Edit tour

Windows Analysis Report
IzFEtXcext.dll

Overview

General Information

Sample name:	IzFEtXcext.dll renamed because original name is a hash value
Original sample name:	932d230145cf8e5e9ca547606a6db8780eccc235.dll
Analysis ID:	1578342
MD5:	4515c43cca35f7436a01b8d8b795000b
SHA1:	932d230145cf8e5e9ca547606a6db8780eccc235
SHA256:	dde0053e594c5d97aa8c0030938a6c245b4516483cb401d785f91f8d621ff0fd
Tags:	dlluser-NDA0E
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Found large amount of non-executed APIs

One or more processes crash

Registers a DLL

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 2968 cmdline: loaddll32.exe "C:\Users\user\Desktop\IzFEtXcext.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 5040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6200 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\IzFEtXcext.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 6716 cmdline: rundll32.exe "C:\Users\user\Desktop\IzFEtXcext.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 6284 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6716 -s 632 MD5: C31336C1EFC2CCB44B4326EA793040F2)

regsvr32.exe (PID: 1416 cmdline: regsvr32.exe /s C:\Users\user\Desktop\IzFEtXcext.dll MD5: 878E47C8656E53AE8A8A21E927C6F7E0)

rundll32.exe (PID: 6728 cmdline: rundll32.exe C:\Users\user\Desktop\IzFEtXcext.dll,AlgUninstall MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7296 cmdline: rundll32.exe C:\Users\user\Desktop\IzFEtXcext.dll,DllCanUnloadNow MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7524 cmdline: rundll32.exe C:\Users\user\Desktop\IzFEtXcext.dll,DllGetClassObject MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 7560 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7524 -s 652 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
IzFEtXcext.dll	Equation_Kaspersky_TripleFantasy_Loader	Equation Group Malware - TripleFantasy Loader	Florian Roth	0x0:$mz: 4D 5A 0x2714:$x1: Original Innovations, LLC 0x2850:$x1: Original Innovations, LLC 0x2770:$x2: Moniter Resource Protocol 0x28f0:$x2: Moniter Resource Protocol 0x27f4:$x3: ahlhcib.dll 0x28b0:$x3: ahlhcib.dll 0x32e5:$s0: hnetcfg.HNetGetSharingServicesPage 0x34fc:$s1: hnetcfg.IcfGetOperationalMode 0x34df:$s2: hnetcfg.IcfGetDynamicFwPorts 0x324f:$s3: hnetcfg.HNetFreeFirewallLoggingSettings 0x32bf:$s4: hnetcfg.HNetGetShareAndBridgeSettings 0x329b:$s5: hnetcfg.HNetGetFirewallSettingsPage

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: IzFEtXcext.dll

Avira: detected

Multi AV Scanner detection for submitted file

Source: IzFEtXcext.dll

ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 88.3% probability

Machine Learning detection for sample

Source: IzFEtXcext.dll

Joe Sandbox ML: detected

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_7002145D GetProcessHeap,CryptAcquireContextA,CryptAcquireContextA,GetLastError,GetLastError,CryptAcquireContextA,GetLastError,RtlAllocateHeap,memcpy,CryptImportKey,CryptDecrypt,GetLastError,GetLastError,HeapFree,		4_2_7002145D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_7002145D GetProcessHeap,CryptAcquireContextA,CryptAcquireContextA,GetLastError,GetLastError,CryptAcquireContextA,GetLastError,RtlAllocateHeap,memcpy,CryptImportKey,CryptDecrypt,GetLastError,GetLastError,HeapFree,		15_2_7002145D

Source: IzFEtXcext.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: IzFEtXcext.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: Amcache.hve.10.dr

String found in binary or memory: http://upx.sf.net

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_7002145D GetProcessHeap,CryptAcquireContextA,CryptAcquireContextA,GetLastError,GetLastError,CryptAcquireContextA,GetLastError,RtlAllocateHeap,memcpy,CryptImportKey,CryptDecrypt,GetLastError,GetLastError,HeapFree,		4_2_7002145D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_7002145D GetProcessHeap,CryptAcquireContextA,CryptAcquireContextA,GetLastError,GetLastError,CryptAcquireContextA,GetLastError,RtlAllocateHeap,memcpy,CryptImportKey,CryptDecrypt,GetLastError,GetLastError,HeapFree,		15_2_7002145D

System Summary

Malicious sample detected (through community Yara rule)

Source: IzFEtXcext.dll, type: SAMPLE

Matched rule: Equation Group Malware - TripleFantasy Loader Author: Florian Roth

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6716 -s 632

Source: IzFEtXcext.dll

Binary or memory string: OriginalFilenameahlhcib.dllT vs IzFEtXcext.dll

Source: IzFEtXcext.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: IzFEtXcext.dll, type: SAMPLE

Matched rule: Equation_Kaspersky_TripleFantasy_Loader date = 2015/02/16, author = Florian Roth, description = Equation Group Malware - TripleFantasy Loader, reference = http://goo.gl/ivt8EW, hash = 4ce6e77a11b443cc7cbe439b71bf39a39d3d7fa3

Source: classification engine

Classification label: mal72.winDLL@16/9@0/0

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5040:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6716
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7524

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\d6241a85-f2f5-44f5-b598-e52ed0d5f638

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\IzFEtXcext.dll",#1

Source: IzFEtXcext.dll

ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\IzFEtXcext.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\IzFEtXcext.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\IzFEtXcext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\IzFEtXcext.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\IzFEtXcext.dll,AlgUninstall
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6716 -s 632
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\IzFEtXcext.dll,DllCanUnloadNow
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\IzFEtXcext.dll,DllGetClassObject
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7524 -s 652
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\IzFEtXcext.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\IzFEtXcext.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\IzFEtXcext.dll,AlgUninstall	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\IzFEtXcext.dll,DllCanUnloadNow	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\IzFEtXcext.dll,DllGetClassObject	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\IzFEtXcext.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: hnetcfg.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: hnetcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: gpapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: IzFEtXcext.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_70039EF0 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

4_2_70039EF0

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\IzFEtXcext.dll

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_7002290B push ecx; ret	4_2_7002291B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_7003922F push esp; ret	4_2_70039231
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_70022C4D push ecx; ret	4_2_70022C60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_700251A0 push eax; ret	4_2_70025151
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_700250F0 push eax; ret	4_2_70025151
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_700398FD push eax; ret	4_2_700398FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_7002290B push ecx; ret	15_2_7002291B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_7003922F push esp; ret	15_2_70039231
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_70022C4D push ecx; ret	15_2_70022C60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_700251A0 push eax; ret	15_2_70025151
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_700250F0 push eax; ret	15_2_70025151
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_700398FD push eax; ret	15_2_700398FE

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 8.1 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 8.1 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: Amcache.hve.10.dr	Binary or memory string: VMware
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.10.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.10.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.10.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.10.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.10.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.10.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.10.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.10.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.10.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.10.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.10.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_70039EF0 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

4_2_70039EF0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_70021AF8 GetProcessHeap,GetLastError,LoadLibraryW,memset,GetProcAddress,HeapFree,

4_2_70021AF8

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_7002291C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		4_2_7002291C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_7002291C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		15_2_7002291C

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\IzFEtXcext.dll",#1

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_70022C86 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

4_2_70022C86

Source: Amcache.hve.10.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	11 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Process Injection	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Obfuscated Files or Information	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Regsvr32	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
IzFEtXcext.dll	68%	ReversingLabs	Win32.Backdoor.Tripfant
IzFEtXcext.dll	100%	Avira	HEUR/AGEN.1303018
IzFEtXcext.dll	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ax-0001.ax-msedge.net	150.171.27.10	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.10.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578342
Start date and time:	2024-12-19 15:47:37 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	IzFEtXcext.dll renamed because original name is a hash value
Original Sample Name:	932d230145cf8e5e9ca547606a6db8780eccc235.dll
Detection:	MAL
Classification:	mal72.winDLL@16/9@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 6 Number of non-executed functions: 18
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.22, 23.50.252.137, 23.50.131.196, 20.190.147.2, 13.107.246.63, 20.190.177.85, 20.199.58.43, 2.16.158.43, 20.12.23.50, 150.171.27.10, 2.16.158.187, 20.223.35.26
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, onedsblobprdwus17.westus.cloudapp.azure.com, tse1.mm.bing.net, ctldl.windowsupdate.com, g.bing.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: IzFEtXcext.dll

