Windows Analysis Report
A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll

Overview

General Information

Sample name: A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll (renamed because the original name is a hash value)
Original sample name: A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.old
Analysis ID: 1587544
MD5: fd24cb5b446cc7a79d8e1613c1ec5379
SHA1: 934ab58c4084a8ceccadc85349e203494449d143
SHA256: 4f40a1038d72638de81648c9ce7904c93e413eebe4f02b972e69f5817acb65d0

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Entry point lies outside standard sections
One or more processes crash
PE file contains more sections than normal
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files

  • System is w10x64
  • loaddll32.exe (PID: 7504 cmdline: loaddll32.exe "C:\Users\user\Desktop\A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 7512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7556 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 7580 cmdline: rundll32.exe "C:\Users\user\Desktop\A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • WerFault.exe (PID: 7724 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7580 -s 616 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 7564 cmdline: rundll32.exe C:\Users\user\Desktop\A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll,Initialize MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 7744 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7564 -s 612 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 7900 cmdline: rundll32.exe "C:\Users\user\Desktop\A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll",Initialize MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 7936 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7900 -s 608 MD5: C31336C1EFC2CCB44B4326EA793040F2)
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.7% probability
Source: A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll | Static PE information: certificate valid
Source: A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: global traffic | TCP traffic: 192.168.2.7:57423 -> 162.159.36.2:53
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa
Source: A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll | String found in binary or memory: http://ocsp.digicert.com0
Source: A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll | String found in binary or memory: http://ocsp.digicert.com0A
Source: A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll | String found in binary or memory: http://ocsp.digicert.com0C
Source: A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll | String found in binary or memory: http://ocsp.digicert.com0X
Source: Amcache.hve.10.dr | String found in binary or memory: http://upx.sf.net
Source: A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll | String found in binary or memory: http://www.digicert.com/CPS0

System Summary

Source: A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll | Static PE information: section name: (6 sections with non-printable names)
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7580 -s 616
Source: A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll | Static PE information: Number of sections : 11 > 10
Source: A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll | Static PE information: Section: ZLIB complexity 0.988875679347826
Source: A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll | Static PE information: Section: ZLIB complexity 0.9970703125
Source: A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll | Static PE information: Section: .boot ZLIB complexity 0.9940867532718829
Source: classification engine | Classification label: mal60.evad.winDLL@13/13@1/0
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7580
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7564
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7512:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7900
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\dde2407c-923b-4539-a257-750ef236e615
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll,Initialize
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7564 -s 612
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll",Initialize
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7900 -s 608
Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll | Static PE information: certificate valid
Source: A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll | Static file information: File size 1884920 > 1048576
Source: A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll | Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x1bc200
Source: A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: initial sample | Static PE information: section where entry point is pointing to: .boot
Source: A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll | Static PE information: section name: (6 sections with non-printable names)
Source: A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll | Static PE information: section name: .wemod
Source: A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll | Static PE information: section name: .boot
Source: A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll | Static PE information: section name: (non-printable) entropy: 7.959611465365893
Source: A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll | Static PE information: section name: .boot entropy: 7.929755837502866
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\loaddll32.exe | System information queried: FirmwareTableInformation
Source: C:\Windows\System32\loaddll32.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Windows\System32\loaddll32.exe | Special instruction interceptor: First address: 6CFB7784 instructions caused by: Self-modifying code
Source: C:\Windows\SysWOW64\rundll32.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Windows\SysWOW64\rundll32.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Windows\SysWOW64\rundll32.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000
Source: loaddll32.exe, 00000001.00000002.2550655004.000000000113E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1879651015.000000000326A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Amcache.hve.10.dr | Binary or memory string: VMware
Source: Amcache.hve.10.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.10.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.10.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.10.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.10.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.10.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.10.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.10.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.10.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.10.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.10.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.10.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.10.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.10.drBinary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.10.drBinary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.10.drBinary or memory string: VMware Virtual RAM
Source: Amcache.hve.10.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.10.drBinary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.10.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll",#1
Source: Amcache.hve.10.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.10.drBinary or memory string: msmpeng.exe
Source: Amcache.hve.10.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.10.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.10.drBinary or memory string: MsMpEng.exe
ATT&CK matrix, one line per tactic (the number before a technique is the signature count shown in the original matrix; techniques without a number had no matching signature):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 1 Rundll32; 121 Virtualization/Sandbox Evasion; 2 Software Packing; 11 Process Injection; 1 DLL Side-Loading; 1 Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 331 Security Software Discovery; 121 Virtualization/Sandbox Evasion; 11 System Information Discovery; System Network Configuration Discovery; Internet Connection Discovery; Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 1 Non-Application Layer Protocol; 1 Application Layer Protocol; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph (text rendering of the graph image)
Behavior Graph ID: 1587544
Sample: A5815BC0-FA26-4ECC-9A97-EE9...
