Edit tour

Windows Analysis Report
VF.dll

Overview

General Information

Sample name:	VF.dll
Analysis ID:	1467983
MD5:	4c9345b4819695c678d2ce9688d95ffb
SHA1:	805fb11f46e71cd5ae00d489f3eb7385bd55df63
SHA256:	6522c2a699b499b0e84e13d6d3a88d0c78a4ea59af2b0fd3f0fbc22644a73751
Tags:	blackmoondll
Infos:

Detection

BlackMoon

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected BlackMoon Ransomware

AI detected suspicious sample

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

One or more processes crash

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6360 cmdline: loaddll32.exe "C:\Users\user\Desktop\VF.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 6080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6148 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\VF.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 5548 cmdline: rundll32.exe "C:\Users\user\Desktop\VF.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 1868 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5548 -s 600 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 5476 cmdline: rundll32.exe C:\Users\user\Desktop\VF.dll,VF_CopyFile MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 3232 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5476 -s 592 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 3272 cmdline: rundll32.exe C:\Users\user\Desktop\VF.dll,VF_GetFileMD5 MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 1272 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 596 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 4132 cmdline: rundll32.exe "C:\Users\user\Desktop\VF.dll",VF_CopyFile MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 3952 cmdline: rundll32.exe "C:\Users\user\Desktop\VF.dll",VF_GetFileMD5 MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 4464 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 600 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
KrBanker, BlackMoon	ThreatPost describes KRBanker (Blackmoon) as a banking Trojan designed to steal user credentials from various South Korean banking institutions. It was discovered in early 2014 and since then has adopted a variety of infection and credential stealing techniques.	No Attribution	http://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/ https://fidelissecurity.com/threatgeek/threat-intelligence/blackmoon-banking-trojan-new-framework/ https://www.peppermalware.com/2019/03/analysis-of-blackmoon-banking-trojans.html https://www.proofpoint.com/us/threat-insight/post/Updated-Blackmoon-Banking-Trojan https://www.rapid7.com/blog/post/2023/07/13/old-blackmoon-trojan-new-monetization-approach/	https://malpedia.caad.fkie.fraunhofer.de/details/win.krbanker

Malware Configuration

⊘No configs have been found

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.1490901642.000000001000A000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0000000C.00000002.1490901014.000000001000A000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0000000F.00000002.1461552167.000000001000A000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
00000005.00000002.1490893505.000000001000A000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
00000010.00000002.1514288945.000000001000A000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: rundll32.exe PID: 5476	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: rundll32.exe PID: 5548	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: rundll32.exe PID: 3272	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: rundll32.exe PID: 4132	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: rundll32.exe PID: 3952	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
12.2.rundll32.exe.10000000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
12.2.rundll32.exe.10000000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0xa500:$s1: blackmoon 0x1dfce:$s1: blackmoon 0xa540:$s2: BlackMoon RunTime Error:
4.2.rundll32.exe.10000000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
4.2.rundll32.exe.10000000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0xa500:$s1: blackmoon 0x1dfce:$s1: blackmoon 0xa540:$s2: BlackMoon RunTime Error:
5.2.rundll32.exe.10000000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
5.2.rundll32.exe.10000000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0xa500:$s1: blackmoon 0x1dfce:$s1: blackmoon 0xa540:$s2: BlackMoon RunTime Error:
16.2.rundll32.exe.10000000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
16.2.rundll32.exe.10000000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0xa500:$s1: blackmoon 0x1dfce:$s1: blackmoon 0xa540:$s2: BlackMoon RunTime Error:
15.2.rundll32.exe.10000000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
15.2.rundll32.exe.10000000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0xa500:$s1: blackmoon 0x1dfce:$s1: blackmoon 0xa540:$s2: BlackMoon RunTime Error:
Click to see the 5 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: VF.dll	ReversingLabs: Detection: 26%
Source: VF.dll	Virustotal: Detection: 31%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 88.8% probability

Source: VF.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_56181ede0d43edd16fd2f5c205ffd37b12c4b76_7522e4b5_08c1258f-65b5-469b-92ba-e8e4954194b9\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_d66a9d3f657c6446ca14a6fa8b15b6c6c8a244a9_7522e4b5_17378f54-db41-48b9-93aa-2ee9f3453ff8\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4x nop then push esi

4_2_10003EF2

Source: Amcache.hve.10.dr

String found in binary or memory: http://upx.sf.net

Spam, unwanted Advertisements and Ransom Demands

Yara detected BlackMoon Ransomware

Source: Yara match	File source: 12.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1490901642.000000001000A000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1490901014.000000001000A000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1461552167.000000001000A000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1490893505.000000001000A000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1514288945.000000001000A000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5548, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 3272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 3952, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 12.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 5.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 16.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 15.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10005510	4_2_10005510
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10007130	4_2_10007130
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10006BB0	4_2_10006BB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100059B0	4_2_100059B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10005DE0	4_2_10005DE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100044F0	4_2_100044F0

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5548 -s 600

Source: VF.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: 12.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 5.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 16.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 15.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime

Source: classification engine

Classification label: mal68.rans.winDLL@18/17@0/0

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3272
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5476
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6080:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5548
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3952

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\2db35911-9d9a-42a1-9880-6e8d81d53a79

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\VF.dll,VF_CopyFile

Source: VF.dll	ReversingLabs: Detection: 26%
Source: VF.dll	Virustotal: Detection: 31%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\VF.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\VF.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\VF.dll,VF_CopyFile
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\VF.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5548 -s 600
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5476 -s 592
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\VF.dll,VF_GetFileMD5
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 596
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\VF.dll",VF_CopyFile
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\VF.dll",VF_GetFileMD5
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 600
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\VF.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\VF.dll,VF_CopyFile	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\VF.dll,VF_GetFileMD5	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\VF.dll",VF_CopyFile	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\VF.dll",VF_GetFileMD5	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\VF.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: VF.dll

Static PE information: section name: UPX2

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10007BD0 push eax; ret

4_2_10007BFE

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

API coverage: 0.0 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_56181ede0d43edd16fd2f5c205ffd37b12c4b76_7522e4b5_08c1258f-65b5-469b-92ba-e8e4954194b9\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_d66a9d3f657c6446ca14a6fa8b15b6c6c8a244a9_7522e4b5_17378f54-db41-48b9-93aa-2ee9f3453ff8\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue	Jump to behavior

