Edit tour

Windows Analysis Report
batteryacid.dat.dll

Overview

General Information

Sample Name:	batteryacid.dat.dll
Analysis ID:	882879
MD5:	179d4849f8d096122d05de3c7bebb4bd
SHA1:	ee3ead69ec6801721cde4ca6480f30ecff948c08
SHA256:	2f6ae770a5d56ed8a2cfe262e196363b5c80e58468c66ff36cdf9c75306c2c55
Tags:	dll
Infos:

Detection

Qbot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Qbot

Multi AV Scanner detection for submitted file

Sigma detected: Execute DLL with spoofed extension

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Writes to foreign memory regions

Allocates memory in foreign processes

Injects a PE file into a foreign processes

C2 URLs / IPs found in malware configuration

Sample uses string decryption to hide its real strings

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Found evasive API chain (date check)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Found evasive API chain (may stop execution after checking a module file name)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Creates a DirectInput object (often for capturing keystrokes)

AV process strings found (often used to terminate AV products)

PE file contains an invalid checksum

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Found evasive API chain checking for process token information

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Connects to several IPs in different countries

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 676 cmdline: loaddll32.exe "C:\Users\user\Desktop\batteryacid.dat.dll" MD5: 3B4636AE519868037940CA5C4272091B)

conhost.exe (PID: 5908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 5680 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\batteryacid.dat.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6044 cmdline: rundll32.exe "C:\Users\user\Desktop\batteryacid.dat.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 3112 cmdline: rundll32.exe C:\Users\user\Desktop\batteryacid.dat.dll,l_cmsComputeInterpParams@24 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6064 cmdline: rundll32.exe C:\Users\user\Desktop\batteryacid.dat.dll,l_cmsFloat2Half@4 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 3780 cmdline: rundll32.exe C:\Users\user\Desktop\batteryacid.dat.dll,l_cmsFreeInterpParams@4 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 128 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 812 cmdline: rundll32.exe "C:\Users\user\Desktop\batteryacid.dat.dll",l_cmsComputeInterpParams@24 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5640 cmdline: rundll32.exe "C:\Users\user\Desktop\batteryacid.dat.dll",l_cmsFloat2Half@4 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5692 cmdline: rundll32.exe "C:\Users\user\Desktop\batteryacid.dat.dll",l_cmsFreeInterpParams@4 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 7224 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5692 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 1396 cmdline: rundll32.exe "C:\Users\user\Desktop\batteryacid.dat.dll",next MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

wermgr.exe (PID: 7404 cmdline: C:\Windows\SysWOW64\wermgr.exe MD5: CCF15E662ED5CE77B5FF1A7AAE305233)

rundll32.exe (PID: 1916 cmdline: rundll32.exe "C:\Users\user\Desktop\batteryacid.dat.dll",lmsstrcasecmp MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 7236 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 4364 cmdline: rundll32.exe "C:\Users\user\Desktop\batteryacid.dat.dll",lmsfilelength MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 7244 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
QakBot, qbotQbot	QBot is a modular information stealer also known as Qakbot or Pinkslipbot. It has been active for years since 2007. It has historically been known as a banking Trojan, meaning that it steals financial data from infected systems, and a loader using C2 servers for payload targeting and download.	GOLD CABIN	http://contagiodump.blogspot.com/2010/11/template.html http://www.secureworks.com/research/threat-profiles/gold-lagoon http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf https://0xthreatintel.medium.com/reversing-qakbot-tlp-white-d1b8b37ad8e7 https://asec.ahnlab.com/en/44662/	https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot

Malware Configuration

Threatname: Qbot

{"Bot id": "BB31", "Campaign": "1685959443", "Version": "404.1346", "C2 list": ["77.126.99.230:443", "24.234.220.88:465", "151.62.238.176:443", "85.57.212.13:3389", "199.27.66.213:443", "12.172.173.82:21", "12.172.173.82:50001", "12.172.173.82:465", "105.184.209.117:995", "193.80.73.200:995", "86.208.35.220:2222", "93.187.148.45:995", "37.189.89.196:443", "182.75.189.42:995", "65.95.141.84:2222", "84.216.198.201:6881", "105.102.10.220:443", "124.246.122.199:2222", "83.249.198.100:2222", "1.221.179.74:443", "114.143.176.236:443", "174.58.146.57:443", "12.172.173.82:2087", "73.207.160.219:443", "82.36.36.76:443", "86.173.2.12:2222", "92.98.55.221:2222", "223.166.13.95:995", "103.42.86.42:995", "176.133.4.230:995", "70.49.205.198:2222", "81.229.117.95:2222", "92.20.204.198:2222", "183.87.163.165:443", "147.147.30.126:2222", "184.181.75.148:443", "201.244.108.183:995", "94.59.123.30:2222", "184.182.66.109:443", "64.121.161.102:443", "103.140.174.20:2222", "70.28.50.223:3389", "125.63.121.38:2078", "66.241.183.99:443", "50.68.186.195:443", "89.115.200.234:443", "47.205.25.170:443", "12.172.173.82:993", "2.82.8.80:443", "12.172.173.82:22", "93.187.148.45:443", "70.28.50.223:32100", "79.168.224.165:2222", "121.121.108.120:995", "74.12.146.221:2222", "78.159.146.65:995", "116.74.164.17:443", "59.88.174.146:993", "92.184.102.115:2078", "31.53.29.216:2222", "72.205.104.134:443", "116.120.145.170:995", "217.165.233.122:443", "193.253.100.236:2222", "27.0.48.233:443", "103.123.223.133:443", "37.14.229.220:2222", "75.109.111.89:443", "24.234.220.88:995", "92.239.81.124:443", "12.172.173.82:20", "90.29.86.138:2222", "70.160.67.203:443", "92.9.45.20:2222", "95.45.50.93:2222", "100.4.163.158:2222", "201.143.215.69:443", "213.64.33.92:2222", "75.98.154.19:443", "103.139.242.6:443", "103.141.50.43:995", "178.175.187.254:443", "88.126.94.4:50000", "79.77.142.22:2222", "197.2.173.77:443", "74.14.39.7:2222", "70.28.50.223:2083", "174.4.89.3:443", "213.91.235.146:443", "78.130.215.67:443", "24.234.220.88:993", "188.28.19.84:443", "74.12.146.221:2222", "74.12.146.221:2083", "82.131.141.209:443", "70.28.50.223:2087", "24.234.220.88:990", "12.172.173.82:995", "41.227.190.59:443", "192.143.255.159:443", "82.127.153.75:2222", "122.184.143.86:443", "59.28.84.65:443", "103.144.201.48:2078", "103.87.128.228:443", "125.99.69.178:443", "122.186.210.254:443", "74.12.146.221:2083", "190.75.72.44:2222", "123.3.240.16:6881", "176.142.207.63:443", "12.172.173.82:32101", "94.207.125.252:443", "45.62.70.33:443", "81.111.108.123:443", "68.227.249.138:443", "41.186.88.38:443", "86.195.14.72:2222", "165.120.169.171:2222", "49.175.72.188:443"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000D.00000002.395308492.0000000004740000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
0000000D.00000002.392769153.000000000096A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
decrypted.memstr	JoeSecurity_Qbot	Yara detected Qbot	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
13.2.rundll32.exe.bb0000.1.unpack	MAL_QakBot_ConfigExtraction_Feb23	QakBot Config Extraction	kevoreilly	0xec55:$params: 8B 7D 08 8B F1 57 89 55 FC E8 84 99 FF FF 8D 9E 24 04 00 00 89 03 59 85 C0 75 08 6A FC 58 E9 0xa87b:$conf: 5F 5E 5B C9 C3 51 6A 00 E8 C1 44 00 00 59 59 85 C0 75 01 C3
13.2.rundll32.exe.bb0000.1.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
13.2.rundll32.exe.980aa0.0.unpack	MAL_QakBot_ConfigExtraction_Feb23	QakBot Config Extraction	kevoreilly	0xe055:$params: 8B 7D 08 8B F1 57 89 55 FC E8 84 99 FF FF 8D 9E 24 04 00 00 89 03 59 85 C0 75 08 6A FC 58 E9 0x9c7b:$conf: 5F 5E 5B C9 C3 51 6A 00 E8 C1 44 00 00 59 59 85 C0 75 01 C3
13.2.rundll32.exe.980aa0.0.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
13.2.rundll32.exe.980aa0.0.raw.unpack	MAL_QakBot_ConfigExtraction_Feb23	QakBot Config Extraction	kevoreilly	0xec55:$params: 8B 7D 08 8B F1 57 89 55 FC E8 84 99 FF FF 8D 9E 24 04 00 00 89 03 59 85 C0 75 08 6A FC 58 E9 0xa87b:$conf: 5F 5E 5B C9 C3 51 6A 00 E8 C1 44 00 00 59 59 85 C0 75 01 C3
13.2.rundll32.exe.980aa0.0.raw.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
Click to see the 1 entries

Sigma Signatures

Data Obfuscation

Sigma detected: Execute DLL with spoofed extension

Source: Process started

Author: Joe Security: Data: Command: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\batteryacid.dat.dll",#1, CommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\batteryacid.dat.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: loaddll32.exe "C:\Users\user\Desktop\batteryacid.dat.dll", ParentImage: C:\Windows\System32\loaddll32.exe, ParentProcessId: 676, ParentProcessName: loaddll32.exe, ProcessCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\batteryacid.dat.dll",#1, ProcessId: 5680, ProcessName: cmd.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000D.00000002.392769153.000000000096A000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Qbot {"Bot id": "BB31", "Campaign": "1685959443", "Version": "404.1346", "C2 list": ["77.126.99.230:443", "24.234.220.88:465", "151.62.238.176:443", "85.57.212.13:3389", "199.27.66.213:443", "12.172.173.82:21", "12.172.173.82:50001", "12.172.173.82:465", "105.184.209.117:995", "193.80.73.200:995", "86.208.35.220:2222", "93.187.148.45:995", "37.189.89.196:443", "182.75.189.42:995", "65.95.141.84:2222", "84.216.198.201:6881", "105.102.10.220:443", "124.246.122.199:2222", "83.249.198.100:2222", "1.221.179.74:443", "114.143.176.236:443", "174.58.146.57:443", "12.172.173.82:2087", "73.207.160.219:443", "82.36.36.76:443", "86.173.2.12:2222", "92.98.55.221:2222", "223.166.13.95:995", "103.42.86.42:995", "176.133.4.230:995", "70.49.205.198:2222", "81.229.117.95:2222", "92.20.204.198:2222", "183.87.163.165:443", "147.147.30.126:2222", "184.181.75.148:443", "201.244.108.183:995", "94.59.123.30:2222", "184.182.66.109:443", "64.121.161.102:443", "103.140.174.20:2222", "70.28.50.223:3389", "125.63.121.38:2078", "66.241.183.99:443", "50.68.186.195:443", "89.115.200.234:443", "47.205.25.170:443", "12.172.173.82:993", "2.82.8.80:443", "12.172.173.82:22", "93.187.148.45:443", "70.28.50.223:32100", "79.168.224.165:2222", "121.121.108.120:995", "74.12.146.221:2222", "78.159.146.65:995", "116.74.164.17:443", "59.88.174.146:993", "92.184.102.115:2078", "31.53.29.216:2222", "72.205.104.134:443", "116.120.145.170:995", "217.165.233.122:443", "193.253.100.236:2222", "27.0.48.233:443", "103.123.223.133:443", "37.14.229.220:2222", "75.109.111.89:443", "24.234.220.88:995", "92.239.81.124:443", "12.172.173.82:20", "90.29.86.138:2222", "70.160.67.203:443", "92.9.45.20:2222", "95.45.50.93:2222", "100.4.163.158:2222", "201.143.215.69:443", "213.64.33.92:2222", "75.98.154.19:443", "103.139.242.6:443", "103.141.50.43:995", "178.175.187.254:443", "88.126.94.4:50000", "79.77.142.22:2222", "197.2.173.77:443", "74.14.39.7:2222", "70.28.50.223:2083", "174.4.89.3:443", "213.91.235.146:443", "78.130.215.67:443", "24.234.220.88:993", "188.28.19.84:443", "74.12.146.221:2222", "74.12.146.221:2083", "82.131.141.209:443", "70.28.50.223:2087", "24.234.220.88:990", "12.172.173.82:995", "41.227.190.59:443", "192.143.255.159:443", "82.127.153.75:2222", "122.184.143.86:443", "59.28.84.65:443", "103.144.201.48:2078", "103.87.128.228:443", "125.99.69.178:443", "122.186.210.254:443", "74.12.146.221:2083", "190.75.72.44:2222", "123.3.240.16:6881", "176.142.207.63:443", "12.172.173.82:32101", "94.207.125.252:443", "45.62.70.33:443", "81.111.108.123:443", "68.227.249.138:443", "41.186.88.38:443", "86.195.14.72:2222", "165.120.169.171:2222", "49.175.72.188:443"]}