Startdate: 10/01/2025
Architecture: WINDOWS
Score: 60
Network nodes: bg.microsoft.map.fastly.net; 241.42.69.40.in-addr.arpa
Sample-level signatures: PE file contains section with special chars; AI detected suspicious sample
Process tree with per-process signatures:
  loaddll32.exe (started)
    signatures: Query firmware table information (likely to detect VMs); Tries to evade debugger and weak emulator (self modifying code); Tries to detect sandboxes / dynamic malware analysis system (registry check)
    cmd.exe (started)
      rundll32.exe (started)
        signature: Tries to detect sandboxes / dynamic malware analysis system (registry check)
        WerFault.exe (started)
    rundll32.exe (started)
      signature: Tries to detect sandboxes / dynamic malware analysis system (registry check)
      WerFault.exe (started)
    rundll32.exe (started)
      WerFault.exe (started)
    conhost.exe (started)

Antivirus detection for the sample:
Source: A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll
Detection: 4%
Scanner: Virustotal
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches


Contacted domains:

Name: bg.microsoft.map.fastly.net
IP: 199.232.210.172
Active: true
Malicious: false
Reputation: high

Name: 241.42.69.40.in-addr.arpa
IP: unknown
Active: unknown
Malicious: false
Reputation: high
URLs found in binaries or memory:

Name: http://upx.sf.net
Source: Amcache.hve.10.dr
Malicious: false
Reputation: high
        No contacted IP infos
        Joe Sandbox version:42.0.0 Malachite
        Analysis ID:1587544
        Start date and time:2025-01-10 14:45:18 +01:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 7m 21s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Run name:Run with higher sleep bypass
        Number of analysed new started processes analysed:21
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll
        renamed because original name is a hash value
        Original Sample Name:A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.old
        Detection:MAL
        Classification:mal60.evad.winDLL@13/13@1/0
        EGA Information:Failed
        HCA Information:Failed
        Cookbook Comments:
        • Found application associated with file extension: .dll
        • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
        • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
        • Excluded IPs from analysis (whitelisted): 199.232.210.172, 52.168.117.173, 13.107.246.45, 20.190.160.17, 20.12.23.50, 40.69.42.241, 20.109.210.53
        • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, otelrules.azureedge.net, login.live.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
        • Execution Graph export aborted for target rundll32.exe, PID 7564 because there are no executed functions
        • Execution Graph export aborted for target rundll32.exe, PID 7580 because there are no executed functions
        • Execution Graph export aborted for target rundll32.exe, PID 7900 because there are no executed functions
        • Not all processes were analyzed; the report is missing behavior information
        No simulations
        No context
        Context for bg.microsoft.map.fastly.net (associated sample name: detection, threat name, resolved IP):
        • 382215884163542302.js: malicious, Strela Downloader, 199.232.214.172
        • 2503475573085815370.js: malicious, Strela Downloader, 199.232.214.172
        • 17772451271118687.js: malicious, Strela Downloader, 199.232.210.172
        • 1353125634235611874.js: malicious, Strela Downloader, 199.232.214.172