Source: Amcache.hve.10.dr	Binary or memory string: VMware
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.10.dr	Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.10.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.10.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.10.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.10.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.10.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.10.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.10.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.10.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.10.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.10.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node	graph_4-2221
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node	graph_4-2107
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node	graph_4-2212
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node	graph_4-2170
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node	graph_4-2371

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10001B88 LdrResolveDelayLoadedAPI,

4_2_10001B88

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10001D00 GetProcessHeap,

4_2_10001D00

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\VF.dll",#1

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10003460 cpuid

4_2_10003460

Source: Amcache.hve.10.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Rundll32	OS Credential Dumping	31 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Software Packing	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	11 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
VF.dll	26%	ReversingLabs
VF.dll	31%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.10.dr	false	URL Reputation: safe URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1467983
Start date and time:	2024-07-05 07:59:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	VF.dll
Detection:	MAL
Classification:	mal68.rans.winDLL@18/17@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
02:00:12	API Interceptor	1x Sleep call for process: loaddll32.exe modified
02:00:15	API Interceptor	4x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_56181ede0d43edd16fd2f5c205ffd37b12c4b76_7522e4b5_08c1258f-65b5-469b-92ba-e8e4954194b9\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8271214654532402
Encrypted:	false
SSDEEP:	192:OtAsinOCmR0BU/wjeTVzuiFVZ24IO8dci:oAsiOCmSBU/wjehzuiFVY4IO8dci
MD5:	B113C860E9EEDA0D7A3E5EE6FF227881
SHA1:	35EEB85422E8CF515101B616566DC65DFAD13CFB
SHA-256:	457CEA9429893A62A62011E10A6869C0FEDA87AA31ADE2CAC4A20CBE8C326E4D
SHA-512:	11056E2D2939B72D77C9A1E156D1213BB13635A64C5C1A76AEF2A21B7200F7AE07FB6294643439A43BDDE977971B07AA70FDBFDEA4341B28AA7FEEE0C020BE86
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.4.6.3.2.8.0.9.5.8.3.4.7.1.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.4.6.3.2.8.0.9.9.2.7.2.0.6.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.8.c.1.2.5.8.f.-.6.5.b.5.-.4.6.9.b.-.9.2.b.a.-.e.8.e.4.9.5.4.1.9.4.b.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.d.8.9.9.a.0.0.-.5.f.3.a.-.4.5.d.4.-.a.3.8.1.-.3.a.c.e.c.f.b.e.9.d.0.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.c.c.8.-.0.0.0.1.-.0.0.1.4.-.d.1.4.7.-.8.7.9.7.a.0.c.e.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_56181ede0d43edd16fd2f5c205ffd37b12c4b76_7522e4b5_3a5b0d75-be14-4ffc-bfc4-c5eff016e690\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.827253312830611
Encrypted:	false
SSDEEP:	192:YCTziAObmR0BU/wjeTVzuiFVZ24IO8dci:9zixbmSBU/wjehzuiFVY4IO8dci
MD5:	F2DA340EF1542A19B9D0703596CD910A
SHA1:	23FA8B669A8884359E263F1C101F0D56F388A680
SHA-256:	6647302BCB938BC2FB782CC060246BCA31ADABE022F2D5A72B1F735340196819
SHA-512:	ACE5F26F633C9F7FE4F12C107DE44D6D92DBCD6737621D680E077DD11DED07B7EB45C3DCA5975F63E1D6C8BA976B2D4D6E1933ED7C641164262E53F988D882B1
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.4.6.3.2.8.0.6.9.4.7.6.6.6.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.4.6.3.2.8.0.8.0.1.0.1.6.2.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.a.5.b.0.d.7.5.-.b.e.1.4.-.4.f.f.c.-.b.f.c.4.-.c.5.e.f.f.0.1.6.e.6.9.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.b.1.d.5.a.7.3.-.d.4.2.3.-.4.2.6.3.-.a.8.5.4.-.2.c.7.8.8.b.f.c.b.1.0.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.a.c.-.0.0.0.1.-.0.0.1.4.-.5.5.e.6.-.b.c.9.5.a.0.c.e.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_56181ede0d43edd16fd2f5c205ffd37b12c4b76_7522e4b5_a1bd80b4-8075-4fe5-8fe0-998375c7d994\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8270734829426102
Encrypted:	false
SSDEEP:	192:CzHiL5O2mR0BU/wjeTVzuiFVZ24IO8dci:uHiM2mSBU/wjehzuiFVY4IO8dci
MD5:	B9603FED80C33484FC25F6C73C63020E
SHA1:	8BB4772F5366A5D9FFD9EDE366EF478596F2D381
SHA-256:	08097252505B0197A11C7C65B1283FAF7C2F8AC9888ED916CD22296B844AB4A1
SHA-512:	E860481CB545839983F6CFE0423ACF64759866500D66B483A6694439B2D59C9623E7E754306FA4494A8725CF564E750016F63C036629B8352370B61A4807C109
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.4.6.3.2.8.1.2.7.2.7.6.1.8.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.4.6.3.2.8.1.3.0.4.0.1.1.7.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.1.b.d.8.0.b.4.-.8.0.7.5.-.4.f.e.5.-.8.f.e.0.-.9.9.8.3.7.5.c.7.d.9.9.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.7.a.5.6.a.4.8.-.7.7.3.c.-.4.c.0.5.-.9.f.f.d.-.2.c.a.d.6.3.8.6.2.9.c.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.7.0.-.0.0.0.1.-.0.0.1.4.-.3.8.9.2.-.5.a.9.9.a.0.c.e.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_d66a9d3f657c6446ca14a6fa8b15b6c6c8a244a9_7522e4b5_17378f54-db41-48b9-93aa-2ee9f3453ff8\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8271491213401128