Multi AV Scanner detection for submitted file

Source: batteryacid.dat.dll

Virustotal: Detection: 10%

Perma Link

Sample uses string decryption to hide its real strings

Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: error res='%s' err=%d len=%u
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: netstat -nao
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: runas
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: ipconfig /all
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: net localgroup
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: nltest /domain_trusts /all_trusts
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Microsoft
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: SELF_TEST_1
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: p%08x
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Self test FAILED!!!
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Self test OK.
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: /t5
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: whoami /all
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: cmd
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: microsoft.com,google.com,cisco.com,oracle.com,verisign.com,broadcom.com,yahoo.com,xfinity.com,irs.gov,linkedin.com
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: ERROR: GetModuleFileNameW() failed with error: ERROR_INSUFFICIENT_BUFFER
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: route print
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: .lnk
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: "%s\system32\schtasks.exe" /Create /ST %02u:%02u /RU "NT AUTHORITY\SYSTEM" /SC ONCE /tr "%s" /Z /ET %02u:%02u /tn %s
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: arp -a
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %s "$%s = \"%s\"; & $%s"
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: net share
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: cmd.exe /c set
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Self check
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %u;%u;%u;
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: /c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s"
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: ProfileImagePath
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: at.exe %u:%u "%s" /I
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: ProgramData
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Self check ok!
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: powershell.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: qwinsta
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: net view
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%s
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Component_08
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Start screenshot
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: schtasks.exe /Delete /F /TN %u
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: appidapi.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %s \"$%s = \\\"%s\\\\; & $%s\"
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: c:\ProgramData
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Component_07
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: bUdiuy81gYguty@4frdRdpfko(eKmudeuMncueaN
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: powershell.exe -encodedCommand %S
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: ERROR: GetModuleFileNameW() failed with error: %u
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: powershell.exe -encodedCommand
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: \System32\WindowsPowerShell\v1.0\powershell.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: schtasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /SC ONSTART /TN %u /TR "%s" /NP /F
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: error res='%s' err=%d len=%u
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: netstat -nao
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: runas
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: ipconfig /all
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %u.%u.%u.%u.%u.%u.%04x
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: SystemRoot
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: cscript.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: MBAMService.exe;mbamgui.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\System32\xwizard.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\System32\wermgr.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: C:\INTERNAL\__empty
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: .dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Win32_PhysicalMemory
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: ALLUSERSPROFILE
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: image/jpeg
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: LocalLow
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: displayName
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: shlwapi.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\WerFault.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: CommandLine
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: kernel32.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: SubmitSamplesConsent
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: 1234567890
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: wbj.go
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\wextract.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Win32_DiskDrive
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: vkise.exe;isesrv.exe;cmdagent.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: System32
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Name
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\System32\WerFault.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: WRSA.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: c:\\
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: SpyNetReporting
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: FALSE
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: aswhookx.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Packages
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: SonicWallClientProtectionService.exe;SWDash.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: application/x-shockwave-flash
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: RepUx.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\System32\mspaint.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Winsta0
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: CynetEPS.exe;CynetMS.exe;CynetConsole.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\wermgr.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %ProgramFiles(x86)%\Internet Explorer\iexplore.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: avp.exe;kavtray.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: root\SecurityCenter2
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\backgroundTaskHost.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: MsMpEng.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\System32\CertEnrollCtrl.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: userenv.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: csc_ui.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe;BehaviorDumper.exe;processdumperx64.exe;anti-virus.EXE;sysinfoX64.exe;sctoolswrapper.exe;sysinfoX64.exe;FakeExplorer.exe;apimonitor-x86.exe;idaq.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: \\.\pipe\
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: pstorec.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: NTUSER.DAT
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: from
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\System32\sethc.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: netapi32.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\System32\Utilman.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: gdi32.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: setupapi.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: SELECT * FROM Win32_Processor
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: iphlpapi.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Caption
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: CrAmTray.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Win32_ComputerSystem
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\System32\backgroundTaskHost.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %ProgramFiles%\Internet Explorer\iexplore.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: user32.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: xagtnotif.exe;AppUIMonitor.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\System32\dxdiag.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: SentinelServiceHost.exe;SentinelStaticEngine.exe;SentinelAgent.exe;SentinelStaticEngineScanner.exe;SentinelUI.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: \sf2.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\grpconv.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: egui.exe;ekrn.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Software\Microsoft
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %S.%06d
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: bcrypt.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: SELECT * FROM AntiVirusProduct
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\SndVol.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\Utilman.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\SpyNet
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: wtsapi32.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\xwizard.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: shell32.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: TRUE
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Win32_Bios
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: SELECT * FROM Win32_OperatingSystem
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\mobsync.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: c:\hiberfil.sysss
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: /
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\AtBroker.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: ByteFence.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: type=0x%04X
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: snxhk_border_mywnd
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: ROOT\CIMV2
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: https
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: fshoster32.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: kernelbase.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: regsvr32.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %s\system32\
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\dxdiag.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Win32_Process
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: rundll32.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: LOCALAPPDATA
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: cmd.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: APPDATA
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: select
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: .exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: mcshield.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: advapi32.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: ws2_32.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: .cfg
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: aabcdeefghiijklmnoopqrstuuvwxyyz
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Win32_Product
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: WQL
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: wininet.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: LastBootUpTime
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: S:(ML;;NW;;;LW)
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\CertEnrollCtrl.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: urlmon.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Create
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Win32_PnPEntity
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\System32\grpconv.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Initializing database...
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\System32\SearchIndexer.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: winsta0\default
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: .dat
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: WBJ_IGNORE
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: next
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\System32\AtBroker.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: wpcap.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\sethc.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: image/pjpeg
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: fmon.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: bdagent.exe;vsserv.exe;vsservppl.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\System32\SndVol.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: vbs
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: aswhooka.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: SysWOW64
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\mspaint.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: mpr.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: image/gif
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: crypt32.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: ntdll.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: open
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: CSFalconService.exe;CSFalconContainer.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\System32\wextract.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\System32\mobsync.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\SearchIndexer.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %u.%u.%u.%u.%u.%u.%04x
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: SystemRoot
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: cscript.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: MBAMService.exe;mbamgui.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\System32\xwizard.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\System32\wermgr.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: C:\INTERNAL\__empty
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: .dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Win32_PhysicalMemory
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: ALLUSERSPROFILE
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: image/jpeg
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: LocalLow
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: displayName
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: shlwapi.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\WerFault.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: CommandLine
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: kernel32.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: SubmitSamplesConsent
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: 1234567890
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: wbj.go
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\wextract.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Win32_DiskDrive
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: vkise.exe;isesrv.exe;cmdagent.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: System32
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Name
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\System32\WerFault.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: WRSA.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: c:\\
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: SpyNetReporting
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: FALSE
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: aswhookx.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Packages
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: SonicWallClientProtectionService.exe;SWDash.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: application/x-shockwave-flash
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: RepUx.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\System32\mspaint.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Winsta0
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: CynetEPS.exe;CynetMS.exe;CynetConsole.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\wermgr.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %ProgramFiles(x86)%\Internet Explorer\iexplore.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: avp.exe;kavtray.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: root\SecurityCenter2
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\backgroundTaskHost.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: MsMpEng.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\System32\CertEnrollCtrl.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: userenv.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: csc_ui.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe;BehaviorDumper.exe;processdumperx64.exe;anti-virus.EXE;sysinfoX64.exe;sctoolswrapper.exe;sysinfoX64.exe;FakeExplorer.exe;apimonitor-x86.exe;idaq.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: \\.\pipe\
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: pstorec.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: NTUSER.DAT
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: from
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\System32\sethc.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: netapi32.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\System32\Utilman.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: gdi32.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: setupapi.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: SELECT * FROM Win32_Processor
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: iphlpapi.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Caption
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: CrAmTray.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Win32_ComputerSystem
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\System32\backgroundTaskHost.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %ProgramFiles%\Internet Explorer\iexplore.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: user32.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: xagtnotif.exe;AppUIMonitor.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\System32\dxdiag.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: SentinelServiceHost.exe;SentinelStaticEngine.exe;SentinelAgent.exe;SentinelStaticEngineScanner.exe;SentinelUI.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: \sf2.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\grpconv.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: egui.exe;ekrn.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Software\Microsoft
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %S.%06d
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: bcrypt.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: SELECT * FROM AntiVirusProduct
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\SndVol.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\Utilman.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\SpyNet
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: wtsapi32.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\xwizard.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: shell32.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: TRUE
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Win32_Bios
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: SELECT * FROM Win32_OperatingSystem
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\mobsync.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: c:\hiberfil.sysss
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: /
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\AtBroker.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: ByteFence.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: type=0x%04X
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: snxhk_border_mywnd
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: ROOT\CIMV2
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: https
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: fshoster32.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: kernelbase.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: regsvr32.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %s\system32\
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\dxdiag.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Win32_Process
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: rundll32.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: LOCALAPPDATA
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: cmd.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: APPDATA
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: select
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: .exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: mcshield.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: advapi32.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: ws2_32.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: .cfg
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: aabcdeefghiijklmnoopqrstuuvwxyyz
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Win32_Product
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: WQL
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: wininet.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: LastBootUpTime
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: S:(ML;;NW;;;LW)
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\CertEnrollCtrl.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: urlmon.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Create
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Win32_PnPEntity
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\System32\grpconv.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Initializing database...
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\System32\SearchIndexer.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: winsta0\default
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: .dat
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: WBJ_IGNORE
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: next
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\System32\AtBroker.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: wpcap.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\sethc.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: image/pjpeg
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: fmon.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: bdagent.exe;vsserv.exe;vsservppl.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\System32\SndVol.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: vbs
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: aswhooka.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: SysWOW64
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\mspaint.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: mpr.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: image/gif
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: crypt32.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: ntdll.dll
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: open
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: CSFalconService.exe;CSFalconContainer.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\System32\wextract.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\System32\mobsync.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\SearchIndexer.exe
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName

Source: batteryacid.dat.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: unknown

HTTPS traffic detected: 152.216.7.110:443 -> 192.168.2.3:49720 version: TLS 1.2

Source: batteryacid.dat.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: c:\Documents and Settings\Andrew\Desktop\lcms\lcms2-2.9\bin\lcms2.pdb source: rundll32.exe, 00000006.00000002.395271233.0000000010043000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.395418652.0000000010043000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.395522503.0000000010043000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.395185499.0000000010043000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.395263165.0000000010043000.00000002.00000001.01000000.00000003.sdmp, batteryacid.dat.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 13_2_00BB9E70 FindFirstFileW,FindNextFileW,

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 77.126.99.230:443
Source: Malware configuration extractor	IPs: 24.234.220.88:465
Source: Malware configuration extractor	IPs: 151.62.238.176:443
Source: Malware configuration extractor	IPs: 85.57.212.13:3389
Source: Malware configuration extractor	IPs: 199.27.66.213:443
Source: Malware configuration extractor	IPs: 12.172.173.82:21
Source: Malware configuration extractor	IPs: 12.172.173.82:50001
Source: Malware configuration extractor	IPs: 12.172.173.82:465
Source: Malware configuration extractor	IPs: 105.184.209.117:995
Source: Malware configuration extractor	IPs: 193.80.73.200:995
Source: Malware configuration extractor	IPs: 86.208.35.220:2222
Source: Malware configuration extractor	IPs: 93.187.148.45:995
Source: Malware configuration extractor	IPs: 37.189.89.196:443
Source: Malware configuration extractor	IPs: 182.75.189.42:995
Source: Malware configuration extractor	IPs: 65.95.141.84:2222
Source: Malware configuration extractor	IPs: 84.216.198.201:6881
Source: Malware configuration extractor	IPs: 105.102.10.220:443
Source: Malware configuration extractor	IPs: 124.246.122.199:2222
Source: Malware configuration extractor	IPs: 83.249.198.100:2222
Source: Malware configuration extractor	IPs: 1.221.179.74:443
Source: Malware configuration extractor	IPs: 114.143.176.236:443
Source: Malware configuration extractor	IPs: 174.58.146.57:443
Source: Malware configuration extractor	IPs: 12.172.173.82:2087
Source: Malware configuration extractor	IPs: 73.207.160.219:443
Source: Malware configuration extractor	IPs: 82.36.36.76:443
Source: Malware configuration extractor	IPs: 86.173.2.12:2222
Source: Malware configuration extractor	IPs: 92.98.55.221:2222
Source: Malware configuration extractor	IPs: 223.166.13.95:995
Source: Malware configuration extractor	IPs: 103.42.86.42:995
Source: Malware configuration extractor	IPs: 176.133.4.230:995
Source: Malware configuration extractor	IPs: 70.49.205.198:2222
Source: Malware configuration extractor	IPs: 81.229.117.95:2222
Source: Malware configuration extractor	IPs: 92.20.204.198:2222
Source: Malware configuration extractor	IPs: 183.87.163.165:443
Source: Malware configuration extractor	IPs: 147.147.30.126:2222
Source: Malware configuration extractor	IPs: 184.181.75.148:443
Source: Malware configuration extractor	IPs: 201.244.108.183:995
Source: Malware configuration extractor	IPs: 94.59.123.30:2222
Source: Malware configuration extractor	IPs: 184.182.66.109:443
Source: Malware configuration extractor	IPs: 64.121.161.102:443
Source: Malware configuration extractor	IPs: 103.140.174.20:2222
Source: Malware configuration extractor	IPs: 70.28.50.223:3389
Source: Malware configuration extractor	IPs: 125.63.121.38:2078
Source: Malware configuration extractor	IPs: 66.241.183.99:443
Source: Malware configuration extractor	IPs: 50.68.186.195:443
Source: Malware configuration extractor	IPs: 89.115.200.234:443
Source: Malware configuration extractor	IPs: 47.205.25.170:443
Source: Malware configuration extractor	IPs: 12.172.173.82:993
Source: Malware configuration extractor	IPs: 2.82.8.80:443
Source: Malware configuration extractor	IPs: 12.172.173.82:22
Source: Malware configuration extractor	IPs: 93.187.148.45:443
Source: Malware configuration extractor	IPs: 70.28.50.223:32100
Source: Malware configuration extractor	IPs: 79.168.224.165:2222
Source: Malware configuration extractor	IPs: 121.121.108.120:995
Source: Malware configuration extractor	IPs: 74.12.146.221:2222
Source: Malware configuration extractor	IPs: 78.159.146.65:995
Source: Malware configuration extractor	IPs: 116.74.164.17:443
Source: Malware configuration extractor	IPs: 59.88.174.146:993
Source: Malware configuration extractor	IPs: 92.184.102.115:2078
Source: Malware configuration extractor	IPs: 31.53.29.216:2222
Source: Malware configuration extractor	IPs: 72.205.104.134:443
Source: Malware configuration extractor	IPs: 116.120.145.170:995
Source: Malware configuration extractor	IPs: 217.165.233.122:443
Source: Malware configuration extractor	IPs: 193.253.100.236:2222
Source: Malware configuration extractor	IPs: 27.0.48.233:443
Source: Malware configuration extractor	IPs: 103.123.223.133:443
Source: Malware configuration extractor	IPs: 37.14.229.220:2222
Source: Malware configuration extractor	IPs: 75.109.111.89:443
Source: Malware configuration extractor	IPs: 24.234.220.88:995
Source: Malware configuration extractor	IPs: 92.239.81.124:443
Source: Malware configuration extractor	IPs: 12.172.173.82:20
Source: Malware configuration extractor	IPs: 90.29.86.138:2222
Source: Malware configuration extractor	IPs: 70.160.67.203:443
Source: Malware configuration extractor	IPs: 92.9.45.20:2222
Source: Malware configuration extractor	IPs: 95.45.50.93:2222
Source: Malware configuration extractor	IPs: 100.4.163.158:2222
Source: Malware configuration extractor	IPs: 201.143.215.69:443
Source: Malware configuration extractor	IPs: 213.64.33.92:2222
Source: Malware configuration extractor	IPs: 75.98.154.19:443
Source: Malware configuration extractor	IPs: 103.139.242.6:443
Source: Malware configuration extractor	IPs: 103.141.50.43:995
Source: Malware configuration extractor	IPs: 178.175.187.254:443
Source: Malware configuration extractor	IPs: 88.126.94.4:50000
Source: Malware configuration extractor	IPs: 79.77.142.22:2222
Source: Malware configuration extractor	IPs: 197.2.173.77:443
Source: Malware configuration extractor	IPs: 74.14.39.7:2222
Source: Malware configuration extractor	IPs: 70.28.50.223:2083
Source: Malware configuration extractor	IPs: 174.4.89.3:443
Source: Malware configuration extractor	IPs: 213.91.235.146:443
Source: Malware configuration extractor	IPs: 78.130.215.67:443
Source: Malware configuration extractor	IPs: 24.234.220.88:993
Source: Malware configuration extractor	IPs: 188.28.19.84:443
Source: Malware configuration extractor	IPs: 74.12.146.221:2222
Source: Malware configuration extractor	IPs: 74.12.146.221:2083
Source: Malware configuration extractor	IPs: 82.131.141.209:443
Source: Malware configuration extractor	IPs: 70.28.50.223:2087
Source: Malware configuration extractor	IPs: 24.234.220.88:990
Source: Malware configuration extractor	IPs: 12.172.173.82:995
Source: Malware configuration extractor	IPs: 41.227.190.59:443
Source: Malware configuration extractor	IPs: 192.143.255.159:443
Source: Malware configuration extractor	IPs: 82.127.153.75:2222
Source: Malware configuration extractor	IPs: 122.184.143.86:443
Source: Malware configuration extractor	IPs: 59.28.84.65:443
Source: Malware configuration extractor	IPs: 103.144.201.48:2078
Source: Malware configuration extractor	IPs: 103.87.128.228:443
Source: Malware configuration extractor	IPs: 125.99.69.178:443
Source: Malware configuration extractor	IPs: 122.186.210.254:443
Source: Malware configuration extractor	IPs: 74.12.146.221:2083
Source: Malware configuration extractor	IPs: 190.75.72.44:2222
Source: Malware configuration extractor	IPs: 123.3.240.16:6881
Source: Malware configuration extractor	IPs: 176.142.207.63:443
Source: Malware configuration extractor	IPs: 12.172.173.82:32101
Source: Malware configuration extractor	IPs: 94.207.125.252:443
Source: Malware configuration extractor	IPs: 45.62.70.33:443
Source: Malware configuration extractor	IPs: 81.111.108.123:443
Source: Malware configuration extractor	IPs: 68.227.249.138:443
Source: Malware configuration extractor	IPs: 41.186.88.38:443
Source: Malware configuration extractor	IPs: 86.195.14.72:2222
Source: Malware configuration extractor	IPs: 165.120.169.171:2222
Source: Malware configuration extractor	IPs: 49.175.72.188:443