        • 1947415746274847548.js: malicious, Strela Downloader, 199.232.210.172
        • 10848104561916132198.js: malicious, Strela Downloader, 199.232.214.172
        • 67073968285385405.js: malicious, Strela Downloader, 199.232.214.172
        • 3144522639186114061.js: malicious, Strela Downloader, 199.232.214.172
        • random.exe: malicious, LummaC Stealer, 199.232.210.172
        • 2012713416258531948.js: malicious, Strela Downloader, 199.232.210.172
        No context
        No context
        No context
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
        Category:modified
        Size (bytes):65536
        Entropy (8bit):0.850955653308338
        Encrypted:false
        SSDEEP:192:OniuOYZZ0BU/wjeTPIzuiFcnZ24IO8dci:+ivYkBU/wjeEzuiFcnY4IO8dci
        MD5:6D478CAE235747801BB08067166B5575
        SHA1:03C79DDFA885B4965EC808E355B8CC5C4278D3ED
        SHA-256:54EA2DE6B99D04AE72691738851B3CBD72D80680D140D57FBB259098CEFF79C7
        SHA-512:685D2D9C0B29249FA3C3DDA66A3F869D6F450BBDDD98812C55CF06B32FE7B278C8757423ABEEFCDE7538045978F32C26F48ED434C257860A5B297FC9C3420B04
        Malicious:false
        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.9.9.0.3.7.9.1.6.8.2.4.0.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.9.9.0.3.8.0.8.7.1.3.6.7.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.b.9.9.9.e.5.4.-.7.9.9.5.-.4.5.a.9.-.a.c.d.6.-.5.5.b.7.1.b.1.5.2.3.b.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.b.d.d.d.3.9.2.-.2.1.f.5.-.4.0.0.0.-.a.5.e.c.-.a.9.4.b.9.d.7.1.1.f.0.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.9.c.-.0.0.0.1.-.0.0.1.4.-.6.0.8.7.-.8.7.0.6.6.6.6.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):0.8507853011592911
        Encrypted:false
        SSDEEP:192:siiGOsZZ0BU/wjeTPIzuiFcnZ24IO8dci:diHskBU/wjeEzuiFcnY4IO8dci
        MD5:D0D2DF1A2B43FCC071C2D789D233DFB9
        SHA1:658A99DBB8A9F2C7ADDC1185CDBC54F2CC15AC3E
        SHA-256:751F4A86F3704934B37254019AC9A2E737BDAC25C4717CE6D353F7EECA718C5B
        SHA-512:BACB301F9000A2E6A185401582E8D7CA2B21611BD9C265F6B01C753C1A828EC9B91C1699B93AFC87A142438B69DB65B233B17350FA0FFF29257A6E72C3C57854
        Malicious:false
        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.9.9.0.3.8.2.1.3.9.5.8.0.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.9.9.0.3.8.2.5.3.0.1.8.4.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.1.3.4.f.4.2.e.-.6.a.7.a.-.4.a.0.f.-.9.9.c.5.-.e.4.1.a.9.8.3.b.9.3.5.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.4.0.6.7.7.b.6.-.f.9.1.4.-.4.3.7.c.-.b.f.f.c.-.6.a.7.9.0.5.0.5.4.1.6.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.d.c.-.0.0.0.1.-.0.0.1.4.-.b.4.d.0.-.7.1.0.8.6.6.6.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):0.8510536910460818
        Encrypted:false
        SSDEEP:192:gzSiKOuZZ0BU/wjeTPIzuiFcnZ24IO8dci:guirukBU/wjeEzuiFcnY4IO8dci
        MD5:55E21D22D4FDB31F8CA2AECE57139D31
        SHA1:3C304F4CE55A962CC9FF3698AB83A393181B9CC7
        SHA-256:F992B243292AA3B7A89DDDB7319DE1AB6962426857B70F9666AC67D5D7B3C0F5
        SHA-512:C71CD1FBC9D6B67195AE879091622D0FF79EAF5DFEB3E8E9299CF92B83DCBE2DA60A79D28ADC699021AEC576D98B2A96C6F5165A04C9FD9122816AD5F556126C
        Malicious:false
