sethc.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: netapi32.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\System32\Utilman.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: gdi32.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: setupapi.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: SELECT * FROM Win32_Processor
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: iphlpapi.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Caption
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: CrAmTray.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Win32_ComputerSystem
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\System32\backgroundTaskHost.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %ProgramFiles%\Internet Explorer\iexplore.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: user32.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: xagtnotif.exe;AppUIMonitor.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\System32\dxdiag.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: SentinelServiceHost.exe;SentinelStaticEngine.exe;SentinelAgent.exe;SentinelStaticEngineScanner.exe;SentinelUI.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: \sf2.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\grpconv.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: egui.exe;ekrn.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Software\Microsoft
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %S.%06d
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: bcrypt.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: SELECT * FROM AntiVirusProduct
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\SndVol.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\Utilman.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\SpyNet
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: wtsapi32.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\xwizard.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: shell32.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: TRUE
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Win32_Bios
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: SELECT * FROM Win32_OperatingSystem
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\mobsync.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: c:\hiberfil.sysss
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: /
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\AtBroker.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: ByteFence.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: type=0x%04X
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: snxhk_border_mywnd
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: ROOT\CIMV2
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: https
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: fshoster32.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: kernelbase.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: regsvr32.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %s\system32\
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\dxdiag.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Win32_Process
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: rundll32.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: LOCALAPPDATA
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: cmd.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: APPDATA
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: select
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: .exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: mcshield.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: advapi32.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: ws2_32.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: .cfg
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: aabcdeefghiijklmnoopqrstuuvwxyyz
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Win32_Product
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: WQL
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: wininet.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: LastBootUpTime
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: S:(ML;;NW;;;LW)
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\CertEnrollCtrl.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: urlmon.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Create
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Win32_PnPEntity
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\System32\grpconv.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Initializing database...
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\System32\SearchIndexer.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: winsta0\default
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: .dat
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: WBJ_IGNORE
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: next
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\System32\AtBroker.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: wpcap.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\sethc.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: image/pjpeg
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: fmon.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: bdagent.exe;vsserv.exe;vsservppl.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\System32\SndVol.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: vbs
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: aswhooka.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: SysWOW64
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\mspaint.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: mpr.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: image/gif
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: crypt32.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: ntdll.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: open
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: CSFalconService.exe;CSFalconContainer.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\System32\wextract.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\System32\mobsync.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\SearchIndexer.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %u.%u.%u.%u.%u.%u.%04x
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: SystemRoot
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: cscript.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: MBAMService.exe;mbamgui.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\System32\xwizard.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\System32\wermgr.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: C:\INTERNAL\__empty
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: .dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Win32_PhysicalMemory
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: ALLUSERSPROFILE
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: image/jpeg
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: LocalLow
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: displayName
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: shlwapi.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\WerFault.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: CommandLine
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: kernel32.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: SubmitSamplesConsent
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: 1234567890
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: wbj.go
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\wextract.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Win32_DiskDrive
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: vkise.exe;isesrv.exe;cmdagent.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: System32
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Name
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\System32\WerFault.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: WRSA.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: c:\\
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: SpyNetReporting
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: FALSE
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: aswhookx.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Packages
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: SonicWallClientProtectionService.exe;SWDash.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: application/x-shockwave-flash
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: RepUx.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\System32\mspaint.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Winsta0
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: CynetEPS.exe;CynetMS.exe;CynetConsole.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\wermgr.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %ProgramFiles(x86)%\Internet Explorer\iexplore.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: avp.exe;kavtray.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: root\SecurityCenter2
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\backgroundTaskHost.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: MsMpEng.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\System32\CertEnrollCtrl.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: userenv.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: csc_ui.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe;BehaviorDumper.exe;processdumperx64.exe;anti-virus.EXE;sysinfoX64.exe;sctoolswrapper.exe;sysinfoX64.exe;FakeExplorer.exe;apimonitor-x86.exe;idaq.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: \\.\pipe\
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: pstorec.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: NTUSER.DAT
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: from
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\System32\sethc.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: netapi32.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\System32\Utilman.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: gdi32.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: setupapi.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: SELECT * FROM Win32_Processor
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: iphlpapi.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Caption
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: CrAmTray.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Win32_ComputerSystem
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\System32\backgroundTaskHost.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %ProgramFiles%\Internet Explorer\iexplore.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: user32.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: xagtnotif.exe;AppUIMonitor.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\System32\dxdiag.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: SentinelServiceHost.exe;SentinelStaticEngine.exe;SentinelAgent.exe;SentinelStaticEngineScanner.exe;SentinelUI.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: \sf2.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\grpconv.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: egui.exe;ekrn.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Software\Microsoft
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %S.%06d
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: bcrypt.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: SELECT * FROM AntiVirusProduct
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\SndVol.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\Utilman.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\SpyNet
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: wtsapi32.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\xwizard.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: shell32.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: TRUE
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Win32_Bios
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: SELECT * FROM Win32_OperatingSystem
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\mobsync.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: c:\hiberfil.sysss
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: /
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\AtBroker.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: ByteFence.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: type=0x%04X
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: snxhk_border_mywnd
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: ROOT\CIMV2
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: https
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: fshoster32.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: kernelbase.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: regsvr32.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %s\system32\
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\dxdiag.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Win32_Process
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: rundll32.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: LOCALAPPDATA
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: cmd.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: APPDATA
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: select
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: .exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: mcshield.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: advapi32.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: ws2_32.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: .cfg
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: aabcdeefghiijklmnoopqrstuuvwxyyz
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Win32_Product
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: WQL
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: wininet.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: LastBootUpTime
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: S:(ML;;NW;;;LW)
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\CertEnrollCtrl.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: urlmon.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Create
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Win32_PnPEntity
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\System32\grpconv.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Initializing database...
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\System32\SearchIndexer.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: winsta0\default
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: .dat
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: WBJ_IGNORE
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: next
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\System32\AtBroker.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: wpcap.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\sethc.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: image/pjpeg
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: fmon.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: bdagent.exe;vsserv.exe;vsservppl.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\System32\SndVol.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: vbs
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: aswhooka.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: SysWOW64
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\mspaint.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: mpr.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: image/gif
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: crypt32.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: ntdll.dll
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: open
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: CSFalconService.exe;CSFalconContainer.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\System32\wextract.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\System32\mobsync.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\SearchIndexer.exe
Source: 21.2.rundll32.exe.1060000.1.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10035030 mv_get_random_seed,BCryptOpenAlgorithmProvider,BCryptGenRandom,BCryptCloseAlgorithmProvider,mvpriv_open,_read,_close,mvpriv_open,_read,_close,clock,clock,mv_sha_init,mv_sha_update,mv_sha_final,mv_log,abort,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100500A3 mv_twofish_crypt,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000C0B0 mv_cast5_crypt2,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000B0D0 mv_camellia_crypt,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10013100 mv_encryption_init_info_alloc,mv_mallocz,mv_mallocz,mv_mallocz,mv_mallocz,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_calloc,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000C1B0 mv_cast5_crypt,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100132D0 mv_encryption_init_info_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10002480 mv_aes_ctr_crypt,mv_aes_crypt,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10013480 mv_encryption_init_info_get_side_data,mv_encryption_init_info_alloc,mv_free,mv_free,mv_free,mv_free,mv_free,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100084B0 mv_blowfish_crypt,mv_blowfish_crypt_ecb,mv_blowfish_crypt_ecb,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1004D4B0 mv_tea_crypt,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100364E0 mv_rc4_crypt,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10002523 mv_aes_crypt,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001363B mv_encryption_init_info_alloc,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000867B mv_blowfish_crypt_ecb,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100136FB mv_encryption_init_info_alloc,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10013860 mv_encryption_init_info_add_side_data,mv_malloc,mv_malloc,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10012A70 mv_encryption_info_alloc,mv_mallocz,mv_mallocz,mv_mallocz,mv_calloc,mv_free,mv_free,mv_free,mv_free,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10012B40 mv_encryption_info_clone,mv_encryption_info_alloc,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10001BF0 mv_aes_crypt,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10012CF0 mv_encryption_info_free,mv_free,mv_free,mv_free,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10012D40 mv_encryption_info_get_side_data,mv_encryption_info_alloc,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10007DC0 mv_blowfish_crypt_ecb,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10010E40 mv_des_crypt,

Source: F086.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: F086.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 21_2_01069DA8 FindFirstFileW,FindNextFileW,