Simulations

Behavior and APIs

Time	Type	Description
09:48:40	API Interceptor	2x Sleep call for process: WerFault.exe modified
09:48:42	API Interceptor	1x Sleep call for process: loaddll32.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ax-0001.ax-msedge.net	slifdgjsidfg19.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	150.171.28.10
	1AqzGcCKey.exe	Get hash	malicious	Quasar	Browse	150.171.27.10
	kqeGVKtpy2.exe	Get hash	malicious	Quasar	Browse	150.171.28.10
	22054200882739718047.js	Get hash	malicious	Strela Downloader	Browse	150.171.27.10
	bPkG0wTVon.exe	Get hash	malicious	Unknown	Browse	150.171.27.10
	https://pdf.ac/4lLzbt	Get hash	malicious	Unknown	Browse	150.171.28.10
	https://www.bing.com/ck/a?!&&p=24da94b1cbc4e30be5abd9acb5737b3bdb775a56c39aac0141dd9c17c937dea1JmltdHM9MTczMzI3MDQwMA&ptn=3&ver=2&hsh=4&fclid=1bf8b81c-3b95-652f-24ec-ad573a81643b&u=a1aHR0cHM6Ly93d3cueXV4aW5na2V0YW5nLmNvbS9jb2xsZWN0aW9ucy90aHJvdy1ibGFua2V0cw#aHR0cHM6Ly9Uby5lZW1qaGl1bHoucnUvek83UkZORy8=	Get hash	malicious	Unknown	Browse	150.171.28.10
	vOizfcQSGf.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	150.171.27.10
	tasktow.exe	Get hash	malicious	Unknown	Browse	150.171.27.10
	R4qP4YM0QX.lnk	Get hash	malicious	Unknown	Browse	150.171.27.10

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_255419d945c1e89cc97b96e830561efe4d641b3_7522e4b5_716053aa-568c-4701-99cd-fab61842df58\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8712161294243119
Encrypted:	false
SSDEEP:	96:V8qFj86iawhVyjsj94sWKYfXQXIDcQvc6QcEVcw3cE/O/a/z+HbHg/BQAS/YyNlR:VXzibOj60BU/wjeTnzuiFXZ24IO8dci
MD5:	D5820A0B8FA574E093D963B80557918C
SHA1:	D7B2D13737FC57A3672C0EB845C35813B82F3912
SHA-256:	150D85CEB9529D07EB565268D04A259C28CA3F523245F468F2608C12AC938F0E
SHA-512:	42A30FABDD645FBF4024A6FC12BC499F37295E2D39FBB95768B487D9A02EB5F56226C4E7BA246B6B83955927A45C386BCE6FF58D781534B80FD6C2E668273834
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.0.9.3.3.1.4.6.8.3.9.1.0.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.0.9.3.3.1.5.3.5.5.7.8.6.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.1.6.0.5.3.a.a.-.5.6.8.c.-.4.7.0.1.-.9.9.c.d.-.f.a.b.6.1.8.4.2.d.f.5.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.b.e.9.1.0.4.9.-.e.1.9.3.-.4.f.a.3.-.8.2.6.9.-.f.d.8.d.5.d.d.e.3.4.6.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.3.c.-.0.0.0.1.-.0.0.1.5.-.a.7.6.4.-.e.5.1.3.2.5.5.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_bfc594c9b5e6635f267b4433069414ad87bb028_7522e4b5_5b657a5b-e1f6-4fa0-9d95-ed9954c6a13c\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8713598234561436
Encrypted:	false
SSDEEP:	96:JaF5u6i7hVyVsj94svyeUfgQXIDcQvc6QcEVcw3cE/O/a/z+HbHg/BQAS/YyNl4M:Q/i7OVKM0BU/wjeTnzuiFXZ24IO8dci
MD5:	7E924E3F97AB661AE90D09040ED42793
SHA1:	B1C1772CD61F226E3EA1AFC8FB2680242797A8CD
SHA-256:	4E07C86A6DCC62AF10BB6871276870CB7129D96E7953D7344E82F169C731F293
SHA-512:	E2F0DE5CB47952550634550F9EC202458E32BC15726396011889EE53D6E50FB48EA5F8A62A4F4631FCF93830D116481B7E0063DA4116620B50B12113671EFD00
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.0.9.3.3.2.0.2.0.6.2.8.1.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.0.9.3.3.2.0.5.1.8.7.8.0.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.b.6.5.7.a.5.b.-.e.1.f.6.-.4.f.a.0.-.9.d.9.5.-.e.d.9.9.5.4.c.6.a.1.3.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.4.9.b.b.7.8.7.-.e.6.7.d.-.4.e.1.d.-.9.4.4.a.-.d.3.3.a.3.2.e.8.3.f.d.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.6.4.-.0.0.0.1.-.0.0.1.5.-.0.e.0.3.-.7.f.1.7.2.5.5.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER662B.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Dec 19 14:48:34 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	42536
Entropy (8bit):	2.0149278252846283
Encrypted:	false
SSDEEP:	192:XFlBTYO5H4xmqICk5/eX6DH9I2R+ZyCqYWS1wIANp:55HaInl6OdI8wyCkI
MD5:	796648BA43565E158323CAF1FFA06DAF
SHA1:	64EBFA95D91CC69EBB8F13F708E8CAA314C3FED4
SHA-256:	2C042C40FB44B0A5C16F54C5D0CB845AB92BF1D0E840EE52DE44A51F541FF240
SHA-512:	FE926C7729D4C0A025B5E78646E181D00601A36BAAA26E96CD2A6458E13AF9E8AC51578D431DAD690A7C1616516B849FB474A2EF12CBA0A58B1046B95AD62201
Malicious:	false
Preview:	MDMP..a..... .......B2dg........................x................*..........T.......8...........T...........8...........................................................................................................eJ..............GenuineIntel............T.......<...A2dg.............................0..=...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER66D8.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8270
Entropy (8bit):	3.6890324148615474
Encrypted:	false
SSDEEP:	192:R6l7wVeJDjX6INrT6YPDF6kgmfToRFprG89bLFsfD5m:R6lXJvX6INv6Y7F6kgmfToRnLefg
MD5:	CF766BDA49942A7957683E841313567A
SHA1:	3AE45A7E82E03587F136FF6F25CB62E54ECAF87A
SHA-256:	50558730CBB6AFBC49D60D0D1A3CA27D8576E242C4CF42C5D8F1FA0107BDE33F
SHA-512:	440421EA7B29ECB0A8BED929D2E473925BD32DB88B2354ADB3FF40CAD1E193EEDA99835D09D06C57597CBA50F07ECFFE8833CC5B0E63DC70151858F058022C72
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.1.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6708.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4658
Entropy (8bit):	4.458644910919505
Encrypted:	false
SSDEEP:	48:cvIwWl8zsLJg77aI9aNWpW8VYy+Ym8M4JCdPPFDoP+q8/4V2GScSQd:uIjflI7c87VFJvx2J3Qd
MD5:	EB9273035F36F1BE41F2C717ED20288E
SHA1:	66DCFF1EB97DEEB42E719D2A6F43470446210517
SHA-256:	EF0157CDF0C5842E0386730170A3CB5A1AF3AB0A19A72C5F1CDAA7CD11750D05
SHA-512:	8D9754E566D7BC468B0490959A107B16D0190B4789AFCF6F9FE0DF1082A09C26A9BF0D9BFD0389DB1D9C551F297D13594F52DFDB1733AF01951DBDE5D1C38EE2
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="638271" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7BB6.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Dec 19 14:48:40 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	43096
Entropy (8bit):	1.9909085218283005
Encrypted:	false
SSDEEP:	192:1ilUACXO5H4r+C4uKC2ypwbN2/rLjJ/OZR7N1:T+5H+UyGbN2D2R7
MD5:	E1D8B3318E1639211E028526F6A62691
SHA1:	C90237D8EFB7C31A731571223D60CBACBDC3F82D
SHA-256:	A49E759DC6C57BCEF3CEAF0F6C4201D99FCE084C46263D24053C4D855F66B270
SHA-512:	320E6964379AC3D7A701C971C020381ACD2ECFF970CE58C802E5868C9ABD51F7FFC3C77B3AECD23A2F61A0FA68AD1684B14664227B7CD32BA6695893F2C23655
Malicious:	false
Preview:	MDMP..a..... .......H2dg........................x................*..........T.......8...........T......................................................................................................................eJ..............GenuineIntel............T.......d...G2dg.............................0..=...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7C25.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8272
Entropy (8bit):	3.6908295696004862
Encrypted:	false
SSDEEP:	192:R6l7wVeJBC6INQ6YvF6dgmfTDasFprG89bYosf1Im:R6lXJU6INQ6Yt6dgmfTDasHYbff
MD5:	ACBCB89C20337424FF933D41C276E20E
SHA1:	C47C6BB65A42AE24CEE7C540D934606F45B564EA
SHA-256:	2F877CDA13E00927105C859B4047FD6669F12E03752C90FDE338BCAF34F29C5F
SHA-512:	9B8D46A4696E96D7C1B5E9A9AECE434B35D8D69F500C7F4A9A96040D46ED9A0D7140AF010FCA5312FA2F8114459E48614ED0F3DC1389819966D6C47354E9F290
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.2.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7C45.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4660
Entropy (8bit):	4.461997528110649
Encrypted:	false
SSDEEP:	48:cvIwWl8zsLJg77aI9aNWpW8VYAFYm8M4JCdPEFa+q8/khGScSrd:uIjflI7c87VgJOjJ3rd
MD5:	65F5E0D1581BCB9FA742F7224E37C0A8
SHA1:	2E4074B890EAA8A62AE99F66BBACC29023B3A750
SHA-256:	E5E7C078309E590253D427B704FF78615843EB7A381FB8D156C3FFEA62D6E84B
SHA-512:	A9951A466D5AFD34AFE7C57EFA4763A4376FA45A5F3246D25557696BCA794C5D1B6F77C99B585E85E14EDF6099144886EE7822E7ACC68303873271FEABC21BA7
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="638271" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.46938292780555
Encrypted:	false
SSDEEP:	6144:azZfpi6ceLPx9skLmb0fYZWSP3aJG8nAgeiJRMMhA2zX4WABluuNFjDH5S:8ZHtYZWOKnMM6bFpHj4
MD5:	8D585BCFD6F6549B23D833989ADD5112
SHA1:	2DD5422F95CA7F0BEBAF09A597BE9E4DB806D7CA
SHA-256:	CAB02F466319F077F26B6DBF7D64A34ED029B8F16232460AB307E48BECC2BF2D
SHA-512:	7632426F69B8D4495CD77C6EBCB3C303164FE8612BB874FE9C16F803951916358B3889A05047BD74C0784B30E2093B41DB37E125F496C041C3598E72292F9BE3
Malicious:	false
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmR\|O.%R...............................................................................................................................................................................................................................................................................................................................................DY ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	6.949016542225932
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 96.66% UPX compressed Win32 Executable (30571/9) 2.95% Generic Win/DOS Executable (2004/3) 0.19% DOS Executable Generic (2002/1) 0.19% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	IzFEtXcext.dll
File size:	14'375 bytes
MD5:	4515c43cca35f7436a01b8d8b795000b
SHA1:	932d230145cf8e5e9ca547606a6db8780eccc235
SHA256:	dde0053e594c5d97aa8c0030938a6c245b4516483cb401d785f91f8d621ff0fd
SHA512:	e3c036a5f5cb56a6e4806300f9e8bda1acad5620d4fe173860db7f53231a426e6dee20f74775b9e156279c4ea9750ad77bdf32798263647a106f889b083b58f1
SSDEEP:	192:/GomsOhWi4ai7+YtjrT8Z22QGmhSJHEVEA0s9k4eUOAYReqOwTNYv1eok27:/G7rHiM22XOP9kDUoW
TLSH:	35526BCDB27A4516F29F6F346BFB1366812AB50051634FDF39AA400D98D26AC8FE1311
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;.S.UQS.UQS.UQ.L+QR.UQtN(QU.UQtN.QQ.UQtN;Q\.UQtN8Qm.UQS.UQQ.UQ..FQT.UQS.TQ>.UQ<..QT.UQtN+QR.UQ<..QR.UQ<..QR.UQ<..QR.UQRichS.U