        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.9.9.0.3.7.9.2.6.9.5.4.9.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.9.9.0.3.8.0.8.9.4.5.3.5.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.6.9.d.3.5.0.3.-.b.0.8.9.-.4.7.4.3.-.b.e.2.2.-.4.a.6.3.9.0.5.7.f.0.f.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.e.6.0.b.6.0.e.-.6.6.9.f.-.4.8.f.4.-.b.b.1.9.-.6.8.9.e.2.a.d.9.4.0.3.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.8.c.-.0.0.0.1.-.0.0.1.4.-.a.7.d.d.-.8.5.0.6.6.6.6.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:Mini DuMP crash report, 14 streams, Fri Jan 10 13:46:19 2025, 0x1205a4 type
        Category:dropped
        Size (bytes):43576
        Entropy (8bit):1.939344151224375
        Encrypted:false
        SSDEEP:192:hanhlia2XNmO5H4h6YTklNR3MGRiQpXNpsc:8LgNx5H78ciQT9
        MD5:C36093824D159BB2F3701A0BB6E4977E
        SHA1:1819EBC63AEF8AA61110D1EA39DA4E57FB77B8E1
        SHA-256:6244F444D39FFA4FA81DA192184C69BCBB8644BA3CFFFF5DB77189D2BEFBE933
        SHA-512:E242606E1B9B0871B946A9F9180B4C35C66FAC59256FAE050E63D468D39B8985BF31CC3C2837D1D871AE9291E05EFDD43B915C1CF322F35E777E59375D9DBB8D
        Malicious:false
        Preview:MDMP..a..... ........$.g........................\................'..........T.......8...........T.......................................................................................................................eJ......|.......GenuineIntel............T............$.g.............................0..=...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:Mini DuMP crash report, 14 streams, Fri Jan 10 13:46:19 2025, 0x1205a4 type
        Category:dropped
        Size (bytes):43228
        Entropy (8bit):1.9187569701436427
        Encrypted:false
        SSDEEP:192:hCnhlxa2XKqcO5H4h1p7Np5e30dALYlORpr:MLdV5H6e3mALr
        MD5:09BD0D245E0BD6EC29892E536EE94CAC
        SHA1:82525F8F35F930C9EFB06A16CEE95A79B76BDAE2
        SHA-256:BFD604D2108136BE249426BA42857A08D97653FE4C95A62AEAEEFBF5F15002DC
        SHA-512:5E454B67EB38D93A13E41CA7012B02BBA7C86DB58A6E495D948CBF2096B089256E5E07BFA25F3992CF52AE5E32B7BFB31F93C48825652E70A15DF6CCC29254BB
        Malicious:false
        Preview:MDMP..a..... ........$.g........................\................'..........T.......8...........T...........H...........................................................................................................eJ......|.......GenuineIntel............T............$.g.............................0..=...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
        Category:dropped
        Size (bytes):8350
        Entropy (8bit):3.705825551017608
        Encrypted:false
        SSDEEP:192:R6l7wVeJPX6Ip96YqT6YgmfTHp3prt89bPYsfvlm:R6lXJP6Ip96Ym6YgmfTJgPLfQ
        MD5:EF7E279830F1BF393F657183BE08C8C1
        SHA1:B111E842850603811FEBF7AEC81F439146761A56
        SHA-256:CF2D48FAA1DF30823DEDC691C533EC27BBD31BD6DB2988BB8ABDCF0DF8139252
        SHA-512:1385AB67D08B6D1ABCCBEEEDFA2C48805769FC6DDD529635E68021C895BB18720D816FDFF710DEA38D8FA6F654B69AD4D4587192738C9E5E4583439E0E92C664
        Malicious:false
        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.8.0.<./.P.i.
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
        Category:dropped
        Size (bytes):8362
        Entropy (8bit):3.7038047433907604
        Encrypted:false
        SSDEEP:192:R6l7wVeJFj/6IoQ6Y4rZ6mZgmfTHp3pru89bPLsfIlm:R6lXJ5/6IoQ6Y66ggmfTJ9PQfn
        MD5:25ABE3A196588B3E15D7AEA4D1951B14
        SHA1:F28F470E71E2836CF6C09D23F470D98A73030DC1
        SHA-256:23421151DF35648C00C539E4AD28227A47081414317493B0D0D91F0FA973F4C2
        SHA-512:1FEADE52AA861CD0232227EE94E29E5FFE54FFA3DDBCAF0B962F03D0B11E4C939D08B24414FE3BCAD3B655C671ED3E234AB844B54E8CD22D0705276E58141017
        Malicious:false
        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.6.4.<./.P.i.