Encrypted:	false
SSDEEP:	192:ZkviiOymL0BU/wjeTVzuiFVZ24IO8dci:uiDymYBU/wjehzuiFVY4IO8dci
MD5:	8A3F7B3625E08D819C50992E45AC656A
SHA1:	0F402187EAE2385DF0687160D9188B316C6D945D
SHA-256:	04C0E2A6CEFE13A53E1105C117473266CBEFE6E492D22EE0718AC969E7E49F35
SHA-512:	FCF65F1B66731EF8CC84216EFD361341DB310118E9BBEB554827726993CC1D831E52C57392BE048322C966F96AE51697877F2C81ACDE527077B1C56873282EF8
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.4.6.3.2.8.0.6.9.0.0.2.9.6.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.4.6.3.2.8.0.8.0.2.5.3.0.1.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.7.3.7.8.f.5.4.-.d.b.4.1.-.4.8.b.9.-.9.3.a.a.-.2.e.e.9.f.3.4.5.3.f.f.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.1.a.1.3.e.8.b.-.3.7.d.7.-.4.2.9.a.-.a.2.b.6.-.d.f.2.5.5.7.4.d.5.4.b.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.6.4.-.0.0.0.1.-.0.0.1.4.-.a.d.9.7.-.b.a.9.5.a.0.c.e.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA274.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Jul 5 06:00:07 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	41368
Entropy (8bit):	1.9446097007693102
Encrypted:	false
SSDEEP:	192:FjRCSrnxlK+O5H4XXGw/nOIvXZVocsD6O3EvY:PC2xlq5H6XGwJvXZVTK
MD5:	CA97D438E867A9BCDEB85924D580CF16
SHA1:	A73AD97407CB258CC6AF313C7E4E151086ADC860
SHA-256:	2838F5A641D86FC66F0035454A4A4B1D2845F42076252FF9DF22E5C4E6B12341
SHA-512:	87A66859274D5872DFDDA6B68C5DA41E4A81A0F3AB4F21E3AC33951B450F8124748C873F70F32FD631C9BE8A686FD80997C330AAB7FE974840DFE63CBB9C478D
Malicious:	false
Preview:	MDMP..a..... ........f.........................................&..........T.......8...........T.......................................x...............................................................................eJ..............GenuineIntel............T.......d....f.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA2C2.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Jul 5 06:00:07 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	42248
Entropy (8bit):	1.923518320360052
Encrypted:	false
SSDEEP:	192:FaR0SHrtO5H40n7IYu5b4P2q9KLV8w+m:c0arg5HFEYu50P2n+m
MD5:	FCE6211AC6A88A7BED402C40996517E7
SHA1:	823FBEDE68489CF046EF9B1DF0CDB3AC5AB43633
SHA-256:	90D2FA926B0B594D5C0D127E22FC409FFC3B4257052B45CAD2D3516EEDE8E49C
SHA-512:	C49BAE880D08C19DC59CBA89D578F183C815D5DD6F3E50B5EB3F5FD2B34028AF536AA3F5497C55FA83881592114234284246B8D7209810E91B27F8383530BDDF
Malicious:	false
Preview:	MDMP..a..... ........f.........................................&..........T.......8...........T.......................................x...............................................................................eJ..............GenuineIntel............T............f.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA35F.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8240
Entropy (8bit):	3.6930294054293995
Encrypted:	false
SSDEEP:	192:R6l7wVeJdz646YJC6mgmfToBypru89bZbUsfqzjm:R6lXJp646Yc6mgmfToBwZbHf+6
MD5:	F5FF1BFE6E20DD07ACEEC747598F8B63
SHA1:	BC423BBFE41A117B59569BC66C047DFE242F3159
SHA-256:	5C6B3E79F3B9E36D1F7ACEEFAE0457FA6DF05BB7E40B5457E07AFD2A7149F00E
SHA-512:	12FADE83025B3A9F33DCCF5DACD14E608889B88DB533DD21ECEAB2AF20B7C552C47A35125C76A62D2323E6E452E1A21511781ACC3545FF68C95AEDDA78048C25
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.7.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA38E.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8234
Entropy (8bit):	3.691685617991036
Encrypted:	false
SSDEEP:	192:R6l7wVeJZh60n6YAU6kugmfTWByprp89bZbhsfOzjm:R6lXJv6s6Y76kugmfTWBRZbafa6
MD5:	E557D8970EABC81C91B0B9229A484CA7
SHA1:	98F81C3F764D2F4CDBEF7A5A40C050F7C868AEF6
SHA-256:	4374DF4D3538E06BE415D0C8378D2AC3D5228842D832CE49C1476DF3FCFCD55B
SHA-512:	C306D3E08C4D2B8AD0F75DEB32726CB7FB68FCD5D2ED1721FB98D7FE2ED97AB08E74B40E7D609770A95C6EC6B71BD71C3F19DE331C8C58C7901454EC12BBD4D6
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.5.4.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA38F.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4634
Entropy (8bit):	4.4535434577080215
Encrypted:	false
SSDEEP:	48:cvIwWl8zslZJg77aI9+xWpW8VYRYm8M4JCdP3fzF8+q8/r/nIGScSzd:uIjfZI78g7VVJZlJ3zd
MD5:	5C14426AA33CE407CBA1826A223B3EB8
SHA1:	57CB42D6FB7D3ABC41D285C7E2BC7B4ABBEDB6E1
SHA-256:	8D22A4B956E7EEE566065F377DA3E3857F5CBE33265D20F3CCBE83B0B9FA5C23
SHA-512:	A91BF3ECE0D5F96CAB794A5B6A72F601B163DA252CB82277548879B43B35EA34D2BD1C2B74F4991DC9729F39D58D3BFCFD109CF04B6ACCCFBB0947F94C3E7179
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="397262" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA3AE.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4634
Entropy (8bit):	4.453729521383179
Encrypted:	false
SSDEEP:	48:cvIwWl8zslZJg77aI9+xWpW8VYNeYm8M4JCdP3fbFa2j+q8/r/n+XGScSh6d:uIjfZI78g7V6XJQNJ3h6d
MD5:	7DA330E697280D699D61494C9E5475FA
SHA1:	0CCD26A4CC924E114098B5E5D61FF7D1E64ADEB9
SHA-256:	3803EE666FE883528A014D3708AE991C494172D658A6E68F587AE7ADFBED8EB6
SHA-512:	7B809E082A803C572B8B67E2060CD795469CFAEB9933BFACE3418C220B39E474C67F0405E8FD8D06B106E2AAA1725991933C02AD93F53BC2DA16D04D46E5149E
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="397262" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAD03.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Jul 5 06:00:09 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	41376
Entropy (8bit):	1.9728162966507188
Encrypted:	false