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x10019ef0
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x4987029F [Mon Feb 2 14:26:39 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	6bd2700562ffdb62092d7dd437dc94b3

Entrypoint Preview

Instruction
cmp byte ptr [esp+08h], 00000001h
jne 00007F075CC2ED1Fh
pushad
mov esi, 10018000h
lea edi, dword ptr [esi-00017000h]
push edi
jmp 00007F075CC2EB72h
nop
nop
nop
nop
nop
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F075CC2EB69h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F075CC2EB4Fh
mov eax, 00000001h
add ebx, ebx
jne 00007F075CC2EB69h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F075CC2EB51h
jne 00007F075CC2EB6Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F075CC2EB46h
xor ecx, ecx
sub eax, 03h
jc 00007F075CC2EB6Fh
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F075CC2EBD6h
mov ebp, eax
add ebx, ebx
jne 00007F075CC2EB69h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jne 00007F075CC2EB69h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jne 00007F075CC2EB82h
inc ecx
add ebx, ebx
jne 00007F075CC2EB69h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F075CC2EB51h
jne 00007F075CC2EB6Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F075CC2EB46h
add ecx, 02h
cmp ebp, FFFFF300h
adc ecx, 01h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007F075CC2EB71h
mov al, byte ptr [edx]
inc edx
mov byte ptr [edi], al
inc edi
dec ecx
jne 00007F075CC2EB59h
jmp 00007F075CC2EAC8h
nop
mov eax, dword ptr [edx]
add edx, 00000000h

Rich Headers

Programming Language:

[ASM] VS2005 build 50727
[IMP] VS2005 build 50727
[C++] VS2005 build 50727
[ C ] VS2005 build 50727
[ C ] VS2010 build 30319
[ASM] VS2010 build 30319
[EXP] VS2010 build 30319
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x1b4d4	0xc74	.rsrc
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1b3cc	0x108	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1b000	0x3cc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1c148	0xc	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x17000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0x18000	0x3000	0x2200	6458836e1e22fdadf6e2bbd0f4c9374b	False	0.9401424632352942	data	7.702461371549278	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1b000	0x2000	0x1200	94731cef3ac522f95dbeaffb662efb25	False	0.3528645833333333	data	4.9186824754753244	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x1b05c	0x370	data			0.41704545454545455

Imports

DLL	Import
ADVAPI32.dll	CryptDecrypt
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect
msvcrt.dll	free
ntdll.dll	memcpy

Exports

Name	Ordinal	Address
AlgUninstall	49	0x1001bbb2
DllCanUnloadNow	50	0x1001bbc7
DllGetClassObject	51	0x1001bbdf
DllRegisterServer	52	0x1001bbf9
DllUnregisterServer	53	0x1001bc13
HNetDeleteRasConnection	54	0x1001bc2f
HNetFreeFirewallLoggingSettings	55	0x1001bc4f
HNetFreeSharingServicesPage	56	0x1001bc77
HNetGetFirewallSettingsPage	57	0x1001bc9b
HNetGetShareAndBridgeSettings	58	0x1001bcbf
HNetGetSharingServicesPage	59	0x1001bce5
HNetSetShareAndBridgeSettings	60	0x1001bd08
HNetSharedAccessSettingsDlg	61	0x1001bd2e
HNetSharingAndFirewallSettingsDlg	62	0x1001bd52
IcfChangeNotificationCreate	63	0x1001bd7c
IcfChangeNotificationDestroy	64	0x1001bda0
IcfCheckAppAuthorization	65	0x1001bdc5
IcfCloseDynamicFwPort	66	0x1001bde6
IcfConnect	67	0x1001be04
IcfDisconnect	68	0x1001be17
IcfFreeAdapters	69	0x1001be2d
IcfFreeDynamicFwPorts	70	0x1001be45
IcfFreeProfile	71	0x1001be63
IcfFreeString	72	0x1001be7a
IcfFreeTickets	73	0x1001be90
IcfGetAdapters	74	0x1001bea7
IcfGetCurrentProfileType	75	0x1001bebe
IcfGetDynamicFwPorts	76	0x1001bedf
IcfGetOperationalMode	77	0x1001befc
IcfGetProfile	78	0x1001bf1a
IcfGetTickets	79	0x1001bf30
IcfIsIcmpTypeAllowed	80	0x1001bf46
IcfIsPortAllowed	81	0x1001bf63
IcfOpenDynamicFwPort	82	0x1001bf7c
IcfOpenDynamicFwPortWithoutSocket	83	0x1001bf99
IcfOpenFileSharingPorts	84	0x1001bfc3
IcfRefreshPolicy	85	0x1001bfe3
IcfRemoveDisabledAuthorizedApp	86	0x1001bffc
IcfSetProfile	87	0x1001c023
IcfSetServicePermission	88	0x1001c039
IcfSubNetsGetScope	89	0x1001c059
IcfSubNetsIsStringValid	90	0x1001c074
IcfSubNetsToString	91	0x1001c094
RegisterClassObjects	92	0x1001c0af
ReleaseSingletons	93	0x1001c0cc
RevokeClassObjects	94	0x1001c0e6
WinBomConfigureHomeNet	95	0x1001c101
WinBomConfigureWindowsFirewall	96	0x1001c120

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 19, 2024 15:48:59.805536985 CET	1.1.1.1	192.168.2.6	0x4542	No error (0)	g-bing-com.ax-0001.ax-msedge.net	ax-0001.ax-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 19, 2024 15:48:59.805536985 CET	1.1.1.1	192.168.2.6	0x4542	No error (0)	ax-0001.ax-msedge.net		150.171.27.10	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:48:59.805536985 CET	1.1.1.1	192.168.2.6	0x4542	No error (0)	ax-0001.ax-msedge.net		150.171.28.10	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	09:48:33
Start date:	19/12/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\IzFEtXcext.dll"
Imagebase:	0x390000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:48:33
Start date:	19/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:48:33
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\IzFEtXcext.dll",#1
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:48:33
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\IzFEtXcext.dll
Imagebase:	0x2e0000
File size:	20'992 bytes
MD5 hash:	878E47C8656E53AE8A8A21E927C6F7E0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:48:33
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\IzFEtXcext.dll",#1
Imagebase:	0x280000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:48:33
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\IzFEtXcext.dll,AlgUninstall
Imagebase:	0x280000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:48:34
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6716 -s 632
Imagebase:	0x920000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	09:48:36
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\IzFEtXcext.dll,DllCanUnloadNow
Imagebase:	0x280000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	09:48:39
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\IzFEtXcext.dll,DllGetClassObject
Imagebase:	0x280000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	09:48:40
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7524 -s 652
Imagebase:	0x920000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	14.6%
Total number of Nodes:	302
Total number of Limit Nodes:	7