Source: Joe Sandbox View

ASN Name: MEO-RESIDENCIALPT MEO-RESIDENCIALPT

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Joe Sandbox View

IP Address: 2.82.8.80 2.82.8.80

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: irs.govCache-Control: no-cache

Source: global traffic	TCP traffic: 192.168.2.3:49722 -> 74.14.39.7:2222
Source: global traffic	TCP traffic: 192.168.2.3:49734 -> 92.184.102.115:2078

Source: unknown

Network traffic detected: IP country count 29

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 74.14.39.7
Source: unknown	TCP traffic detected without corresponding DNS query: 74.14.39.7
Source: unknown	TCP traffic detected without corresponding DNS query: 74.14.39.7
Source: unknown	TCP traffic detected without corresponding DNS query: 74.14.39.7
Source: unknown	TCP traffic detected without corresponding DNS query: 74.14.39.7
Source: unknown	TCP traffic detected without corresponding DNS query: 74.14.39.7
Source: unknown	TCP traffic detected without corresponding DNS query: 74.14.39.7
Source: unknown	TCP traffic detected without corresponding DNS query: 74.14.39.7
Source: unknown	TCP traffic detected without corresponding DNS query: 74.14.39.7
Source: unknown	TCP traffic detected without corresponding DNS query: 74.14.39.7
Source: unknown	TCP traffic detected without corresponding DNS query: 74.14.39.7
Source: unknown	TCP traffic detected without corresponding DNS query: 74.14.39.7
Source: unknown	TCP traffic detected without corresponding DNS query: 74.14.39.7
Source: unknown	TCP traffic detected without corresponding DNS query: 74.14.39.7
Source: unknown	TCP traffic detected without corresponding DNS query: 74.14.39.7
Source: unknown	TCP traffic detected without corresponding DNS query: 74.14.39.7
Source: unknown	TCP traffic detected without corresponding DNS query: 74.14.39.7
Source: unknown	TCP traffic detected without corresponding DNS query: 74.14.39.7
Source: unknown	TCP traffic detected without corresponding DNS query: 74.14.39.7
Source: unknown	TCP traffic detected without corresponding DNS query: 74.14.39.7
Source: unknown	TCP traffic detected without corresponding DNS query: 74.14.39.7
Source: unknown	TCP traffic detected without corresponding DNS query: 74.14.39.7
Source: unknown	TCP traffic detected without corresponding DNS query: 74.14.39.7
Source: unknown	TCP traffic detected without corresponding DNS query: 74.14.39.7
Source: unknown	TCP traffic detected without corresponding DNS query: 74.14.39.7
Source: unknown	TCP traffic detected without corresponding DNS query: 74.14.39.7
Source: unknown	TCP traffic detected without corresponding DNS query: 74.14.39.7
Source: unknown	TCP traffic detected without corresponding DNS query: 74.14.39.7
Source: unknown	TCP traffic detected without corresponding DNS query: 74.14.39.7
Source: unknown	TCP traffic detected without corresponding DNS query: 74.14.39.7
Source: unknown	TCP traffic detected without corresponding DNS query: 74.14.39.7
Source: unknown	TCP traffic detected without corresponding DNS query: 74.14.39.7
Source: unknown	TCP traffic detected without corresponding DNS query: 74.14.39.7
Source: unknown	TCP traffic detected without corresponding DNS query: 74.14.39.7
Source: unknown	TCP traffic detected without corresponding DNS query: 74.14.39.7
Source: unknown	TCP traffic detected without corresponding DNS query: 74.14.39.7
Source: unknown	TCP traffic detected without corresponding DNS query: 74.14.39.7
Source: unknown	TCP traffic detected without corresponding DNS query: 74.14.39.7
Source: unknown	TCP traffic detected without corresponding DNS query: 74.14.39.7
Source: unknown	TCP traffic detected without corresponding DNS query: 74.14.39.7
Source: unknown	TCP traffic detected without corresponding DNS query: 92.184.102.115
Source: unknown	TCP traffic detected without corresponding DNS query: 92.184.102.115
Source: unknown	TCP traffic detected without corresponding DNS query: 92.184.102.115
Source: unknown	TCP traffic detected without corresponding DNS query: 92.184.102.115
Source: unknown	TCP traffic detected without corresponding DNS query: 92.184.102.115
Source: unknown	TCP traffic detected without corresponding DNS query: 92.184.102.115
Source: unknown	TCP traffic detected without corresponding DNS query: 92.184.102.115
Source: unknown	TCP traffic detected without corresponding DNS query: 92.184.102.115
Source: unknown	TCP traffic detected without corresponding DNS query: 92.184.102.115

Source: 5NRH02A3.htm.22.dr	String found in binary or memory: <a href="https://www.facebook.com/IRS" aria-label="fa-facebook-square"> equals www.facebook.com (Facebook)
Source: 5NRH02A3.htm.22.dr	String found in binary or memory: <a href="https://www.linkedin.com/company/irs" aria-label="fa-linkedin"> equals www.linkedin.com (Linkedin)
Source: 5NRH02A3.htm.22.dr	String found in binary or memory: <a href="https://www.twitter.com/IRSnews" aria-label="fa-twitter-square"> equals www.twitter.com (Twitter)
Source: 5NRH02A3.htm.22.dr	String found in binary or memory: <a href="https://www.youtube.com/user/irsvideos" aria-label="fa-youtube-play"> equals www.youtube.com (Youtube)
Source: 5NRH02A3.htm.22.dr	String found in binary or memory: t Fall for Employee Retention Credit Scams" src="https://www.youtube.com/embed/p3mmROYjyYM?autoplay=0&start=0&rel=0"></iframe> equals www.youtube.com (Youtube)

Source: batteryacid.dat.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: batteryacid.dat.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: batteryacid.dat.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: batteryacid.dat.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: batteryacid.dat.dll	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: batteryacid.dat.dll	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: batteryacid.dat.dll	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: batteryacid.dat.dll	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: batteryacid.dat.dll	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: batteryacid.dat.dll	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: batteryacid.dat.dll	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: batteryacid.dat.dll	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: batteryacid.dat.dll	String found in binary or memory: http://ocsp.digicert.com0C
Source: batteryacid.dat.dll	String found in binary or memory: http://ocsp.digicert.com0H
Source: batteryacid.dat.dll	String found in binary or memory: http://ocsp.digicert.com0I
Source: batteryacid.dat.dll	String found in binary or memory: http://ocsp.digicert.com0O
Source: Amcache.hve.9.dr	String found in binary or memory: http://upx.sf.net
Source: batteryacid.dat.dll	String found in binary or memory: http://www.digicert.com/CPS0
Source: batteryacid.dat.dll	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 5NRH02A3.htm.22.dr	String found in binary or memory: https://home.treasury.gov/footer/no-fear-act
Source: 5NRH02A3.htm.22.dr	String found in binary or memory: https://jobs.irs.gov/
Source: 5NRH02A3.htm.22.dr	String found in binary or memory: https://s.go-mpulse.net/boomerang/
Source: 5NRH02A3.htm.22.dr	String found in binary or memory: https://s2.go-mpulse.net/boomerang/
Source: 5NRH02A3.htm.22.dr	String found in binary or memory: https://sa.www4.irs.gov/irfof/lang/en/irfofgetstatus.jsp
Source: 5NRH02A3.htm.22.dr	String found in binary or memory: https://static.addtoany.com/menu/page.js
Source: 5NRH02A3.htm.22.dr	String found in binary or memory: https://twitter.com/IRSnews
Source: batteryacid.dat.dll	String found in binary or memory: https://www.digicert.com/CPS0
Source: 5NRH02A3.htm.22.dr	String found in binary or memory: https://www.drupal.org)
Source: 5NRH02A3.htm.22.dr	String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-KV978ZL
Source: 5NRH02A3.htm.22.dr	String found in binary or memory: https://www.instagram.com/irsnews
Source: 5NRH02A3.htm.22.dr	String found in binary or memory: https://www.irs.gov
Source: 5NRH02A3.htm.22.dr	String found in binary or memory: https://www.irs.gov/
Source: 5NRH02A3.htm.22.dr	String found in binary or memory: https://www.irs.gov/es
Source: 5NRH02A3.htm.22.dr	String found in binary or memory: https://www.irs.gov/ht
Source: 5NRH02A3.htm.22.dr	String found in binary or memory: https://www.irs.gov/ko
Source: 5NRH02A3.htm.22.dr	String found in binary or memory: https://www.irs.gov/pub/image/logo_small.jpg
Source: 5NRH02A3.htm.22.dr	String found in binary or memory: https://www.irs.gov/ru
Source: 5NRH02A3.htm.22.dr	String found in binary or memory: https://www.irs.gov/vi
Source: 5NRH02A3.htm.22.dr	String found in binary or memory: https://www.irs.gov/zh-hans
Source: 5NRH02A3.htm.22.dr	String found in binary or memory: https://www.irs.gov/zh-hant
Source: 5NRH02A3.htm.22.dr	String found in binary or memory: https://www.linkedin.com/company/irs
Source: 5NRH02A3.htm.22.dr	String found in binary or memory: https://www.treasury.gov/
Source: 5NRH02A3.htm.22.dr	String found in binary or memory: https://www.treasury.gov/tigta/
Source: 5NRH02A3.htm.22.dr	String found in binary or memory: https://www.twitter.com/IRSnews
Source: 5NRH02A3.htm.22.dr	String found in binary or memory: https://www.usa.gov/
Source: 5NRH02A3.htm.22.dr	String found in binary or memory: https://www.usaspending.gov
Source: 5NRH02A3.htm.22.dr	String found in binary or memory: https://www.youtube.com/embed/p3mmROYjyYM?autoplay=0&start=0&rel=0
Source: 5NRH02A3.htm.22.dr	String found in binary or memory: https://www.youtube.com/user/irsvideos

Source: unknown

DNS traffic detected: queries for: irs.gov

Source: global traffic

Source: unknown

HTTPS traffic detected: 152.216.7.110:443 -> 192.168.2.3:49720 version: TLS 1.2

Source: loaddll32.exe, 00000000.00000002.379802574.0000000000D9B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: batteryacid.dat.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: 13.2.rundll32.exe.bb0000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
Source: 13.2.rundll32.exe.980aa0.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
Source: 13.2.rundll32.exe.980aa0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 652

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1003C225
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10035263
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001B410
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10034455
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1002E4D5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001B5C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100126F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1003C769
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10018B90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1003BCE1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1003DD61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000BD80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10015DB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1003CE61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1003FF89
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BC32F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BC72EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BC8E20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BB3A40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BC6F30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BC4B53

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 1001DD00 appears 84 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10007710 appears 84 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10030A44 appears 42 times

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BC44D8 NtProtectVirtualMemory,NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BBA93E GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BBA51F NtAllocateVirtualMemory,NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BBCAF3 NtAllocateVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BBAA38 GetLastError,NtResumeThread,FindCloseChangeNotification,

Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: ncryptsslp.dll

Source: batteryacid.dat.dll

Virustotal: Detection: 10%

Source: batteryacid.dat.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\batteryacid.dat.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\batteryacid.dat.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\batteryacid.dat.dll,l_cmsComputeInterpParams@24
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\batteryacid.dat.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\batteryacid.dat.dll,l_cmsFloat2Half@4
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\batteryacid.dat.dll,l_cmsFreeInterpParams@4
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 652
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\batteryacid.dat.dll",l_cmsComputeInterpParams@24
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\batteryacid.dat.dll",l_cmsFloat2Half@4
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\batteryacid.dat.dll",l_cmsFreeInterpParams@4
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\batteryacid.dat.dll",next
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\batteryacid.dat.dll",lmsstrcasecmp
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\batteryacid.dat.dll",lmsfilelength
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5692 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\batteryacid.dat.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\batteryacid.dat.dll,l_cmsComputeInterpParams@24
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\batteryacid.dat.dll,l_cmsFloat2Half@4
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\batteryacid.dat.dll,l_cmsFreeInterpParams@4
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\batteryacid.dat.dll",l_cmsComputeInterpParams@24
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\batteryacid.dat.dll",l_cmsFloat2Half@4
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\batteryacid.dat.dll",l_cmsFreeInterpParams@4
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\batteryacid.dat.dll",next
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\batteryacid.dat.dll",lmsstrcasecmp
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\batteryacid.dat.dll",lmsfilelength
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\batteryacid.dat.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe

Source: C:\Windows\SysWOW64\wermgr.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Mxtumm

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF3D8.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winDLL@30/19@2/100

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 13_2_00BBD2F7 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 13_2_00BBC800 CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\batteryacid.dat.dll,l_cmsComputeInterpParams@24

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5692
Source: C:\Windows\SysWOW64\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{61E64532-F7FB-448C-9242-F06B5640F3AF}
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3780
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1916
Source: C:\Windows\SysWOW64\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\{61E64532-F7FB-448C-9242-F06B5640F3AF}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5908:120:WilError_01
Source: C:\Windows\SysWOW64\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\{2EEA2E20-1A62-4F85-9741-F9DC2536BDC6}
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4364

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: batteryacid.dat.dll

Static PE information: More than 356 > 100 exports found

Source: batteryacid.dat.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: batteryacid.dat.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: batteryacid.dat.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: batteryacid.dat.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: batteryacid.dat.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: batteryacid.dat.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: batteryacid.dat.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: batteryacid.dat.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_10030A89 push ecx; ret

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_10039744 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

Source: batteryacid.dat.dll

Static PE information: real checksum: 0x81929 should be: 0x8a7fa

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Windows\SysWOW64\rundll32.exe

Memory written: PID: 7404 base: 1153C50 value: E9 63 D7 C7 FF

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wermgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wermgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wermgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wermgr.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\rundll32.exe TID: 736	Thread sleep count: 194 > 30
Source: C:\Windows\SysWOW64\wermgr.exe TID: 7420	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\SysWOW64\rundll32.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Source: C:\Windows\SysWOW64\rundll32.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Windows\SysWOW64\rundll32.exe