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 12.172.173.82:50001
Source: Malware configuration extractor	IPs: 178.175.187.254:443
Source: Malware configuration extractor	IPs: 65.95.141.84:2222
Source: Malware configuration extractor	IPs: 205.237.67.69:995
Source: Malware configuration extractor	IPs: 83.110.223.61:443
Source: Malware configuration extractor	IPs: 193.253.100.236:2222
Source: Malware configuration extractor	IPs: 27.0.48.233:443
Source: Malware configuration extractor	IPs: 102.159.188.125:443
Source: Malware configuration extractor	IPs: 71.38.155.217:443
Source: Malware configuration extractor	IPs: 58.186.75.42:443
Source: Malware configuration extractor	IPs: 76.178.148.107:2222
Source: Malware configuration extractor	IPs: 70.28.50.223:2087
Source: Malware configuration extractor	IPs: 114.143.176.236:443
Source: Malware configuration extractor	IPs: 51.14.29.227:2222
Source: Malware configuration extractor	IPs: 59.28.84.65:443
Source: Malware configuration extractor	IPs: 173.88.135.179:443
Source: Malware configuration extractor	IPs: 103.144.201.56:2078
Source: Malware configuration extractor	IPs: 96.87.28.170:2222
Source: Malware configuration extractor	IPs: 105.186.128.181:995
Source: Malware configuration extractor	IPs: 176.142.207.63:443
Source: Malware configuration extractor	IPs: 151.62.238.176:443
Source: Malware configuration extractor	IPs: 12.172.173.82:32101
Source: Malware configuration extractor	IPs: 122.186.210.254:443
Source: Malware configuration extractor	IPs: 82.125.44.236:2222
Source: Malware configuration extractor	IPs: 84.108.200.161:443
Source: Malware configuration extractor	IPs: 76.16.49.134:443
Source: Malware configuration extractor	IPs: 70.28.50.223:32100
Source: Malware configuration extractor	IPs: 12.172.173.82:465
Source: Malware configuration extractor	IPs: 76.170.252.153:995
Source: Malware configuration extractor	IPs: 184.182.66.109:443
Source: Malware configuration extractor	IPs: 78.92.133.215:443
Source: Malware configuration extractor	IPs: 50.68.204.71:993
Source: Malware configuration extractor	IPs: 186.75.95.6:443
Source: Malware configuration extractor	IPs: 113.11.92.30:443
Source: Malware configuration extractor	IPs: 70.28.50.223:3389
Source: Malware configuration extractor	IPs: 98.145.23.67:443
Source: Malware configuration extractor	IPs: 85.57.212.13:3389
Source: Malware configuration extractor	IPs: 50.68.186.195:443
Source: Malware configuration extractor	IPs: 47.205.25.170:443
Source: Malware configuration extractor	IPs: 12.172.173.82:993
Source: Malware configuration extractor	IPs: 12.172.173.82:22
Source: Malware configuration extractor	IPs: 69.242.31.249:443
Source: Malware configuration extractor	IPs: 81.101.185.146:443
Source: Malware configuration extractor	IPs: 79.168.224.165:2222
Source: Malware configuration extractor	IPs: 75.143.236.149:443
Source: Malware configuration extractor	IPs: 14.192.241.76:995
Source: Malware configuration extractor	IPs: 86.195.14.72:2222
Source: Malware configuration extractor	IPs: 81.229.117.95:2222
Source: Malware configuration extractor	IPs: 220.240.164.182:443
Source: Malware configuration extractor	IPs: 73.29.92.128:443
Source: Malware configuration extractor	IPs: 12.172.173.82:21
Source: Malware configuration extractor	IPs: 96.56.197.26:2222
Source: Malware configuration extractor	IPs: 75.109.111.89:443
Source: Malware configuration extractor	IPs: 76.86.31.59:443
Source: Malware configuration extractor	IPs: 201.244.108.183:995
Source: Malware configuration extractor	IPs: 68.203.69.96:443
Source: Malware configuration extractor	IPs: 124.122.47.148:443
Source: Malware configuration extractor	IPs: 122.184.143.86:443
Source: Malware configuration extractor	IPs: 92.186.69.229:2222
Source: Malware configuration extractor	IPs: 70.28.50.223:2083
Source: Malware configuration extractor	IPs: 89.129.109.27:2222
Source: Malware configuration extractor	IPs: 147.147.30.126:2222
Source: Malware configuration extractor	IPs: 125.99.76.102:443
Source: Malware configuration extractor	IPs: 88.126.94.4:50000
Source: Malware configuration extractor	IPs: 151.65.167.77:443
Source: Malware configuration extractor	IPs: 86.132.236.117:443
Source: Malware configuration extractor	IPs: 92.154.17.149:2222
Source: Malware configuration extractor	IPs: 223.166.13.95:995
Source: Malware configuration extractor	IPs: 89.36.206.69:995
Source: Malware configuration extractor	IPs: 96.56.197.26:2083
Source: Malware configuration extractor	IPs: 78.18.105.11:443
Source: Malware configuration extractor	IPs: 82.127.153.75:2222
Source: Malware configuration extractor	IPs: 90.78.147.141:2222
Source: Malware configuration extractor	IPs: 82.131.141.209:443
Source: Malware configuration extractor	IPs: 183.87.163.165:443
Source: Malware configuration extractor	IPs: 92.9.45.20:2222
Source: Malware configuration extractor	IPs: 80.6.50.34:443
Source: Malware configuration extractor	IPs: 80.12.88.148:2222
Source: Malware configuration extractor	IPs: 69.133.162.35:443
Source: Malware configuration extractor	IPs: 172.115.17.50:443
Source: Malware configuration extractor	IPs: 95.45.50.93:2222
Source: Malware configuration extractor	IPs: 12.172.173.82:2087
Source: Malware configuration extractor	IPs: 103.140.174.20:2222
Source: Malware configuration extractor	IPs: 24.198.114.130:995
Source: Malware configuration extractor	IPs: 50.68.204.71:443
Source: Malware configuration extractor	IPs: 69.119.123.159:2222
Source: Malware configuration extractor	IPs: 64.121.161.102:443
Source: Malware configuration extractor	IPs: 2.82.8.80:443
Source: Malware configuration extractor	IPs: 184.181.75.148:443
Source: Malware configuration extractor	IPs: 70.112.206.5:443
Source: Malware configuration extractor	IPs: 198.2.51.242:993
Source: Malware configuration extractor	IPs: 2.36.64.159:2078
Source: Malware configuration extractor	IPs: 79.77.142.22:2222
Source: Malware configuration extractor	IPs: 84.215.202.8:443
Source: Malware configuration extractor	IPs: 147.219.4.194:443
Source: Malware configuration extractor	IPs: 116.74.164.81:443
Source: Malware configuration extractor	IPs: 70.28.50.223:2078
Source: Malware configuration extractor	IPs: 12.172.173.82:995
Source: Malware configuration extractor	IPs: 77.86.98.236:443
Source: Malware configuration extractor	IPs: 104.35.24.154:443
Source: Malware configuration extractor	IPs: 213.64.33.61:2222
Source: Malware configuration extractor	IPs: 47.149.134.231:443
Source: Malware configuration extractor	IPs: 72.134.124.16:443
Source: Malware configuration extractor	IPs: 47.34.30.133:443
Source: Malware configuration extractor	IPs: 103.42.86.42:995
Source: Malware configuration extractor	IPs: 174.4.89.3:443
Source: Malware configuration extractor	IPs: 161.142.103.187:995
Source: Malware configuration extractor	IPs: 78.160.146.127:443
Source: Malware configuration extractor	IPs: 84.35.26.14:995
Source: Malware configuration extractor	IPs: 12.172.173.82:20
Source: Malware configuration extractor	IPs: 70.28.50.223:2078
Source: Malware configuration extractor	IPs: 124.149.143.189:2222
Source: Malware configuration extractor	IPs: 70.160.67.203:443
Source: Malware configuration extractor	IPs: 186.64.67.30:443
Source: Malware configuration extractor	IPs: 103.123.223.133:443
Source: Malware configuration extractor	IPs: 188.28.19.84:443
Source: Malware configuration extractor	IPs: 174.58.146.57:443
Source: Malware configuration extractor	IPs: 94.207.104.225:443
Source: Malware configuration extractor	IPs: 86.97.55.89:2222
Source: Malware configuration extractor	IPs: 69.123.4.221:2222

Source: Joe Sandbox View	ASN Name: MEO-RESIDENCIALPT MEO-RESIDENCIALPT
Source: Joe Sandbox View	ASN Name: ASN-CXA-ALL-CCI-22773-RDCUS ASN-CXA-ALL-CCI-22773-RDCUS

Source: Joe Sandbox View	IP Address: 2.82.8.80 2.82.8.80
Source: Joe Sandbox View	IP Address: 70.160.67.203 70.160.67.203

Source: unknown

Network traffic detected: IP country count 30

Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.8.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: Amcache.hve.9.dr	String found in binary or memory: http://upx.sf.net
Source: rundll32.exe, rundll32.exe, 00000003.00000002.602747086.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.605878743.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.612716145.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000002.619943009.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.552416444.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000015.00000002.561034686.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, F086.dll	String found in binary or memory: https://streams.videolan.org/upload/

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_1004D9B0 mv_thread_message_queue_recv,AcquireSRWLockExclusive,SleepConditionVariableSRW,SleepConditionVariableSRW,mv_fifo_can_read,mv_fifo_can_read,ReleaseSRWLockExclusive,mv_fifo_read,WakeConditionVariable,mv_fifo_can_read,

Source: loaddll32.exe, 00000000.00000002.808838749.0000000000C0B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: F086.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: 21.2.rundll32.exe.1060000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
Source: 21.2.rundll32.exe.b51128.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
Source: 26.2.wermgr.exe.1200000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
Source: 21.2.rundll32.exe.b51128.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 652

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1004F020
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000D060
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10028070
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100500A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002B0B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000B0D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100500E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10008144
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002A1A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100101D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001021B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10058218
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10027220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10033261
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10007270
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10024280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10023350
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100353B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100243C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10013480
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1004D4B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1004C4C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000D4D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1004E517
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001F523
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100105C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100215D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10023620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000164B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100206A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1004E71B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10010750
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000E760
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10010778
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002A800
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10030800
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000B830
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10026870
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10001900
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10091900
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000D910
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001F91B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1009D970
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10010980
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001099C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100339B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000C9F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000FA00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000AA10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10091A40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10007A50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000EAC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000FAE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000FAF7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000AB30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10003BA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000FBC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10001C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000DC10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000EC10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10031C30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000BC40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10004C96
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000ECC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000DD40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000CD50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002DD90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000EDB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10007DC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1004DDC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10023E60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10004E92
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000CEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002EEB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_01078D30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_010771FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_0107320D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_01063A40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_01076E40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_01074A6F

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: String function: 100089C0 appears 35 times

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_0106A412 NtAllocateVirtualMemory,NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_0106A823 GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_010743F4 NtProtectVirtualMemory,NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_0106CA0F NtAllocateVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,NtFreeVirtualMemory,

Source: F086.dll

Binary or memory string: OriginalFilenameavutil-lav-57.dll. vs F086.dll

Source: F086.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\F086.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\F086.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\F086.dll,mv_add_i
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F086.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 668
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\F086.dll,mv_add_q
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\F086.dll,mv_add_stable
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6980 -s 652
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F086.dll",mv_add_i
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F086.dll",mv_add_q
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F086.dll",mv_add_stable
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F086.dll",next
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F086.dll",mvutil_license
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F086.dll",mvutil_configuration
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7052 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\F086.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\F086.dll,mv_add_i
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\F086.dll,mv_add_q
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\F086.dll,mv_add_stable
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F086.dll",mv_add_i
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F086.dll",mv_add_q
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F086.dll",mv_add_stable
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F086.dll",next
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F086.dll",mvutil_license
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F086.dll",mvutil_configuration
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F086.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe

Source: C:\Windows\SysWOW64\wermgr.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Lxuqeem

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERED39.tmp

Jump to behavior

Source: classification engine

Classification label: mal92.troj.evad.winDLL@30/19@0/100

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 21_2_0106D213 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 21_2_0106C71C CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification,

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\F086.dll,mv_add_i

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7052
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6980
Source: C:\Windows\SysWOW64\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{68B87196-8F4A-4548-A38A-24248073FA5A}
Source: C:\Windows\SysWOW64\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\{EDC7F789-D5BB-4CFA-883D-02BA6AAF426D}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3620:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3688
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3996
Source: C:\Windows\SysWOW64\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\{68B87196-8F4A-4548-A38A-24248073FA5A}

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: F086.dll

Static PE information: More than 582 > 100 exports found

Source: F086.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_100A2A90 push eax; mov dword ptr [esp], esi

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_1001F523 mv_dict_get,LoadLibraryA,LoadLibraryA,InitOnceBeginInitialize,InitOnceComplete,LoadLibraryA,GetProcAddress,mv_log,atoi,mv_log,mv_log,GetProcAddress,

Source: F086.dll

Static PE information: real checksum: 0xf1b7b should be: 0xee8fa

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Windows\SysWOW64\rundll32.exe

Memory written: PID: 6964 base: 13A3C50 value: E9 63 D7 E5 FF

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\rundll32.exe TID: 6876

Thread sleep count: 199 > 30

Source: C:\Windows\SysWOW64\rundll32.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10035030 rdtsc

Source: C:\Windows\SysWOW64\rundll32.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Windows\SysWOW64\wermgr.exe

Process information queried: ProcessInformation

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 21_2_0106B883 GetSystemInfo,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 21_2_01069DA8 FindFirstFileW,FindNextFileW,

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Source: Amcache.hve.9.dr	Binary or memory string: VMware
Source: Amcache.hve.9.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr	Binary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.9.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.9.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging

Potentially malicious time measurement code found

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10035030 Start: 10035315 End: 1003515E

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_1001F523 mv_dict_get,LoadLibraryA,LoadLibraryA,InitOnceBeginInitialize,InitOnceComplete,LoadLibraryA,GetProcAddress,mv_log,atoi,mv_log,mv_log,GetProcAddress,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10035030 rdtsc

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001E0D9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_3_01052297 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_01061015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_010621CD mov eax, dword ptr fs:[00000030h]

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\wermgr.exe base: 1230000
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\wermgr.exe base: 1200000
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\wermgr.exe base: 13A3C50

Allocates memory in foreign processes

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 1200000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 1230000 protect: page read and write

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\rundll32.exe

Memory written: C:\Windows\SysWOW64\wermgr.exe base: 1200000 value starts with: 4D5A

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F086.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe

Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\wermgr.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\wermgr.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_1008DB50 cpuid

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_100A0AD0 GetCurrentThread,GetThreadTimes,GetSystemTimeAsFileTime,QueryPerformanceFrequency,QueryPerformanceCounter,GetCurrentProcess,GetProcessTimes,_errno,GetModuleHandleA,GetProcAddress,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10092180 GetTimeZoneInformation,GetModuleHandleA,GetProcAddress,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 21_2_0106BB4D GetCurrentProcessId,GetLastError,GetVersionExA,GetWindowsDirectoryW,