SSDEEP:	96:5K8NWrkL/UjhguYN0Rv/dSklj+CD3sCzkQoi75I4v4EvzP1FKocYR6Bv+4X0qoXd:TMlRdSskdO5H4kP4XwoD8WnqMIWhlCQ
MD5:	F716F4C1E43ADBA40E2776C58D8FEFBB
SHA1:	8B3FA27B1895EAC3F4905C83CEDEB9C7D56DBB1A
SHA-256:	7F3871A4B7581D553AE38A603F077739F3F6B33C24B17E8A5FD0064CEEC0935D
SHA-512:	9731F032E8A2E8BB8A01B52C3E6F35B452F287722EBE5BACFCD446811608E9C7AFC160EE09C90F6BBEDD8F962333020497F50AAE75669B01EB07EC810ED8872D
Malicious:	false
Preview:	MDMP..a..... ........f.........................................&..........T.......8...........T.......................................x...............................................................................eJ..............GenuineIntel............T............f.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAD61.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8242
Entropy (8bit):	3.6929634068200525
Encrypted:	false
SSDEEP:	192:R6l7wVeJpH6T6YJn6VgmfTWBypra89bLusfcZm:R6lXJJ6T6Yp6VgmfTWB0Ltfv
MD5:	FB1802E412B74B9E57088EAFF3012D6D
SHA1:	42B2D80D27A201B60C3B22245C8AC7F0D7EA4895
SHA-256:	EFE82360BCA5C8F10C5B1CE560D84C6E8E9BE2652721FFCE1AC7799C2322B304
SHA-512:	0C7775518ADAE576B52C3E9EE676B3F25F8A23082675213180BD57A3532C99A6D3A535049AEAE092CA2CDB94C384DFC36C41D1F693FE05CDE8FFD1EF742B49CE
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.2.7.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAD82.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4634
Entropy (8bit):	4.451689281537518
Encrypted:	false
SSDEEP:	48:cvIwWl8zslZJg77aI9+xWpW8VY2Ym8M4JCdP3fbFq3TI+q8/r/n2qGScSLd:uIjfZI78g7VqJHDIdqJ3Ld
MD5:	344433D8D61EAACC2E0EF48360F29372
SHA1:	9D8A62232150D30DDD045090A98B03B6380DEE06
SHA-256:	C1712DDBCCB8DEF26EC095FB723A3BC1DC92E7E7804151260934E984F355C7C5
SHA-512:	944AA6C3A005A7E2681C026CB50C4A3471D12D944931CA4A12E64928BFBC1F39D8CF2349FCBBB7600E080B392F4E7AA34978433B0AD75E1532D64B012C4DC2E3
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="397262" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB938.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Jul 5 06:00:12 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	41204
Entropy (8bit):	1.9873052186072686
Encrypted:	false
SSDEEP:	192:uZFZRqSgNO5H4XnEa6K8daeyG3CIkjSCo5g0:mfqnA5HcE5JdaTG3dk+H
MD5:	BE715B26E6455B769DE930A21BA92380
SHA1:	BB3334086FED78DB3FE70F5B548CE00D6CA64F3A
SHA-256:	A41D52E6F748764C38C41E271F659C4C73B4CE001E65266A75095F0521260261
SHA-512:	645DEF6189E95B8EF2F8FB7B19B7459B529E97B8F499F901208BBC9A8162C60766FE046F1BA4AA58EDF61B223EDFBA53143CBA20252C3E652F4F8490F1956C64
Malicious:	false
Preview:	MDMP..a..... ........f.........................................&..........T.......8...........T...............L.......................x...............................................................................eJ..............GenuineIntel............T.......p....f.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB9B6.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8232
Entropy (8bit):	3.691520125574412
Encrypted:	false
SSDEEP:	192:R6l7wVeJ4h6pm6YBq6UAzFgmfTWByprt89b55sf00Tm:R6lXJm646Ys6VgmfTWBN5SfE
MD5:	4D9CD3ECD8DBDDA78FFAFCB2B5D188A3
SHA1:	4CA8B9F40BF0F1081E4796F359ABBD98C810329F
SHA-256:	E17EC13956CEBC5FE597C5CF5A0133A628F2833BD7342AE996DD72F5B961A8FA
SHA-512:	2047DF76D070E756251C78E0369ED2EDA3778784BE9A247BB60E0F6FC1115C8EE82E2309454E7B526C7421B91A843013E5390CE49FFB4E30C19A201B0DFECE2A
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.9.5.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB9D6.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4634
Entropy (8bit):	4.453569392982591
Encrypted:	false
SSDEEP:	48:cvIwWl8zslZJg77aI9+xWpW8VY7Ym8M4JCdP3fbFk+q8/r/nBGScSDd:uIjfZI78g7VvJl0J3Dd
MD5:	B90A357CDB374802D62ED1F21D67C4D1
SHA1:	78F0E91C4B40F6C15D3CBB9B356602784330A7B7
SHA-256:	676C9B02057B115ED35847CB9A0880BFDAF5F79334DE3487897F59B3E6D759FD
SHA-512:	F38F5F6F8EEB502E56F576A6B19061EA292D26CBE9B8C0AAD1691DA5D7BBC77247CA9204654BBE9B0AE0D4694EC72E40B228FF039B86CE1A387EE52011995B14
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="397262" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.372882984214932
Encrypted:	false
SSDEEP:	6144:CFVfpi6ceLP/9skLmb0ayWWSPtaJG8nAge35OlMMhA2AX4WABlguNEiL:KV1QyWWI/glMM6kF7Kq
MD5:	EC00D1B6EB09D18988586B1F918D229F
SHA1:	774E99B9BACC09D917B975481E3E351B26403FA9
SHA-256:	2CE4C13E42457654F6C636D6140F86F5281D578065F007A8A792B613A07D3F6E
SHA-512:	8CDF4AFC5557AA72CD214949535FE8DCBCC0C7E5B31761FF25D764D4B0E439C921292942A1F58507E2C78CD767B9CD7CE9324A304009AB1FCCAE1AD43E056DB6
Malicious:	false
Preview:	regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.587194257344362
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 96.66% UPX compressed Win32 Executable (30571/9) 2.95% Generic Win/DOS Executable (2004/3) 0.19% DOS Executable Generic (2002/1) 0.19% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	VF.dll
File size:	23'040 bytes
MD5:	4c9345b4819695c678d2ce9688d95ffb
SHA1:	805fb11f46e71cd5ae00d489f3eb7385bd55df63
SHA256:	6522c2a699b499b0e84e13d6d3a88d0c78a4ea59af2b0fd3f0fbc22644a73751
SHA512:	6c115342ccfe01fe529ac8c4f448531fd6912b55e941c36a943c7bae484230beda11ee5deeea816e263bf1d54e989b9cfc0d90ae24e2d77b887e6af4de36f82d
SSDEEP:	384:CO90QQ/D91ZSH+chn7N6VDLvqEot7czwGQZbxEu47VP5bBSg5pxeKg:C1QM5Czz6VaEY7czwouehlfjQKg
TLSH:	1DA2BF74EA9A05E7D6833D31638945F7BBBC2D23F8D80B2FAF41141526619480C61BBC
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e...!mw.!mw.!mw.Zq{. mw..qy.#mw.Nrs.#mw..r}.#mw..K}..mw..b*.(mw.!mv..mw..K\|.?mw.!mw. mw..r\|."mw..rs. mw.Rich!mw.........PE..L..