API coverage: 0.4 %

Source: C:\Windows\SysWOW64\wermgr.exe

Process information queried: ProcessInformation

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 13_2_00BBB967 GetSystemInfo,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 13_2_00BB9E70 FindFirstFileW,FindNextFileW,

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Source: Amcache.hve.9.dr	Binary or memory string: VMware
Source: Amcache.hve.9.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.9.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.9.dr	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.9.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_1002E1A7 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_1003B12F CreateFileA,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_3_00BA2297 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BB1015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00BB21CD mov eax, dword ptr fs:[00000030h]

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1002E1A7 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1003B4C9 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1002BBCA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\wermgr.exe base: 1000000
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\wermgr.exe base: DD0000
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\wermgr.exe base: 1153C50

Allocates memory in foreign processes

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: DD0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 1000000 protect: page read and write

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\rundll32.exe

Memory written: C:\Windows\SysWOW64\wermgr.exe base: DD0000 value starts with: 4D5A

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\batteryacid.dat.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe

Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\wermgr.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\wermgr.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: GetLocaleInfoA,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_1002DB67 GetSystemTimeAsFileTime,__aulldiv,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_1003A572 __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 13_2_00BBBC31 GetCurrentProcessId,GetLastError,GetVersionExA,GetWindowsDirectoryW,

Source: rundll32.exe, 0000000D.00000003.379651963.00000000047BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bdagent.exe
Source: rundll32.exe, 0000000D.00000003.379651963.00000000047BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vsserv.exe
Source: rundll32.exe, 0000000D.00000003.379651963.00000000047BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: rundll32.exe, 0000000D.00000003.379651963.00000000047BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avgcsrvx.exe
Source: rundll32.exe, 0000000D.00000003.379651963.00000000047BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mcshield.exe
Source: Amcache.hve.9.dr	Binary or memory string: procexp.exe
Source: rundll32.exe, 0000000D.00000003.379651963.00000000047BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Qbot

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 13.2.rundll32.exe.bb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.980aa0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.980aa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.395308492.0000000004740000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.392769153.000000000096A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Qbot

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 13.2.rundll32.exe.bb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.980aa0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.980aa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.395308492.0000000004740000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.392769153.000000000096A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	4 Native API	1 DLL Side-Loading	311 Process Injection	1 Masquerading	1 Credential API Hooking	2 System Time Discovery	Remote Services	1 Credential API Hooking	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	1 Input Capture	41 Security Software Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	311 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Archive Collected Data	Automated Exfiltration	1 Ingress Tool Transfer	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Deobfuscate/Decode Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	113 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Rundll32	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	24 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
batteryacid.dat.dll	4%	ReversingLabs
batteryacid.dat.dll	10%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://s2.go-mpulse.net/boomerang/	0%	URL Reputation	safe
https://s2.go-mpulse.net/boomerang/	0%	URL Reputation	safe
https://s.go-mpulse.net/boomerang/	0%	URL Reputation	safe
https://s.go-mpulse.net/boomerang/	0%	URL Reputation	safe
https://www.drupal.org)	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
irs.gov	152.216.7.110	true	false		high
www.irs.gov	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://irs.gov/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://home.treasury.gov/footer/no-fear-act	5NRH02A3.htm.22.dr	false		high
https://www.linkedin.com/company/irs	5NRH02A3.htm.22.dr	false		high
https://s2.go-mpulse.net/boomerang/	5NRH02A3.htm.22.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://sa.www4.irs.gov/irfof/lang/en/irfofgetstatus.jsp	5NRH02A3.htm.22.dr	false		high
https://www.twitter.com/IRSnews	5NRH02A3.htm.22.dr	false		high
https://www.irs.gov/ht	5NRH02A3.htm.22.dr	false		high
https://www.usaspending.gov	5NRH02A3.htm.22.dr	false		high
http://upx.sf.net	Amcache.hve.9.dr	false		high
https://twitter.com/IRSnews	5NRH02A3.htm.22.dr	false		high
https://www.irs.gov/ru	5NRH02A3.htm.22.dr	false		high
https://www.irs.gov/pub/image/logo_small.jpg	5NRH02A3.htm.22.dr	false		high
https://www.youtube.com/embed/p3mmROYjyYM?autoplay=0&start=0&rel=0	5NRH02A3.htm.22.dr	false		high
https://www.youtube.com/user/irsvideos	5NRH02A3.htm.22.dr	false		high
https://s.go-mpulse.net/boomerang/	5NRH02A3.htm.22.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://www.irs.gov/zh-hans	5NRH02A3.htm.22.dr	false		high
https://www.treasury.gov/tigta/	5NRH02A3.htm.22.dr	false		high
https://jobs.irs.gov/	5NRH02A3.htm.22.dr	false		high
https://www.irs.gov/zh-hant	5NRH02A3.htm.22.dr	false		high
https://www.irs.gov/es	5NRH02A3.htm.22.dr	false		high
https://www.treasury.gov/	5NRH02A3.htm.22.dr	false		high
https://static.addtoany.com/menu/page.js	5NRH02A3.htm.22.dr	false		high
https://www.irs.gov/	5NRH02A3.htm.22.dr	false		high
https://www.irs.gov/vi	5NRH02A3.htm.22.dr	false		high
https://www.instagram.com/irsnews	5NRH02A3.htm.22.dr	false		high
https://www.irs.gov	5NRH02A3.htm.22.dr	false		high
https://www.irs.gov/ko	5NRH02A3.htm.22.dr	false		high
https://www.drupal.org)	5NRH02A3.htm.22.dr	false	Avira URL Cloud: safe	low
https://www.usa.gov/	5NRH02A3.htm.22.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
2.82.8.80	unknown	Portugal	3243	MEO-RESIDENCIALPT	true
92.98.55.221	unknown	United Arab Emirates	5384	EMIRATES-INTERNETEmiratesInternetAE	true
70.160.67.203	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
86.208.35.220	unknown	France	3215	FranceTelecom-OrangeFR	true
86.195.14.72	unknown	France	3215	FranceTelecom-OrangeFR	true
82.36.36.76	unknown	United Kingdom	5089	NTLGB	true
184.182.66.109	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
125.99.69.178	unknown	India	17488	HATHWAY-NET-APHathwayIPOverCableInternetIN	true
74.14.39.7	unknown	Canada	577	BACOMCA	true
174.4.89.3	unknown	Canada	6327	SHAWCA	true
121.121.108.120	unknown	Malaysia	9534	MAXIS-AS1-APBinariangBerhadMY	true
116.74.164.17	unknown	India	17488	HATHWAY-NET-APHathwayIPOverCableInternetIN	true
213.64.33.92	unknown	Sweden	3301	TELIANET-SWEDENTeliaCompanySE	true
114.143.176.236	unknown	India	17762	HTIL-TTML-IN-APTataTeleservicesMaharashtraLtdIN	true
24.234.220.88	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
123.3.240.16	unknown	Australia	9443	VOCUS-RETAIL-AUVocusRetailAU	true
78.130.215.67	unknown	Bulgaria	9070	COOOLBOXBG	true
176.133.4.230	unknown	France	5410	BOUYGTEL-ISPFR	true
72.205.104.134	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
217.165.233.122	unknown	United Arab Emirates	5384	EMIRATES-INTERNETEmiratesInternetAE	true
183.87.163.165	unknown	India	132220	JPRDIGITAL-INJPRDigitalPvtLtdIN	true
190.75.72.44	unknown	Venezuela	8048	CANTVServiciosVenezuelaVE	true
70.49.205.198	unknown	Canada	577	BACOMCA	true
184.181.75.148	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
37.14.229.220	unknown	Spain	12479	UNI2-ASES	true
41.227.190.59	unknown	Tunisia	2609	TN-BB-ASTunisiaBackBoneASTN	true
100.4.163.158	unknown	United States	701	UUNETUS	true
103.141.50.43	unknown	India	133693	SKISP-AS-INSriKrishnaInternetServicesPrivateLimitedI	true
165.120.169.171	unknown	United States	2856	BT-UK-ASBTnetUKRegionalnetworkGB	true
82.131.141.209	unknown	Hungary	20845	DIGICABLEHU	true
64.121.161.102	unknown	United States	6079	RCN-ASUS	true
89.115.200.234	unknown	Portugal	12353	VODAFONE-PTVodafonePortugalPT	true
31.53.29.216	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	true
178.175.187.254	unknown	Moldova Republic of	43289	TRABIAMD	true
188.28.19.84	unknown	United Kingdom	206067	H3GUKGB	true
103.87.128.228	unknown	India	55947	BBNL-INBangaloreBroadbandNetworkPvtLtdIN	true
94.59.123.30	unknown	United Arab Emirates	5384	EMIRATES-INTERNETEmiratesInternetAE	true
37.189.89.196	unknown	Portugal	3243	MEO-RESIDENCIALPT	true
124.246.122.199	unknown	Singapore	63850	ENTRUSTICT-AS-APQRHUBPTYLTDTAEntrustICTAU	true
59.28.84.65	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	true
147.147.30.126	unknown	United Kingdom	6871	PLUSNETUKInternetServiceProviderGB	true
75.109.111.89	unknown	United States	19108	SUDDENLINK-COMMUNICATIONSUS	true
88.126.94.4	unknown	France	12322	PROXADFR	true
85.57.212.13	unknown	Spain	12479	UNI2-ASES	true
1.221.179.74	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	true
66.241.183.99	unknown	United States	16604	HUNTEL-NETUS	true
47.205.25.170	unknown	United States	5650	FRONTIER-FRTRUS	true
95.45.50.93	unknown	Ireland	5466	EIRCOMInternetHouseIE	true
81.111.108.123	unknown	United Kingdom	5089	NTLGB	true
103.144.201.48	unknown	unknown	139762	MSSOLUTION-AS-APSolutionBD	true
151.62.238.176	unknown	Italy	1267	ASN-WINDTREIUNETEU	true
92.20.204.198	unknown	United Kingdom	13285	OPALTELECOM-ASTalkTalkCommunicationsLimitedGB	true
201.143.215.69	unknown	Mexico	8151	UninetSAdeCVMX	true
193.80.73.200	unknown	Austria	1901	EUNETAT-ASA1TelekomAustriaAGAT	true
192.143.255.159	unknown	South Africa	37611	AfrihostZA	true
92.239.81.124	unknown	United Kingdom	5089	NTLGB	true
41.186.88.38	unknown	Rwanda	36890	MTNRW-ASNRW	true
193.253.100.236	unknown	France	3215	FranceTelecom-OrangeFR	true
105.184.209.117	unknown	South Africa	37457	Telkom-InternetZA	true
201.244.108.183	unknown	Colombia	19429	ETB-ColombiaCO	true
103.42.86.42	unknown	India	133660	EDIGITAL-ASE-InfrastructureandEntertainmentIndiaPvtLt	true
125.63.121.38	unknown	India	10029	SHYAMSPECTRA-ASSHYAMSPECTRAPVTLTDIN	true
68.227.249.138	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
182.75.189.42	unknown	India	9498	BBIL-APBHARTIAirtelLtdIN	true
105.102.10.220	unknown	Algeria	36947	ALGTEL-ASDZ	true
116.120.145.170	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
103.139.242.6	unknown	India	138798	MUTINY-AS-INMutinySystemsPrivateLimitedIN	true
27.0.48.233	unknown	India	132573	SAINGN-AS-INSAINGNNetworkServicesIN	true
70.28.50.223	unknown	Canada	577	BACOMCA	true
81.229.117.95	unknown	Sweden	3301	TELIANET-SWEDENTeliaCompanySE	true
122.186.210.254	unknown	India	9498	BBIL-APBHARTIAirtelLtdIN	true
78.159.146.65	unknown	Italy	48544	TECNOADSL-ASIT	true
92.184.102.115	unknown	France	3215	FranceTelecom-OrangeFR	true
79.77.142.22	unknown	United Kingdom	9105	TISCALI-UKTalkTalkCommunicationsLimitedGB	true
93.187.148.45	unknown	United Kingdom	8680	SURE-INTERNATIONAL-LIMITEDGB	true
122.184.143.86	unknown	India	9498	BBIL-APBHARTIAirtelLtdIN	true
50.68.186.195	unknown	Canada	6327	SHAWCA	true
45.62.70.33	unknown	Canada	40440	NRTC-CA	true
83.249.198.100	unknown	Sweden	39651	COMHEM-SWEDENSE	true
12.172.173.82	unknown	United States	2386	INS-ASUS	true
79.168.224.165	unknown	Portugal	2860	NOS_COMUNICACOESPT	true
199.27.66.213	unknown	United States	40608	HCTNEBRASKAUS	true
176.142.207.63	unknown	France	5410	BOUYGTEL-ISPFR	true
86.173.2.12	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	true
74.12.146.221	unknown	Canada	577	BACOMCA	true
90.29.86.138	unknown	France	3215	FranceTelecom-OrangeFR	true
197.2.173.77	unknown	Tunisia	37705	TOPNETTN	true
174.58.146.57	unknown	United States	7922	COMCAST-7922US	true
59.88.174.146	unknown	India	9829	BSNL-NIBNationalInternetBackboneIN	true
223.166.13.95	unknown	China	17621	CNCGROUP-SHChinaUnicomShanghainetworkCN	true
65.95.141.84	unknown	Canada	577	BACOMCA	true
49.175.72.188	unknown	Korea Republic of	17858	POWERVIS-AS-KRLGPOWERCOMMKR	true
75.98.154.19	unknown	United States	32444	SAFELINK-MVUS	true
213.91.235.146	unknown	Bulgaria	8866	BTC-ASBULGARIABG	true
77.126.99.230	unknown	Israel	9116	GOLDENLINES-ASNPartnerCommunicationsMainAutonomousSyste	true
103.123.223.133	unknown	India	138329	KWS-AS-APKenstarWebSolutionsPrivateLimitedIN	true
84.216.198.201	unknown	Sweden	2119	TELENOR-NEXTELTelenorNorgeASNO	true
92.9.45.20	unknown	United Kingdom	13285	OPALTELECOM-ASTalkTalkCommunicationsLimitedGB	true
94.207.125.252	unknown	United Arab Emirates	15802	DU-AS1AE	true
73.207.160.219	unknown	United States	7922	COMCAST-7922US	true

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	882879
Start date and time:	2023-06-06 23:39:07 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 16s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	batteryacid.dat.dll
Detection:	MAL
Classification:	mal100.troj.evad.winDLL@30/19@2/100
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 80.6% (good quality ratio 74.8%) Quality average: 77.8% Quality standard deviation: 30.2%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .dll Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29, 104.208.16.94, 104.77.224.126
Excluded domains from analysis (whitelisted): www.irs.gov.edgekey.net, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, e3920.dscna.akamaiedge.net, ctldl.windowsupdate.com, watson.telemetry.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.