Source: rundll32.exe, 00000015.00000003.551536900.00000000047FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bdagent.exe
Source: rundll32.exe, 00000015.00000003.551536900.00000000047FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vsserv.exe
Source: rundll32.exe, 00000015.00000003.551536900.00000000047FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: rundll32.exe, 00000015.00000003.551536900.00000000047FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avgcsrvx.exe
Source: rundll32.exe, 00000015.00000003.551536900.00000000047FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mcshield.exe
Source: rundll32.exe, 00000015.00000003.551536900.00000000047FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Qbot

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 21.2.rundll32.exe.1060000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.b51128.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.wermgr.exe.1200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.b51128.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000002.559780221.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.559899165.0000000004780000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Qbot

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 21.2.rundll32.exe.1060000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.b51128.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.wermgr.exe.1200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.b51128.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000002.559780221.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.559899165.0000000004780000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	3 Native API	Path Interception	311 Process Injection	1 Masquerading	1 Credential API Hooking	2 System Time Discovery	Remote Services	1 Credential API Hooking	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	21 Virtualization/Sandbox Evasion	1 Input Capture	31 Security Software Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	311 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Archive Collected Data	Automated Exfiltration	1 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Deobfuscate/Decode Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Rundll32	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	24 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
F086.dll	0%	ReversingLabs
F086.dll	0%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
windowsupdatebg.s.llnwi.net	1%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
windowsupdatebg.s.llnwi.net	95.140.230.192	true	false	1%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.9.dr	false		high
https://streams.videolan.org/upload/	rundll32.exe, rundll32.exe, 00000003.00000002.602747086.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.605878743.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.612716145.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000002.619943009.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.552416444.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000015.00000002.561034686.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, F086.dll	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
2.82.8.80	unknown	Portugal	3243	MEO-RESIDENCIALPT	true
70.160.67.203	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
75.143.236.149	unknown	United States	20115	CHARTER-20115US	true
83.110.223.61	unknown	United Arab Emirates	5384	EMIRATES-INTERNETEmiratesInternetAE	true
86.195.14.72	unknown	France	3215	FranceTelecom-OrangeFR	true
84.215.202.8	unknown	Norway	41164	GET-NOGETNorwayNO	true
184.182.66.109	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
92.186.69.229	unknown	France	12479	UNI2-ASES	true
174.4.89.3	unknown	Canada	6327	SHAWCA	true
161.142.103.187	unknown	Malaysia	9930	TTNET-MYTIMEdotComBerhadMY	true
114.143.176.236	unknown	India	17762	HTIL-TTML-IN-APTataTeleservicesMaharashtraLtdIN	true
14.192.241.76	unknown	Malaysia	9534	MAXIS-AS1-APBinariangBerhadMY	true
173.88.135.179	unknown	United States	10796	TWC-10796-MIDWESTUS	true
84.108.200.161	unknown	Israel	8551	BEZEQ-INTERNATIONAL-ASBezeqintInternetBackboneIL	true
47.34.30.133	unknown	United States	20115	CHARTER-20115US	true
183.87.163.165	unknown	India	132220	JPRDIGITAL-INJPRDigitalPvtLtdIN	true
184.181.75.148	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
124.149.143.189	unknown	Australia	7545	TPG-INTERNET-APTPGTelecomLimitedAU	true
84.35.26.14	unknown	Netherlands	21221	INFOPACT-ASTheNetherlandsNL	true
73.29.92.128	unknown	United States	7922	COMCAST-7922US	true
68.203.69.96	unknown	United States	11427	TWC-11427-TEXASUS	true
82.131.141.209	unknown	Hungary	20845	DIGICABLEHU	true
64.121.161.102	unknown	United States	6079	RCN-ASUS	true
178.175.187.254	unknown	Moldova Republic of	43289	TRABIAMD	true
96.56.197.26	unknown	United States	6128	CABLE-NET-1US	true
186.64.67.30	unknown	Argentina	27953	NODOSUDSAAR	true
188.28.19.84	unknown	United Kingdom	206067	H3GUKGB	true
125.99.76.102	unknown	India	17488	HATHWAY-NET-APHathwayIPOverCableInternetIN	true
81.101.185.146	unknown	United Kingdom	5089	NTLGB	true
59.28.84.65	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	true
105.186.128.181	unknown	South Africa	37457	Telkom-InternetZA	true
76.86.31.59	unknown	United States	20001	TWC-20001-PACWESTUS	true
147.147.30.126	unknown	United Kingdom	6871	PLUSNETUKInternetServiceProviderGB	true
96.87.28.170	unknown	United States	7922	COMCAST-7922US	true
75.109.111.89	unknown	United States	19108	SUDDENLINK-COMMUNICATIONSUS	true
78.92.133.215	unknown	Hungary	5483	MAGYAR-TELEKOM-MAIN-ASMagyarTelekomNyrtHU	true
124.122.47.148	unknown	Thailand	17552	TRUE-AS-APTrueInternetCoLtdTH	true
88.126.94.4	unknown	France	12322	PROXADFR	true
51.14.29.227	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	true
85.57.212.13	unknown	Spain	12479	UNI2-ASES	true
47.205.25.170	unknown	United States	5650	FRONTIER-FRTRUS	true
95.45.50.93	unknown	Ireland	5466	EIRCOMInternetHouseIE	true
80.12.88.148	unknown	France	3215	FranceTelecom-OrangeFR	true
69.133.162.35	unknown	United States	11426	TWC-11426-CAROLINASUS	true
86.132.236.117	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	true
151.62.238.176	unknown	Italy	1267	ASN-WINDTREIUNETEU	true
70.112.206.5	unknown	United States	11427	TWC-11427-TEXASUS	true
205.237.67.69	unknown	Canada	11290	CC-3272CA	true
102.159.188.125	unknown	Tunisia	37705	TOPNETTN	true
151.65.167.77	unknown	Italy	1267	ASN-WINDTREIUNETEU	true
76.178.148.107	unknown	United States	10838	OCEANIC-INTERNET-RRUS	true
89.36.206.69	unknown	Italy	48544	TECNOADSL-ASIT	true
69.242.31.249	unknown	United States	7922	COMCAST-7922US	true
193.253.100.236	unknown	France	3215	FranceTelecom-OrangeFR	true
76.16.49.134	unknown	United States	7922	COMCAST-7922US	true
94.207.104.225	unknown	United Arab Emirates	15802	DU-AS1AE	true
201.244.108.183	unknown	Colombia	19429	ETB-ColombiaCO	true
103.42.86.42	unknown	India	133660	EDIGITAL-ASE-InfrastructureandEntertainmentIndiaPvtLt	true
78.18.105.11	unknown	Ireland	2110	AS-BTIREBTIrelandwaspreviouslyknownasEsatNetEUnet	true
80.6.50.34	unknown	United Kingdom	5089	NTLGB	true
103.144.201.56	unknown	unknown	139762	MSSOLUTION-AS-APSolutionBD	true
27.0.48.233	unknown	India	132573	SAINGN-AS-INSAINGNNetworkServicesIN	true
70.28.50.223	unknown	Canada	577	BACOMCA	true
98.145.23.67	unknown	United States	20001	TWC-20001-PACWESTUS	true
47.149.134.231	unknown	United States	5650	FRONTIER-FRTRUS	true
82.125.44.236	unknown	France	3215	FranceTelecom-OrangeFR	true
81.229.117.95	unknown	Sweden	3301	TELIANET-SWEDENTeliaCompanySE	true
89.129.109.27	unknown	Spain	12479	UNI2-ASES	true
122.186.210.254	unknown	India	9498	BBIL-APBHARTIAirtelLtdIN	true
79.77.142.22	unknown	United Kingdom	9105	TISCALI-UKTalkTalkCommunicationsLimitedGB	true
90.78.147.141	unknown	France	3215	FranceTelecom-OrangeFR	true
122.184.143.86	unknown	India	9498	BBIL-APBHARTIAirtelLtdIN	true
186.75.95.6	unknown	Panama	11556	CableWirelessPanamaPA	true
50.68.186.195	unknown	Canada	6327	SHAWCA	true
12.172.173.82	unknown	United States	2386	INS-ASUS	true
213.64.33.61	unknown	Sweden	3301	TELIANET-SWEDENTeliaCompanySE	true
79.168.224.165	unknown	Portugal	2860	NOS_COMUNICACOESPT	true
86.97.55.89	unknown	United Arab Emirates	5384	EMIRATES-INTERNETEmiratesInternetAE	true
176.142.207.63	unknown	France	5410	BOUYGTEL-ISPFR	true
92.154.17.149	unknown	France	3215	FranceTelecom-OrangeFR	true
174.58.146.57	unknown	United States	7922	COMCAST-7922US	true
78.160.146.127	unknown	Turkey	9121	TTNETTR	true
58.186.75.42	unknown	Viet Nam	18403	FPT-AS-APTheCorporationforFinancingPromotingTechnolo	true
223.166.13.95	unknown	China	17621	CNCGROUP-SHChinaUnicomShanghainetworkCN	true
65.95.141.84	unknown	Canada	577	BACOMCA	true
50.68.204.71	unknown	Canada	6327	SHAWCA	true
71.38.155.217	unknown	United States	209	CENTURYLINK-US-LEGACY-QWESTUS	true
104.35.24.154	unknown	United States	20001	TWC-20001-PACWESTUS	true
220.240.164.182	unknown	Australia	7545	TPG-INTERNET-APTPGTelecomLimitedAU	true
103.123.223.133	unknown	India	138329	KWS-AS-APKenstarWebSolutionsPrivateLimitedIN	true
24.198.114.130	unknown	United States	11351	TWC-11351-NORTHEASTUS	true
2.36.64.159	unknown	Italy	30722	VODAFONE-IT-ASNIT	true
198.2.51.242	unknown	United States	20001	TWC-20001-PACWESTUS	true
92.9.45.20	unknown	United Kingdom	13285	OPALTELECOM-ASTalkTalkCommunicationsLimitedGB	true
113.11.92.30	unknown	Bangladesh	7565	BDCOM-BDRangsNiluSquare5thFloorHouse75Road5AD	true
69.119.123.159	unknown	United States	6128	CABLE-NET-1US	true
69.123.4.221	unknown	United States	6128	CABLE-NET-1US	true
172.115.17.50	unknown	United States	20001	TWC-20001-PACWESTUS	true
77.86.98.236	unknown	United Kingdom	12390	KINGSTON-UK-ASGB	true
147.219.4.194	unknown	United States	1498	DNIC-ASBLK-01498-01499US	true