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 70021AF8 Relevance: 9.1, APIs: 6, Instructions: 65
memorylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(70023140,00000018,700211E2), ref: 70021B12
GetLastError.KERNEL32 ref: 70021B1F
LoadLibraryW.KERNELBASE(?), ref: 70021B68
memset.NTDLL ref: 70021B88
GetProcAddress.KERNEL32(00000000,00000030), ref: 70021BA2
HeapFree.KERNEL32(?,00000000,?), ref: 70021BCB

Memory Dump Source

Source File: 00000004.00000002.2237037908.0000000070021000.00000040.00000001.01000000.00000003.sdmp, Offset: 70020000, based on PE: true

Associated: 00000004.00000002.2237020495.0000000070020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2237037908.0000000070038000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2237090067.0000000070039000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2237110280.000000007003B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_70020000_rundll32.jbxd

Similarity

API ID: Heap$AddressErrorFreeLastLibraryLoadProcProcessmemset
String ID:
API String ID: 2140647643-0
Opcode ID: 14acff810782e71c14224ff260e87a868309313b422d00374aa60877441a24ce
Instruction ID: e79b9779fb92b3ce18c0766488f1603c043ea4e33a0d59d7e591b0056d27b24e
Opcode Fuzzy Hash: 14acff810782e71c14224ff260e87a868309313b422d00374aa60877441a24ce
Instruction Fuzzy Hash: 60213E71D00214DFDB129FA2AC46AEDFAF5FF58B73F30051AE551A2261E7750A428F60

Function 70039EF0 Relevance: 6.2, APIs: 4, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2237090067.0000000070039000.00000080.00000001.01000000.00000003.sdmp, Offset: 70020000, based on PE: true

Associated: 00000004.00000002.2237020495.0000000070020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2237037908.0000000070021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2237037908.0000000070038000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2237110280.000000007003B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_70020000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67ab821521b22a61d0f9c30bdfd193e4fda862af6fb7720b3fb97f9bf772daf2
Instruction ID: 236dce6cd106e0db8358fe983b89641dd764f37ff08c0d24f007ec16dfb1ab46
Opcode Fuzzy Hash: 67ab821521b22a61d0f9c30bdfd193e4fda862af6fb7720b3fb97f9bf772daf2
Instruction Fuzzy Hash: 645105716042525FD3139AB8CC80799FBE6EB42A74FA8073CD5E6C73C9E7A4580687A0

Function 700211C8 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 70021AF8: GetProcessHeap.KERNEL32(70023140,00000018,700211E2), ref: 70021B12
Part of subcall function 70021AF8: GetLastError.KERNEL32 ref: 70021B1F
Part of subcall function 70021AF8: HeapFree.KERNEL32(?,00000000,?), ref: 70021BCB

GetModuleFileNameW.KERNEL32(00000000,c:\windows\syswow64\rundll32.exe,00008000), ref: 7002120A
GetLastError.KERNEL32 ref: 70021214

Strings

c:\windows\syswow64\rundll32.exe, xrefs: 700211FC, 70021201, 70021222, 70021239
/, xrefs: 7002127F

Memory Dump Source

Source File: 00000004.00000002.2237037908.0000000070021000.00000040.00000001.01000000.00000003.sdmp, Offset: 70020000, based on PE: true

Associated: 00000004.00000002.2237020495.0000000070020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2237037908.0000000070038000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2237090067.0000000070039000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2237110280.000000007003B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_70020000_rundll32.jbxd

Similarity

API ID: ErrorHeapLast$FileFreeModuleNameProcess
String ID: /$c:\windows\syswow64\rundll32.exe
API String ID: 1384422278-378053207
Opcode ID: f4120d827ec82d291f5f4c23126745437c2036600ec98bfecc7bf404677898d8
Instruction ID: 7190e14b37b1b6236759c01c43043a3f47a2661c00b8fbc48be92d2c46aa4321
Opcode Fuzzy Hash: f4120d827ec82d291f5f4c23126745437c2036600ec98bfecc7bf404677898d8
Instruction Fuzzy Hash: 2921DE72600105EEE7009B65AD85BDFB2EEAF35BBB7700129F602D2341E7308E5A8664

Non-executed Functions

Function 7002145D Relevance: 18.1, APIs: 12, Instructions: 127
memoryencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(?,?,00000000,?,?,00000000), ref: 7002148D
CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,00000040,?,?,00000000,?,?,00000000), ref: 700214AE
GetLastError.KERNEL32(?,?,00000000,?,?,00000000), ref: 700214BA
CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,00000048,?,?,00000000,?,?,00000000), ref: 700214CD
GetLastError.KERNEL32(?,?,00000000,?,?,00000000), ref: 700214D4
RtlAllocateHeap.NTDLL(?,00000008,?), ref: 70021507
memcpy.NTDLL(0000000C,?,?,?,?,00000000,?,?,00000000), ref: 7002152E
CryptImportKey.ADVAPI32(00000000,00000000,?,00000000,00000001,?,?,?,00000000,?,?,00000000), ref: 70021543
CryptDecrypt.ADVAPI32(?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,00000000), ref: 7002155C
GetLastError.KERNEL32(?,?,00000000,?,?,00000000), ref: 70021575
GetLastError.KERNEL32(?,?,00000000,?,?,00000000), ref: 7002157F
HeapFree.KERNEL32(?,00000000,00000000,?,?,00000000,?,?,00000000), ref: 700215A6

Memory Dump Source

Source File: 00000004.00000002.2237037908.0000000070021000.00000040.00000001.01000000.00000003.sdmp, Offset: 70020000, based on PE: true

Associated: 00000004.00000002.2237020495.0000000070020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2237037908.0000000070038000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2237090067.0000000070039000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2237110280.000000007003B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_70020000_rundll32.jbxd

Similarity

API ID: CryptErrorLast$Heap$AcquireContext$AllocateDecryptFreeImportProcessmemcpy
String ID:
API String ID: 1755895236-0
Opcode ID: d51fbb49215f81f6da2d7d3adee05bb00a1167204d42b8f992171681b330320d
Instruction ID: c64bbb4e0cda2c7b3a83edabc1f09f468d339b81105af104d079fdba3ffd4708
Opcode Fuzzy Hash: d51fbb49215f81f6da2d7d3adee05bb00a1167204d42b8f992171681b330320d
Instruction Fuzzy Hash: 4541A371D00629EFDB119F91DDC4ADDBBBAFB54B66F2044A9E607A7210D3309E418B60

Function 70022C86 Relevance: 7.5, APIs: 5, Instructions: 44
timethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 70022CBA
GetCurrentProcessId.KERNEL32 ref: 70022CC6
GetCurrentThreadId.KERNEL32 ref: 70022CCE
GetTickCount.KERNEL32 ref: 70022CD6
QueryPerformanceCounter.KERNEL32(?), ref: 70022CE2

Memory Dump Source

Source File: 00000004.00000002.2237037908.0000000070021000.00000040.00000001.01000000.00000003.sdmp, Offset: 70020000, based on PE: true

Associated: 00000004.00000002.2237020495.0000000070020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2237037908.0000000070038000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2237090067.0000000070039000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2237110280.000000007003B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_70020000_rundll32.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 45c2a7b538529b5e88aa009e70076c8ccff8047cf1876331daccd2f795eb5a42
Instruction ID: 15aeb10c9ecf14f32a9a8b4ed8c02d0ca7528da8134d5da13857d9d66a64b29b
Opcode Fuzzy Hash: 45c2a7b538529b5e88aa009e70076c8ccff8047cf1876331daccd2f795eb5a42
Instruction Fuzzy Hash: 24014073C00214AFDB209BF9DC8879EB7F9FB48366F720555D802E7111D7309A428B94

Function 70021CE1 Relevance: 24.2, APIs: 16, Instructions: 202
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,?,700211A5,70021820,00000000), ref: 70021D06
RtlAllocateHeap.NTDLL(00000000,00000008,00000039), ref: 70021D1C
RtlAllocateHeap.NTDLL(?,00000008,?), ref: 70021D4F
memcpy.NTDLL(?,?,?,?,?,?,?,?,?,700211A5,70021820,00000000), ref: 70021D64
RtlAllocateHeap.NTDLL(?,00000008,?), ref: 70021D8D
memcpy.NTDLL(?,?,?,?,?,?,?,?,?,700211A5,70021820,00000000), ref: 70021DA2
RtlAllocateHeap.NTDLL(?,00000008,?), ref: 70021DCB
memcpy.NTDLL(?,?,?,?,?,?,?,?,?,700211A5,70021820,00000000), ref: 70021DE0
RtlAllocateHeap.NTDLL(?,00000008,?), ref: 70021E09
memcpy.NTDLL(?,?,?,?,?,?,?,?,?,700211A5,70021820,00000000), ref: 70021E1E
RtlAllocateHeap.NTDLL(?,00000008,?), ref: 70021E47
memcpy.NTDLL(?,?,?,?,?,?,?,?,?,700211A5,70021820,00000000), ref: 70021E5C
RtlAllocateHeap.NTDLL(?,00000008,?), ref: 70021E85
memcpy.NTDLL(?,?,?,?,?,?,?,?,?,700211A5,70021820,00000000), ref: 70021E9A
GetLastError.KERNEL32(?,?,?,?,?,?,700211A5,70021820,00000000), ref: 70021EAD
HeapFree.KERNEL32(?,00000000,?,?,?,?,?,?,?,700211A5,70021820,00000000), ref: 70021ED6