Simulations

Behavior and APIs

Time	Type	Description
23:40:09	API Interceptor	1x Sleep call for process: loaddll32.exe modified
23:40:15	API Interceptor	4x Sleep call for process: WerFault.exe modified
23:40:19	API Interceptor	9x Sleep call for process: wermgr.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_1771c62af96114fb83baec5ef424ae1819cb3650_82810a17_00d61356\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9073852431266827
Encrypted:	false
SSDEEP:	192:KuiF0oXXHBUZMX4jed+7/u7seS274ItWc:7iLX3BUZMX4je2/u7seX4ItWc
MD5:	1C13F577AA09A478D65EF8A1CB64911E
SHA1:	4B0240FD01E3869B66A9AD09920F85BC90A477A7
SHA-256:	0643ABE896582F47CFF4FBDE7BD522F002694AE5DF46E37261BC8ABFFCFC7D8F
SHA-512:	3CC9F7762DE79E3DF1CDAD9C0EEA6A9F010AA360881198A477AEF6CA6B25DFCDA4E6ACBF09B69E91EE54649EF82D688FE78471CA4BD8475DDE3A7141146D17D9
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.3.0.5.9.3.6.0.7.6.4.2.5.1.8.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.3.0.5.9.3.6.0.8.4.0.8.1.3.1.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.7.c.b.9.e.3.c.-.b.a.e.3.-.4.b.3.7.-.9.0.7.0.-.4.8.b.b.d.0.7.8.b.5.b.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.d.6.9.7.6.9.a.-.6.3.f.a.-.4.3.b.6.-.b.8.9.c.-.6.2.5.8.c.4.a.5.f.e.c.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.e.c.4.-.0.0.0.1.-.0.0.1.f.-.7.1.a.0.-.b.6.e.5.0.a.9.9.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_1771c62af96114fb83baec5ef424ae1819cb3650_82810a17_1c6e13d3\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.907338939292545
Encrypted:	false
SSDEEP:	192:rPig0oXTHBUZMX4jed+7/u7seS274ItWc:zi2XTBUZMX4je2/u7seX4ItWc
MD5:	1862D45905CE3D72F238184758824D37
SHA1:	DE05A8CBD87CE5738CF106AC50187AF76899EA71
SHA-256:	70337856EEED7BCCFA627DB7B8B5C6410CA5BDBCBBAC1C49EB135CCAC5BAED69
SHA-512:	3A7526BE84E9525DB30DF940554EED00F36FB435F94017BCBA5BF0122231E5514FE5848E62050FA6B8A8BD8D6ECB58313836B631DF7BC9E6D946B85DFC2D5DB4
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.3.0.5.9.3.6.1.0.7.8.6.9.6.9.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.3.0.5.9.3.6.1.1.9.2.7.5.9.6.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.3.a.3.d.9.5.b.-.c.3.a.f.-.4.b.5.5.-.b.e.e.2.-.0.1.2.9.2.9.a.0.5.3.6.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.f.d.5.3.7.4.2.-.5.0.3.3.-.4.0.9.0.-.b.9.1.9.-.8.a.3.7.d.1.0.9.1.e.3.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.3.c.-.0.0.0.1.-.0.0.1.f.-.d.3.1.9.-.8.f.e.7.0.a.9.9.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_26a6cc57e4ced2c19f09ae278ade2876040a245_82810a17_1c1a1441\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9045007439995117
Encrypted:	false
SSDEEP:	192:7UiQ0oXNHBUZMX4jed+7/u7seS274ItWc:oiGXdBUZMX4je2/u7seX4ItWc
MD5:	AB316FBD477A42BF0FF5279DCF72D50A
SHA1:	F38647562B6A107E4DF1C514356170F479034D2D
SHA-256:	168E322BE89DD82B8568E9DD84E02666C1B398C47502E6044CAF5D7695B00610
SHA-512:	F9C8E70CCD60B998A13AC31BC4DCB85F41163183EB85A1E5B43237ACB44218C5E5F3A773311895937459B193280CF5414BF87D1F80AE9DBD769142F5BDE5C72C
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.3.0.5.9.3.6.1.0.8.3.7.9.4.5.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.3.0.5.9.3.6.1.2.0.8.7.9.4.9.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.7.2.9.6.a.e.d.-.4.c.2.3.-.4.b.4.0.-.9.5.c.0.-.b.5.d.1.a.8.8.d.0.4.6.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.b.6.6.5.a.2.0.-.2.7.a.6.-.4.d.f.1.-.8.c.0.c.-.a.4.6.0.1.4.f.8.9.f.3.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.1.0.c.-.0.0.0.1.-.0.0.1.f.-.c.6.3.6.-.a.4.e.7.0.a.9.9.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_7ec94696d4f5167a22d8d01ba83c94e0c28d4894_82810a17_1c121402\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.907247786439782
Encrypted:	false
SSDEEP:	192:1dqiO0oXhHBUZMX4jed+7/u7seS274ItWc:Pqi4XxBUZMX4je2/u7seX4ItWc
MD5:	6023C1656074B693B79BB6EF59ED57C8
SHA1:	06052F0BF45D5A976C4DB20969772DDBFE1D9960
SHA-256:	C6897557A381D2D28420D2C24E20A249438430A0111FB982998EC5F98D061515
SHA-512:	B412322F083C569D8A8D485A7B8E6BBE5DA57A6446386BF8B9DA257263C7F88DE7BFD2B27CD042A3CF06622E908EED4620D2A0A55F2A5AEA292A399BF800A932
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.3.0.5.9.3.6.1.0.7.3.3.1.5.6.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.3.0.5.9.3.6.1.1.7.8.0.0.3.8.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.3.a.f.a.4.a.4.-.2.d.1.2.-.4.5.6.9.-.9.0.e.7.-.b.b.f.a.b.4.a.1.8.6.a.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.d.c.8.5.0.6.2.-.d.4.1.a.-.4.3.7.3.-.9.a.0.6.-.3.f.f.8.9.7.b.1.0.0.5.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.7.7.c.-.0.0.0.1.-.0.0.1.f.-.0.d.2.5.-.9.9.e.7.0.a.9.9.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1A4.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8246
Entropy (8bit):	3.6875909619860447
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi67676YlQD6jgmfT0SvrCprQ89b6DsfA+m:RrlsNi2676YGD6jgmfT0Se6ofw
MD5:	DD492362F51C9189ABB21F9F16A5F6B7
SHA1:	F71A1597459C499AB6BF3ED9A85350318885CC89
SHA-256:	AFC7B863542BEE183D5E95275D17D966334A3A6953D22A19CC9D6C5D5992B5B2
SHA-512:	92962874F3CCCC93791BFC93545EB9374B5D291DFEF89A760F5506A6C919AAC2297716ED418573A9C0E2F07316C1A45C778F1198329DE7630378D28F77795DF6
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.9.1.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Jun 7 06:40:11 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	43444
Entropy (8bit):	2.1253427704960455
Encrypted:	false
SSDEEP:	192:w1LwnCO5SkbbM0SCdIMCfPS+DFVl57Tqg/:rd5LbbM0T+DFhHl
MD5:	23783038ED5CC8E1CF032BFC8C60CEF4
SHA1:	7BB8D2EE4FA24A087ED121FEE9B428536A65AE2F
SHA-256:	0597FD0A76DCCC672A39909304E54E7D0F069742FF6F866517621AF21D730623
SHA-512:	D8D817EE60ED1D5B8E945DAD8AF197A17FB45301BAC66ABDCB97A6106CEF71A1C72DDEA52B06A402C530700BC46E12F1EE36F5714F21BD945725B1B218AFAB77
Malicious:	false
Preview:	MDMP....... .......K&.d.........................................,..........T.......8...........T...........................0................................................................................U...........B..............GenuineIntelW...........T.......<...I&.d.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1E4.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4640
Entropy (8bit):	4.451374218380647
Encrypted:	false
SSDEEP:	48:cvIwSD8zsvJgtWI9JCGWgc8sqYjT8fm8M4JCdsbSF9o+q8/4ie4SrS1d:uITfRmCHgrsqYUJMorDW1d
MD5:	A0D9C890AC94C8E4AEE1F0A4E13CE769
SHA1:	E31058BB05B2ED085DBBF67B83F574E7E003DD99
SHA-256:	0D4BE1215957B8DA573D0D6B714CABF828DA347F5A0FB2AA088CD8ECC2FBF7FC
SHA-512:	41BBF88047856F01F2E5DB8F1D94EBD741519741E7CE77C5F0AD3EC7BCE00414CEA110BFE9D0BDB568EE201A2C25569E096DDB672A408704B92EDEFEFA520D18
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2074550" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER212.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8246
Entropy (8bit):	3.688359860160411
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiFT636YlQQ6jgmfTrSvrCprp89b6msfc+m:RrlsNiR636YGQ6jgmfTrSF6FfM
MD5:	1A6FA161CBCA5A868BCEE3E09EBC9A90
SHA1:	0023BA9AF855D4EE43A40AD97CF629614707BD1C
SHA-256:	FF7CBEFA83653779F4CF491C411C6ECFBF5E14A0FDE80A0B95ADA4420850E69B
SHA-512:	D12196FF607855FC8202B6BA9E8A9B20650531BE72C44A293B2DE67057335D21704AF4F02427509CD73E79265634ECBB875963344FB8FC9B9125A1A60B8F5385
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.6.9.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER270.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4640
Entropy (8bit):	4.449653135538571
Encrypted:	false
SSDEEP:	48:cvIwSD8zsvJgtWI9JCGWgc8sqYj18fm8M4JCdsbbFdz+q8/4i74SrSvd:uITfRmCHgrsqY+JteDWvd
MD5:	284E0A47C892FBA074357E213CD40BCB
SHA1:	D275B62F6217419C7271057718F2AB86060F95E1
SHA-256:	9A36A8195FE4F814707A1625A85AF89A952891D5FA593FF5F4B834BAE8F5C8BB
SHA-512:	741FF3ED7C5BE6B7CA923A8B7743BF90B2CA4BAE02FC6C563850CF7F5CD0630D5F98F12697D93E99693EA078409DD1F24BE7132FB456CAB562E3044E96C24207
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2074550" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER34A.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8236
Entropy (8bit):	3.6891967336726013
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNig16m6YlaT6jgmfTkdSvrCpr089b6Osf0v+m:RrlsNii6m6YU6jgmfTkdSS6NfM
MD5:	7ED034F52ECDAE3259215617AC37C973
SHA1:	38794AB9BAF4EF896220CD2139487217D92615C3
SHA-256:	8E1A6454F220163F968A5C931119EDEFFAB3BF34C6EAC8E07F57A008118983BD
SHA-512:	6C356BE8FE30F2F0510B0BC54042F251B8271794FF4983A85BF6AD02E47BF092EF5ABB3C3AD27D895DFE4E523122229FE9FA0ADBBC71E5BB14AF42EB104A6ED6
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.3.6.4.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3A9.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4630
Entropy (8bit):	4.449366904396621
Encrypted:	false
SSDEEP:	48:cvIwSD8zsvJgtWI9JCGWgc8sqYjf8fm8M4JCdsWF6+q8/524SrSchd:uITfRmCHgrsqY4J3FDW4d
MD5:	29AFA1E7DBFBAD2E3AFB6C637725FD3E
SHA1:	459DC4CC147788903A99034B6D4FBE33234411FC
SHA-256:	12CC68A591E7472065CBFFF4CC72A798B21D15E9992FABB7F9E0D52D1DD6296A
SHA-512:	E327F624529F20471F46D80C901784121CA17FD25252549B0D81866179D2935D1FFDF82197CAC4BAD3A12BF47822F7E92684C9B243396958259C3F73F61BDC59
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2074550" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5B.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Jun 7 06:40:11 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	37384
Entropy (8bit):	2.3163608535977733
Encrypted:	false
SSDEEP:	192:wn+gZ53+e+UBO5SkbpPJS28JmhOWquSk5H23xHuWxbXFr1znn:sF+p5Lbbi2QYQu2bPzn
MD5:	2AAAAAB364E1B60350DC3AFF1BCCF57F
SHA1:	7C451AD2631E773488EABFCAADD0C71EE49BD6F0
SHA-256:	12FB992E6990D235DB537901FAA8D4723D2734CE49AA43899AAB4251EFA71E74
SHA-512:	882FD97D8CCC640552E5C1162604A6855B299B66B678FE2EB33D028BCF9CBED8277586E2F683E10A4DC50812FDF540BFF212DB9BF9DE4AEF96A0C5E3E76121F4
Malicious:	false
Preview:	MDMP....... .......K&.d............d...............l............)..........T.......8...........T................x...........................................................................................U...........B..............GenuineIntelW...........T...........I&.d.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF3D8.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Jun 7 06:40:07 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	37460
Entropy (8bit):	2.2605989983425414
Encrypted:	false
SSDEEP:	192:8dngZ53+e+GwO5Skb0SW2dS0SGWWqOLnZ457oT+:1F+Q5Lb0v0SyfZus
MD5:	91F870A1E7FAE83C8FACCA4E620DC5D6
SHA1:	B2C7BF8383BFE306A2D507CCCDD1E5868148475B
SHA-256:	F1A10CFA716BC45A9814FAC05CBDD85102DD3AECD595BF613168DC6473121307
SHA-512:	155664D14F0BE54E6E034560A3027CEFB88EEE85F7BBB4AA3C53524690D9D878CA9DAC60E8655D76C528FF2E2E2395318475509794D75059E7D3997C653F8B03
Malicious:	false
Preview:	MDMP....... .......G&.d............d...............l............)..........T.......8...........T...............Tx...........................................................................................U...........B..............GenuineIntelW...........T...........F&.d.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF56F.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8256
Entropy (8bit):	3.689832835505259
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiZ/6+6YNq6wYgmfTrSvrCpr/89bKQsfoum:RrlsNix6+6Yw6dgmfTrSDKjf4
MD5:	98902D35703C1C35090F4D998A2FA48D
SHA1:	3E246DABBABFBC62F26CE9E5E991599D1485B95B
SHA-256:	83479A521CEEAD1AA98B10387E45CE34AC383AF94452843D0303500A70BB53B4
SHA-512:	18802848D64A124DB7F0DE4B93CB5C4093DACF533E527C2C33EC1CA8684FDED789AC441B00EB0426BF6B6E78FF88E95CA9384D6394BC98C1563A993D6D03E5AC
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.7.8.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF59F.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4640
Entropy (8bit):	4.450557292049522
Encrypted:	false
SSDEEP:	48:cvIwSD8zsvJgtWI9JCGWgc8sqYjM8fm8M4JCdsbbF2+q8/4iY4SrScH6d:uITfRmCHgrsqYdJOBDWi6d
MD5:	82AED4D7CA292D2E20E6FF0BCC089DB1
SHA1:	73745F095163B1FB51296488B09E5D86213F7256
SHA-256:	FEB2E76154A26DBBE5C04E71F6F2BE83DFBDC77BA08EF9846EC457B9E9918DD5
SHA-512:	FCFC12F3406F0088BEDBE126ECEE4A328A428882E6C0997836B834B903A40D95DF64F511D0DB50E0A5B3F91C4803F4EB41CB7CDC21B050712B528C6C540F9531
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2074550" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFFEE.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Jun 7 06:40:11 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	37292
Entropy (8bit):	2.266393108153774
Encrypted:	false
SSDEEP:	192:wg0gZ53+e+a+O5Skbjeo6y1VrSeeBpPZmtImDqByz:xF+m5Lbio6y7PeHxuDd
MD5:	A8F913A0D0E18A4F017A70FEC4A40E60
SHA1:	04F376296B9C6A4E90441BCDD514FA46CFFF69D4
SHA-256:	80ACF4B9C4FA0CEB13123F56CE2C0FD7E6076E40320A9CDE100983798650A818
SHA-512:	85318139ED79797FCD39DB75DCFFA8E3B323E0CA0C89840ADFC44D9CA10AE1EC8F662B7ADB385321CE7B730AD43A01B21B87A10EF4E173B9DBBC4498680C5CC1
Malicious:	false
Preview:	MDMP....... .......K&.d............d...............l............)..........T.......8...........T................w...........................................................................................U...........B..............GenuineIntelW...........T.......\|...I&.d.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\5NRH02A3.htm