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	878699
Start date and time:	2023-05-31 02:13:09 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 44s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	F086.dll
Detection:	MAL
Classification:	mal92.troj.evad.winDLL@30/19@0/100
EGA Information:	Successful, ratio: 50%
HDC Information:	Successful, ratio: 10.2% (good quality ratio 7.9%) Quality average: 56.4% Quality standard deviation: 38.3%
HCA Information:	Successful, ratio: 99% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .dll Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): audiodg.exe, WerFault.exe, WMIADAP.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.182.143.212, 20.42.65.92, 209.197.3.8, 93.184.221.240, 20.42.73.29
Excluded domains from analysis (whitelisted): wu.ec.azureedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, wu-bg-shim.trafficmanager.net, wu.azureedge.net, onedsblobprdeus17.eastus.cloudapp.azure.com, onedsblobprdcus15.centralus.cloudapp.azure.com, blobcollector.events.data.trafficmanager.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, onedsblobprdeus15.eastus.cloudapp.azure.com, hlb.apr-52dd2-0.edgecastdns.net, watson.telemetry.microsoft.com
Execution Graph export aborted for target rundll32.exe, PID 3688 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_92f46c7f299346a6ffcb64477668158ac3e1de1_82810a17_1b34096c\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9055131298747424
Encrypted:	false
SSDEEP:	192:V8Iiq0oXYHBUZMX4jed+u/u7sVS274ItWc:Zi8XABUZMX4jeL/u7sVX4ItWc
MD5:	55B2B81307518F99025F67BBF80B3D11
SHA1:	7BEF96E67FED2897598331B2D726DF5E6C403C5B
SHA-256:	D1C7F2C24EFD30376A9F9684FC977B90F8893E2D6630B0C480EB0BED0ED7AFBC
SHA-512:	E882D8C4F3261FF77016A1A29C41838AFCC6FA4EE2EAAA1709AF2B84F498070D1D3C00A077222328B4C9E58FDC994B84BAD882B18E95BAD1CF02A072A7517056
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.9.9.6.5.6.4.7.1.4.3.7.5.9.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.2.9.9.6.5.6.4.8.0.9.4.0.7.1.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.a.3.6.e.b.9.a.-.4.0.7.6.-.4.2.0.8.-.8.f.b.8.-.f.2.3.c.1.0.f.4.8.7.a.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.4.9.9.6.6.3.4.-.8.4.4.2.-.4.f.0.7.-.a.e.9.c.-.9.7.0.8.9.b.0.2.4.b.7.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.4.4.-.0.0.0.1.-.0.0.1.f.-.b.5.8.a.-.5.8.d.0.5.4.9.3.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_e81cd1d5139fff9fe89f63caf8b194b6696e72da_82810a17_1077f69f\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9051055765755451
Encrypted:	false
SSDEEP:	192:C0s0jih0oXQHBUZMX4jed+u/u7sVS274ItWc:JiPX4BUZMX4jeL/u7sVX4ItWc
MD5:	B78E12F870A8A72208354B4626138F54
SHA1:	E3E0586B5B4F4475DEC017E358B259BC09CDCA7F
SHA-256:	8EC672D0045C650FE465C220381489A6BFFB74EE5F639F79EC651C1CF66377BA
SHA-512:	5712667A37AF9F34DD43A96CEF9C9971B20A174964B16FC79A60BADA657E8FA47100775A299C0F653154C5AA1E05B48B3BC5C268E8CE3C95B672BC06C6B8E1E2
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.9.9.6.5.6.4.1.6.2.6.6.4.0.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.2.9.9.6.5.6.4.2.6.2.6.6.4.2.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.0.3.a.0.c.0.4.-.9.a.4.c.-.4.2.e.c.-.b.2.0.f.-.7.9.6.2.6.0.0.9.c.0.0.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.d.5.9.a.8.e.7.-.a.f.b.c.-.4.2.a.0.-.a.6.7.f.-.c.9.3.1.e.b.3.4.2.9.8.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.9.c.-.0.0.0.1.-.0.0.1.f.-.2.a.0.3.-.b.a.c.c.5.4.9.3.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_e81cd1d5139fff9fe89f63caf8b194b6696e72da_82810a17_132ff69f\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	65536
Entropy (8bit):	0.9027512917886359
Encrypted:	false
SSDEEP:	192:nWuiy40oXTHBUZMX4jed+u/u7sVS274ItWc:fiTXTBUZMX4jeL/u7sVX4ItWc
MD5:	1D1F778A8E4533F5A0768F09E9916C69
SHA1:	61093C2CE249CCAD17B3BBE2A425D584FF4E5287
SHA-256:	A39EE716FACB9C1B6D936FAF7CA8A58F11A43D30A80727E27B67662A6F4DA8AE
SHA-512:	58B7BA9AF9E998A5744F5FC511A319963FD80D34F59BF0480E2DB0B1FFF143F91693087BED4F6468224D067A092ACAFFF02CD65F717085736A4C98B544CFD7A8
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.9.9.6.5.6.4.1.5.8.9.0.4.3.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.2.9.9.6.5.6.4.2.4.7.9.6.6.9.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.2.6.8.7.c.f.3.-.9.1.e.0.-.4.a.5.e.-.b.a.1.3.-.9.a.3.c.b.6.3.1.9.1.7.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.7.a.0.3.3.6.6.-.8.9.0.6.-.4.4.e.0.-.b.8.d.d.-.7.5.c.1.9.2.8.0.4.5.f.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.e.6.8.-.0.0.0.1.-.0.0.1.f.-.8.e.0.0.-.b.7.c.c.5.4.9.3.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_e81cd1d5139fff9fe89f63caf8b194b6696e72da_82810a17_1394167c\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9049368762346357
Encrypted:	false
SSDEEP:	192:QJiw0oXwHBUZMX4jed+u/u7sVS274ItWc:aimXYBUZMX4jeL/u7sVX4ItWc
MD5:	BB9865500A8CC7E393F0E0D055157368
SHA1:	74314FEE4AE456873DF5EDF741193FDEB2ABFF39
SHA-256:	466B4DBAACBF28FBE6C6F887B8BDD374C74F240FBEBB8A01DF94ABAE8C17B81B
SHA-512:	9D9D4BF67E12F028C6CD0C958BF34851A68E753E40DE8AFF5CB6534E648B60715DE4F7D5B36238869B2A922EB2E44F9D543D3134ED472944CE8C12064162C1A0
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.9.9.6.5.6.5.0.7.2.8.5.6.0.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.2.9.9.6.5.6.5.1.4.7.7.4.2.1.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.1.3.1.9.5.f.9.-.4.0.f.4.-.4.7.8.e.-.9.2.a.8.-.d.7.2.a.c.4.8.2.d.5.9.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.e.e.6.0.e.5.2.-.3.0.e.8.-.4.c.d.4.-.8.a.b.3.-.4.4.f.8.6.1.4.9.e.e.0.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.8.c.-.0.0.0.1.-.0.0.1.f.-.4.d.8.4.-.2.f.d.2.5.4.9.3.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER10EE.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed May 31 00:14:11 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	37146
Entropy (8bit):	2.279955894786345
Encrypted:	false
SSDEEP:	192:XsK6sZy56WhuCphO5SkbP0OGjjM2lgroOpl2cgdJnB:LUI5LbNGjjfl/MlC
MD5:	A51DDAB877B583B207BC2295F1D52284
SHA1:	3095F886BCA3A4A3F89362B3BB3C4F2166939FA1
SHA-256:	68622B86743C36E2096AB2545510F49A02D1F3EDB7C1E95C7C8248E96612CB83
SHA-512:	78AAEAAA6AD7B4642F68066173D65A9F4B8F844D202AA9098AC8DA8666634BCECD8D12D027CAA1806D0BC0B58C690D128A5E7EE339C27D8F0B4F864F8FB29B4A
Malicious:	false
Preview:	MDMP....... .......S.vd............d...............l............)..........T.......8...........T................w...........................................................................................U...........B..............GenuineIntelW...........T...........Q.vd.............................0..=...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1246.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8260
Entropy (8bit):	3.688158143446261
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNid867zP6YADq6/vgmfTOSc+pra89bzwsfnxm:RrlsNi26n6YKq6/vgmfTOSzzDfM
MD5:	242ECAFDF109552F5B22029DC3D2190F
SHA1:	61015571828D42572FAA69F660F7464A24493A4E
SHA-256:	A91734114B8DC027CC4E703AA85A0CBC2C15407ECED2AAC4D15A7648C757DA9C
SHA-512:	BC822BF9ED82A9ACD48F8AA1B717E08450F7C4AE622F75E1D60CB3D34806307B434826002C6CD18AE8707DCC7FF3BB744B94D5A26EB5C67A14FD5551EC427FFF
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.5.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER12A5.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4626
Entropy (8bit):	4.449681607530768
Encrypted:	false
SSDEEP:	48:cvIwSD8zs62+JgtWI9obyWgc8sqYjX8fm8M4JCdsEZFwN+q8/vKUQ4SrSXd:uITf6hrbTgrsqYAJiwUyDWXd
MD5:	8C7642FA9900AD58A0496E224D01D790
SHA1:	A53230896A77F953CD65890A95F255AA41F239CD
SHA-256:	6FE236EC4504383DCB26868605CB1DD81E93045312F7DB9AD9222F03E6D2DE9F
SHA-512:	0024FB17CC95FBBD958FA13054C21B4B0BF7402E297AB3852BEFB77FE7B96447E0C7C119470872C8961707CC3F627D25AF8E3C4B83B9D43BD5C299737EC69C07
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2064084" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2E4.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed May 31 00:14:07 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	38166
Entropy (8bit):	2.225145616155827
Encrypted:	false
SSDEEP:	192:DjL6sZy56WhaxDO5SkbZujjw+JGCNB+EInu:PUD5LbZujjDJ7NcEIu
MD5:	F5B1E4135009ABF1FB2461A9BAC6B921
SHA1:	72EC5F8CDFDB62AF901AFB35186355F35296FCE4
SHA-256:	295F5039107A5730A0981D9CFAAF7B520C06EB0CE7AF2986FDAF186ABDB43838
SHA-512:	CED883F7B5FCCCDA0781F329C3C14EBB0E8420992D6CA6EFC2B117494F08F2A06868C721C706F234725F123D821E2B8547E7E2FC49121108BB1C0974201C2C68
Malicious:	false
Preview:	MDMP....... .......O.vd............d...............l............)..........T.......8...........T................{...........................................................................................U...........B..............GenuineIntelW...........T.......D...N.vd.............................0..=...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER47B.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8246
Entropy (8bit):	3.6896336762973987
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiSu67zy6YAc6FOgmfTuSc+prt89bubbsfSojm:RrlsNiD6a6Y76sgmfTuSaubgfB6
MD5:	C6CB8DAB5798DA4339F86459605D3442
SHA1:	52A78743D1C930E1287E3D3C3C510ACE2AF82D25
SHA-256:	40AC39CE5246823BFC892D267C9B8A1EFBE9F3140A9C162464048868E3B2C2FF
SHA-512:	CFA24837DA841217D6A83CB5E2AFD82734E05DAA0AFBFB5A6F02F51CEA77E86F52AEBED00EC3D50B797AAB6A44B9E583E7471E2AF841F4D2D4D464A4FD276017
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.8.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4DA.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4626
Entropy (8bit):	4.454488569665358
Encrypted:	false
SSDEEP:	48:cvIwSD8zs62+JgtWI9obyWgc8sqYjhL8fm8M4JCdsE9FClL+q8/v8/4SrS1d:uITf6hrbTgrsqY9oJiqBUKDW1d
MD5:	4C54DFE9D19371595B682DB6B5A5892B
SHA1:	6862F62B0322B9C955275BC613119E717A6720C9
SHA-256:	66E606A10D0AD6D4BB696D5AF700C8A81687EA37D9305A332E2A379AC2DF21E5
SHA-512:	42E5F956715A49FA55E485A1385BA2255BB58DD745A340A047492698E1C1DEA4B1ED96D8E6056F81C6879B3B41A9A1A6056EACA2CADCEECD0126AB115ECFC51F
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2064084" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERED39.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed May 31 00:14:01 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	37738
Entropy (8bit):	2.243386740692205
Encrypted:	false
SSDEEP:	192:lIpD6sZy56WhjWoO5Skb//ZoEjjI9Nu/fIAd50uve+c:wUq5LbXZjjkNu/Q4auvo
MD5:	B459E02B7431D2B4E028870FF7FF4B5D
SHA1:	535936D4B932527E621F80730E99AADC026E0F70
SHA-256:	1615000AC79F8135750637E46099F65912A99237A60C999122960A84535AB35C
SHA-512:	1BD75F0B0A06A134FCFA034DFAF42A3B0B7FDB2FC060022D9EC60F77F3A3810A383BB1E72E7FDF19C3B7F649E8586526A4D31D91DB289862340CC681F87BFA82
Malicious:	false
Preview:	MDMP....... .......I.vd............d...............l............)..........T.......8...........T...............jy...........................................................................................U...........B..............GenuineIntelW...........T.......h...H.vd.............................0..=...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERED68.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed May 31 00:14:01 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	42586
Entropy (8bit):	2.1664846431200213
Encrypted:	false
SSDEEP:	192:lOurQQayO5Skb5oIF47ljjd9EH0ZfnyC+/nD4g:WN5Lbo7ljjbEinoMg
MD5:	B4C037A87261B21529F5E7900FBFDCB5
SHA1:	073C2752DEE10EFE1B14F58A14E08C8028F4B101
SHA-256:	9BB6A1AA97D3D77658D2423E491AFCF4F9E73AAC97C136EB503E7EA2E4584E6D
SHA-512:	3BC946D00B7E4FCDC0E597EB6A5E244A1693F8783884D9BA10162CDE4DE1E92059635541B2230A0EA90DB48A822AF723148026F677A17BE24877F3C8AD8582CB
Malicious:	false
Preview:	MDMP....... .......I.vd.........................................,..........T.......8...........T...........P...............0................................................................................U...........B..............GenuineIntelW...........T...........H.vd.............................0..=...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREE92.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8248
Entropy (8bit):	3.6886902077663004
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiIV67zD6YAv6wgmfTOSc+pr189bSMsf0mm:RrlsNiK6L6YI6wgmfTOSySffM
MD5:	D08CAF43EBC395DE2FB2CC4F32063CDD
SHA1:	FEDC90FECC4DAC1A03ED97C5EF0BC316F82889CD
SHA-256:	7B7DDB1E27F2B403BD223FE9CAC8558AE0E61F97EB105FDAACD2A84CE7703C1E
SHA-512:	02F57B9D1F589C9DAAA9C2BAB76800727D6B77A89F72E838F32ED52A4E48A106B5448D9525E6B55A6A170825D88B814F2074A154103E54423F9E968F74A2FCE2
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.6.8.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREED0.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8242
Entropy (8bit):	3.68719304413973
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiwp6v6YR66NgmfTOSc+prA89bp/sfcMlDm:RrlsNi+6v6Ys6NgmfTOSNpkfcV
MD5:	A997516C04285B28475E3ABA55458A98
SHA1:	A08209D1CE91F1095F94DA53206682DEFE7CBC92
SHA-256:	2E138618BC4CC02F28E2A7B8588C0924CCEBE931E16BB5C40ED970DE7AFD850B
SHA-512:	C737515B76BE1A2F406B45268918D4E3CBA9512E6D9A8FAE9568CF8E1CD4E979C5D03DF222943ACEB51B34C81504CB515D9CE734708E10E184DEAC1928DEC326
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.9.9.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREF2F.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4626
Entropy (8bit):	4.4493677045843265
Encrypted:	false
SSDEEP:	48:cvIwSD8zs62+JgtWI9obyWgc8sqYjp8fm8M4JCdsEZFM+q8/vK84SrSod:uITf6hrbTgrsqYSJiAUzDWod
MD5:	2E8C037D0C42F9ED734BFDCCC5FE5F04
SHA1:	7D0B248A48218256555CE761B0B50428DFB99895
SHA-256:	4E928264B3F6F899ADCBD5E51010F64207A7FFBED3DAC45AB3C158D805862B0F
SHA-512:	C87C4737183F62EDA5509091C1A9B9495A0350513536A9ADCC605E5E8E53628CA51C696795CAF0614416674AA5A0D83D783F730184AA22B8CB02567065C6D890
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2064084" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREFBD.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4626
Entropy (8bit):	4.450006669795609
Encrypted:	false
SSDEEP:	48:cvIwSD8zs62+JgtWI9obyWgc8sqYjr8fm8M4JCdsEZFyJ+q8/vK84SrSZd:uITf6hrbTgrsqY0Ji+UzDWZd
MD5:	C35594112DBF97EB69306E5EA735FABD
SHA1:	A3F0194D50BF2A3709093A06987C6990FA8D0193
SHA-256:	3FD6C933015F4175CB6C0A05C88DDF6F3BD5877D8FA94269E488D9E6DECA3789
SHA-512:	EC7DC1C79A4DFFC803F81835286A02748DF1B9CE052CC26547365EF70C0BE7140AB915A6145DFA80B6D1ECED92F75EC5A3C7C9EE04B1125ACD1A4C8BBEEEE66C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2064084" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	data
Category:	dropped
Size (bytes):	340
Entropy (8bit):	3.456404735954774
Encrypted:	false
SSDEEP:	6:kK5r8zLNYEN+SkQlPlEGYRMY9z+s3Ql2DUeA:hraukPlE99SCQl2DUeA
MD5:	BDF8491796DBEFD8631C9D8D79230279
SHA1:	EE7B8EA8A86FBFB7DEA698ADB86867374DDFA41A
SHA-256:	80D271F811B542C50506241AC7CB17768F41AF7F95BBBC6E2FC3C9E5507DA210
SHA-512:	792D5123590E35817057FFBFE499CEDA5EBB6F4AE74755A76DBE410E88DD6C21BE1F47666C423CA5250919797D00367F2C373D0381172336F05080AF6D765296
Malicious:	false
Preview:	p...... .........E..T...(...............................................9..A.... .........Z.6.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".0.8.f.5.a.b.0.3.6.1.a.d.7.1.:.0."...