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):4738
        Entropy (8bit):4.520346982044893
        Encrypted:false
        SSDEEP:48:cvIwWl8zs4Jg77aI9PC1WpW8VYxPYm8M4JCdPUry+FAv+q8/mHqPpGScSNd:uIjf+I7IE7V1JIvvapJ3Nd
        MD5:33D91E9EF1E04A34438C0E2054E1C97B
        SHA1:3B56273BA075AD9C804D11714D44090B3EAFED76
        SHA-256:61714BD0FFC3B969876FD4D8587F0DE1B73E8A3392E581B966C4B23F9DAA64C0
        SHA-512:27F5179952894089B6546F35158DF4FF41D10BF7BAB64A85ED8379DF1C63BB5F6CA2155D977C0F948FA07F2492EC9C6A3B29FE13E1ED1F7B7B41F33BF15E5A6C
        Malicious:false
        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="669889" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):4738
        Entropy (8bit):4.521841968583321
        Encrypted:false
        SSDEEP:48:cvIwWl8zs4Jg77aI9PC1WpW8VYxqYm8M4JCdPUry+FXe+q8/mHqPTGScS6d:uIjf+I7IE7VQJI0eaTJ36d
        MD5:0938B56F1BEEA195A941C0CA221B9045
        SHA1:C3CB887460C2589785AA70D4032F7E44E3D15FE7
        SHA-256:E8969AC4A68863EE1FA1B2EB6BB6C4D70160A9585320172141D1329B7E236F4C
        SHA-512:5A31BC410F2587977FF93D171224334796A7EA04B30238D7F56BE5F9D7F0666A80AB70F734F326A52C2ECDF2522F9633213FE1D0B6D7668B8EB7BAD64C1C85E8
        Malicious:false
        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="669889" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:Mini DuMP crash report, 14 streams, Fri Jan 10 13:46:22 2025, 0x1205a4 type
        Category:dropped
        Size (bytes):43896
        Entropy (8bit):1.926178295986295
        Encrypted:false
        SSDEEP:96:5B8QEYj88WyhY4ofzLUmbUT2OwJZ08bugoi75I4v4avEXJi5cvwA/IGLZ4MPBp2V:w4jnhl6a2Xjb6O5H4hRwIN1OB61Bj8Y
        MD5:E9A66116D33470F5E182B469418CC9D0
        SHA1:7A7DA5B7BB7DE2A3B2D56616AF32A3C9F6EA0A90
        SHA-256:EF687CA475F496B9A79F207E0CAB294EDA414936A9A134608636B9D9519ACF41
        SHA-512:C8094050162C670A2BBD30A6500C1066C09F6888AC01AECD7BB593DF09FF8E579B02150288F974A2C593B824D30C8EE4C5A9A70E6829CB6F550ABDBFD1620E68
        Malicious:false
        Preview:MDMP..a..... ........$.g........................\................'..........T.......8...........T...........H...0.......................................................................................................eJ......|.......GenuineIntel............T............$.g.............................0..=...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
        Category:dropped
        Size (bytes):8372
        Entropy (8bit):3.7017145957364095
        Encrypted:false
        SSDEEP:192:R6l7wVeJbV6Ipe6Y4rJ6OxJgmfTHp3prw89b//sfuVm:R6lXJ56Ipe6YK6O/gmfTJH/kf9
        MD5:EE57621FEBB0F01C13F3ACA3B7FBA1F0
        SHA1:B3299E786175A6A6B2E4C407358FFF3D20B54A79
        SHA-256:0EC6857D27E78B308C62219DBD4C8FBD4A6FD4312DB39C2DE9E03B6432DF6D88
        SHA-512:CA51B698D12617A0D87D951205940DDB70E3571BC8DA5EE6E84D6A139788C066F8FD43933EA95D3977D87116A397BEC7B95C707BD53F3AE63649EF25C9E6A726
        Malicious:false
        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.9.0.0.<./.P.i.
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):4738
        Entropy (8bit):4.522487570417745
        Encrypted:false
        SSDEEP:48:cvIwWl8zs4Jg77aI9PC1WpW8VYxaYm8M4JCdPUry+FPS+q8/mHqPjGScSid:uIjf+I7IE7VcJIBajJ3id
        MD5:2C82DEBB52DFCA4849DE637A5E9456D5
        SHA1:9C830CBD6449236E13F23E23FBC52159EF6CFB01
        SHA-256:2DBC60A50FBACB955676281E9D8663709F3789AA80D5594E1316615025EEE511
        SHA-512:D545BCBD8B882F66A284647DAC4084E6E1FEA95E6D49CF28817E63917511693DB97FC75A9B4A6D69BB470875A8D4CA800B1CBC39046408AEC4C93165B418A3D3
        Malicious:false
        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="669889" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:MS Windows registry file, NT/2000 or above
        Category:dropped
        Size (bytes):1835008
        Entropy (8bit):4.417440877241827
        Encrypted:false
        SSDEEP:6144:Dcifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuNo5+:4i58oSWIZBk2MM6AFBWo
        MD5:6BFCC2B7AAC6C5ECA4B0C9117CAEC4F7
        SHA1:45C2B23135D5797580CCE949E8472CEA4475FCA6
        SHA-256:F29DC08F2C2C6D67795D1421EB60D67A9135C937AAF31610D566C3B89FD6B8E5
        SHA-512:C774975A2813379E1634AE6BF11688EBD36D1050F4FAF38C5DD610919DA3F58169032084EC45EEFF410D0362019CD02D3FC348ED3640B446A366E7B582F8B326