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x1001ec30
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x5FF4065A [Tue Jan 5 06:25:30 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e83f4ebaf2b8b52e97388ac9ae41624b

Entrypoint Preview

Instruction
cmp byte ptr [esp+08h], 00000001h
jne 00007F50E89369E5h
pushad
mov esi, 1001A000h
lea edi, dword ptr [esi-00019000h]
push edi
or ebp, FFFFFFFFh
jmp 00007F50E89367FFh
nop
nop
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F50E89367F9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F50E89367DFh
mov eax, 00000001h
add ebx, ebx
jne 00007F50E89367F9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F50E89367FDh
jne 00007F50E893681Ah
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F50E8936811h
dec eax
add ebx, ebx
jne 00007F50E89367F9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007F50E89367C6h
add ebx, ebx
jne 00007F50E89367F9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007F50E8936844h
xor ecx, ecx
sub eax, 03h
jc 00007F50E8936803h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F50E8936867h
sar eax, 1
mov ebp, eax
jmp 00007F50E89367FDh
add ebx, ebx
jne 00007F50E89367F9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F50E89367BEh
inc ecx
add ebx, ebx
jne 00007F50E89367F9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F50E89367B0h
add ebx, ebx
jne 00007F50E89367F9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F50E89367E1h
jne 00007F50E89367FBh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F50E89367D6h
add ecx, 02h
cmp ebp, 00000000h

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[ C ] VS98 (6.0) SP6 build 8804
[C++] VS98 (6.0) SP6 build 8804
[C++] VS98 (6.0) build 8168
[LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x1f0d4	0x60	UPX2
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1f000	0xd4	UPX2
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x20000	0x2a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1f134	0xc	UPX2
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x19000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0x1a000	0x5000	0x5000	0c2df5fd8b06b009eb4844ced4fc61cf	False	0.95703125	data	7.8342356834224445	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX2	0x1f000	0x1000	0x200	4000d770e0fff65c4bffbbb4fa70db94	False	0.427734375	data	2.965198167683816	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x20000	0x2a8	0x400	b948c92300947416be85a320bbb8313d	False	0.3154296875	data	3.8077230178513473	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x20058	0x250	data	Chinese	China	0.46114864864864863

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect
MSVCRT.dll	atoi
USER32.dll	wsprintfA

Exports

Name	Ordinal	Address
VF_CopyFile	1	0x10001c12
VF_GetFileMD5	2	0x10001baf

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exePID: 6360, Parent PID: 4084

General

Target ID:	0
Start time:	02:00:06
Start date:	05/07/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\VF.dll"
Imagebase:	0x1b0000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6080, Parent PID: 6360

General

Target ID:	2
Start time:	02:00:06
Start date:	05/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 6148, Parent PID: 6360

General

Target ID:	3
Start time:	02:00:06
Start date:	05/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\VF.dll",#1
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 5476, Parent PID: 6360

General

Target ID:	4
Start time:	02:00:06
Start date:	05/07/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\VF.dll,VF_CopyFile
Imagebase:	0x6b0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000004.00000002.1490901642.000000001000A000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 5548, Parent PID: 6148

General

Target ID:	5
Start time:	02:00:06
Start date:	05/07/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\VF.dll",#1
Imagebase:	0x6b0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000005.00000002.1490893505.000000001000A000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 1868, Parent PID: 5548

General

Target ID:	9
Start time:	02:00:06
Start date:	05/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5548 -s 600
Imagebase:	0x2d0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 3232, Parent PID: 5476

General

Target ID:	10
Start time:	02:00:06
Start date:	05/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5476 -s 592
Imagebase:	0x2d0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 3272, Parent PID: 6360

General

Target ID:	12
Start time:	02:00:09
Start date:	05/07/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\VF.dll,VF_GetFileMD5
Imagebase:	0x6b0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 0000000C.00000002.1490901014.000000001000A000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 1272, Parent PID: 3272

General

Target ID:	14
Start time:	02:00:09
Start date:	05/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 596
Imagebase:	0x2d0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 4132, Parent PID: 6360

General

Target ID:	15
Start time:	02:00:12
Start date:	05/07/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\VF.dll",VF_CopyFile
Imagebase:	0x6b0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 0000000F.00000002.1461552167.000000001000A000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 3952, Parent PID: 6360

General

Target ID:	16
Start time:	02:00:12
Start date:	05/07/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\VF.dll",VF_GetFileMD5
Imagebase:	0x6b0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000010.00000002.1514288945.000000001000A000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 4464, Parent PID: 3952