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.311546181149005
Encrypted:	false
SSDEEP:	12288:6i0ipfBEZTCyhxh+n9983GkoGpkK/GisBdP3/a9p8kVSFbjjJO:70ipfBEZTCExh+cCGG
MD5:	DB0AB6F570408B424F507A0388F77CEB
SHA1:	ABCBF2E8BE3137B8700EBB78548C3A13DD56AD6C
SHA-256:	075D40C9F02371052520077EAEB382B5AA5458D057AD3DC5E55C85F68851A075
SHA-512:	205815755A034C4E5A5D350D0E6037ED84642BD4F756EEE05CE97340A1A6DB889C517FDEA8CD5D5A435B0D06686D76BEC76E307E5243C11BB03D92C4C26DAD71
Malicious:	false
Preview:	regfS...S...p.\..,.................. .... ......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm"...T...............................................................................................................................................................................................................................................................................................................................................66..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	3.051704849069228
Encrypted:	false
SSDEEP:	384:7L15K5JojaM1gnVVeeDzego1NKZtjYovelNZpuC9fWelNZpu9:HLK4g/eeDzezNYtjpyZpuIfWyZpu
MD5:	98373C9EC6F65482DCB9C76B13E31DC1
SHA1:	A049C825E743EEBBF45E1A0D948A9A1036566453
SHA-256:	D22C4525820E9DEFD88542F6FEB86ADBBB4749468A7866914795A9AB93E23B52
SHA-512:	00E8A613CEDBC3DF85CF39285E410D45DF8B9A1CD9E29FDB2DC0791172D6EB43D84BC78CABF44E541D3973771F90F6612891FF9B9A5AAE94A27FEF2DE3AB1D1F
Malicious:	false
Preview:	regfR...R...p.\..,.................. .... ......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm"...T...............................................................................................................................................................................................................................................................................................................................................06..HvLE.>......R.... .......zn>.3]2S..H/..........................hbin................p.\..,..........nk,....T................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ....T....... ........................... .......Z.......................Root........lf......Root....nk ....T................................... ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck.......p...

Static File Info

General

File type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.737928842435983
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	F086.dll
File size:	965185
MD5:	931f3d361902807103b23fa74beb16a2
SHA1:	9ec1f75beaf217246fd8d97fa3d1e591300babb3
SHA256:	5f1a29b7907453a8785d9e6087a85c7bfab6b7fe3955bd645cb37ffdb20409c5
SHA512:	4c8322f125e7b51e0c6375dd1ec14e2c71bbb1972f68afd038013ebba763ba0e41a960fd782b9eb3d8b739f4ab26b129cf9ba3dca9b1a21739a495abb25aaacc
SSDEEP:	24576:D7AkdHt+UnNtqbVotX4Dw/9JGCZdBK/+NYouXFPn/yd4X:DZ8RDwlJGoY7XX
TLSH:	B5258EC0FBD744FAE46718B1B09AB7AFAB3112050138CE76DFA58E09E976B401DDB245
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....0d...........#...'.....................................................0 .....{.....@... .........................hC.

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x10001390
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6430AE80 [Sat Apr 8 00:00:00 2023 UTC]
TLS Callbacks:	0x10090cc0, 0x10090c70, 0x100a1c60
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ac404a1028e7ce450416867d9b3974cc

Entrypoint Preview

Instruction
sub esp, 0Ch
mov dword ptr [101D86FCh], 00000000h
mov ecx, dword ptr [esp+18h]
mov edx, dword ptr [esp+14h]
mov eax, dword ptr [esp+10h]
call 00007EFE95489787h
add esp, 0Ch
retn 000Ch
lea esi, dword ptr [esi+00000000h]
lea esi, dword ptr [esi+00h]
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], 100C9000h
mov dword ptr [esp+04h], eax
call 00007EFE9552871Eh
add esp, 1Ch
ret
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
sub esp, 18h
mov dword ptr [esp], 10001400h
call 00007EFE95489903h
leave
ret
lea esi, dword ptr [esi+00000000h]
lea esi, dword ptr [esi+00h]
nop
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
push edi
push esi
push ebx
mov edx, dword ptr [esp+14h]
mov esi, dword ptr [esp+1Ch]
mov edi, dword ptr [esp+18h]
movzx ebx, dx
shr edx, 10h
test esi, esi
je 00007EFE954899B8h
nop
cmp esi, 04h
jbe 00007EFE95489972h
lea esi, dword ptr [esi+00000000h]
lea esi, dword ptr [esi+00h]
movzx eax, byte ptr [edi]
add edi, 04h
sub esi, 04h
movzx ebp, byte ptr [edi-03h]
movzx ecx, byte ptr [edi-02h]
add eax, ebx
movzx ebx, byte ptr [edi-01h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x1da000	0x4368	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1df000	0x1388	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1e3000	0x378	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1e4000	0x4128	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc61e4	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1df328	0x2c4	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xab124	0xab200	False	0.4480831126734843	data	6.432110661692397	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xad000	0x100	0x200	False	0.28125	Matlab v4 mat-file (little endian) \377\377\377\377 , text, rows 4294967295, columns 4294967295, imaginary	2.102897197014083	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xae000	0x1a624	0x1a800	False	0.3911224941037736	data	5.329684115990636	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0xc9000	0x110264	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x1da000	0x4368	0x4400	False	0.4040670955882353	data	5.488698281853443	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0x1df000	0x1388	0x1400	False	0.3810546875	data	5.386273709762828	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x1e1000	0x30	0x200	False	0.060546875	data	0.25451054171027127	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x1e2000	0x8	0x200	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1e3000	0x1a64e	0x1b000	False	0.9544722945601852	data	7.904997942181886	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x1fe000	0x4128	0x4200	False	0.7178030303030303	data	6.590473987933104	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x1e3058	0x31c	data	English	United States