Memory Dump Source

Source File: 00000004.00000002.2237037908.0000000070021000.00000040.00000001.01000000.00000003.sdmp, Offset: 70020000, based on PE: true

Associated: 00000004.00000002.2237020495.0000000070020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2237037908.0000000070038000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2237090067.0000000070039000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2237110280.000000007003B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_70020000_rundll32.jbxd

Similarity

API ID: Heap$Allocate$memcpy$ErrorFreeLastProcess
String ID:
API String ID: 3236361993-0
Opcode ID: 6edcf7b8c769d60f924944f156100f837ee0bf068b37502f061bdea09cf28303
Instruction ID: bb68cad212365f0c5b6aefef2e52ee5730e588a549c1adcfe4c1073aea12ce1b
Opcode Fuzzy Hash: 6edcf7b8c769d60f924944f156100f837ee0bf068b37502f061bdea09cf28303
Instruction Fuzzy Hash: 57714670A01214EFDF18CF54DD94F9E7BB6AF18B22F22409CE802AB365C771AA45DB10

Function 700224C8 Relevance: 16.6, APIs: 11, Instructions: 131
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(000003E8), ref: 70022528
InterlockedCompareExchange.KERNEL32(700357EC,?,00000000), ref: 70022532
_amsg_exit.MSVCRT ref: 7002254F
__initterm_e.LIBCMT ref: 7002256A
_initterm.MSVCRT ref: 70022586
InterlockedExchange.KERNEL32(700357EC,00000000), ref: 7002259C
Sleep.KERNEL32(000003E8), ref: 700225ED
InterlockedCompareExchange.KERNEL32(700357EC,00000001,00000000), ref: 700225F8
_amsg_exit.MSVCRT ref: 7002260A
free.MSVCRT ref: 70022637
InterlockedExchange.KERNEL32(700357EC,00000000), ref: 70022659

Memory Dump Source

Source File: 00000004.00000002.2237037908.0000000070021000.00000040.00000001.01000000.00000003.sdmp, Offset: 70020000, based on PE: true

Associated: 00000004.00000002.2237020495.0000000070020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2237037908.0000000070038000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2237090067.0000000070039000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2237110280.000000007003B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_70020000_rundll32.jbxd

Similarity

API ID: ExchangeInterlocked$CompareSleep_amsg_exit$__initterm_e_inittermfree
String ID:
API String ID: 293963189-0
Opcode ID: 0fd5a9c3fbe3d8822e861f2995a75c6ef9bd6f87cefe8c9e9905cfb0378d5d1a
Instruction ID: 4130a5bd196add67c0e9f268afd4045757259e08db433cae2023839b579c5b9e
Opcode Fuzzy Hash: 0fd5a9c3fbe3d8822e861f2995a75c6ef9bd6f87cefe8c9e9905cfb0378d5d1a
Instruction Fuzzy Hash: AF41A133604201FFE7129FB6FC95B1D77AAEB40B77F30802DF906891A1DB7499418A60

Function 70021BDA Relevance: 13.6, APIs: 9, Instructions: 92
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,?,00000000,?,?,70021AB6,?,?), ref: 70021C24
RtlAllocateHeap.NTDLL(00000000,00000008,?), ref: 70021C3A
memcpy.NTDLL(-00000021,?,00000000,?,?,70021AB6,?,?), ref: 70021C5D
memcpy.NTDLL(00000000,?,?,-00000021,?,00000000,?,?,70021AB6,?,?), ref: 70021C6F
memcpy.NTDLL(?,?,?,00000000,?,?,-00000021,?,00000000,?,?,70021AB6,?,?), ref: 70021C7E
memcpy.NTDLL(?,?,?,?,?,?,00000000,?,?,-00000021,?,00000000,?,?,70021AB6,?), ref: 70021C8D
memcpy.NTDLL(?,?,?,?,?,?,?,?,?,00000000,?,?,-00000021,?,00000000), ref: 70021C9C
memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,-00000021), ref: 70021CAD
GetLastError.KERNEL32(?,?,70021AB6,?,?), ref: 70021CC7

Memory Dump Source

Source File: 00000004.00000002.2237037908.0000000070021000.00000040.00000001.01000000.00000003.sdmp, Offset: 70020000, based on PE: true

Associated: 00000004.00000002.2237020495.0000000070020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2237037908.0000000070038000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2237090067.0000000070039000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2237110280.000000007003B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_70020000_rundll32.jbxd

Similarity

API ID: memcpy$Heap$AllocateErrorLastProcess
String ID:
API String ID: 3271386352-0
Opcode ID: d7349cab97d0b1fa9266ab912c592eba20f318ced029c39187618c9dc58683f5
Instruction ID: f59bb803cbd0afb2dcffc75edb518eb9017ac6fa1c99299adf7220363da91aa4
Opcode Fuzzy Hash: d7349cab97d0b1fa9266ab912c592eba20f318ced029c39187618c9dc58683f5
Instruction Fuzzy Hash: B3313C76500204EFCF118FA5EDC1A8A7BB5FF08B65B254094ED0AAF21BC731E960DB64

Function 700215BB Relevance: 10.6, APIs: 7, Instructions: 87
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,?,00000000,?,?,?,70021A89,?,00000000,?,00000000,?,00000000), ref: 700215F4
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000,?,70021A89,?,00000000,?,00000000,?,00000000), ref: 7002160F
GetFileSize.KERNEL32(00000000,00000000,?,70021A89,?,00000000,?,00000000,?,00000000), ref: 70021621
RtlAllocateHeap.NTDLL(?,00000008,00000000), ref: 70021634
ReadFile.KERNEL32(70021A89,00000000,?,00000000,00000000,?,70021A89,?,00000000,?,00000000,?,00000000), ref: 7002164D
HeapFree.KERNEL32(?,00000000,00000000,?,70021A89,?,00000000,?,00000000,?,00000000), ref: 70021668
GetLastError.KERNEL32(?,70021A89,?,00000000,?,00000000,?,00000000), ref: 70021672

Memory Dump Source

Source File: 00000004.00000002.2237037908.0000000070021000.00000040.00000001.01000000.00000003.sdmp, Offset: 70020000, based on PE: true

Associated: 00000004.00000002.2237020495.0000000070020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2237037908.0000000070038000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2237090067.0000000070039000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2237110280.000000007003B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_70020000_rundll32.jbxd

Similarity

API ID: FileHeap$AllocateCreateErrorFreeLastProcessReadSize
String ID:
API String ID: 3933022082-0
Opcode ID: a086982794e01a2890ea47983f42d651e29e94475284d6378b5c32a39a9ded34
Instruction ID: c9d25fd044c06dd307ab4b0a6587b4bbd6cf54c5ec4d5c2bb22f361f847ee6ad
Opcode Fuzzy Hash: a086982794e01a2890ea47983f42d651e29e94475284d6378b5c32a39a9ded34
Instruction Fuzzy Hash: 3E217A70201224AFDB128F65DC8CADE7BBAEF15F72B250408F803D62A4D3309D61CBA0

Function 70021F0E Relevance: 10.6, APIs: 7, Instructions: 66
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000,?,00000000,?,?,70021A6D,?,?,?,00000000), ref: 70021F2C
GetProcessHeap.KERNEL32(?,?,70021A6D,?,?,?,00000000), ref: 70021F38
RtlAllocateHeap.NTDLL(00000000,00000008,00000000), ref: 70021F4C
ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,?,?,70021A6D,?,?,?,00000000), ref: 70021F5D
GetLastError.KERNEL32(?,?,70021A6D,?,?,?,00000000), ref: 70021F6B
HeapFree.KERNEL32(?,00000000,70021A6D,?,?,70021A6D,?,?,?,00000000), ref: 70021F87
GetLastError.KERNEL32(?,?,70021A6D,?,?,?,00000000), ref: 70021F99

Memory Dump Source

Source File: 00000004.00000002.2237037908.0000000070021000.00000040.00000001.01000000.00000003.sdmp, Offset: 70020000, based on PE: true

Associated: 00000004.00000002.2237020495.0000000070020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2237037908.0000000070038000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2237090067.0000000070039000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2237110280.000000007003B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_70020000_rundll32.jbxd

Similarity

API ID: Heap$EnvironmentErrorExpandLastStrings$AllocateFreeProcess
String ID:
API String ID: 4255420659-0
Opcode ID: e8027c9dcacad6fe719729571e1321909a090a3d8d230b2d79cf9303c7c678d0
Instruction ID: 3256f14598197a1ac38d44f4a251c5148d9bc9a9f0318d5d9c1334a26dac07cc
Opcode Fuzzy Hash: e8027c9dcacad6fe719729571e1321909a090a3d8d230b2d79cf9303c7c678d0
Instruction Fuzzy Hash: B511B231600200AFE7625F65DE88B9E7AF9FF98B62F304038B956D6351D7748C418A70