General

Target ID:	19
Start time:	02:00:12
Start date:	05/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 600
Imagebase:	0x2d0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: rundll32.exePID: 5476, Parent PID: 6360COMMON

Execution Graph

Execution Coverage:	0.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.8%
Total number of Nodes:	394
Total number of Limit Nodes:	0

Executed Functions

Function 10001B88 Relevance: .0, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1490901642.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.1490875337.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490901642.000000001000A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490901642.000000001001D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490979013.000000001001E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1491011106.000000001001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1491037810.0000000010020000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7407d737f56514166f7da273d515ef1d285b92db4765a1ffa11225f76f1e7301
Instruction ID: edc90fc72bed4a98fd546a8f6564dd8288f7c45729d5501c1300fff41df1ace2
Opcode Fuzzy Hash: 7407d737f56514166f7da273d515ef1d285b92db4765a1ffa11225f76f1e7301
Instruction Fuzzy Hash: 73D012566091592EBA00E17E3C89EDB06CDEBC90F53D10562F650C310AF959DC428160

Non-executed Functions

Function 10003EF2 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 10003F16

Memory Dump Source

Source File: 00000004.00000002.1490901642.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.1490875337.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490901642.000000001000A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490901642.000000001001D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490979013.000000001001E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1491011106.000000001001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1491037810.0000000010020000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: ba413ab6d4f8bc987ca0994f6b9819aff9e1b9b0c612e58f3684a9c582c3456a
Instruction ID: 7ef47cc92b2b30ffd56e5f114f18e9c92f43da5cc89ed6a96ede97a2a0c19135
Opcode Fuzzy Hash: ba413ab6d4f8bc987ca0994f6b9819aff9e1b9b0c612e58f3684a9c582c3456a
Instruction Fuzzy Hash: BCD0A7F1C182D501E296CE142C017E6AEF99F172C4F055429F8D49720BCA65D598C39B

Function 10001D00 Relevance: 1.3, APIs: 1, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(10001CDA), ref: 10001D00

Memory Dump Source

Source File: 00000004.00000002.1490901642.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.1490875337.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490901642.000000001000A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490901642.000000001001D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490979013.000000001001E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1491011106.000000001001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1491037810.0000000010020000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 4f539b3326bd076799e99bc05768c580a9a82b5a34e481341541af8cc0fa585f
Instruction ID: 77bc00a3f275fcdd50627efed700517611f170b2615d276c6fdd4d552512aa06
Opcode Fuzzy Hash: 4f539b3326bd076799e99bc05768c580a9a82b5a34e481341541af8cc0fa585f
Instruction Fuzzy Hash: DCE01731A40735AFF350CB58DD84F5632D4EB097C0F058124EE0AC72AEE266AC81CBA4

Function 100044F0 Relevance: .9, Instructions: 903COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1490901642.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.1490875337.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490901642.000000001000A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490901642.000000001001D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490979013.000000001001E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1491011106.000000001001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1491037810.0000000010020000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7588268db9ad160e2392b48f534035be178d540a008719f74208fe9ed0531eb1
Instruction ID: a70778d6e45509d0a44fe0bb72c364c31e3d9338d8579bf36051556b20a1267e
Opcode Fuzzy Hash: 7588268db9ad160e2392b48f534035be178d540a008719f74208fe9ed0531eb1
Instruction Fuzzy Hash: 9B52B8767447094BD308CE9ACC9159EF3E3ABC8304F498A3CE955C3346EEB8E90A8655

Function 10006BB0 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1490901642.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.1490875337.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490901642.000000001000A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490901642.000000001001D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490979013.000000001001E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1491011106.000000001001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1491037810.0000000010020000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4bfdb248b3fb90f8076a3fe4a1e75f7bd1b50aa5aafde52d762773f77742459
Instruction ID: 309606cb97307fb1fec2b874e7b44d24a3d766d530696baa6b42a1f75b967e98
Opcode Fuzzy Hash: d4bfdb248b3fb90f8076a3fe4a1e75f7bd1b50aa5aafde52d762773f77742459
Instruction Fuzzy Hash: 6AF1BD725082818FC309CF18D9989E27BE2FFA8754B1F42F9D4499B367D732A841CB91

Function 100059B0 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1490901642.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.1490875337.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490901642.000000001000A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490901642.000000001001D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490979013.000000001001E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1491011106.000000001001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1491037810.0000000010020000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f34ecc36813702e18b76f028753ff5ddf9d07756c03771e1f7bae05f136c8da
Instruction ID: 6f2d2a86e5dd8db9a57a21b2df55b7bd15b626ebd932cdc5b6a27e34ebd3f064
Opcode Fuzzy Hash: 2f34ecc36813702e18b76f028753ff5ddf9d07756c03771e1f7bae05f136c8da
Instruction Fuzzy Hash: 6BD11479214B418FE324CF29C984AA7B7E6FF89345B14892ED8D687B55DB32F841CB40

Function 10007130 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1490901642.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.1490875337.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490901642.000000001000A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490901642.000000001001D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490979013.000000001001E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1491011106.000000001001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1491037810.0000000010020000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ce80d1a53aa7a3a508110d3d59c207b4dc73eca99c8748728bab94de493762f
Instruction ID: e5167f4d1db7e0d9de43b459b56816ad690c9698c81ca3800cca64c12913ffa3
Opcode Fuzzy Hash: 8ce80d1a53aa7a3a508110d3d59c207b4dc73eca99c8748728bab94de493762f
Instruction Fuzzy Hash: EFD189716082518FC319CF28E9D88E67BE1FFA8780B0E42F8C9898B327D7359941CB55

Function 10005510 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1490901642.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.1490875337.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490901642.000000001000A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490901642.000000001001D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490979013.000000001001E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1491011106.000000001001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1491037810.0000000010020000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d078c43817de848db57cfcdc3eee61c4f5998b4728861276352ebc94a7f9da52
Instruction ID: 31b52a9dd9392a70a1407452b4c7d32055d8a66d6a715df99a10cea97bbb8ab3
Opcode Fuzzy Hash: d078c43817de848db57cfcdc3eee61c4f5998b4728861276352ebc94a7f9da52
Instruction Fuzzy Hash: 80B11575215B418FD328CF28D9909A7B7E6FF89345B18892DD8CAC7B55EA32F841CB40