Imports

DLL	Import
bcrypt.dll	BCryptCloseAlgorithmProvider, BCryptGenRandom, BCryptOpenAlgorithmProvider
KERNEL32.dll	AcquireSRWLockExclusive, AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateFileMappingA, CreateMutexA, CreateSemaphoreA, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, FileTimeToSystemTime, FreeLibrary, GetConsoleMode, GetConsoleScreenBufferInfo, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetFullPathNameW, GetHandleInformation, GetLastError, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetProcessAffinityMask, GetProcessTimes, GetStdHandle, GetSystemDirectoryW, GetSystemTimeAdjustment, GetSystemTimeAsFileTime, GetThreadContext, GetThreadPriority, GetThreadTimes, GetTickCount64, GetTimeZoneInformation, InitOnceBeginInitialize, InitOnceComplete, InitializeConditionVariable, InitializeCriticalSection, InitializeSRWLock, IsDBCSLeadByteEx, IsDebuggerPresent, LeaveCriticalSection, LoadLibraryA, LoadLibraryExA, LoadLibraryExW, MapViewOfFile, MultiByteToWideChar, OpenProcess, OutputDebugStringA, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, ReleaseMutex, ReleaseSRWLockExclusive, ReleaseSemaphore, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, SetConsoleTextAttribute, SetEvent, SetLastError, SetProcessAffinityMask, SetSystemTime, SetThreadContext, SetThreadPriority, Sleep, SleepConditionVariableSRW, SuspendThread, TlsAlloc, TlsGetValue, TlsSetValue, TryEnterCriticalSection, UnmapViewOfFile, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WaitForSingleObjectEx, WakeAllConditionVariable, WakeConditionVariable, WideCharToMultiByte, WriteConsoleW
msvcrt.dll	__mb_cur_max, __setusermatherr, _aligned_free, _aligned_malloc, _aligned_realloc, _amsg_exit, _beginthreadex, _endthreadex, _errno, _fstat64, _get_osfhandle, _gmtime64, _hypot, _initterm, _iob, _localtime64, _lock, _mktime64, _setjmp3, _sopen, _ultoa, _unlock, _wsopen, abort, acos, asin, atan, atoi, bsearch, calloc, clock, cosh, exit, fprintf, fputc, fputs, free, fwrite, getc, getenv, islower, isspace, isupper, isxdigit, localeconv, log10, malloc, memchr, memcmp, memcpy, memmove, memset, printf, rand, realloc, setlocale, sinh, strchr, strcmp, strcpy, strcspn, strerror, strftime, strlen, strncmp, strrchr, strspn, strstr, strtol, strtoul, tan, tanh, tolower, ungetc, vfprintf, wcscat, wcscpy, wcslen, wcsrchr, longjmp, _strdup, _read, _isatty, _fdopen, _close
USER32.dll	GetDesktopWindow