Function 7002169B Relevance: 8.9, APIs: 7, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,70021ECF,00000000,?,?,?,?,?,?,700211A5,70021820,00000000), ref: 700216B7
HeapFree.KERNEL32(?,00000000,?,?,?,?,70021ECF,00000000,?,?,?,?,?,?,700211A5,70021820), ref: 700216EA
HeapFree.KERNEL32(?,00000000,?,?,?,?,70021ECF,00000000,?,?,?,?,?,?,700211A5,70021820), ref: 70021707
HeapFree.KERNEL32(?,00000000,?,?,?,?,70021ECF,00000000,?,?,?,?,?,?,700211A5,70021820), ref: 70021724
HeapFree.KERNEL32(?,00000000,?,?,?,?,70021ECF,00000000,?,?,?,?,?,?,700211A5,70021820), ref: 70021741
HeapFree.KERNEL32(?,00000000,?,?,?,?,70021ECF,00000000,?,?,?,?,?,?,700211A5,70021820), ref: 7002175E

Memory Dump Source

Source File: 00000004.00000002.2237037908.0000000070021000.00000040.00000001.01000000.00000003.sdmp, Offset: 70020000, based on PE: true

Associated: 00000004.00000002.2237020495.0000000070020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2237037908.0000000070038000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2237090067.0000000070039000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2237110280.000000007003B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_70020000_rundll32.jbxd

Similarity

API ID: Heap$Free$Process
String ID:
API String ID: 2719409998-0
Opcode ID: a3bf90a1c613f77d26156df95df6720141e13b8691b88f963a188f5158d1edeb
Instruction ID: 7aa43be940aa377f2528f6c39e5040ec6be48b7e9f22baf724df6496d53cc487
Opcode Fuzzy Hash: a3bf90a1c613f77d26156df95df6720141e13b8691b88f963a188f5158d1edeb
Instruction Fuzzy Hash: 0931D531208649AFCB128F95EDD08ADBBFBEFB4A65760052DE18786B20C331AC45CB50

Function 7002177C Relevance: 6.3, APIs: 5, Instructions: 75
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,700211BF,00000000,00000000), ref: 70021798
HeapFree.KERNEL32(?,00000000,?,?,?,?,?,700211BF,00000000,00000000), ref: 700217C7
HeapFree.KERNEL32(?,00000000,?,?,?,?,?,700211BF,00000000,00000000), ref: 700217E4
HeapFree.KERNEL32(?,00000000,?,?,?,?,?,700211BF,00000000,00000000), ref: 70021801

Memory Dump Source

Source File: 00000004.00000002.2237037908.0000000070021000.00000040.00000001.01000000.00000003.sdmp, Offset: 70020000, based on PE: true

Associated: 00000004.00000002.2237020495.0000000070020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2237037908.0000000070038000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2237090067.0000000070039000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2237110280.000000007003B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_70020000_rundll32.jbxd

Similarity

API ID: Heap$Free$Process
String ID:
API String ID: 2719409998-0
Opcode ID: b9e4f109976dd7628ad279cb3e808e2ea696357d44cfa643136886fad7c03fbf
Instruction ID: 56cdb7f88d5dc377d70ba9e65414dfcb295b49ec61f8c1ebc3c38e11fa3051d0
Opcode Fuzzy Hash: b9e4f109976dd7628ad279cb3e808e2ea696357d44cfa643136886fad7c03fbf
Instruction Fuzzy Hash: 7721E732108149AFDB118F99EDD08AEBBFBEF64A66720483DE14797B20C331AD45CB50

Analysis Process: rundll32.exePID: 7524, Parent PID: 2968COMMON

Execution Graph

Execution Coverage:	7.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	302
Total number of Limit Nodes:	7

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 700211C8 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 70021AF8: GetProcessHeap.KERNEL32(70023140,00000018,700211E2), ref: 70021B12
Part of subcall function 70021AF8: GetLastError.KERNEL32 ref: 70021B1F
Part of subcall function 70021AF8: HeapFree.KERNEL32(?,00000000,?), ref: 70021BCB

GetModuleFileNameW.KERNEL32(00000000,c:\windows\syswow64\rundll32.exe,00008000), ref: 7002120A
GetLastError.KERNEL32 ref: 70021214

Strings

c:\windows\syswow64\rundll32.exe, xrefs: 700211FC, 70021201, 70021222, 70021239
/, xrefs: 7002127F

Memory Dump Source

Source File: 0000000F.00000002.2255814130.0000000070021000.00000040.00000001.01000000.00000003.sdmp, Offset: 70020000, based on PE: true

Associated: 0000000F.00000002.2255783568.0000000070020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2255814130.0000000070038000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2255872765.0000000070039000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2255897494.000000007003B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_70020000_rundll32.jbxd

Similarity

API ID: ErrorHeapLast$FileFreeModuleNameProcess
String ID: /$c:\windows\syswow64\rundll32.exe
API String ID: 1384422278-378053207
Opcode ID: f4120d827ec82d291f5f4c23126745437c2036600ec98bfecc7bf404677898d8
Instruction ID: 7190e14b37b1b6236759c01c43043a3f47a2661c00b8fbc48be92d2c46aa4321
Opcode Fuzzy Hash: f4120d827ec82d291f5f4c23126745437c2036600ec98bfecc7bf404677898d8
Instruction Fuzzy Hash: 2921DE72600105EEE7009B65AD85BDFB2EEAF35BBB7700129F602D2341E7308E5A8664

Function 70021AF8 Relevance: 9.1, APIs: 6, Instructions: 65
memorylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(70023140,00000018,700211E2), ref: 70021B12
GetLastError.KERNEL32 ref: 70021B1F
LoadLibraryW.KERNELBASE(?), ref: 70021B68
memset.NTDLL ref: 70021B88
GetProcAddress.KERNEL32(00000000,00000030), ref: 70021BA2
HeapFree.KERNEL32(?,00000000,?), ref: 70021BCB

Memory Dump Source

Source File: 0000000F.00000002.2255814130.0000000070021000.00000040.00000001.01000000.00000003.sdmp, Offset: 70020000, based on PE: true

Associated: 0000000F.00000002.2255783568.0000000070020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2255814130.0000000070038000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2255872765.0000000070039000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2255897494.000000007003B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_70020000_rundll32.jbxd

Similarity

API ID: Heap$AddressErrorFreeLastLibraryLoadProcProcessmemset
String ID:
API String ID: 2140647643-0
Opcode ID: 14acff810782e71c14224ff260e87a868309313b422d00374aa60877441a24ce
Instruction ID: e79b9779fb92b3ce18c0766488f1603c043ea4e33a0d59d7e591b0056d27b24e
Opcode Fuzzy Hash: 14acff810782e71c14224ff260e87a868309313b422d00374aa60877441a24ce
Instruction Fuzzy Hash: 60213E71D00214DFDB129FA2AC46AEDFAF5FF58B73F30051AE551A2261E7750A428F60

Function 70039EF0 Relevance: 6.2, APIs: 4, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.2255872765.0000000070039000.00000080.00000001.01000000.00000003.sdmp, Offset: 70020000, based on PE: true

Associated: 0000000F.00000002.2255783568.0000000070020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2255814130.0000000070021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2255814130.0000000070038000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2255897494.000000007003B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_70020000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67ab821521b22a61d0f9c30bdfd193e4fda862af6fb7720b3fb97f9bf772daf2
Instruction ID: 236dce6cd106e0db8358fe983b89641dd764f37ff08c0d24f007ec16dfb1ab46
Opcode Fuzzy Hash: 67ab821521b22a61d0f9c30bdfd193e4fda862af6fb7720b3fb97f9bf772daf2
Instruction Fuzzy Hash: 645105716042525FD3139AB8CC80799FBE6EB42A74FA8073CD5E6C73C9E7A4580687A0

Non-executed Functions

Function 7002145D Relevance: 18.1, APIs: 12, Instructions: 127
memoryencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(?,?,00000000,?,?,00000000), ref: 7002148D
CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,00000040,?,?,00000000,?,?,00000000), ref: 700214AE
GetLastError.KERNEL32(?,?,00000000,?,?,00000000), ref: 700214BA
CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,00000048,?,?,00000000,?,?,00000000), ref: 700214CD
GetLastError.KERNEL32(?,?,00000000,?,?,00000000), ref: 700214D4
RtlAllocateHeap.NTDLL(?,00000008,?), ref: 70021507
memcpy.NTDLL(0000000C,?,?,?,?,00000000,?,?,00000000), ref: 7002152E
CryptImportKey.ADVAPI32(00000000,00000000,?,00000000,00000001,?,?,?,00000000,?,?,00000000), ref: 70021543
CryptDecrypt.ADVAPI32(?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,00000000), ref: 7002155C
GetLastError.KERNEL32(?,?,00000000,?,?,00000000), ref: 70021575
GetLastError.KERNEL32(?,?,00000000,?,?,00000000), ref: 7002157F
HeapFree.KERNEL32(?,00000000,00000000,?,?,00000000,?,?,00000000), ref: 700215A6