        Malicious:false
        File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
        Entropy (8bit):7.929062252311108
        TrID:
        • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
        • Generic Win/DOS Executable (2004/3) 0.20%
        • DOS Executable Generic (2002/1) 0.20%
        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
        File name:A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll
        File size:1'884'920 bytes
        MD5:fd24cb5b446cc7a79d8e1613c1ec5379
        SHA1:934ab58c4084a8ceccadc85349e203494449d143
        SHA256:4f40a1038d72638de81648c9ce7904c93e413eebe4f02b972e69f5817acb65d0
        SHA512:f8ea8023c95846ed4a7607915cbcee16ce33862ab92ab5ea43e8f48a5edfd9923a1c42d09ed3b5f72e4f8edc0b0787e881a27eaebad9acf307b1509af89af41a
        SSDEEP:49152:lkuS+piUmtOswQDL+qAFqNrayY0Qc0mx6DaDlU:7S+MU3sTOqAFUXXQjc6olU
        TLSH:299533F5B5C8F15BC896DC7AC9B9811764B8180188FDC3EC686CE6C7E955A3D03E62C8
        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.8$9.Vw9.Vw9.VwK3Uv2.VwK3Sv..VwK3Rv*.Vw(4Uv-.Vw(4Rv6.Vw(4Sv..VwK3Wv:.Vw9.Wwa.Vw.4_v8.Vw.4Vv8.Vw.4.w8.Vw.4Tv8.VwRich9.Vw.......
        Icon Hash:7ae282899bbab082
        Entrypoint:0x102ac058
        Entrypoint Section:.boot
        Digitally signed:true
        Imagebase:0x10000000
        Subsystem:windows gui
        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
        Time Stamp:0x676670F3 [Sat Dec 21 07:40:35 2024 UTC]
        TLS Callbacks:
        CLR (.Net) Version:
        OS Version Major:6
        OS Version Minor:0
        File Version Major:6
        File Version Minor:0
        Subsystem Version Major:6
        Subsystem Version Minor:0
        Import Hash:a56f115ee5ef2625bd949acaeec66b76
        Signature Valid:true
        Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
        Signature Validation Error:The operation completed successfully
        Error Number:0
        Not Before | Not After
        • 25/03/2024 01:00:00 | 28/04/2025 01:59:59
        Subject Chain
        • CN=WeMod LLC, O=WeMod LLC, L=Boston, S=Massachusetts, C=US
        Version:3
        Thumbprint MD5:A7CD84C41EE06DB0DAFCA785A17E4DAC
        Thumbprint SHA-1:519E11C560A4A2A641CBEE67AD06B098D45C3ECA
        Thumbprint SHA-256:FEBD20DCECC00083FDD7BCD1627DF973C6D80FF2405301BB987D4108ABE52D46
        Serial:0D8BA5F7457123DB75515AD17F6375F5
        Instruction
        call 00007F270CB08110h
        push ebx
        mov ebx, esp
        push ebx
        mov esi, dword ptr [ebx+08h]
        mov edi, dword ptr [ebx+10h]
        cld
        mov dl, 80h
        mov al, byte ptr [esi]
        inc esi
        mov byte ptr [edi], al
        inc edi
        mov ebx, 00000002h
        add dl, dl
        jne 00007F270CB07FC7h
        mov dl, byte ptr [esi]
        inc esi
        adc dl, dl
        jnc 00007F270CB07FACh
        add dl, dl
        jne 00007F270CB07FC7h
        mov dl, byte ptr [esi]
        inc esi
        adc dl, dl
        jnc 00007F270CB08013h
        xor eax, eax
        add dl, dl
        jne 00007F270CB07FC7h
        mov dl, byte ptr [esi]
        inc esi
        adc dl, dl
        jnc 00007F270CB080A7h
        add dl, dl
        jne 00007F270CB07FC7h
        mov dl, byte ptr [esi]
        inc esi
        adc dl, dl
        adc eax, eax
        add dl, dl
        jne 00007F270CB07FC7h
        mov dl, byte ptr [esi]
        inc esi
        adc dl, dl
        adc eax, eax
        add dl, dl
        jne 00007F270CB07FC7h
        mov dl, byte ptr [esi]
        inc esi
        adc dl, dl
        adc eax, eax
        add dl, dl
        jne 00007F270CB07FC7h
        mov dl, byte ptr [esi]
        inc esi
        adc dl, dl
        adc eax, eax
        je 00007F270CB07FCAh
        push edi
        mov eax, eax
        sub edi, eax
        mov al, byte ptr [edi]
        pop edi
        mov byte ptr [edi], al
        inc edi
        mov ebx, 00000002h
        jmp 00007F270CB07F5Bh
        mov eax, 00000001h
        add dl, dl
        jne 00007F270CB07FC7h
        mov dl, byte ptr [esi]
        inc esi
        adc dl, dl
        adc eax, eax
        add dl, dl
        jne 00007F270CB07FC7h
        mov dl, byte ptr [esi]
        inc esi