Exports

Name	Ordinal	Address
mv_add_i	1	0x10023c30
mv_add_q	2	0x10035990
mv_add_stable	3	0x10027e10
mv_adler32_update	4	0x10001410
mv_aes_alloc	5	0x10001bd0
mv_aes_crypt	6	0x10001bf0
mv_aes_ctr_alloc	7	0x100022f0
mv_aes_ctr_crypt	8	0x10002480
mv_aes_ctr_free	9	0x10002420
mv_aes_ctr_get_iv	10	0x10002370
mv_aes_ctr_increment_iv	11	0x10002430
mv_aes_ctr_init	12	0x100023c0
mv_aes_ctr_set_full_iv	13	0x10002340
mv_aes_ctr_set_iv	14	0x10002310
mv_aes_ctr_set_random_iv	15	0x10002380
mv_aes_init	16	0x10001c10
mv_aes_size	17	0x100ae00c
mv_append_path_component	18	0x10006eb0
mv_asprintf	19	0x10006850
mv_assert0_fpu	20	0x1008cfa0
mv_audio_fifo_alloc	21	0x10002670
mv_audio_fifo_drain	22	0x10002af0
mv_audio_fifo_free	23	0x10002610
mv_audio_fifo_peek	24	0x10002900
mv_audio_fifo_peek_at	25	0x10002990
mv_audio_fifo_read	26	0x10002a40
mv_audio_fifo_realloc	27	0x100027b0
mv_audio_fifo_reset	28	0x10002b70
mv_audio_fifo_size	29	0x10002bb0
mv_audio_fifo_space	30	0x10002bc0
mv_audio_fifo_write	31	0x10002850
mv_base64_decode	32	0x100076c0
mv_base64_encode	33	0x100078d0
mv_basename	34	0x10006d70
mv_blowfish_alloc	35	0x10007da0
mv_blowfish_crypt	36	0x100084b0
mv_blowfish_crypt_ecb	37	0x10007dc0
mv_blowfish_init	38	0x100a6ac0
mv_bmg_get	39	0x10024fe0
mv_bprint_append_data	40	0x10008f30
mv_bprint_channel_layout	41	0x1000c9f0
mv_bprint_chars	42	0x10008d20
mv_bprint_clear	43	0x10009670
mv_bprint_escape	44	0x10009730
mv_bprint_finalize	45	0x10009690
mv_bprint_get_buffer	46	0x10009500
mv_bprint_init	47	0x10008880
mv_bprint_init_for_buffer	48	0x100089a0
mv_bprint_strftime	49	0x10009130
mv_bprintf	50	0x100089c0
mv_buffer_alloc	51	0x10009dc0
mv_buffer_allocz	52	0x10009ef0
mv_buffer_create	53	0x10009e60
mv_buffer_default_free	54	0x10009d10
mv_buffer_get_opaque	55	0x1000a090
mv_buffer_get_ref_count	56	0x1000a0a0
mv_buffer_is_writable	57	0x1000a070
mv_buffer_make_writable	58	0x1000a0b0
mv_buffer_pool_buffer_get_opaque	59	0x1000a9b0
mv_buffer_pool_get	60	0x1000a720
mv_buffer_pool_init	61	0x1000a5f0
mv_buffer_pool_init2	62	0x1000a590
mv_buffer_pool_uninit	63	0x1000a650
mv_buffer_realloc	64	0x1000a1d0
mv_buffer_ref	65	0x10009fc0
mv_buffer_replace	66	0x1000a480
mv_buffer_unref	67	0x1000a000
mv_calloc	68	0x100291f0
mv_camellia_alloc	69	0x1000b0b0
mv_camellia_crypt	70	0x1000b0d0
mv_camellia_init	71	0x100a6c8e
mv_camellia_size	72	0x100af650
mv_cast5_alloc	73	0x1000c090
mv_cast5_crypt	74	0x1000c1b0
mv_cast5_crypt2	75	0x1000c0b0
mv_cast5_init	76	0x100a7a6e
mv_cast5_size	77	0x100b1a60
mv_channel_description	78	0x1000c470
mv_channel_description_bprint	79	0x1000c3c0
mv_channel_from_string	80	0x1000c560
mv_channel_layout_channel_from_index	81	0x1000dc10
mv_channel_layout_channel_from_string	82	0x1000eac0
mv_channel_layout_check	83	0x1000ec10
mv_channel_layout_compare	84	0x1000edb0
mv_channel_layout_copy	85	0x1000d340
mv_channel_layout_default	86	0x1000eff0
mv_channel_layout_describe	87	0x1000dba0
mv_channel_layout_describe_bprint	88	0x1000d4d0
mv_channel_layout_extract_channel	89	0x1000d060
mv_channel_layout_from_mask	90	0x1000d1b0
mv_channel_layout_from_string	91	0x1000dd40
mv_channel_layout_index_from_channel	92	0x1000e760
mv_channel_layout_index_from_string	93	0x1000e950
mv_channel_layout_standard	94	0x1000f050
mv_channel_layout_subset	95	0x1000f080
mv_channel_layout_uninit	96	0x1000d270
mv_channel_name	97	0x1000c2d0
mv_channel_name_bprint	98	0x1000c220
mv_chroma_location_enum_to_pos	99	0x10034f30
mv_chroma_location_from_name	100	0x10034ee0
mv_chroma_location_name	101	0x10034ec0
mv_chroma_location_pos_to_enum	102	0x10034f70
mv_cmp_i	103	0x10024200
mv_color_primaries_from_name	104	0x10034d90
mv_color_primaries_name	105	0x10034d70
mv_color_range_from_name	106	0x10034d20
mv_color_range_name	107	0x10034d00
mv_color_space_from_name	108	0x10034e70
mv_color_space_name	109	0x10034e50
mv_color_transfer_from_name	110	0x10034e00
mv_color_transfer_name	111	0x10034de0
mv_compare_mod	112	0x100279f0
mv_compare_ts	113	0x10027830
mv_content_light_metadata_alloc	114	0x10027020
mv_content_light_metadata_create_side_data	115	0x10027050
mv_cpu_count	116	0x1000f8f0
mv_cpu_force_count	117	0x1000f9e0
mv_cpu_max_align	118	0x1000f9f0
mv_crc	119	0x100101d0
mv_crc_get_table	120	0x1000fdb0
mv_crc_init	121	0x1000fbc0
mv_csp_luma_coeffs_from_avcsp	122	0x100102b0
mv_csp_primaries_desc_from_id	123	0x100102f0
mv_csp_primaries_id_from_desc	124	0x10010320
mv_d2q	125	0x10035aa0
mv_d2str	126	0x100068e0
mv_default_get_category	127	0x10026240
mv_default_item_name	128	0x10026230
mv_des_alloc	129	0x10010d80
mv_des_crypt	130	0x10010e40
mv_des_init	131	0x10010da0
mv_des_mac	132	0x10010e90
mv_detection_bbox_alloc	133	0x10010ee0
mv_detection_bbox_create_side_data	134	0x10010f70
mv_dict_copy	135	0x10011d20
mv_dict_count	136	0x10011070
mv_dict_free	137	0x10011cc0
mv_dict_get	138	0x100110d0
mv_dict_get_string	139	0x100121a0
mv_dict_iterate	140	0x10011090
mv_dict_parse_string	141	0x100118c0
mv_dict_set	142	0x10011210
mv_dict_set_int	143	0x10011560
mv_dirname	144	0x10006e10
mv_display_matrix_flip	145	0x100126f0
mv_display_rotation_get	146	0x10012470
mv_display_rotation_set	147	0x100125c0
mv_div_i	148	0x10024ef0
mv_div_q	149	0x10035920
mv_dovi_alloc	150	0x10012780
mv_dovi_metadata_alloc	151	0x100127b0
mv_downmix_info_update_side_data	152	0x10012800
mv_dynamic_hdr_plus_alloc	153	0x1001d0a0
mv_dynamic_hdr_plus_create_side_data	154	0x1001d0d0
mv_dynamic_hdr_vivid_alloc	155	0x1001d130
mv_dynamic_hdr_vivid_create_side_data	156	0x1001d160
mv_dynarray2_add	157	0x100296f0
mv_dynarray_add	158	0x10029620
mv_dynarray_add_nofree	159	0x10029560
mv_encryption_info_add_side_data	160	0x10012f30
mv_encryption_info_alloc	161	0x10012a70
mv_encryption_info_clone	162	0x10012b40
mv_encryption_info_free	163	0x10012cf0
mv_encryption_info_get_side_data	164	0x10012d40
mv_encryption_init_info_add_side_data	165	0x10013860
mv_encryption_init_info_alloc	166	0x10013100
mv_encryption_init_info_free	167	0x100132d0
mv_encryption_init_info_get_side_data	168	0x10013480
mv_escape	169	0x10007050
mv_expr_count_func	170	0x100176e0
mv_expr_count_vars	171	0x10017650
mv_expr_eval	172	0x100177a0
mv_expr_free	173	0x10015280
mv_expr_parse	174	0x10017110
mv_expr_parse_and_eval	175	0x100177f0
mv_fast_malloc	176	0x10029d10
mv_fast_mallocz	177	0x10029df0
mv_fast_realloc	178	0x10029c60
mv_fifo_alloc	179	0x10018a20
mv_fifo_alloc2	180	0x10017e40
mv_fifo_alloc_array	181	0x10018990
mv_fifo_auto_grow_limit	182	0x10017ef0
mv_fifo_can_read	183	0x10017f10
mv_fifo_can_write	184	0x10017f40
mv_fifo_drain	185	0x100192b0
mv_fifo_drain2	186	0x100188c0
mv_fifo_elem_size	187	0x10017f00
mv_fifo_free	188	0x10018aa0
mv_fifo_freep	189	0x10018ae0
mv_fifo_freep2	190	0x10018950
mv_fifo_generic_peek	191	0x10019120
mv_fifo_generic_peek_at	192	0x10018fc0
mv_fifo_generic_read	193	0x10019160
mv_fifo_generic_write	194	0x10018e70
mv_fifo_grow	195	0x10018ce0
mv_fifo_grow2	196	0x10017f70
mv_fifo_peek	197	0x10018760
mv_fifo_peek_to_cb	198	0x100188a0
mv_fifo_read	199	0x10018500
mv_fifo_read_to_cb	200	0x100186c0
mv_fifo_realloc2	201	0x10018b70
mv_fifo_reset	202	0x10018b20
mv_fifo_reset2	203	0x10018930
mv_fifo_size	204	0x10018b40
mv_fifo_space	205	0x10018b50
mv_fifo_write	206	0x100180f0
mv_fifo_write_from_cb	207	0x100182a0
mv_file_map	208	0x100192e0
mv_file_unmap	209	0x10019570
mv_film_grain_params_alloc	210	0x10019b60
mv_film_grain_params_create_side_data	211	0x10019b90
mv_find_best_pix_fmt_of_2	212	0x10034a40
mv_find_info_tag	213	0x10032410
mv_find_nearest_q_idx	214	0x10035e60
mv_fopen_utf8	215	0x10019b50
mv_force_cpu_flags	216	0x1000f820
mv_fourcc_make_string	217	0x1008ced0
mv_frame_alloc	218	0x1001ac40
mv_frame_apply_cropping	219	0x1001c490
mv_frame_clone	220	0x1001c050
mv_frame_copy	221	0x1001b8d0
mv_frame_copy_props	222	0x1001b550
mv_frame_free	223	0x1001adb0
mv_frame_get_buffer	224	0x1001adf0
mv_frame_get_plane_buffer	225	0x1001b570
mv_frame_get_side_data	226	0x1001b890
mv_frame_is_writable	227	0x1001b4b0
mv_frame_make_writable	228	0x1001c210
mv_frame_move_ref	229	0x1001b320
mv_frame_new_side_data	230	0x1001b7e0
mv_frame_new_side_data_from_buf	231	0x1001b750
mv_frame_ref	232	0x1001bc40
mv_frame_remove_side_data	233	0x1001c3e0
mv_frame_side_data_name	234	0x1001c470
mv_frame_unref	235	0x1001b300
mv_free	236	0x100290d0
mv_freep	237	0x100290e0
mv_gcd	238	0x10027090
mv_gcd_q	239	0x100362f0
mv_get_alt_sample_fmt	240	0x1003c9f0
mv_get_bits_per_pixel	241	0x100345a0
mv_get_bytes_per_sample	242	0x1003cb50
mv_get_channel_description	243	0x1000cf80
mv_get_channel_layout	244	0x1000c640
mv_get_channel_layout_channel_index	245	0x1000cd50
mv_get_channel_layout_nb_channels	246	0x1000cc80
mv_get_channel_layout_string	247	0x1000cbf0
mv_get_channel_name	248	0x1000cea0
mv_get_colorspace_name	249	0x1001ac20
mv_get_cpu_flags	250	0x1000f880
mv_get_default_channel_layout	251	0x1000cd10
mv_get_extended_channel_layout	252	0x1000c8f0
mv_get_known_color_name	253	0x10031760
mv_get_media_type_string	254	0x1008cd60
mv_get_packed_sample_fmt	255	0x1003ca30
mv_get_padded_bits_per_pixel	256	0x100345f0
mv_get_picture_type_char	257	0x1008cd80
mv_get_pix_fmt	258	0x10034480
mv_get_pix_fmt_loss	259	0x10034a10
mv_get_pix_fmt_name	260	0x10034450
mv_get_pix_fmt_string	261	0x100346a0
mv_get_planar_sample_fmt	262	0x1003ca70
mv_get_random_seed	263	0x10035030
mv_get_sample_fmt	264	0x1003c860
mv_get_sample_fmt_name	265	0x1003c840
mv_get_sample_fmt_string	266	0x1003caa0
mv_get_standard_channel_layout	267	0x1000d150
mv_get_time_base_q	268	0x1008cf90
mv_get_token	269	0x10006940
mv_gettime	270	0x1004dbb0
mv_gettime_relative	271	0x1004dbf0
mv_gettime_relative_is_monotonic	272	0x1004dc60
mv_hash_alloc	273	0x1001c790
mv_hash_final	274	0x1001cb30
mv_hash_final_b64	275	0x1001ce80
mv_hash_final_bin	276	0x1001cbc0
mv_hash_final_hex	277	0x1001ce00
mv_hash_freep	278	0x1001d070
mv_hash_get_name	279	0x1001c770
mv_hash_get_size	280	0x1001c780
mv_hash_init	281	0x1001c870
mv_hash_names	282	0x1001c750
mv_hash_update	283	0x1001ca10
mv_hmac_alloc	284	0x1001d220
mv_hmac_calc	285	0x1001d720
mv_hmac_final	286	0x1001d5a0
mv_hmac_free	287	0x1001d3a0
mv_hmac_init	288	0x1001d3e0
mv_hmac_update	289	0x1001d590
mv_hwdevice_ctx_alloc	290	0x1001d9d0
mv_hwdevice_ctx_create	291	0x1001e0b0
mv_hwdevice_ctx_create_derived	292	0x1001e320
mv_hwdevice_ctx_create_derived_opts	293	0x1001e190
mv_hwdevice_ctx_init	294	0x1001db30
mv_hwdevice_find_type_by_name	295	0x1001d920
mv_hwdevice_get_hwframe_constraints	296	0x1001dfd0
mv_hwdevice_get_type_name	297	0x1001d970
mv_hwdevice_hwconfig_alloc	298	0x1001dfa0
mv_hwdevice_iterate_types	299	0x1001d990
mv_hwframe_constraints_free	300	0x1001e070
mv_hwframe_ctx_alloc	301	0x1008d450
mv_hwframe_ctx_create_derived	302	0x1001ea30
mv_hwframe_ctx_init	303	0x1001e7f0
mv_hwframe_get_buffer	304	0x1001e690
mv_hwframe_map	305	0x1001e450
mv_hwframe_transfer_data	306	0x1001dd70
mv_hwframe_transfer_get_formats	307	0x1001dd40
mv_i2int	308	0x10024fb0
mv_image_alloc	309	0x10021d20
mv_image_check_sar	310	0x100222b0
mv_image_check_size	311	0x100221c0
mv_image_check_size2	312	0x10022070
mv_image_copy	313	0x10022610
mv_image_copy_plane	314	0x100224f0
mv_image_copy_plane_uc_from	315	0x10022390
mv_image_copy_to_buffer	316	0x10023350
mv_image_copy_uc_from	317	0x10022af0
mv_image_fill_arrays	318	0x10022fe0
mv_image_fill_black	319	0x10023620
mv_image_fill_linesizes	320	0x100215d0
mv_image_fill_max_pixsteps	321	0x10021380
mv_image_fill_plane_sizes	322	0x100219b0
mv_image_fill_pointers	323	0x10021af0
mv_image_get_buffer_size	324	0x10023180
mv_image_get_linesize	325	0x10021480
mv_int2i	326	0x10024f80
mv_int_list_length_for_size	327	0x1008cda0
mv_lfg_init	328	0x100a7ee0
mv_lfg_init_from_data	329	0x10025100
mv_log	330	0x10026560
mv_log2	331	0x10024fc0
mv_log2_16bit	332	0x10024fd0
mv_log2_i	333	0x10023dd0
mv_log_default_callback	334	0x10025b10
mv_log_format_line	335	0x10026550
mv_log_format_line2	336	0x10026250
mv_log_get_flags	337	0x10026710
mv_log_get_level	338	0x100266e0
mv_log_once	339	0x100265d0
mv_log_set_callback	340	0x10026720
mv_log_set_flags	341	0x10026700
mv_log_set_level	342	0x100266f0
mv_lzo1x_decode	343	0x10026870
mv_malloc	344	0x10028d50
mv_malloc_array	345	0x10028ec0
mv_mallocz	346	0x10029100
mv_mallocz_array	347	0x10028f20
mv_mastering_display_metadata_alloc	348	0x10026f40
mv_mastering_display_metadata_create_side_data	349	0x10026f60
mv_match_list	350	0x100075a0
mv_match_name	351	0x10007100
mv_max_alloc	352	0x10028d40
mv_md5_alloc	353	0x10028790
mv_md5_final	354	0x100289f0
mv_md5_init	355	0x100287b0
mv_md5_size	356	0x100b7208
mv_md5_sum	357	0x10028b00
mv_md5_update	358	0x100287e0
mv_memcpy_backptr	359	0x10029830
mv_memdup	360	0x100294a0
mv_mod_i	361	0x100243c0
mv_mul_i	362	0x10023e60
mv_mul_q	363	0x100358c0
mv_murmur3_alloc	364	0x10029fc0
mv_murmur3_final	365	0x1002a800
mv_murmur3_init	366	0x1002a0d0
mv_murmur3_init_seeded	367	0x10029fe0
mv_murmur3_update	368	0x1002a1b0
mv_nearer_q	369	0x10035ca0
mv_opt_child_class_iterate	370	0x100303a0
mv_opt_child_next	371	0x10030380
mv_opt_copy	372	0x10030430
mv_opt_eval_double	373	0x1002f620
mv_opt_eval_flags	374	0x1002f520
mv_opt_eval_float	375	0x1002f5e0
mv_opt_eval_int	376	0x1002f560
mv_opt_eval_int64	377	0x1002f5a0
mv_opt_eval_q	378	0x1002f660
mv_opt_find	379	0x1002ee70
mv_opt_find2	380	0x1002ec60
mv_opt_flag_is_set	381	0x100302d0
mv_opt_free	382	0x1002ebd0
mv_opt_freep_ranges	383	0x10030760
mv_opt_get	384	0x1002d870
mv_opt_get_channel_layout	385	0x1002e4c0
mv_opt_get_chlayout	386	0x1002e550
mv_opt_get_dict_val	387	0x1002e5e0
mv_opt_get_double	388	0x1002df00
mv_opt_get_image_size	389	0x1002e1a0
mv_opt_get_int	390	0x1002dd90
mv_opt_get_key_value	391	0x1002ea50
mv_opt_get_pixel_fmt	392	0x1002e3c0
mv_opt_get_q	393	0x1002e010
mv_opt_get_sample_fmt	394	0x1002e440
mv_opt_get_video_rate	395	0x1002e230
mv_opt_is_set_to_default	396	0x10030800
mv_opt_is_set_to_default_by_name	397	0x10030d80
mv_opt_next	398	0x1002c760
mv_opt_ptr	399	0x100303c0
mv_opt_query_ranges	400	0x10030700
mv_opt_query_ranges_default	401	0x1002b9f0
mv_opt_serialize	402	0x10030dd0
mv_opt_set	403	0x1002f6a0
mv_opt_set_bin	404	0x1002cfc0
mv_opt_set_channel_layout	405	0x1002d730
mv_opt_set_chlayout	406	0x1002d820
mv_opt_set_defaults	407	0x1002ea30
mv_opt_set_defaults2	408	0x1002e6b0
mv_opt_set_dict	409	0x100302a0
mv_opt_set_dict2	410	0x10030180
mv_opt_set_dict_val	411	0x1002d7b0
mv_opt_set_double	412	0x1002c9d0
mv_opt_set_from_string	413	0x1002ff20
mv_opt_set_image_size	414	0x1002d120
mv_opt_set_int	415	0x1002c7b0
mv_opt_set_pixel_fmt	416	0x1002d510
mv_opt_set_q	417	0x1002ccc0
mv_opt_set_sample_fmt	418	0x1002d620
mv_opt_set_video_rate	419	0x1002d1e0
mv_opt_show2	420	0x1002e640
mv_parse_color	421	0x10031420
mv_parse_cpu_caps	422	0x1000f8b0
mv_parse_ratio	423	0x100310f0
mv_parse_time	424	0x10031c30
mv_parse_video_rate	425	0x100312c0
mv_parse_video_size	426	0x10031200
mv_pix_fmt_count_planes	427	0x10034870
mv_pix_fmt_desc_get	428	0x10034790
mv_pix_fmt_desc_get_id	429	0x10034800
mv_pix_fmt_desc_next	430	0x100347c0
mv_pix_fmt_get_chroma_sub_sample	431	0x10034830
mv_pix_fmt_swap_endianness	432	0x10034920
mv_pixelutils_get_sad_fn	433	0x10035000
mv_q2intfloat	434	0x10036090
mv_rc4_alloc	435	0x100363e0
mv_rc4_crypt	436	0x100364e0
mv_rc4_init	437	0x10036400
mv_read_image_line	438	0x100339c0
mv_read_image_line2	439	0x10033270
mv_realloc	440	0x10028da0
mv_realloc_array	441	0x10029010
mv_realloc_f	442	0x10028de0
mv_reallocp	443	0x10028e40
mv_reallocp_array	444	0x10029050
mv_reduce	445	0x100353b0
mv_rescale	446	0x10027760
mv_rescale_delta	447	0x10027a80
mv_rescale_q	448	0x100277e0
mv_rescale_q_rnd	449	0x100277b0
mv_rescale_rnd	450	0x10027220
mv_ripemd_alloc	451	0x1003c470
mv_ripemd_final	452	0x1003c6e0
mv_ripemd_init	453	0x100a7f8c
mv_ripemd_size	454	0x100bf9a4
mv_ripemd_update	455	0x1003c490
mv_sample_fmt_is_planar	456	0x1003cb70
mv_samples_alloc	457	0x1003ce40
mv_samples_alloc_array_and_samples	458	0x1003d010
mv_samples_copy	459	0x1003d270
mv_samples_fill_arrays	460	0x1003ccd0
mv_samples_get_buffer_size	461	0x1003cb90
mv_samples_set_silence	462	0x1003d450
mv_set_options_string	463	0x1002fd50
mv_sha512_alloc	464	0x1004c260
mv_sha512_final	465	0x1004c4c0
mv_sha512_init	466	0x100a81b0
mv_sha512_size	467	0x100bfaec
mv_sha512_update	468	0x1004c280
mv_sha_alloc	469	0x100411a0
mv_sha_final	470	0x10041410
mv_sha_init	471	0x100a80b4
mv_sha_size	472	0x100bfae4
mv_sha_update	473	0x100411c0
mv_shr_i	474	0x10024280
mv_size_mult	475	0x10029fa0
mv_small_strptime	476	0x10031790
mv_spherical_alloc	477	0x1004d120
mv_spherical_from_name	478	0x1004d280
mv_spherical_projection_name	479	0x1004d260
mv_spherical_tile_bounds	480	0x1004d150
mv_sscanf	481	0x10002f80
mv_stereo3d_alloc	482	0x1004d2d0
mv_stereo3d_create_side_data	483	0x1004d2f0
mv_stereo3d_from_name	484	0x1004d360
mv_stereo3d_type_name	485	0x1004d340
mv_strcasecmp	486	0x10006b30
mv_strdup	487	0x100292e0
mv_strerror	488	0x10013b30
mv_strireplace	489	0x10006bf0
mv_stristart	490	0x10006580
mv_stristr	491	0x100065f0
mv_strlcat	492	0x10006750
mv_strlcatf	493	0x100067f0
mv_strlcpy	494	0x100066e0
mv_strncasecmp	495	0x10006b80
mv_strndup	496	0x100293b0
mv_strnstr	497	0x10006660
mv_strstart	498	0x10006530
mv_strtod	499	0x100150e0
mv_strtok	500	0x10006aa0
mv_sub_i	501	0x10023d00
mv_sub_q	502	0x10035a10
mv_tea_alloc	503	0x1004d460
mv_tea_crypt	504	0x1004d4b0
mv_tea_init	505	0x1004d480
mv_tea_size	506	0x100bfc60
mv_tempfile	507	0x100195a0
mv_thread_message_flush	508	0x1004db40
mv_thread_message_queue_alloc	509	0x1004d700
mv_thread_message_queue_free	510	0x1004d7d0
mv_thread_message_queue_nb_elems	511	0x1004d880
mv_thread_message_queue_recv	512	0x1004d9b0
mv_thread_message_queue_send	513	0x1004d8d0
mv_thread_message_queue_set_err_recv	514	0x1004daf0
mv_thread_message_queue_set_err_send	515	0x1004daa0
mv_thread_message_queue_set_free_func	516	0x1004d7c0
mv_timecode_adjust_ntsc_framenum2	517	0x1004dd30
mv_timecode_check_frame_rate	518	0x1004e8c0
mv_timecode_get_smpte	519	0x1004e080
mv_timecode_get_smpte_from_framenum	520	0x1004ddd0
mv_timecode_init	521	0x1004e930
mv_timecode_init_from_components	522	0x1004ea50
mv_timecode_init_from_string	523	0x1004ec80
mv_timecode_make_mpeg_tc_string	524	0x1004e850
mv_timecode_make_smpte_tc_string	525	0x1004e720
mv_timecode_make_smpte_tc_string2	526	0x1004e520
mv_timecode_make_string	527	0x1004e270
mv_timegm	528	0x10031b50
mv_tree_destroy	529	0x1004f8f0
mv_tree_enumerate	530	0x1004fad0
mv_tree_find	531	0x1004ef60
mv_tree_insert	532	0x1004f020
mv_tree_node_alloc	533	0x1004ef40
mv_tree_node_size	534	0x100bfd80
mv_twofish_alloc	535	0x10050090
mv_twofish_crypt	536	0x100500b0
mv_twofish_init	537	0x100a8637
mv_twofish_size	538	0x100bfda0
mv_tx_init	539	0x100a9843
mv_tx_uninit	540	0x100a8f2b
mv_usleep	541	0x1004dc70
mv_utf8_decode	542	0x10007270
mv_util_ffversion	543	0x100c3fa0
mv_uuid_parse	544	0x1008d110
mv_uuid_parse_range	545	0x1008cff0
mv_uuid_unparse	546	0x1008d160
mv_uuid_urn_parse	547	0x1008d3e0
mv_vbprintf	548	0x10008b70
mv_version_info	549	0x1008d440
mv_video_enc_params_alloc	550	0x1008d480
mv_video_enc_params_create_side_data	551	0x1008d500
mv_vk_frame_alloc	552	0x10021370
mv_vkfmt_from_pixfmt	553	0x10021360
mv_vlog	554	0x10026650
mv_write_image_line	555	0x10034210
mv_write_image_line2	556	0x10033e70
mv_xtea_alloc	557	0x10090760
mv_xtea_crypt	558	0x100907d0
mv_xtea_init	559	0x10090780
mv_xtea_le_crypt	560	0x10090910
mv_xtea_le_init	561	0x100907b0
mvpriv_alloc_fixed_dsp	562	0x10019fa0
mvpriv_cga_font	563	0x100c59e0
mvpriv_dict_set_timestamp	564	0x10012370
mvpriv_float_dsp_alloc	565	0x100a7b20
mvpriv_fopen_utf8	566	0x10019a90
mvpriv_get_gamma_from_trc	567	0x1000f7d0
mvpriv_get_trc_function_from_trc	568	0x1000f800
mvpriv_init_lls	569	0x100a7f58
mvpriv_open	570	0x100195e0
mvpriv_report_missing_feature	571	0x100267e0
mvpriv_request_sample	572	0x10026730
mvpriv_scalarproduct_float_c	573	0x1001a2e0
mvpriv_set_systematic_pal2	574	0x10021bf0
mvpriv_slicethread_create	575	0x1004ce50
mvpriv_slicethread_execute	576	0x1004cb50
mvpriv_slicethread_free	577	0x1004cd20
mvpriv_solve_lls	578	0x10025270
mvpriv_tempfile	579	0x10019970
mvpriv_vga16_font	580	0x100c49e0
mvutil_configuration	581	0x1008d460
mvutil_license	582	0x1008d470
next	583	0x1001db90