Memory Dump Source

Source File: 0000000F.00000002.2255814130.0000000070021000.00000040.00000001.01000000.00000003.sdmp, Offset: 70020000, based on PE: true

Associated: 0000000F.00000002.2255783568.0000000070020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2255814130.0000000070038000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2255872765.0000000070039000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2255897494.000000007003B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_70020000_rundll32.jbxd

Similarity

API ID: CryptErrorLast$Heap$AcquireContext$AllocateDecryptFreeImportProcessmemcpy
String ID:
API String ID: 1755895236-0
Opcode ID: d51fbb49215f81f6da2d7d3adee05bb00a1167204d42b8f992171681b330320d
Instruction ID: c64bbb4e0cda2c7b3a83edabc1f09f468d339b81105af104d079fdba3ffd4708
Opcode Fuzzy Hash: d51fbb49215f81f6da2d7d3adee05bb00a1167204d42b8f992171681b330320d
Instruction Fuzzy Hash: 4541A371D00629EFDB119F91DDC4ADDBBBAFB54B66F2044A9E607A7210D3309E418B60

Function 70021CE1 Relevance: 24.2, APIs: 16, Instructions: 202
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,?,700211A5,70021820,00000000), ref: 70021D06
RtlAllocateHeap.NTDLL(00000000,00000008,00000039), ref: 70021D1C
RtlAllocateHeap.NTDLL(?,00000008,?), ref: 70021D4F
memcpy.NTDLL(?,?,?,?,?,?,?,?,?,700211A5,70021820,00000000), ref: 70021D64
RtlAllocateHeap.NTDLL(?,00000008,?), ref: 70021D8D
memcpy.NTDLL(?,?,?,?,?,?,?,?,?,700211A5,70021820,00000000), ref: 70021DA2
RtlAllocateHeap.NTDLL(?,00000008,?), ref: 70021DCB
memcpy.NTDLL(?,?,?,?,?,?,?,?,?,700211A5,70021820,00000000), ref: 70021DE0
RtlAllocateHeap.NTDLL(?,00000008,?), ref: 70021E09
memcpy.NTDLL(?,?,?,?,?,?,?,?,?,700211A5,70021820,00000000), ref: 70021E1E
RtlAllocateHeap.NTDLL(?,00000008,?), ref: 70021E47
memcpy.NTDLL(?,?,?,?,?,?,?,?,?,700211A5,70021820,00000000), ref: 70021E5C
RtlAllocateHeap.NTDLL(?,00000008,?), ref: 70021E85
memcpy.NTDLL(?,?,?,?,?,?,?,?,?,700211A5,70021820,00000000), ref: 70021E9A
GetLastError.KERNEL32(?,?,?,?,?,?,700211A5,70021820,00000000), ref: 70021EAD
HeapFree.KERNEL32(?,00000000,?,?,?,?,?,?,?,700211A5,70021820,00000000), ref: 70021ED6

Memory Dump Source

Source File: 0000000F.00000002.2255814130.0000000070021000.00000040.00000001.01000000.00000003.sdmp, Offset: 70020000, based on PE: true

Associated: 0000000F.00000002.2255783568.0000000070020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2255814130.0000000070038000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2255872765.0000000070039000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2255897494.000000007003B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_70020000_rundll32.jbxd

Similarity

API ID: Heap$Allocate$memcpy$ErrorFreeLastProcess
String ID:
API String ID: 3236361993-0
Opcode ID: 6edcf7b8c769d60f924944f156100f837ee0bf068b37502f061bdea09cf28303
Instruction ID: bb68cad212365f0c5b6aefef2e52ee5730e588a549c1adcfe4c1073aea12ce1b
Opcode Fuzzy Hash: 6edcf7b8c769d60f924944f156100f837ee0bf068b37502f061bdea09cf28303
Instruction Fuzzy Hash: 57714670A01214EFDF18CF54DD94F9E7BB6AF18B22F22409CE802AB365C771AA45DB10

Function 700224C8 Relevance: 16.6, APIs: 11, Instructions: 131
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(000003E8), ref: 70022528
InterlockedCompareExchange.KERNEL32(700357EC,?,00000000), ref: 70022532
_amsg_exit.MSVCRT ref: 7002254F
__initterm_e.LIBCMT ref: 7002256A
_initterm.MSVCRT ref: 70022586
InterlockedExchange.KERNEL32(700357EC,00000000), ref: 7002259C
Sleep.KERNEL32(000003E8), ref: 700225ED
InterlockedCompareExchange.KERNEL32(700357EC,00000001,00000000), ref: 700225F8
_amsg_exit.MSVCRT ref: 7002260A
free.MSVCRT ref: 70022637
InterlockedExchange.KERNEL32(700357EC,00000000), ref: 70022659

Memory Dump Source

Source File: 0000000F.00000002.2255814130.0000000070021000.00000040.00000001.01000000.00000003.sdmp, Offset: 70020000, based on PE: true

Associated: 0000000F.00000002.2255783568.0000000070020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2255814130.0000000070038000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2255872765.0000000070039000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2255897494.000000007003B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_70020000_rundll32.jbxd

Similarity

API ID: ExchangeInterlocked$CompareSleep_amsg_exit$__initterm_e_inittermfree
String ID:
API String ID: 293963189-0
Opcode ID: 0fd5a9c3fbe3d8822e861f2995a75c6ef9bd6f87cefe8c9e9905cfb0378d5d1a
Instruction ID: 4130a5bd196add67c0e9f268afd4045757259e08db433cae2023839b579c5b9e
Opcode Fuzzy Hash: 0fd5a9c3fbe3d8822e861f2995a75c6ef9bd6f87cefe8c9e9905cfb0378d5d1a
Instruction Fuzzy Hash: AF41A133604201FFE7129FB6FC95B1D77AAEB40B77F30802DF906891A1DB7499418A60

Function 70021BDA Relevance: 13.6, APIs: 9, Instructions: 92
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,?,00000000,?,?,70021AB6,?,?), ref: 70021C24
RtlAllocateHeap.NTDLL(00000000,00000008,?), ref: 70021C3A
memcpy.NTDLL(-00000021,?,00000000,?,?,70021AB6,?,?), ref: 70021C5D
memcpy.NTDLL(00000000,?,?,-00000021,?,00000000,?,?,70021AB6,?,?), ref: 70021C6F
memcpy.NTDLL(?,?,?,00000000,?,?,-00000021,?,00000000,?,?,70021AB6,?,?), ref: 70021C7E
memcpy.NTDLL(?,?,?,?,?,?,00000000,?,?,-00000021,?,00000000,?,?,70021AB6,?), ref: 70021C8D
memcpy.NTDLL(?,?,?,?,?,?,?,?,?,00000000,?,?,-00000021,?,00000000), ref: 70021C9C
memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,-00000021), ref: 70021CAD
GetLastError.KERNEL32(?,?,70021AB6,?,?), ref: 70021CC7

Memory Dump Source

Source File: 0000000F.00000002.2255814130.0000000070021000.00000040.00000001.01000000.00000003.sdmp, Offset: 70020000, based on PE: true

Associated: 0000000F.00000002.2255783568.0000000070020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2255814130.0000000070038000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2255872765.0000000070039000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2255897494.000000007003B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_70020000_rundll32.jbxd

Similarity

API ID: memcpy$Heap$AllocateErrorLastProcess
String ID:
API String ID: 3271386352-0
Opcode ID: d7349cab97d0b1fa9266ab912c592eba20f318ced029c39187618c9dc58683f5
Instruction ID: f59bb803cbd0afb2dcffc75edb518eb9017ac6fa1c99299adf7220363da91aa4
Opcode Fuzzy Hash: d7349cab97d0b1fa9266ab912c592eba20f318ced029c39187618c9dc58683f5
Instruction Fuzzy Hash: B3313C76500204EFCF118FA5EDC1A8A7BB5FF08B65B254094ED0AAF21BC731E960DB64

Function 700215BB Relevance: 10.6, APIs: 7, Instructions: 87
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,?,00000000,?,?,?,70021A89,?,00000000,?,00000000,?,00000000), ref: 700215F4
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000,?,70021A89,?,00000000,?,00000000,?,00000000), ref: 7002160F
GetFileSize.KERNEL32(00000000,00000000,?,70021A89,?,00000000,?,00000000,?,00000000), ref: 70021621
RtlAllocateHeap.NTDLL(?,00000008,00000000), ref: 70021634
ReadFile.KERNEL32(70021A89,00000000,?,00000000,00000000,?,70021A89,?,00000000,?,00000000,?,00000000), ref: 7002164D
HeapFree.KERNEL32(?,00000000,00000000,?,70021A89,?,00000000,?,00000000,?,00000000), ref: 70021668
GetLastError.KERNEL32(?,70021A89,?,00000000,?,00000000,?,00000000), ref: 70021672

Memory Dump Source

Source File: 0000000F.00000002.2255814130.0000000070021000.00000040.00000001.01000000.00000003.sdmp, Offset: 70020000, based on PE: true

Associated: 0000000F.00000002.2255783568.0000000070020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2255814130.0000000070038000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2255872765.0000000070039000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2255897494.000000007003B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_70020000_rundll32.jbxd