Function 10005DE0 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1490901642.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.1490875337.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490901642.000000001000A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490901642.000000001001D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490979013.000000001001E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1491011106.000000001001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1491037810.0000000010020000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4f27dd10139f30faea009d98bf7d04ad43b169fe1efa635cf320682f8d45aa
Instruction ID: bf977713c1aa96bb2c1f761dd9ee79ef989d43dc029455462c82b9c6e58d1ad9
Opcode Fuzzy Hash: 0b4f27dd10139f30faea009d98bf7d04ad43b169fe1efa635cf320682f8d45aa
Instruction Fuzzy Hash: 6E31403374558203F71DCA2F8CA12BAEBD34FC526872ED47E99C58B35AECFA45164144

Function 10003460 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1490901642.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.1490875337.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490901642.000000001000A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490901642.000000001001D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490979013.000000001001E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1491011106.000000001001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1491037810.0000000010020000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6565b83ea56570f90e29b813c4ba4bd4f1115fa2be481ef6f91c41094bd366b2
Instruction ID: b40ed2133f6396ccbd0e58348be659f324c0b454b82a1182ccbe76e846c8f4b5
Opcode Fuzzy Hash: 6565b83ea56570f90e29b813c4ba4bd4f1115fa2be481ef6f91c41094bd366b2
Instruction Fuzzy Hash: 6DE04FB1A0570C9BF720CF49D980B55B7ECE708384F208199E80CD3354E777DD448680

Function 10002D20 Relevance: 37.2, APIs: 18, Strings: 3, Instructions: 426
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,1000C528,00000104), ref: 10002D9E
strrchr.MSVCRT ref: 10002DAF
_ftol.MSVCRT ref: 10002EEE
GetCommandLineA.KERNEL32 ref: 10002F14
PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 10002F81
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 10002FB3
TranslateMessage.USER32(?), ref: 10002FBA
DispatchMessageA.USER32(?), ref: 10002FC1
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 10002FD0
wsprintfA.USER32 ref: 10003213
MessageBoxA.USER32(00000000,?,blackmoon,00000010), ref: 1000322A

Strings

ERROR, xrefs: 100031B0
blackmoon, xrefs: 10003222
BlackMoon RunTime Error:%s, xrefs: 10003198

Memory Dump Source

Source File: 00000004.00000002.1490901642.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.1490875337.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490901642.000000001000A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490901642.000000001001D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490979013.000000001001E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1491011106.000000001001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1491037810.0000000010020000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Message$Peek$CommandDispatchFileLineModuleNameTranslate_ftolstrrchrwsprintf
String ID: BlackMoon RunTime Error:%s$ERROR$blackmoon
API String ID: 3335176381-532175377
Opcode ID: 8088aa845cae719ded4129fcdaf6e409d5b142e6576664fdd162948d1be09158
Instruction ID: 26939bec827efbcc702376da814159073543130077bb4bf3a5dbaa19e04b1987
Opcode Fuzzy Hash: 8088aa845cae719ded4129fcdaf6e409d5b142e6576664fdd162948d1be09158
Instruction Fuzzy Hash: 0EC11637B806445AF220D768BC41BFF77C4E7D13F2F50413AEA45C61D8D92BAA498A62

Function 100023A0 Relevance: 13.7, APIs: 9, Instructions: 174
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1490901642.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.1490875337.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490901642.000000001000A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490901642.000000001001D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490979013.000000001001E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1491011106.000000001001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1491037810.0000000010020000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7a21d19b59c350098c805f3af552dabc0777c66890c146e2eb02242b023d7e0
Instruction ID: d0bef142230f262056ff0b3c39f5d772e11ed924ffe38e3f8a71b57cea3cd31f
Opcode Fuzzy Hash: e7a21d19b59c350098c805f3af552dabc0777c66890c146e2eb02242b023d7e0
Instruction Fuzzy Hash: 4241E6B77052152FF200DA65BC81EABF39CEB842F9B14453AF509C3506EB26F91582A2

Function 10002980 Relevance: 9.2, APIs: 6, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1490901642.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.1490875337.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490901642.000000001000A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490901642.000000001001D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490979013.000000001001E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1491011106.000000001001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1491037810.0000000010020000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07628b4ee72d7111cd7a9631a98afa0f9b0ffc9fe399dab86973989583107886
Instruction ID: 857665823ffce5b063985f2e2028a7e58ed4ffc08ae4d3d95d3dbbf98ef7c23a
Opcode Fuzzy Hash: 07628b4ee72d7111cd7a9631a98afa0f9b0ffc9fe399dab86973989583107886
Instruction Fuzzy Hash: DF51AD756043069FE710DF18CC80A9AB3E9FBC8394F85892DF94997315E770EE098B92

Function 10001DB0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 70
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 10001E16
wsprintfA.USER32 ref: 10001E2D
MessageBoxA.USER32(00000000,?,error,00000010), ref: 10001E77

Strings

error, xrefs: 10001E6F
program internal error number is %d. %s, xrefs: 10001E27

Memory Dump Source

Source File: 00000004.00000002.1490901642.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.1490875337.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490901642.000000001000A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490901642.000000001001D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490979013.000000001001E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1491011106.000000001001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1491037810.0000000010020000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: wsprintf$Message
String ID: error$program internal error number is %d. %s
API String ID: 386942524-1911117719
Opcode ID: 724e687f3b4407d52f95e225f60976656b636d89e579579481e7ec5a80fdd677
Instruction ID: 166322ed2271cc4e75ba6a4df270849a14b0df3fe62211fb83060bc59e65a108
Opcode Fuzzy Hash: 724e687f3b4407d52f95e225f60976656b636d89e579579481e7ec5a80fdd677
Instruction Fuzzy Hash: A021D275604251AFF750CB64DC95FEB33E8EF853C0F058518FA8487289E7B4DA888B62

Function 10001F30 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 10001F39
RtlReAllocateHeap.NTDLL(00570000,00000000,?,?), ref: 10001F56
RtlAllocateHeap.NTDLL(00570000,00000008,?), ref: 10001F66
MessageBoxA.USER32(00000000,1000A4F0,error,00000010), ref: 10001F7F