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	02:14:00
Start date:	31/05/2023
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\F086.dll"
Imagebase:	0xd30000
File size:	126464 bytes
MD5 hash:	3B4636AE519868037940CA5C4272091B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: conhost.exePID: 3620, Parent PID: 3100

General

Target ID:	1
Start time:	02:14:00
Start date:	31/05/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exePID: 1388, Parent PID: 3100

General

Target ID:	2
Start time:	02:14:00
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\F086.dll",#1
Imagebase:	0xd90000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exePID: 3688, Parent PID: 3100

General

Target ID:	3
Start time:	02:14:00
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\F086.dll,mv_add_i
Imagebase:	0x11c0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exePID: 3996, Parent PID: 1388

General

Target ID:	4
Start time:	02:14:00
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\F086.dll",#1
Imagebase:	0x11c0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: WerFault.exePID: 4936, Parent PID: 3688

General

Target ID:	8
Start time:	02:14:00
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 652
Imagebase:	0xea0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: WerFault.exePID: 4112, Parent PID: 3996

General

Target ID:	9
Start time:	02:14:00
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 668
Imagebase:	0xea0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exePID: 6648, Parent PID: 3100

General

Target ID:	11
Start time:	02:14:03
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\F086.dll,mv_add_q
Imagebase:	0x11c0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exePID: 6980, Parent PID: 3100

General

Target ID:	13
Start time:	02:14:06
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\F086.dll,mv_add_stable
Imagebase:	0x11c0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: WerFault.exePID: 7004, Parent PID: 6980

General

Target ID:	16
Start time:	02:14:07
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6980 -s 652
Imagebase:	0xea0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exePID: 7052, Parent PID: 3100

General

Target ID:	17
Start time:	02:14:09
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\F086.dll",mv_add_i
Imagebase:	0x11c0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exePID: 7104, Parent PID: 3100

General

Target ID:	18
Start time:	02:14:09
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\F086.dll",mv_add_q
Imagebase:	0x11c0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exePID: 4948, Parent PID: 3100

General

Target ID:	20
Start time:	02:14:09
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\F086.dll",mv_add_stable
Imagebase:	0x11c0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exePID: 6836, Parent PID: 3100

General

Target ID:	21
Start time:	02:14:09
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\F086.dll",next
Imagebase:	0x11c0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000015.00000002.559780221.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000015.00000002.559899165.0000000004780000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security

Analysis Process: rundll32.exePID: 4716, Parent PID: 3100

General

Target ID:	23
Start time:	02:14:10
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\F086.dll",mvutil_license
Imagebase:	0x11c0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exePID: 4104, Parent PID: 3100

General

Target ID:	24
Start time:	02:14:10
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\F086.dll",mvutil_configuration
Imagebase:	0x11c0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: WerFault.exePID: 5116, Parent PID: 7052

General

Target ID:	25
Start time:	02:14:10
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7052 -s 652
Imagebase:	0xea0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: wermgr.exePID: 6964, Parent PID: 6836

General

Target ID:	26
Start time:	02:14:14
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\wermgr.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\wermgr.exe
Imagebase:	0x1390000
File size:	191904 bytes
MD5 hash:	CCF15E662ED5CE77B5FF1A7AAE305233
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

⊘No disassembly

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report F086.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Qbot

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_92f46c7f299346a6ffcb64477668158ac3e1de1_82810a17_1b34096c\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_e81cd1d5139fff9fe89f63caf8b194b6696e72da_82810a17_1077f69f\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_e81cd1d5139fff9fe89f63caf8b194b6696e72da_82810a17_132ff69f\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_e81cd1d5139fff9fe89f63caf8b194b6696e72da_82810a17_1394167c\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER10EE.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1246.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER12A5.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2E4.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER47B.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4DA.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERED39.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERED68.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREE92.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREED0.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREF2F.tmp.xml

Windows Analysis Report
F086.dll