Similarity

API ID: FileHeap$AllocateCreateErrorFreeLastProcessReadSize
String ID:
API String ID: 3933022082-0
Opcode ID: a086982794e01a2890ea47983f42d651e29e94475284d6378b5c32a39a9ded34
Instruction ID: c9d25fd044c06dd307ab4b0a6587b4bbd6cf54c5ec4d5c2bb22f361f847ee6ad
Opcode Fuzzy Hash: a086982794e01a2890ea47983f42d651e29e94475284d6378b5c32a39a9ded34
Instruction Fuzzy Hash: 3E217A70201224AFDB128F65DC8CADE7BBAEF15F72B250408F803D62A4D3309D61CBA0

Function 70021F0E Relevance: 10.6, APIs: 7, Instructions: 66
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000,?,00000000,?,?,70021A6D,?,?,?,00000000), ref: 70021F2C
GetProcessHeap.KERNEL32(?,?,70021A6D,?,?,?,00000000), ref: 70021F38
RtlAllocateHeap.NTDLL(00000000,00000008,00000000), ref: 70021F4C
ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,?,?,70021A6D,?,?,?,00000000), ref: 70021F5D
GetLastError.KERNEL32(?,?,70021A6D,?,?,?,00000000), ref: 70021F6B
HeapFree.KERNEL32(?,00000000,70021A6D,?,?,70021A6D,?,?,?,00000000), ref: 70021F87
GetLastError.KERNEL32(?,?,70021A6D,?,?,?,00000000), ref: 70021F99

Memory Dump Source

Source File: 0000000F.00000002.2255814130.0000000070021000.00000040.00000001.01000000.00000003.sdmp, Offset: 70020000, based on PE: true

Associated: 0000000F.00000002.2255783568.0000000070020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2255814130.0000000070038000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2255872765.0000000070039000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2255897494.000000007003B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_70020000_rundll32.jbxd

Similarity

API ID: Heap$EnvironmentErrorExpandLastStrings$AllocateFreeProcess
String ID:
API String ID: 4255420659-0
Opcode ID: e8027c9dcacad6fe719729571e1321909a090a3d8d230b2d79cf9303c7c678d0
Instruction ID: 3256f14598197a1ac38d44f4a251c5148d9bc9a9f0318d5d9c1334a26dac07cc
Opcode Fuzzy Hash: e8027c9dcacad6fe719729571e1321909a090a3d8d230b2d79cf9303c7c678d0
Instruction Fuzzy Hash: B511B231600200AFE7625F65DE88B9E7AF9FF98B62F304038B956D6351D7748C418A70

Function 7002169B Relevance: 8.9, APIs: 7, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,70021ECF,00000000,?,?,?,?,?,?,700211A5,70021820,00000000), ref: 700216B7
HeapFree.KERNEL32(?,00000000,?,?,?,?,70021ECF,00000000,?,?,?,?,?,?,700211A5,70021820), ref: 700216EA
HeapFree.KERNEL32(?,00000000,?,?,?,?,70021ECF,00000000,?,?,?,?,?,?,700211A5,70021820), ref: 70021707
HeapFree.KERNEL32(?,00000000,?,?,?,?,70021ECF,00000000,?,?,?,?,?,?,700211A5,70021820), ref: 70021724
HeapFree.KERNEL32(?,00000000,?,?,?,?,70021ECF,00000000,?,?,?,?,?,?,700211A5,70021820), ref: 70021741
HeapFree.KERNEL32(?,00000000,?,?,?,?,70021ECF,00000000,?,?,?,?,?,?,700211A5,70021820), ref: 7002175E

Memory Dump Source

Source File: 0000000F.00000002.2255814130.0000000070021000.00000040.00000001.01000000.00000003.sdmp, Offset: 70020000, based on PE: true

Associated: 0000000F.00000002.2255783568.0000000070020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2255814130.0000000070038000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2255872765.0000000070039000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2255897494.000000007003B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_70020000_rundll32.jbxd

Similarity

API ID: Heap$Free$Process
String ID:
API String ID: 2719409998-0
Opcode ID: a3bf90a1c613f77d26156df95df6720141e13b8691b88f963a188f5158d1edeb
Instruction ID: 7aa43be940aa377f2528f6c39e5040ec6be48b7e9f22baf724df6496d53cc487
Opcode Fuzzy Hash: a3bf90a1c613f77d26156df95df6720141e13b8691b88f963a188f5158d1edeb
Instruction Fuzzy Hash: 0931D531208649AFCB128F95EDD08ADBBFBEFB4A65760052DE18786B20C331AC45CB50

Function 70022C86 Relevance: 7.5, APIs: 5, Instructions: 44
timethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 70022CBA
GetCurrentProcessId.KERNEL32 ref: 70022CC6
GetCurrentThreadId.KERNEL32 ref: 70022CCE
GetTickCount.KERNEL32 ref: 70022CD6
QueryPerformanceCounter.KERNEL32(?), ref: 70022CE2

Memory Dump Source

Source File: 0000000F.00000002.2255814130.0000000070021000.00000040.00000001.01000000.00000003.sdmp, Offset: 70020000, based on PE: true

Associated: 0000000F.00000002.2255783568.0000000070020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2255814130.0000000070038000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2255872765.0000000070039000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2255897494.000000007003B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_70020000_rundll32.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 45c2a7b538529b5e88aa009e70076c8ccff8047cf1876331daccd2f795eb5a42
Instruction ID: 15aeb10c9ecf14f32a9a8b4ed8c02d0ca7528da8134d5da13857d9d66a64b29b
Opcode Fuzzy Hash: 45c2a7b538529b5e88aa009e70076c8ccff8047cf1876331daccd2f795eb5a42
Instruction Fuzzy Hash: 24014073C00214AFDB209BF9DC8879EB7F9FB48366F720555D802E7111D7309A428B94

Function 7002177C Relevance: 6.3, APIs: 5, Instructions: 75
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,700211BF,00000000,00000000), ref: 70021798
HeapFree.KERNEL32(?,00000000,?,?,?,?,?,700211BF,00000000,00000000), ref: 700217C7
HeapFree.KERNEL32(?,00000000,?,?,?,?,?,700211BF,00000000,00000000), ref: 700217E4
HeapFree.KERNEL32(?,00000000,?,?,?,?,?,700211BF,00000000,00000000), ref: 70021801

Memory Dump Source

Source File: 0000000F.00000002.2255814130.0000000070021000.00000040.00000001.01000000.00000003.sdmp, Offset: 70020000, based on PE: true

Associated: 0000000F.00000002.2255783568.0000000070020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2255814130.0000000070038000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2255872765.0000000070039000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2255897494.000000007003B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_70020000_rundll32.jbxd

Similarity

API ID: Heap$Free$Process
String ID:
API String ID: 2719409998-0
Opcode ID: b9e4f109976dd7628ad279cb3e808e2ea696357d44cfa643136886fad7c03fbf
Instruction ID: 56cdb7f88d5dc377d70ba9e65414dfcb295b49ec61f8c1ebc3c38e11fa3051d0
Opcode Fuzzy Hash: b9e4f109976dd7628ad279cb3e808e2ea696357d44cfa643136886fad7c03fbf
Instruction Fuzzy Hash: 7721E732108149AFDB118F99EDD08AEBBFBEF64A66720483DE14797B20C331AD45CB50

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Module: Module Load, Network Traffic: Network Connection Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report IzFEtXcext.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_255419d945c1e89cc97b96e830561efe4d641b3_7522e4b5_716053aa-568c-4701-99cd-fab61842df58\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_bfc594c9b5e6635f267b4433069414ad87bb028_7522e4b5_5b657a5b-e1f6-4fa0-9d95-ed9954c6a13c\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER662B.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER66D8.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6708.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7BB6.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7C25.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7C45.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Network Behavior

Windows Analysis Report
IzFEtXcext.dll

Function 70021AF8 Relevance: 9.1, APIs: 6, Instructions: 65
memorylibraryloaderCOMMON

Function 70039EF0 Relevance: 6.2, APIs: 4, Instructions: 188
COMMON

Function 700211C8 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 87
COMMON

Function 7002145D Relevance: 18.1, APIs: 12, Instructions: 127
memoryencryptionCOMMON

Function 70022C86 Relevance: 7.5, APIs: 5, Instructions: 44
timethreadCOMMON

Function 70021CE1 Relevance: 24.2, APIs: 16, Instructions: 202
memoryCOMMON

Function 700224C8 Relevance: 16.6, APIs: 11, Instructions: 131
sleepCOMMON

Function 70021BDA Relevance: 13.6, APIs: 9, Instructions: 92
memoryCOMMON

Function 700215BB Relevance: 10.6, APIs: 7, Instructions: 87
memoryfileCOMMON

Function 70021F0E Relevance: 10.6, APIs: 7, Instructions: 66
memoryCOMMON

Function 7002169B Relevance: 8.9, APIs: 7, Instructions: 103
memoryCOMMON

Function 7002177C Relevance: 6.3, APIs: 5, Instructions: 75
memoryCOMMON