Download File

Process:	C:\Windows\SysWOW64\wermgr.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (26606)
Category:	dropped
Size (bytes):	139608
Entropy (8bit):	4.907905809354912
Encrypted:	false
SSDEEP:	3072:kPIJDbCdRTKXlbPFCypAIbCl+ONYudProZ:kPINi9KXdPzpAeCO
MD5:	EAAD78E9543F2AA3D904B5C9176FA87B
SHA1:	06402C658010716653F9B438819D2C454C88EBC4
SHA-256:	5D82F715ECE849A08AA6A2A4EA978BCF68B6887BA6194CB4681CF3D7D5B6C034
SHA-512:	5FDC0BF56C3ED9FC55A2623D53C285431DAD5845755315A24D336B667AEB2EA90C67732E804E3FE7057C91F71CDED2DE295C02EAAD3413D850E02BBEDEFF945A
Malicious:	false
Preview:	<!DOCTYPE html>.<html lang="en" dir="ltr" prefix="content: http://purl.org/rss/1.0/modules/content/ dc: http://purl.org/dc/terms/ foaf: http://xmlns.com/foaf/0.1/ og: http://ogp.me/ns# rdfs: http://www.w3.org/2000/01/rdf-schema# schema: http://schema.org/ sioc: http://rdfs.org/sioc/ns# sioct: http://rdfs.org/sioc/types# skos: http://www.w3.org/2004/02/skos/core# xsd: http://www.w3.org/2001/XMLSchema# ">. <head>. <meta charset="utf-8" /><script type="text/javascript">(window.NREUM\|\|(NREUM={})).init={ajax:{deny_list:["bam.nr-data.net"]}};(window.NREUM\|\|(NREUM={})).loader_config={licenseKey:"b67fc6a152",applicationID:"70700070"};;(()=>{"use strict";var e,t,n={8768:(e,t,n)=>{n.d(t,{T:()=>r,p:()=>i});const r=/(iPad\|iPhone\|iPod)/g.test(navigator.userAgent),i=r&&Boolean("undefined"==typeof SharedWorker)},2919:(e,t,n)=>{n.d(t,{P_:()=>h,Mt:()=>p,C5:()=>c,DL:()=>w,OP:()=>N,lF:()=>C,Yu:()=>A,Dg:()=>v,CX:()=>u,GE:()=>y,sU:()=>I});var r={};n.r(r),n.d(r,{agent:()=>x,match:()=>k,version

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.292293784515798
Encrypted:	false
SSDEEP:	12288:Bm9foPhXuqOaWLhywZOrUo3qGS+ShZeCXcGcztguKk3vNRwEsk5dEAg:yfoPhXuqOaWLhyZ3J
MD5:	356F619184B5900BB47A7BF400FF104C
SHA1:	EB8079827207C95C65D83E5554A70830A436212D
SHA-256:	E5925A355CF74464C22FF5A6CF424EA738DD9A3C27736A53B2653155D41F26C5
SHA-512:	6D9AA958F9FAC81FA90A9AB7679A8C714B34201532AAEBC6E58EF465C156A7FCA444BAEE7D275AED01280439B8E95DE2A94AF5AA1347917B1975925B1734D945
Malicious:	false
Preview:	regfj...j...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.....................................................................................................................................................................................................................................................................................................................................................~..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	3.8219847808575618
Encrypted:	false
SSDEEP:	768:uPiRftx1eJ4JRHQAJfaqigJ9kqQKSC9OcMYqqE:j4wJd
MD5:	B7231E7F26245E45ACBF5D8245A1A098
SHA1:	06F183B1098284427016A00040AA7985BDFD0295
SHA-256:	0E3D24A48DBB4456EB9F38020546098A60161278E22214F713DA18AFE6403D07
SHA-512:	AA6D4746D83BBCC7CC82077EB9CB4AE4DA086FFAB2A29962EBC351D4AC32B143904E1B37246EB4222A367FA903FCA0B71C33754DCC791A42ED1EAAC5C6FFD1EB
Malicious:	false
Preview:	regfi...i...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.....................................................................................................................................................................................................................................................................................................................................................~..HvLE.n......i...........v.&..P.j@...............0...................0..hbin................p.\..,..........nk,.............h........................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ............. ........................... .......Z.......................Root........lf......Root....nk ..........................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck...

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.009485424923022
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	batteryacid.dat.dll
File size:	508020
MD5:	179d4849f8d096122d05de3c7bebb4bd
SHA1:	ee3ead69ec6801721cde4ca6480f30ecff948c08
SHA256:	2f6ae770a5d56ed8a2cfe262e196363b5c80e58468c66ff36cdf9c75306c2c55
SHA512:	f449ac3cba0d31168328f3e0af94bb91f2f2d1c2a9ec3e4200d4f946973a2ac34bc3e42f10fa03c433d1eb89f131e39ada44f2cc921c836b35e56efeac62cdfe
SSDEEP:	12288:W5XwIjvPgzGgQChM5u/7hIYArytfqYsgzelZ7CPZUeQ58:njhhArytfqYsgalZWPRQ58
TLSH:	B9B4D011E782D0F2C0AA1076916B6A275AF94B311735D9F7B7B14E2E8F217D01A7E3C2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........W..i9..i9..i9...B..i9..i8..i9..;...i9..;...i9..;...i9..;...i9..;...i9..;...i9.Rich.i9.........PE..L...~.5[...........!.......

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x1002de46
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5B350A7E [Thu Jun 28 16:19:10 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	8e0a1f2284a5f7dab96c697a66241e4a

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
mov edi, edi
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F7FA46C3E27h
call 00007F7FA46CCBB6h
push dword ptr [ebp+08h]
mov ecx, dword ptr [ebp+10h]
mov edx, dword ptr [ebp+0Ch]
call 00007F7FA46C3D11h
pop ecx
pop ebp
retn 000Ch
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [1005A7C0h], eax
mov dword ptr [1005A7BCh], ecx
mov dword ptr [1005A7B8h], edx
mov dword ptr [1005A7B4h], ebx
mov dword ptr [1005A7B0h], esi
mov dword ptr [1005A7ACh], edi
mov word ptr [1005A7D8h], ss
mov word ptr [1005A7CCh], cs
mov word ptr [1005A7A8h], ds
mov word ptr [1005A7A4h], es
mov word ptr [1005A7A0h], fs
mov word ptr [1005A79Ch], gs
pushfd
pop dword ptr [1005A7D0h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [1005A7C4h], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [1005A7C8h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [1005A7D4h], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [1005A710h], 00010001h
mov eax, dword ptr [1005A7C8h]
mov dword ptr [1005A6C4h], eax
mov dword ptr [1005A6B8h], C0000409h
mov dword ptr [1005A6BCh], 00000001h

Rich Headers

Programming Language:

[IMP] VS2005 build 50727
[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[EXP] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x51190	0x2ad8	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x509fc	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5d000	0x1b4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x5be00	0x1cc8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5e000	0x224c	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x43190	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x503b0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x43000	0x150	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x417fb	0x41800	False	0.5453803375477099	data	6.7423506479537325	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x43000	0x10c68	0x10e00	False	0.5152199074074074	data	6.30032677521701	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x54000	0x8b4c	0x6800	False	0.25777493990384615	data	3.6288843465773213	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5d000	0x1a53f	0x1b000	False	0.9533148871527778	data	7.904860604753045	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x78000	0x28c6	0x2a00	False	0.6647135416666666	data	5.9997920394314095	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0x5d058	0x15a	ASCII text, with CRLF line terminators	English	United States

Imports

DLL

Import

KERNEL32.dll

InitializeCriticalSection, LeaveCriticalSection, EnterCriticalSection, DeleteCriticalSection, CreateMutexW, WaitForSingleObject, InterlockedCompareExchange, ReleaseMutex, CloseHandle, GetLastError, HeapFree, HeapAlloc, HeapReAlloc, DeleteFileA, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCommandLineA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, GetModuleHandleW, GetProcAddress, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, RtlUnwind, MultiByteToWideChar, ReadFile, WriteFile, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, LCMapStringA, LCMapStringW, HeapCreate, HeapDestroy, VirtualFree, VirtualAlloc, Sleep, ExitProcess, GetModuleFileNameA, SetFilePointer, RaiseException, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, InitializeCriticalSectionAndSpinCount, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, CreateFileA, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, FlushFileBuffers, LoadLibraryA, GetModuleHandleA, GetTimeZoneInformation, SetEndOfFile, GetProcessHeap, HeapSize, CompareStringA, CompareStringW, SetEnvironmentVariableA