Strings

error, xrefs: 10001F74

Memory Dump Source

Source File: 00000004.00000002.1490901642.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.1490875337.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490901642.000000001000A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490901642.000000001001D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490979013.000000001001E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1491011106.000000001001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1491037810.0000000010020000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Heap$Allocate$MessageProcess
String ID: error
API String ID: 2868346564-1574812785
Opcode ID: 4c64006d5438db1181aa1e0bfffb4f4df65995b3f104e5c75a667043da0b28e1
Instruction ID: 64e84e69fbcbc59099e589629cfbd18fd6322677d63f43e3ccaf759687877819
Opcode Fuzzy Hash: 4c64006d5438db1181aa1e0bfffb4f4df65995b3f104e5c75a667043da0b28e1
Instruction Fuzzy Hash: 46F0B475640622BFF250C7608C89FAB3358FB847C0F008128FA859224CDB70AD448B55

Function 10001E90 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 10001E99
RtlAllocateHeap.NTDLL(00570000,00000008,?), ref: 10001EAD
MessageBoxA.USER32(00000000,1000A4F0,error,00000010), ref: 10001EC6

Strings

error, xrefs: 10001EBB

Memory Dump Source

Source File: 00000004.00000002.1490901642.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.1490875337.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490901642.000000001000A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490901642.000000001001D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490979013.000000001001E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1491011106.000000001001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1491037810.0000000010020000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Heap$AllocateMessageProcess
String ID: error
API String ID: 2992861138-1574812785
Opcode ID: f1358109da77e21d6e94303b040e8f9a08a836b558b7be48026413da71c19e42
Instruction ID: b2607e65acb529ffb868ed3d72e53af95a2fabe33535cbd14c3b7701de61cb69
Opcode Fuzzy Hash: f1358109da77e21d6e94303b040e8f9a08a836b558b7be48026413da71c19e42
Instruction Fuzzy Hash: D0E0D875A406316BF250C7709C8CFCA3654FF456C0F008120FE85D2248EB70AD488B91

Function 10001EE0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(10003B27,10002902,00000000,00000001,100028FA,00000000,?,?,?,?,?,00000000,80000004), ref: 10001EE9
RtlAllocateHeap.NTDLL(00570000,00000000,?), ref: 10001EFD
MessageBoxA.USER32(00000000,1000A4F0,error,00000010), ref: 10001F16

Strings

error, xrefs: 10001F0B

Memory Dump Source

Source File: 00000004.00000002.1490901642.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.1490875337.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490901642.000000001000A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490901642.000000001001D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490979013.000000001001E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1491011106.000000001001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1491037810.0000000010020000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Heap$AllocateMessageProcess
String ID: error
API String ID: 2992861138-1574812785
Opcode ID: c760f02dc7f1dcd9c24370a1ab235705deecc3d0a59bc2cbd99428b038e24608
Instruction ID: 905b796b1006c3dc7f6810519533650a6fc6a7700f97f0b6cd97c5451d405672
Opcode Fuzzy Hash: c760f02dc7f1dcd9c24370a1ab235705deecc3d0a59bc2cbd99428b038e24608
Instruction Fuzzy Hash: E4E0D8756402316BF210C7709C8CFCA3654FB456C0F008134FE84D2298E770AD848B90

Function 10002210 Relevance: 6.1, APIs: 4, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1490901642.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.1490875337.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490901642.000000001000A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490901642.000000001001D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490979013.000000001001E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1491011106.000000001001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1491037810.0000000010020000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1a985c0ef3129679f2a64f940742c7bbddd5e8f338715cc39ed2ab0989606ef
Instruction ID: bc9f3f8a8f7291b2387f293409c9189d340f2a3c5cab7d3895da7c8d9044da7b
Opcode Fuzzy Hash: b1a985c0ef3129679f2a64f940742c7bbddd5e8f338715cc39ed2ab0989606ef
Instruction Fuzzy Hash: D1419F713003066BF710DF68CC80BAEB3E8EF85794F810959F5949B245DB75EE468B92

Function 10003B50 Relevance: 6.1, APIs: 4, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 10003BB0
LCMapStringA.KERNEL32(00000804,00400000,?,?,00000000,00000001), ref: 10003BE4
??3@YAXPAX@Z.MSVCRT ref: 10003BF3
??3@YAXPAX@Z.MSVCRT ref: 10003C0C

Memory Dump Source

Source File: 00000004.00000002.1490901642.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.1490875337.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490901642.000000001000A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490901642.000000001001D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1490979013.000000001001E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1491011106.000000001001F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1491037810.0000000010020000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: ??3@$Stringmalloc
String ID:
API String ID: 1006641717-0
Opcode ID: e0a1510b140cb79b9dfec76fb83280e5c08aa66f994ef1d46e45e6e3958bf3e6
Instruction ID: 04d1d543f12b8c492832f5ed44df4c6af09087946df147ee179aa0220df44e69
Opcode Fuzzy Hash: e0a1510b140cb79b9dfec76fb83280e5c08aa66f994ef1d46e45e6e3958bf3e6
Instruction Fuzzy Hash: 3F11D3B26086146FF204DB64DC85F6B73EDEB89585F00C62DF74A93205EB34EA0587A2

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report VF.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_56181ede0d43edd16fd2f5c205ffd37b12c4b76_7522e4b5_08c1258f-65b5-469b-92ba-e8e4954194b9\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_56181ede0d43edd16fd2f5c205ffd37b12c4b76_7522e4b5_3a5b0d75-be14-4ffc-bfc4-c5eff016e690\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_56181ede0d43edd16fd2f5c205ffd37b12c4b76_7522e4b5_a1bd80b4-8075-4fe5-8fe0-998375c7d994\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_d66a9d3f657c6446ca14a6fa8b15b6c6c8a244a9_7522e4b5_17378f54-db41-48b9-93aa-2ee9f3453ff8\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA274.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA2C2.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA35F.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA38E.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA38F.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA3AE.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAD03.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAD61.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAD82.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB938.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB9B6.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB9D6.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

Windows Analysis Report
VF.dll

Function 10001B88 Relevance: .0, Instructions: 22
COMMON