        adc dl, dl
        jc 00007F270CB07FACh
        sub eax, ebx
        mov ebx, 00000001h
        jne 00007F270CB07FEAh
        mov ecx, 00000001h
        add dl, dl
        jne 00007F270CB07FC7h
        mov dl, byte ptr [esi]
        inc esi
        adc dl, dl
        adc ecx, ecx
        add dl, dl
        jne 00007F270CB07FC7h
        mov dl, byte ptr [esi]
        inc esi
        adc dl, dl
        jc 00007F270CB07FACh
        push esi
        mov esi, edi
        sub esi, ebp
        Name | Virtual Address | Virtual Size | Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x1f000 | 0x49 | .edata
        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x20020 | 0x34 | .idata
        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x21000 | 0x1d8 | .rsrc
        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1c9c00 | 0x26f8 | .wemod
        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
        (unprintable name) | 0x1000 | 0xe949 | 0x8a00 | eae6c96dfc9f22e38008ae706d29670e | False | 0.988875679347826 | data | 7.959611465365893 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        (unprintable name) | 0x10000 | 0x81fa | 0x2e00 | eee6e0a86c91828da0980071cea1d0cd | False | 0.9858186141304348 | data | 7.892359903119882 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        (unprintable name) | 0x19000 | 0x15c0 | 0x400 | 064cd50f16b7ce89240e0ce56fcc9091 | False | 0.619140625 | data | 5.3761717928772494 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        (unprintable name) | 0x1b000 | 0x80 | 0x200 | c5f8b924da0b4c2bc0533079849018c9 | False | 0.525390625 | data | 3.4081500494081083 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        (unprintable name) | 0x1c000 | 0x1e0 | 0x200 | 4ce15926ccab8ec88ac94da7d98d6359 | False | 0.900390625 | data | 6.6940262969367845 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        (unprintable name) | 0x1d000 | 0x1238 | 0x1000 | 04788fc2d0f5b9936c93d120971d74b9 | False | 0.9970703125 | data | 7.8514926357312085 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
        .edata | 0x1f000 | 0x1000 | 0x200 | 544c5eab7820086fa3d9b5c7f0816b86 | False | 0.134765625 | data | 0.7863599620683352 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .idata | 0x20000 | 0x1000 | 0x200 | f23d42a2f5ed2acbc3aaf845cbcea5af | False | 0.107421875 | data | 0.5982647264436897 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        .rsrc | 0x21000 | 0x1000 | 0x200 | 90c2ca9daed06afbfb6effc89c6999bb | False | 0.525390625 | data | 4.720822661998389 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .wemod | 0x22000 | 0x28a000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        .boot | 0x2ac000 | 0x1bc200 | 0x1bc200 | c17f921028b72273768ddae6037ee9e3 | False | 0.9940867532718829 | data | 7.929755837502866 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
        RT_MANIFEST | 0x21058 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
        DLL | Import
        kernel32.dll | GetModuleHandleA
        Name | Ordinal | Address
        Initialize | 1 | 0x10001bd0
        Language of compilation system | Country where language is spoken
        English | United States


        Timestamp | Source Port | Dest Port | Source IP | Dest IP
        Jan 10, 2025 14:46:52.314333916 CET | 57423 | 53 | 192.168.2.7 | 162.159.36.2
        Jan 10, 2025 14:46:52.319183111 CET | 53 | 57423 | 162.159.36.2 | 192.168.2.7
        Jan 10, 2025 14:46:52.319257021 CET | 57423 | 53 | 192.168.2.7 | 162.159.36.2
        Jan 10, 2025 14:46:52.324153900 CET | 53 | 57423 | 162.159.36.2 | 192.168.2.7
        Jan 10, 2025 14:46:52.802062035 CET | 57423 | 53 | 192.168.2.7 | 162.159.36.2
        Jan 10, 2025 14:46:52.807073116 CET | 53 | 57423 | 162.159.36.2 | 192.168.2.7
        Jan 10, 2025 14:46:52.807131052 CET | 57423 | 53 | 192.168.2.7 | 162.159.36.2
        Timestamp | Source Port | Dest Port | Source IP | Dest IP
        Jan 10, 2025 14:46:52.313828945 CET | 53 | 54730 | 162.159.36.2 | 192.168.2.7
        Jan 10, 2025 14:46:52.853636026 CET | 57513 | 53 | 192.168.2.7 | 1.1.1.1
        Jan 10, 2025 14:46:52.860894918 CET | 53 | 57513 | 1.1.1.1 | 192.168.2.7
        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
        Jan 10, 2025 14:46:52.853636026 CET | 192.168.2.7 | 1.1.1.1 | 0xddd1 | Standard query (0) | 241.42.69.40.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
        Jan 10, 2025 14:46:23.815408945 CET | 1.1.1.1 | 192.168.2.7 | 0x8a2f | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
        Jan 10, 2025 14:46:23.815408945 CET | 1.1.1.1 | 192.168.2.7 | 0x8a2f | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
        Jan 10, 2025 14:46:41.842065096 CET | 1.1.1.1 | 192.168.2.7 | 0x4ea | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
        Jan 10, 2025 14:46:41.842065096 CET | 1.1.1.1 | 192.168.2.7 | 0x4ea | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
        Jan 10, 2025 14:46:52.860894918 CET | 1.1.1.1 | 192.168.2.7 | 0xddd1 | Name error (3) | 241.42.69.40.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
        Jan 10, 2025 14:46:56.503145933 CET | 1.1.1.1 | 192.168.2.7 | 0xa165 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
        Jan 10, 2025 14:46:56.503145933 CET | 1.1.1.1 | 192.168.2.7 | 0xa165 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
        Jan 10, 2025 14:47:36.900595903 CET | 1.1.1.1 | 192.168.2.7 | 0x578b | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
        Jan 10, 2025 14:47:36.900595903 CET | 1.1.1.1 | 192.168.2.7 | 0x578b | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
        Target ID:1
        Start time:08:46:18
        Start date:10/01/2025
        Path:C:\Windows\System32\loaddll32.exe
        Wow64 process (32bit):true
        Commandline:loaddll32.exe "C:\Users\user\Desktop\A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll"
        Imagebase:0xd20000
        File size:126'464 bytes
        MD5 hash:51E6071F9CBA48E79F10C84515AAE618
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:2
        Start time:08:46:18
        Start date:10/01/2025
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff75da10000
        File size:862'208 bytes
        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:3
        Start time:08:46:18
        Start date:10/01/2025
        Path:C:\Windows\SysWOW64\cmd.exe
        Wow64 process (32bit):true
        Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll",#1
        Imagebase:0x410000
        File size:236'544 bytes
        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:4
        Start time:08:46:18
        Start date:10/01/2025
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe C:\Users\user\Desktop\A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll,Initialize
        Imagebase:0x640000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:5
        Start time:08:46:18
        Start date:10/01/2025
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll",#1
        Imagebase:0x640000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:10
        Start time:08:46:18
        Start date:10/01/2025
        Path:C:\Windows\SysWOW64\WerFault.exe
        Wow64 process (32bit):true
        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7580 -s 616
        Imagebase:0xf90000
        File size:483'680 bytes
        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:11
        Start time:08:46:19
        Start date:10/01/2025
        Path:C:\Windows\SysWOW64\WerFault.exe
        Wow64 process (32bit):true
        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7564 -s 612
        Imagebase:0xf90000
        File size:483'680 bytes
        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:13
        Start time:08:46:21
        Start date:10/01/2025
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe "C:\Users\user\Desktop\A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll",Initialize
        Imagebase:0x640000
        File size:61'440 bytes
        MD5 hash:889B99C52A60DD49227C5E485A016679
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:15
        Start time:08:46:22
        Start date:10/01/2025
        Path:C:\Windows\SysWOW64\WerFault.exe
        Wow64 process (32bit):true
        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7900 -s 608
        Imagebase:0xf90000
        File size:483'680 bytes
        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        No disassembly