Exports

Name	Ordinal	Address
l_cmsComputeInterpParams@24	7	0x1000a580
l_cmsFloat2Half@4	16	0x1000a3c0
l_cmsFreeInterpParams@4	18	0x1000a5e0
l_cmsGetFormatter@16	19	0x1001b930
l_cmsHalf2Float@4	23	0x1000a380
l_cmsQuantizeVal@12	37	0x10011440
l_cmsReadDevicelinkLUT@8	40	0x1000ff60
l_cmsReadInputLUT@8	42	0x1000f890
l_cmsReadOutputLUT@8	43	0x1000fd80
l_cmsStageAllocIdentityCLut@8	53	0x100113c0
l_cmsStageAllocIdentityCurves@8	54	0x10010a80
l_cmsStageAllocLab2XYZ@4	55	0x10011ac0
l_cmsStageAllocLabV2ToV4@4	56	0x10011bb0
l_cmsStageAllocLabV4ToV2@4	57	0x10011be0
l_cmsStageAllocNamedColor@8	58	0x100141a0
l_cmsStageAllocXYZ2Lab@4	60	0x10011d90
lcms15Fixed16toDouble	1	0x1001da20
lcms8Fixed8toDouble	2	0x1001d9d0
lcmsAdjustEndianess16	3	0x1001d470
lcmsAdjustEndianess32	4	0x1001d490
lcmsAdjustEndianess64	5	0x1001d4c0
lcmsCalloc	6	0x10007480
lcmsCreateMutex	8	0x100078b0
lcmsDecodeDateTimeNumber	9	0x1001daa0
lcmsDefaultICCintents	10	0x100065e0
lcmsDestroyMutex	11	0x100078e0
lcmsDoTransformLineStride@36	144	0x1002a430
lcmsDoubleTo15Fixed16	12	0x1001da70
lcmsDoubleTo8Fixed8	13	0x1001da00
lcmsDupMem	14	0x10007510
lcmsEncodeDateTimeNumber	15	0x1001db30
lcmsFree	17	0x100074e0
lcmsGetTransformFormatters16	20	0x1002b070
lcmsGetTransformFormattersFloat	21	0x1002b0a0
lcmsGetTransformUserData	22	0x1002b060
lcmsICCcolorSpace	24	0x1001ce80
lcmsIOPrintf	25	0x1001dd00
lcmsLCMScolorSpace	26	0x1001cff0
lcmsLockMutex	27	0x10007910
lcmsMAT3eval	28	0x100134c0
lcmsMAT3identity	29	0x10013140
lcmsMAT3inverse	30	0x10013360
lcmsMAT3isIdentity	31	0x100131c0
lcmsMAT3per	32	0x10013240
lcmsMAT3solve	33	0x10013460
lcmsMalloc	34	0x10007420
lcmsMallocZero	35	0x10007450
lcmsOpenProfileFromIOhandler2THR@12	275	0x1000e2b0
lcmsPipelineSetOptimizationParameters	36	0x100123c0
lcmsRead15Fixed16Number	38	0x1001d6e0
lcmsReadAlignment	39	0x1001dc50
lcmsReadFloat32Number	41	0x1001d620
lcmsReadTypeBase	44	0x1001dba0
lcmsReadUInt16Array	45	0x1001d580
lcmsReadUInt16Number	46	0x1001d540
lcmsReadUInt32Number	47	0x1001d5d0
lcmsReadUInt64Number	48	0x1001d690
lcmsReadUInt8Number	49	0x1001d500
lcmsReadXYZNumber	50	0x1001d730
lcmsRealloc	51	0x100074b0
lcmsSetTransformUserData	52	0x1002b040
lcmsStageAllocPlaceholder	59	0x100104a0
lcmsUnlockMutex	61	0x10007940
lcmsVEC3cross	62	0x10013070
lcmsVEC3distance	63	0x10013100
lcmsVEC3dot	64	0x100130b0
lcmsVEC3init	65	0x10013020
lcmsVEC3length	66	0x100130d0
lcmsVEC3minus	67	0x10013040
lcmsWrite15Fixed16Number	68	0x1001d900
lcmsWriteAlignment	69	0x1001dca0
lcmsWriteFloat32Number	70	0x1001d880
lcmsWriteTypeBase	71	0x1001dc00
lcmsWriteUInt16Array	72	0x1001d810
lcmsWriteUInt16Number	73	0x1001d7d0
lcmsWriteUInt32Number	74	0x1001d850
lcmsWriteUInt64Number	75	0x1001d8c0
lcmsWriteUInt8Number	76	0x1001d7b0
lcmsWriteXYZNumber	77	0x1001d950
lmsAdaptToIlluminant	78	0x1002a180
lmsAllocNamedColorList	79	0x10013c70
lmsAllocProfileSequenceDescription	80	0x10014210
lmsAppendNamedColor	81	0x10013dd0
lmsBFDdeltaE	82	0x1001c3e0
lmsBuildGamma	83	0x10008840
lmsBuildParametricToneCurve	84	0x10008790
lmsBuildSegmentedToneCurve	85	0x100085b0
lmsBuildTabulatedToneCurve16	86	0x10008560
lmsBuildTabulatedToneCurveFloat	87	0x100086d0
lmsCIE2000DeltaE	88	0x1001c920
lmsCIE94DeltaE	89	0x1001c280
lmsCIECAM02Done	90	0x10002620
lmsCIECAM02Forward	91	0x10002640
lmsCIECAM02Init	92	0x10002420
lmsCIECAM02Reverse	93	0x10002750
lmsCMCdeltaE	94	0x1001c740
lmsChangeBuffersFormat	95	0x1002bb30
lmsChannelsOf	96	0x1001d270
lmsCloseIOhandler	97	0x1000d860
lmsCloseProfile	98	0x1000ea10
lmsCreateBCHSWabstractProfile	99	0x10029330
lmsCreateBCHSWabstractProfileTHR	100	0x10029170
lmsCreateContext	101	0x1001e070
lmsCreateExtendedTransform	102	0x1002b500
lmsCreateGrayProfile	103	0x100288b0
lmsCreateGrayProfileTHR	104	0x100287f0
lmsCreateInkLimitingDeviceLink	105	0x10028ca0
lmsCreateInkLimitingDeviceLinkTHR	106	0x10028ac0
lmsCreateLab2Profile	107	0x10028da0
lmsCreateLab2ProfileTHR	108	0x10028cc0
lmsCreateLab4Profile	109	0x10028e90
lmsCreateLab4ProfileTHR	110	0x10028db0
lmsCreateLinearizationDeviceLink	111	0x100289c0
lmsCreateLinearizationDeviceLinkTHR	112	0x100288d0
lmsCreateMultiprofileTransform	113	0x1002b8f0
lmsCreateMultiprofileTransformTHR	114	0x1002b830
lmsCreateNULLProfile	115	0x100294f0
lmsCreateNULLProfileTHR	116	0x10029370
lmsCreateProfilePlaceholder	117	0x1000d880
lmsCreateProofingTransform	118	0x1002bab0
lmsCreateProofingTransformTHR	119	0x1002b9d0
lmsCreateRGBProfile	120	0x100287d0
lmsCreateRGBProfileTHR	121	0x10028580
lmsCreateTransform	122	0x1002b9a0
lmsCreateTransformTHR	123	0x1002b950
lmsCreateXYZProfile	124	0x10028f70
lmsCreateXYZProfileTHR	125	0x10028ea0
lmsCreate_sRGBProfile	126	0x100290c0
lmsCreate_sRGBProfileTHR	127	0x10028fe0
lmsD50_XYZ	128	0x10029b30
lmsD50_xyY	129	0x10029b40
lmsDeleteContext	130	0x1001e370
lmsDeleteTransform	131	0x1002a330
lmsDeltaE	132	0x1001c220
lmsDesaturateLab	133	0x1000a180
lmsDetectBlackPoint	134	0x1001ffb0
lmsDetectDestinationBlackPoint	135	0x10020470
lmsDetectTAC	136	0x1000a0a0
lmsDictAddEntry	137	0x100144d0
lmsDictAlloc	138	0x10014420
lmsDictDup	139	0x10014540
lmsDictFree	140	0x10014440
lmsDictGetEntryList	141	0x100145a0
lmsDictNextEntry	142	0x100145a0
lmsDoTransform	143	0x1002a3b0
lmsDoTransformStride	145	0x1002a3f0
lmsDupContext	146	0x1001e250
lmsDupNamedColorList	147	0x10013d30
lmsDupProfileSequenceDescription	148	0x10014310
lmsDupToneCurve	149	0x10008950
lmsEstimateGamma	150	0x10009800
lmsEvalToneCurve16	151	0x100097d0
lmsEvalToneCurveFloat	152	0x10009760
lmsFloat2LabEncoded	153	0x1001bed0
lmsFloat2LabEncodedV2	154	0x1001bda0
lmsFloat2XYZEncoded	155	0x1001c0e0
lmsFormatterForColorspaceOfProfile	156	0x1001b9b0
lmsFormatterForPCSOfProfile	157	0x1001b9f0
lmsFreeNamedColorList	158	0x10013d00
lmsFreeProfileSequenceDescription	159	0x100142a0
lmsFreeToneCurve	160	0x10008860
lmsFreeToneCurveTriple	161	0x10008900
lmsGBDAlloc	162	0x10020e20
lmsGBDFree	163	0x1000a5e0
lmsGDBAddPoint	164	0x10020f20
lmsGDBCheckPoint	165	0x10020fa0
lmsGDBCompute	166	0x100214b0
lmsGetAlarmCodes	167	0x1002a2f0
lmsGetAlarmCodesTHR	168	0x1002a2b0
lmsGetColorSpace	169	0x1000e110
lmsGetContextUserData	170	0x1001e430
lmsGetDeviceClass	171	0x1000e130
lmsGetEncodedCMMversion	172	0x10007130
lmsGetEncodedICCversion	173	0x1000e150
lmsGetHeaderAttributes	174	0x1000e050
lmsGetHeaderCreationDateTime	175	0x1000e0d0
lmsGetHeaderCreator	176	0x1000e020
lmsGetHeaderFlags	177	0x1000dfe0
lmsGetHeaderManufacturer	178	0x1000e000
lmsGetHeaderModel	179	0x1000e030
lmsGetHeaderProfileID	180	0x1000e090
lmsGetHeaderRenderingIntent	181	0x1000dfc0
lmsGetNamedColorList	182	0x100141f0
lmsGetPCS	183	0x1000e0f0
lmsGetPipelineContextID	184	0x10011e10
lmsGetPostScriptCRD	185	0x1001fc30
lmsGetPostScriptCSA	186	0x1001fc90
lmsGetPostScriptColorResource	187	0x1001fbe0
lmsGetProfileContextID	188	0x1002bb10
lmsGetProfileIOhandler	189	0x100145a0
lmsGetProfileInfo	190	0x10010420
lmsGetProfileInfoASCII	191	0x10010460
lmsGetProfileVersion	192	0x1000e230
lmsGetSupportedIntents	193	0x10007090
lmsGetSupportedIntentsTHR	194	0x10007000
lmsGetTagCount	195	0x1000d900
lmsGetTagSignature	196	0x1000d920
lmsGetToneCurveEstimatedTable	197	0x10008550
lmsGetToneCurveEstimatedTableEntries	198	0x10008540
lmsGetToneCurveParametricType	199	0x10009740
lmsGetTransformContextID	200	0x1002baf0
lmsGetTransformInputFormat	201	0x100145a0
lmsGetTransformOutputFormat	202	0x1002bb10
lmsIT8Alloc	203	0x10003ad0
lmsIT8DefineDblFormat	204	0x10005990
lmsIT8EnumDataFormat	205	0x10005340
lmsIT8EnumProperties	206	0x10005370
lmsIT8EnumPropertyMulti	207	0x100053d0
lmsIT8FindDataFormat	208	0x10005570
lmsIT8Free	209	0x10003720
lmsIT8GetData	210	0x10005680
lmsIT8GetDataDbl	211	0x100056d0
lmsIT8GetDataRowCol	212	0x10005590
lmsIT8GetDataRowColDbl	213	0x100055b0
lmsIT8GetPatchByName	214	0x10005870
lmsIT8GetPatchName	215	0x10005820
lmsIT8GetProperty	216	0x10003e60
lmsIT8GetPropertyDbl	217	0x10003ea0
lmsIT8GetPropertyMulti	218	0x10003ec0
lmsIT8GetSheetType	219	0x10003bf0
lmsIT8LoadFromFile	220	0x10005270
lmsIT8LoadFromMem	221	0x100051a0
lmsIT8SaveToFile	222	0x10004580
lmsIT8SaveToMem	223	0x10004610
lmsIT8SetComment	224	0x10003c30
lmsIT8SetData	225	0x100056f0
lmsIT8SetDataDbl	226	0x100057b0
lmsIT8SetDataFormat	227	0x10004010
lmsIT8SetDataRowCol	228	0x100055e0
lmsIT8SetDataRowColDbl	229	0x10005600
lmsIT8SetIndexColumn	230	0x10005950
lmsIT8SetPropertyDbl	231	0x10003cc0
lmsIT8SetPropertyHex	232	0x10003d50
lmsIT8SetPropertyMulti	233	0x10003e20
lmsIT8SetPropertyStr	234	0x10003c80
lmsIT8SetPropertyUncooked	235	0x10003de0
lmsIT8SetSheetType	236	0x10003c00
lmsIT8SetTable	237	0x10003a90
lmsIT8SetTableByLabel	238	0x10005890
lmsIT8TableCount	239	0x10012370
lmsIsCLUT	240	0x100101b0
lmsIsIntentSupported	241	0x10010260
lmsIsMatrixShaper	242	0x10010110
lmsIsTag	243	0x1000da80
lmsIsToneCurveDescending	244	0x10009700
lmsIsToneCurveLinear	245	0x10009600
lmsIsToneCurveMonotonic	246	0x10009670
lmsIsToneCurveMultisegment	247	0x10009720
lmsJoinToneCurve	248	0x10008980
lmsLCh2Lab	249	0x1001c070
lmsLab2LCh	250	0x1001c000
lmsLab2XYZ	251	0x1001bb80
lmsLabEncoded2Float	252	0x1001bd10
lmsLabEncoded2FloatV2	253	0x1001bce0
lmsLinkTag	254	0x1000f300
lmsMD5computeID	255	0x10012ef0
lmsMLUalloc	256	0x10013520
lmsMLUdup	257	0x10013830
lmsMLUfree	258	0x100138e0
lmsMLUgetASCII	259	0x100139e0
lmsMLUgetTranslation	260	0x10013b30
lmsMLUgetWide	261	0x10013a90
lmsMLUsetASCII	262	0x10013720
lmsMLUsetWide	263	0x100137e0
lmsMLUtranslationsCodes	264	0x10013bc0
lmsMLUtranslationsCount	265	0x10013ba0
lmsNamedColorCount	266	0x100145a0
lmsNamedColorIndex	267	0x10013fb0
lmsNamedColorInfo	268	0x10013ee0
lmsOpenIOhandlerFromFile	269	0x1000d650
lmsOpenIOhandlerFromMem	270	0x1000d3d0
lmsOpenIOhandlerFromNULL	271	0x1000d200
lmsOpenIOhandlerFromStream	272	0x1000d7c0
lmsOpenProfileFromFile	273	0x1000e380
lmsOpenProfileFromFileTHR	274	0x1000e310
lmsOpenProfileFromIOhandlerTHR	276	0x1000e270
lmsOpenProfileFromMem	277	0x1000e480
lmsOpenProfileFromMemTHR	278	0x1000e420
lmsOpenProfileFromStream	279	0x1000e400
lmsOpenProfileFromStreamTHR	280	0x1000e3a0
lmsPipelineAlloc	281	0x10012010
lmsPipelineCat	282	0x100122f0
lmsPipelineCheckAndRetreiveStages	283	0x100107b0
lmsPipelineDup	284	0x10012130
lmsPipelineEval16	285	0x100120f0
lmsPipelineEvalFloat	286	0x10012110
lmsPipelineEvalReverseFloat	287	0x10012480
lmsPipelineFree	288	0x100120a0
lmsPipelineGetPtrToFirstStage	289	0x10012370
lmsPipelineGetPtrToLastStage	290	0x10012380
lmsPipelineInputChannels	291	0x10011e00
lmsPipelineInsertStage	292	0x10012210
lmsPipelineOutputChannels	293	0x10012090
lmsPipelineSetSaveAs8bitsFlag	294	0x10012350
lmsPipelineStageCount	295	0x100123a0
lmsPipelineUnlinkStage	296	0x10012270
lmsPlugin	297	0x1001dde0
lmsPluginTHR	298	0x1001ddf0
lmsReadRawTag	299	0x1000efd0
lmsReadTag	300	0x1000eb20
lmsReverseToneCurve	301	0x10008d40
lmsReverseToneCurveEx	302	0x10008b40
lmsSaveProfileToFile	303	0x1000e8f0
lmsSaveProfileToIOhandler	304	0x1000e7a0
lmsSaveProfileToMem	305	0x1000e990
lmsSaveProfileToStream	306	0x1000e950
lmsSetAdaptationState	307	0x1002a260
lmsSetAdaptationStateTHR	308	0x1002a230
lmsSetAlarmCodes	309	0x1002a2e0
lmsSetAlarmCodesTHR	310	0x1002a280
lmsSetColorSpace	311	0x1000e120
lmsSetDeviceClass	312	0x1000e140
lmsSetEncodedICCversion	313	0x1000e160
lmsSetHeaderAttributes	314	0x1000e070
lmsSetHeaderFlags	315	0x1000dff0
lmsSetHeaderManufacturer	316	0x1000e010
lmsSetHeaderModel	317	0x1000e040
lmsSetHeaderProfileID	318	0x1000e0b0
lmsSetHeaderRenderingIntent	319	0x1000dfd0
lmsSetLogErrorHandler	320	0x10007700
lmsSetLogErrorHandlerTHR	321	0x100076d0
lmsSetPCS	322	0x1000e100
lmsSetProfileVersion	323	0x1000e1c0
lmsSignalError	324	0x10007710
lmsSliceSpace16	325	0x10011870
lmsSliceSpaceFloat	326	0x10011960
lmsSmoothToneCurve	327	0x10009390
lmsStageAllocCLut16bit	328	0x10011130
lmsStageAllocCLut16bitGranular	329	0x10011010
lmsStageAllocCLutFloat	330	0x1001ba60
lmsStageAllocCLutFloatGranular	331	0x100111d0
lmsStageAllocIdentity	332	0x10010510
lmsStageAllocMatrix	333	0x10010c20
lmsStageAllocToneCurves	334	0x100109a0
lmsStageData	335	0x10011e10
lmsStageDup	336	0x10011e30
lmsStageFree	337	0x10011dc0
lmsStageInputChannels	338	0x10011de0
lmsStageNext	339	0x10011e20
lmsStageOutputChannels	340	0x10011df0
lmsStageSampleCLut16bit	341	0x10011480
lmsStageSampleCLutFloat	342	0x10011650
lmsStageType	343	0x10011e00
lmsTagLinkedTo	344	0x1000f3a0
lmsTempFromWhitePoint	345	0x10029c80
lmsTransform2DeviceLink	346	0x10029750
lmsUnregisterPlugins	347	0x1001df70
lmsUnregisterPluginsTHR	348	0x1001dfd0
lmsWhitePointFromTemp	349	0x10029b60
lmsWriteRawTag	350	0x1000f230
lmsWriteTag	351	0x1000ed90
lmsXYZ2Lab	352	0x1001baf0
lmsXYZ2xyY	353	0x1001ba30
lmsXYZEncoded2Float	354	0x1001c1e0
lmsfilelength	355	0x100071c0
lmsstrcasecmp	356	0x10007140
next	357	0x10011180

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 6, 2023 23:43:13.772653103 CEST	49720	443	192.168.2.3	152.216.7.110
Jun 6, 2023 23:43:13.772721052 CEST	443	49720	152.216.7.110	192.168.2.3
Jun 6, 2023 23:43:13.772905111 CEST	49720	443	192.168.2.3	152.216.7.110
Jun 6, 2023 23:43:13.780080080 CEST	49720	443	192.168.2.3	152.216.7.110
Jun 6, 2023 23:43:13.780119896 CEST	443	49720	152.216.7.110	192.168.2.3
Jun 6, 2023 23:43:14.236531973 CEST	443	49720	152.216.7.110	192.168.2.3
Jun 6, 2023 23:43:14.236670971 CEST	49720	443	192.168.2.3	152.216.7.110
Jun 6, 2023 23:43:14.401582003 CEST	49720	443	192.168.2.3	152.216.7.110
Jun 6, 2023 23:43:14.401637077 CEST	443	49720	152.216.7.110	192.168.2.3
Jun 6, 2023 23:43:14.402534962 CEST	443	49720	152.216.7.110	192.168.2.3
Jun 6, 2023 23:43:14.402626991 CEST	49720	443	192.168.2.3	152.216.7.110
Jun 6, 2023 23:43:14.404046059 CEST	49720	443	192.168.2.3	152.216.7.110
Jun 6, 2023 23:43:14.444346905 CEST	443	49720	152.216.7.110	192.168.2.3
Jun 6, 2023 23:43:14.548178911 CEST	443	49720	152.216.7.110	192.168.2.3
Jun 6, 2023 23:43:14.548391104 CEST	49720	443	192.168.2.3	152.216.7.110
Jun 6, 2023 23:43:14.548429012 CEST	443	49720	152.216.7.110	192.168.2.3
Jun 6, 2023 23:43:14.548480988 CEST	443	49720	152.216.7.110	192.168.2.3
Jun 6, 2023 23:43:14.548518896 CEST	49720	443	192.168.2.3	152.216.7.110
Jun 6, 2023 23:43:14.548558950 CEST	49720	443	192.168.2.3	152.216.7.110
Jun 6, 2023 23:43:14.550103903 CEST	49720	443	192.168.2.3	152.216.7.110
Jun 6, 2023 23:43:14.550133944 CEST	443	49720	152.216.7.110	192.168.2.3
Jun 6, 2023 23:43:14.550185919 CEST	49720	443	192.168.2.3	152.216.7.110
Jun 6, 2023 23:43:14.550225019 CEST	49720	443	192.168.2.3	152.216.7.110
Jun 6, 2023 23:43:15.469978094 CEST	49722	2222	192.168.2.3	74.14.39.7
Jun 6, 2023 23:43:15.623806953 CEST	2222	49722	74.14.39.7	192.168.2.3
Jun 6, 2023 23:43:15.624104023 CEST	49722	2222	192.168.2.3	74.14.39.7
Jun 6, 2023 23:43:15.624629974 CEST	49722	2222	192.168.2.3	74.14.39.7
Jun 6, 2023 23:43:15.784729004 CEST	2222	49722	74.14.39.7	192.168.2.3
Jun 6, 2023 23:43:15.786788940 CEST	49723	2222	192.168.2.3	74.14.39.7
Jun 6, 2023 23:43:15.939502001 CEST	2222	49723	74.14.39.7	192.168.2.3
Jun 6, 2023 23:43:15.939660072 CEST	49723	2222	192.168.2.3	74.14.39.7
Jun 6, 2023 23:43:15.940356016 CEST	49723	2222	192.168.2.3	74.14.39.7
Jun 6, 2023 23:43:16.096566916 CEST	2222	49723	74.14.39.7	192.168.2.3
Jun 6, 2023 23:43:16.097275019 CEST	49724	2222	192.168.2.3	74.14.39.7
Jun 6, 2023 23:43:16.249723911 CEST	2222	49724	74.14.39.7	192.168.2.3
Jun 6, 2023 23:43:16.249895096 CEST	49724	2222	192.168.2.3	74.14.39.7
Jun 6, 2023 23:43:16.249978065 CEST	49724	2222	192.168.2.3	74.14.39.7
Jun 6, 2023 23:43:16.252191067 CEST	49725	2222	192.168.2.3	74.14.39.7
Jun 6, 2023 23:43:16.406713009 CEST	2222	49724	74.14.39.7	192.168.2.3
Jun 6, 2023 23:43:16.406760931 CEST	2222	49724	74.14.39.7	192.168.2.3
Jun 6, 2023 23:43:16.406846046 CEST	49724	2222	192.168.2.3	74.14.39.7
Jun 6, 2023 23:43:16.407531977 CEST	2222	49725	74.14.39.7	192.168.2.3
Jun 6, 2023 23:43:16.407655954 CEST	49725	2222	192.168.2.3	74.14.39.7
Jun 6, 2023 23:43:16.407974005 CEST	49725	2222	192.168.2.3	74.14.39.7
Jun 6, 2023 23:43:16.571815014 CEST	2222	49725	74.14.39.7	192.168.2.3
Jun 6, 2023 23:43:16.572467089 CEST	49726	2222	192.168.2.3	74.14.39.7
Jun 6, 2023 23:43:16.723673105 CEST	2222	49726	74.14.39.7	192.168.2.3
Jun 6, 2023 23:43:16.723856926 CEST	49726	2222	192.168.2.3	74.14.39.7
Jun 6, 2023 23:43:16.724138975 CEST	49726	2222	192.168.2.3	74.14.39.7
Jun 6, 2023 23:43:16.883757114 CEST	2222	49726	74.14.39.7	192.168.2.3
Jun 6, 2023 23:43:16.884465933 CEST	49727	2222	192.168.2.3	74.14.39.7
Jun 6, 2023 23:43:17.036744118 CEST	2222	49727	74.14.39.7	192.168.2.3
Jun 6, 2023 23:43:17.036863089 CEST	49727	2222	192.168.2.3	74.14.39.7
Jun 6, 2023 23:43:17.036969900 CEST	49727	2222	192.168.2.3	74.14.39.7
Jun 6, 2023 23:43:17.188668013 CEST	2222	49727	74.14.39.7	192.168.2.3
Jun 6, 2023 23:43:17.189570904 CEST	2222	49727	74.14.39.7	192.168.2.3
Jun 6, 2023 23:43:17.189701080 CEST	49727	2222	192.168.2.3	74.14.39.7
Jun 6, 2023 23:43:19.049897909 CEST	49728	2222	192.168.2.3	74.14.39.7
Jun 6, 2023 23:43:19.202702045 CEST	2222	49728	74.14.39.7	192.168.2.3
Jun 6, 2023 23:43:19.203049898 CEST	49728	2222	192.168.2.3	74.14.39.7
Jun 6, 2023 23:43:19.203618050 CEST	49728	2222	192.168.2.3	74.14.39.7
Jun 6, 2023 23:43:19.361663103 CEST	2222	49728	74.14.39.7	192.168.2.3
Jun 6, 2023 23:43:19.362502098 CEST	49729	2222	192.168.2.3	74.14.39.7
Jun 6, 2023 23:43:19.515388012 CEST	2222	49729	74.14.39.7	192.168.2.3
Jun 6, 2023 23:43:19.515501976 CEST	49729	2222	192.168.2.3	74.14.39.7
Jun 6, 2023 23:43:19.515868902 CEST	49729	2222	192.168.2.3	74.14.39.7
Jun 6, 2023 23:43:19.677449942 CEST	2222	49729	74.14.39.7	192.168.2.3
Jun 6, 2023 23:43:19.678214073 CEST	49730	2222	192.168.2.3	74.14.39.7
Jun 6, 2023 23:43:19.829617977 CEST	2222	49730	74.14.39.7	192.168.2.3
Jun 6, 2023 23:43:19.829778910 CEST	49730	2222	192.168.2.3	74.14.39.7
Jun 6, 2023 23:43:19.829926014 CEST	49730	2222	192.168.2.3	74.14.39.7
Jun 6, 2023 23:43:19.831707001 CEST	49731	2222	192.168.2.3	74.14.39.7
Jun 6, 2023 23:43:19.980777979 CEST	2222	49730	74.14.39.7	192.168.2.3
Jun 6, 2023 23:43:19.980806112 CEST	2222	49730	74.14.39.7	192.168.2.3
Jun 6, 2023 23:43:19.980878115 CEST	49730	2222	192.168.2.3	74.14.39.7
Jun 6, 2023 23:43:19.982347012 CEST	2222	49731	74.14.39.7	192.168.2.3
Jun 6, 2023 23:43:19.982445955 CEST	49731	2222	192.168.2.3	74.14.39.7
Jun 6, 2023 23:43:19.982742071 CEST	49731	2222	192.168.2.3	74.14.39.7
Jun 6, 2023 23:43:20.144462109 CEST	2222	49731	74.14.39.7	192.168.2.3
Jun 6, 2023 23:43:20.145157099 CEST	49732	2222	192.168.2.3	74.14.39.7
Jun 6, 2023 23:43:20.300904036 CEST	2222	49732	74.14.39.7	192.168.2.3
Jun 6, 2023 23:43:20.301054955 CEST	49732	2222	192.168.2.3	74.14.39.7
Jun 6, 2023 23:43:20.301310062 CEST	49732	2222	192.168.2.3	74.14.39.7
Jun 6, 2023 23:43:20.464747906 CEST	2222	49732	74.14.39.7	192.168.2.3
Jun 6, 2023 23:43:20.466057062 CEST	49733	2222	192.168.2.3	74.14.39.7
Jun 6, 2023 23:43:20.621412992 CEST	2222	49733	74.14.39.7	192.168.2.3
Jun 6, 2023 23:43:20.623039007 CEST	49733	2222	192.168.2.3	74.14.39.7
Jun 6, 2023 23:43:20.623155117 CEST	49733	2222	192.168.2.3	74.14.39.7
Jun 6, 2023 23:43:20.779586077 CEST	2222	49733	74.14.39.7	192.168.2.3
Jun 6, 2023 23:43:20.779665947 CEST	2222	49733	74.14.39.7	192.168.2.3
Jun 6, 2023 23:43:20.779896021 CEST	49733	2222	192.168.2.3	74.14.39.7
Jun 6, 2023 23:43:25.633733988 CEST	49734	2078	192.168.2.3	92.184.102.115
Jun 6, 2023 23:43:28.643013954 CEST	49734	2078	192.168.2.3	92.184.102.115
Jun 6, 2023 23:43:34.659097910 CEST	49734	2078	192.168.2.3	92.184.102.115
Jun 6, 2023 23:43:41.730359077 CEST	49735	2078	192.168.2.3	92.184.102.115
Jun 6, 2023 23:43:44.738003016 CEST	49735	2078	192.168.2.3	92.184.102.115
Jun 6, 2023 23:43:50.738643885 CEST	49735	2078	192.168.2.3	92.184.102.115
Jun 6, 2023 23:43:59.805025101 CEST	49736	2078	192.168.2.3	92.184.102.115
Jun 6, 2023 23:44:02.802022934 CEST	49736	2078	192.168.2.3	92.184.102.115
Jun 6, 2023 23:44:08.802586079 CEST	49736	2078	192.168.2.3	92.184.102.115

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 6, 2023 23:43:13.346805096 CEST	60582	53	192.168.2.3	8.8.8.8
Jun 6, 2023 23:43:13.762238026 CEST	53	60582	8.8.8.8	192.168.2.3
Jun 6, 2023 23:43:14.559228897 CEST	57134	53	192.168.2.3	8.8.8.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 6, 2023 23:43:13.346805096 CEST	192.168.2.3	8.8.8.8	0x38fa	Standard query (0)	irs.gov	A (IP address)	IN (0x0001)	false
Jun 6, 2023 23:43:14.559228897 CEST	192.168.2.3	8.8.8.8	0x610a	Standard query (0)	www.irs.gov	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jun 6, 2023 23:43:13.762238026 CEST	8.8.8.8	192.168.2.3	0x38fa	No error (0)	irs.gov		152.216.7.110	A (IP address)	IN (0x0001)	false
Jun 6, 2023 23:43:13.762238026 CEST	8.8.8.8	192.168.2.3	0x38fa	No error (0)	irs.gov		152.216.11.110	A (IP address)	IN (0x0001)	false
Jun 6, 2023 23:43:14.608652115 CEST	8.8.8.8	192.168.2.3	0x610a	No error (0)	www.irs.gov	www.irs.gov.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false

HTTP Request Dependency Graph

irs.gov

Target ID:	0
Start time:	23:40:00
Start date:	06/06/2023
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\batteryacid.dat.dll"
Imagebase:	0x1240000
File size:	126464 bytes
MD5 hash:	3B4636AE519868037940CA5C4272091B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: conhost.exePID: 5908, Parent PID: 676

General

Target ID:	1
Start time:	23:40:00
Start date:	06/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exePID: 5680, Parent PID: 676

General

Target ID:	2
Start time:	23:40:00
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\batteryacid.dat.dll",#1
Imagebase:	0xb0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exePID: 3112, Parent PID: 676

General

Target ID:	3
Start time:	23:40:00
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\batteryacid.dat.dll,l_cmsComputeInterpParams@24
Imagebase:	0xc30000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exePID: 6044, Parent PID: 5680

General

Target ID:	4
Start time:	23:40:00
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\batteryacid.dat.dll",#1
Imagebase:	0xc30000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exePID: 6064, Parent PID: 676

General

Target ID:	5
Start time:	23:40:03
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\batteryacid.dat.dll,l_cmsFloat2Half@4
Imagebase:	0x7ff745070000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exePID: 3780, Parent PID: 676

General

Target ID:	6
Start time:	23:40:06
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\batteryacid.dat.dll,l_cmsFreeInterpParams@4
Imagebase:	0xc30000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: WerFault.exePID: 128, Parent PID: 3780

General

Target ID:	9
Start time:	23:40:07
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 652
Imagebase:	0xa30000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exePID: 812, Parent PID: 676

General

Target ID:	10
Start time:	23:40:09
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\batteryacid.dat.dll",l_cmsComputeInterpParams@24
Imagebase:	0xc30000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exePID: 5640, Parent PID: 676

General

Target ID:	11
Start time:	23:40:09
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\batteryacid.dat.dll",l_cmsFloat2Half@4
Imagebase:	0xc30000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exePID: 5692, Parent PID: 676

General

Target ID:	12
Start time:	23:40:09
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\batteryacid.dat.dll",l_cmsFreeInterpParams@4
Imagebase:	0xc30000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exePID: 1396, Parent PID: 676

General

Target ID:	13
Start time:	23:40:09
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\batteryacid.dat.dll",next
Imagebase:	0xc30000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 0000000D.00000002.395308492.0000000004740000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 0000000D.00000002.392769153.000000000096A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security

Analysis Process: rundll32.exePID: 1916, Parent PID: 676

General

Target ID:	14
Start time:	23:40:09
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\batteryacid.dat.dll",lmsstrcasecmp
Imagebase:	0xc30000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exePID: 4364, Parent PID: 676

General

Target ID:	15
Start time:	23:40:09
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\batteryacid.dat.dll",lmsfilelength
Imagebase:	0xc30000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: WerFault.exePID: 7224, Parent PID: 5692

General

Target ID:	19
Start time:	23:40:10
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5692 -s 652
Imagebase:	0xa30000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: WerFault.exePID: 7236, Parent PID: 1916

General

Target ID:	20
Start time:	23:40:10
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 652
Imagebase:	0xa30000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: WerFault.exePID: 7244, Parent PID: 4364

General

Target ID:	21
Start time:	23:40:10
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 652
Imagebase:	0xa30000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: wermgr.exePID: 7404, Parent PID: 1396

General

Target ID:	22
Start time:	23:40:14
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\wermgr.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\wermgr.exe
Imagebase:	0x1140000
File size:	191904 bytes
MD5 hash:	CCF15E662ED5CE77B5FF1A7AAE305233
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

⊘No disassembly

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report batteryacid.dat.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Qbot

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Data Obfuscation

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_1771c62af96114fb83baec5ef424ae1819cb3650_82810a17_00d61356\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_1771c62af96114fb83baec5ef424ae1819cb3650_82810a17_1c6e13d3\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_26a6cc57e4ced2c19f09ae278ade2876040a245_82810a17_1c1a1441\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_7ec94696d4f5167a22d8d01ba83c94e0c28d4894_82810a17_1c121402\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1A4.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1E4.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER212.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER270.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER34A.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3A9.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5B.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF3D8.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF56F.tmp.WERInternalMetadata.xml

Windows Analysis Report
batteryacid.dat.dll

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre