Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.Packed.16045.13418.dll

Overview

General Information

Sample name:	SecuriteInfo.com.Trojan.Packed.16045.13418.dll
Analysis ID:	1521518
MD5:	bab4d119880ede651e1edb7d5d891599
SHA1:	b06c29686d0fb77b9ece9d4c79b73859f3ab2495
SHA256:	2fe5db59a191c7a857c5863344e1293724ac64b79ae3c89dda5fe172fd181243
Tags:	dll
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found large amount of non-executed APIs

One or more processes crash

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 4632 cmdline: loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.16045.13418.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 6708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4920 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.16045.13418.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 4884 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.16045.13418.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 1936 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 620 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 4388 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.16045.13418.dll,SetDllPathA MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 6048 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 612 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 2720 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.16045.13418.dll,SetDllPathW MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 4196 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 612 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 5248 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.16045.13418.dll",SetDllPathA MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 6884 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5248 -s 612 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 592 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.16045.13418.dll",SetDllPathW MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 5948 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 592 -s 612 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.Packed.16045.13418.dll

ReversingLabs: Detection: 21%

Source: SecuriteInfo.com.Trojan.Packed.16045.13418.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: Amcache.hve.9.dr

String found in binary or memory: http://upx.sf.net

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10001C40 wcslen,#800,wcscpy,#800,wcslen,#800,wcscpy,wcslen,#800,wcscpy,wcslen,#800,wcscpy,wcslen,#800,wcscpy,wcslen,#800,wcscpy,wcslen,#800,wcscpy,wcslen,#800,wcscpy,wcslen,#800,wcscpy,wcslen,#800,wcscpy,#800,NtQueryKey,	0_2_10001C40
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100026D0 NtClose,	0_2_100026D0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10002120 wcslen,wcscpy,wcslen,wcscpy,wcslen,wcscpy,wcslen,wcscpy,_wcsicmp,_wcsicmp,_wcsicmp,wcslen,#800,wcscpy,wcslen,#800,wcscpy,#800,wcslen,wcslen,wcslen,#800,wcscpy,#800,wcslen,NtQueryValueKey,	0_2_10002120
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10001320 GetCurrentThread,NtOpenKeyEx,	0_2_10001320
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10002740 GetCurrentThread,NtOpenKeyEx,	0_2_10002740
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100013B0 NtOpenKey,	0_2_100013B0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10001BF0 NtOpenKeyEx,	0_2_10001BF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10001C40 wcslen,#800,wcscpy,#800,wcslen,#800,wcscpy,wcslen,#800,wcscpy,wcslen,#800,wcscpy,wcslen,#800,wcscpy,wcslen,#800,wcscpy,wcslen,#800,wcscpy,wcslen,#800,wcscpy,wcslen,#800,wcscpy,wcslen,#800,wcscpy,#800,NtQueryKey,	4_2_10001C40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100026D0 NtClose,	4_2_100026D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10002120 wcslen,wcscpy,wcslen,wcscpy,wcslen,wcscpy,wcslen,wcscpy,_wcsicmp,_wcsicmp,_wcsicmp,wcslen,#800,wcscpy,wcslen,#800,wcscpy,#800,wcslen,wcslen,wcslen,#800,wcscpy,#800,wcslen,NtQueryValueKey,	4_2_10002120
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10001320 GetCurrentThread,NtOpenKeyEx,	4_2_10001320
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10002740 GetCurrentThread,NtOpenKeyEx,	4_2_10002740
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100013B0 NtOpenKey,	4_2_100013B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10001BF0 NtOpenKeyEx,	4_2_10001BF0

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10003420		0_2_10003420
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10003420		4_2_10003420

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 620

Source: SecuriteInfo.com.Trojan.Packed.16045.13418.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: classification engine

Classification label: mal48.winDLL@19/21@0/0

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6708:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess592
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4884
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4388
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5248
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2720

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\eaa15d8c-f3c0-497c-b71d-872187e6d6e3

Jump to behavior

Source: SecuriteInfo.com.Trojan.Packed.16045.13418.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.16045.13418.dll,SetDllPathA

Source: SecuriteInfo.com.Trojan.Packed.16045.13418.dll

ReversingLabs: Detection: 21%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.16045.13418.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.16045.13418.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.16045.13418.dll,SetDllPathA
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.16045.13418.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 620
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 612
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.16045.13418.dll,SetDllPathW
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 612
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.16045.13418.dll",SetDllPathA
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.16045.13418.dll",SetDllPathW
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 592 -s 612
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5248 -s 612
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.16045.13418.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.16045.13418.dll,SetDllPathA	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.16045.13418.dll,SetDllPathW	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.16045.13418.dll",SetDllPathA	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.16045.13418.dll",SetDllPathW	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.16045.13418.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_10001150 #540,LoadLibraryW,GetProcAddress,#823,#861,#825,FreeLibrary,#535,#800,

0_2_10001150

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10004A34 push eax; ret	0_2_10004A52
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10004A34 push eax; ret	4_2_10004A52
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0083CCBE pushfd ; iretd	5_2_0083CCF1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0083CF5C pushad ; iretd	5_2_0083CF5D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0083FA74 pushad ; retf	5_2_0083FA7A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_02FFCF4B pushad ; iretd	11_2_02FFCF5D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_02FFC230 push B0035A34h; ret	11_2_02FFC235
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_02FFC628 push eax; ret	11_2_02FFC629
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_02FCC8F0 pushad ; ret	14_2_02FCC8F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_02FCCAEA push esp; retf	14_2_02FCCB0D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0019CB10 pushad ; ret	15_2_0019CB11
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0019C7D0 push esp; retf	15_2_0019C7D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0019C7CC push esp; retf 0019h	15_2_0019C7CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0019CB79 pushad ; ret	15_2_0019CBA1

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	API coverage: 3.1 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 3.8 %

Source: C:\Windows\SysWOW64\WerFault.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\SysWOW64\WerFault.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: Amcache.hve.9.dr	Binary or memory string: VMware
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.9.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.9.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 14_2_02FCF487 LdrInitializeThunk,

14_2_02FCF487

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_10001150 #540,LoadLibraryW,GetProcAddress,#823,#861,#825,FreeLibrary,#535,#800,

0_2_10001150

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.16045.13418.dll",#1

Jump to behavior

Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Rundll32	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	11 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.Packed.16045.13418.dll	21%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.9.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1521518
Start date and time:	2024-09-28 20:35:14 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Trojan.Packed.16045.13418.dll
Detection:	MAL
Classification:	mal48.winDLL@19/21@0/0
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 5 Number of non-executed functions: 55
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173, 20.189.173.20, 20.12.23.50, 20.242.39.171, 4.245.163.56, 52.165.164.15
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, client.wns.windows.com, slscr.update.microsoft.com, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, blobcollector.events.data.trafficmanager.net, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, umwatson.events.data.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
Execution Graph export aborted for target rundll32.exe, PID 2720 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 4884 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 5248 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 592 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
VT rate limit hit for: SecuriteInfo.com.Trojan.Packed.16045.13418.dll

Simulations

Behavior and APIs

Time	Type	Description
14:36:21	API Interceptor	5x Sleep call for process: WerFault.exe modified
14:36:22	API Interceptor	1x Sleep call for process: loaddll32.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_40dfe4f969cbf4fc5de74dcb1b6270e6cee73c1c_7522e4b5_2f2b4a1c-35c5-4358-b8f2-1e2fbbb9e370\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8557576564476563
Encrypted:	false
SSDEEP:	192:wniNOHgx+0BU/wjeT8zuiF1Z24IO8dci:QiEHgTBU/wjeIzuiF1Y4IO8dci
MD5:	E6E4A9B3D628C71451DB8FBBF3AB5626
SHA1:	5331BDA36E6E5C21BEC4A800EAA4585A3EA9D352
SHA-256:	E1EC8D7F0A1DAD5C42C27C692F45487EF08EBA771E7480B6A2A7C1989DB61693
SHA-512:	D643CEF5445569D52367ED4876A33E42B6ACD4737544CE3E478207490CF327DB822442DAF85C5B56B2624A83560F8CBA83E1215D3931D350B2CC364D3A7D70C1
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.0.2.2.1.8.3.0.6.9.7.1.3.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.0.2.2.1.8.4.1.6.3.4.6.9.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.f.2.b.4.a.1.c.-.3.5.c.5.-.4.3.5.8.-.b.8.f.2.-.1.e.2.f.b.b.b.9.e.3.7.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.4.9.1.6.9.7.d.-.4.e.3.c.-.4.1.e.f.-.8.4.2.e.-.6.d.a.5.3.e.1.b.2.9.d.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.8.0.-.0.0.0.1.-.0.0.1.5.-.c.c.3.5.-.4.2.5.1.d.5.1.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_40dfe4f969cbf4fc5de74dcb1b6270e6cee73c1c_7522e4b5_3445b430-5404-4f1d-ab9e-1623049dd6e3\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.855372649796258
Encrypted:	false
SSDEEP:	192:QeghiNOxQgx+0BU/wjeT8zuiF1Z24IO8dci:9yiEWgTBU/wjeIzuiF1Y4IO8dci
MD5:	2A4B41157284102919F373E558AF7557
SHA1:	928C1AADCD7D9516DE29E9AD4C29FCCD9BD0D75A
SHA-256:	761567C6B730167C16947989B2D9282E7548E4C9DFB37A76EFC6C7DC0F88DB04
SHA-512:	991C6327DD1C265C4F08231021891D7612DA4B5517571A4BCE159CEAEA0266E89CC6CFAE649973D9DCCC32821F855A3A65328A3BE536B9C657B7BAA73ADA9A89
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.0.2.2.1.7.7.1.0.4.8.7.7.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.0.2.2.1.7.8.5.7.3.6.4.0.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.4.4.5.b.4.3.0.-.5.4.0.4.-.4.f.1.d.-.a.b.9.e.-.1.6.2.3.0.4.9.d.d.6.e.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.9.2.1.6.0.c.f.-.4.e.0.5.-.4.2.1.c.-.a.c.0.3.-.a.f.1.e.1.7.1.8.0.f.2.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.1.2.4.-.0.0.0.1.-.0.0.1.5.-.b.c.7.d.-.a.4.4.d.d.5.1.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_40dfe4f969cbf4fc5de74dcb1b6270e6cee73c1c_7522e4b5_d1103713-8ae5-4de5-a329-aea6d2e3fe56\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8556568359654201
Encrypted:	false
SSDEEP:	192:vFmiPOn7tgx+0BU/wjeT8zuiF1Z24IO8dci:Nmi27tgTBU/wjeIzuiF1Y4IO8dci
MD5:	0957A4FC7D7E29C912509F02BD0FCD4F
SHA1:	715C797B844DD2B2C2DD698E20F1A746202EA584
SHA-256:	B5A275A67CE5FAB3DD82F243B58F37135BEC1FD55A6F921F5D4C54EAE1A956DF
SHA-512:	3F2D9B29716FDCEA678BFC9E9930E5322B512EC22EE292C448A276EF75C376F6C1C04125CE318636E93E465FFF13F8773C27FB5A0336ED0693F868DAA7E5C879
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.0.2.2.1.7.7.1.6.0.2.1.0.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.0.2.2.1.7.8.5.8.2.1.0.6.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.1.1.0.3.7.1.3.-.8.a.e.5.-.4.d.e.5.-.a.3.2.9.-.a.e.a.6.d.2.e.3.f.e.5.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.1.b.3.8.4.c.e.-.a.d.8.a.-.4.e.8.d.-.8.6.0.d.-.6.e.b.7.c.7.2.9.3.9.5.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.1.4.-.0.0.0.1.-.0.0.1.5.-.1.9.6.9.-.a.b.4.d.d.5.1.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_8b99f381882e05a5abb1913aaf1cb4446d926b3_7522e4b5_0a457b11-ee37-4a85-8ac3-689d30f730fc\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.854895158919584
Encrypted:	false
SSDEEP:	192:l5AiXOlIT0BU/wjeT8zuiF1Z24IO8dcia:DAi+lXBU/wjeIzuiF1Y4IO8dci
MD5:	6DDF7D3EA6A3A858C5DB0C90A283D246
SHA1:	85E89464DAD6DE53CFB9BC8F8913BFA3A52AC337
SHA-256:	8133F3FFC3FA2A049905E4186C495617BF69238C0C125AADCCD4F5D8E8EAC387
SHA-512:	0FEE877F1A6AF2AB72E3D2204D0450C19D4159AF127D5C94A403FCB29E4F2E2E5A12F3CC0A006D8F03F3B75AFC0419BD74FE416B83CC36ADFFC0B42671862CC8
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.0.2.2.1.7.9.9.7.4.0.0.9.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.0.2.2.1.8.0.3.8.0.2.6.3.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.a.4.5.7.b.1.1.-.e.e.3.7.-.4.a.8.5.-.8.a.c.3.-.6.8.9.d.3.0.f.7.3.0.f.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.2.d.9.1.9.1.6.-.8.c.4.3.-.4.b.8.b.-.9.0.e.6.-.f.4.2.5.9.9.3.6.f.e.b.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.a.a.0.-.0.0.0.1.-.0.0.1.5.-.d.1.d.3.-.7.4.4.f.d.5.1.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_8b99f381882e05a5abb1913aaf1cb4446d926b3_7522e4b5_71784623-12fc-4600-a3bb-ceea5991a9f6\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.854814170993605
Encrypted:	false
SSDEEP:	192:z05iUO3IT0BU/wjeT8zuiF1Z24IO8dci:zmil3XBU/wjeIzuiF1Y4IO8dci
MD5:	CFA64605E126DE86FAB74A0C7A4DFD1F
SHA1:	68CFA47B80EDF36C75812B9B46021E00957C2269
SHA-256:	9FE55CB8BA9838C4F3DB3D967FE9CCA8C272D327AAB05515ED0EC944F95EC4D7
SHA-512:	C319561B76BF95BA63ABF9ACA9C62D1B67A6E59B5992794EE82BCD8DE8C09A05511120981473C4DFA0DC6083351525496897E7B3C5CE75D3235A37F384674380
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.0.2.2.1.8.3.0.2.1.4.8.4.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.0.2.2.1.8.4.0.9.9.6.0.2.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.1.7.8.4.6.2.3.-.1.2.f.c.-.4.6.0.0.-.a.3.b.b.-.c.e.e.a.5.9.9.1.a.9.f.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.1.3.1.3.3.e.b.-.5.6.4.8.-.4.a.8.8.-.8.f.c.2.-.7.b.3.a.b.0.6.9.0.8.c.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.2.5.0.-.0.0.0.1.-.0.0.1.5.-.2.f.b.2.-.4.3.5.1.d.5.1.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2B37.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat Sep 28 18:36:17 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	45180
Entropy (8bit):	1.8942417152083302
Encrypted:	false
SSDEEP:	192:VkIc0IVS7O5H4OZeoL1kpy/28fOh6fxXvj9:ehHl5HEZBAOgVj
MD5:	9CD3D7DF51637DAC8B4FCD3306C08B1A
SHA1:	BD046B6E5ACB7853244B845C785525E3B2E8D242
SHA-256:	D7DE99711860FE566FE4606AE58FC36CC176E95B0C2B14A6AF6EE4F17E70B38C
SHA-512:	F86AEE1AB88D5E2275BB3C41A78FAF761860D5B6C8C1AB74A1926092B24EC2D414B2C1BF3245402D3298EAED4CB7E0CC55B8F43BA5EE66CE1D39ABCD96C71BE0
Malicious:	false
Preview:	MDMP..a..... ........L.f........................4................(..........T.......8...........T...........p...........................................................................................................eJ......T.......GenuineIntel............T.......$....L.f.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2B66.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat Sep 28 18:36:17 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	51560
Entropy (8bit):	1.7626452770786227
Encrypted:	false
SSDEEP:	192:VUVUxlxtsXyx3F59O5H4wJIodqVD/gHtYfCb0:uoxk+nw5HYgqVD/gHWO
MD5:	5B8A6A77199B5775F4C0B88FD3C362FF
SHA1:	4EA80393D3189CEADB44C5C09CBA1E3CC83E274D
SHA-256:	3C90E434F6312BA7CB10B843EE2F3993D39583543EC94567891DEF2555C12C0B
SHA-512:	BC660143CF3F11358955FC0AD36C8AA884A5EE944E4CF87656015C220D7350DAAF4B2C0AE00CBE6A8D17A4A3F7E89BFD3510740BB0FF4AF5DD202E4E36DB5266
Malicious:	false
Preview:	MDMP..a..... ........L.f........................4................+..........T.......8...........T.......................................................................................................................eJ..............GenuineIntel............T............L.f.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C42.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8270
Entropy (8bit):	3.691818947070973
Encrypted:	false
SSDEEP:	192:R6l7wVeJtn6Ijs6YkT6ogmfT648cO5prH89bHOsf4Nm:R6lXJN6Ijs6Y46ogmfT641O8HNf/
MD5:	BB7B95C964D40763B22798F1E82E86D8
SHA1:	454C5021D496D345697A3CACD6B53F6A5D571137
SHA-256:	E3EA23EB214A20D9B2C20AC98824E33B58B0C48709707671B19009036C63F6FB
SHA-512:	A7DAF985F166D6510ECD38EC8C3CB9CA132449AF807F20FB7423F6BF3773BBE5979C45503C1D1FD275BFBC06EB868845877F37E1D5ACB16328C62EF233C8A81D
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.8.8.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C51.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8280
Entropy (8bit):	3.6941462634817337
Encrypted:	false
SSDEEP:	192:R6l7wVeJC36I3V6YBV6igmfT648cO5prB89bHYsfpg1Nm:R6lXJq6I3V6Yj6igmfT641OqHLfp1
MD5:	D3C7D51D7E7555E309ABB149DBDB53C2
SHA1:	77E1714CC0D24F26226D6F2BE057E430D6BA8E9F
SHA-256:	5802CA5B333DF10CD6B99E67FE3DAE216F7BDD3270DBD584ED4F53CA21A38A2C
SHA-512:	96A4B3C9C7864E7A7165DF9F6F02807BEB4CD2DCB13E1A6A7A09450258A86F2371DBF807BEE163387A2B83F099B8340C9CA21DA76CC829B2CC3896B9B37A509B
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.3.8.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C62.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4666
Entropy (8bit):	4.477812041015737
Encrypted:	false
SSDEEP:	48:cvIwWl8zsEJg77aI92ioWpW8VYUYm8M4JCdP8Fs+q8/qJGScS5d:uIjfCI75B7VMJ2TJ35d
MD5:	41339016D5123B1CCF44309A31EE7594
SHA1:	29A08A0099E28E5167EC81B3CC2C6A689D59E714
SHA-256:	D0560A06CB7A6C2996E0F7826A2DECA6B3A082B4E378F7E0D53DF6FC2D33F91D
SHA-512:	8423D10F4140CA281E034782ECE360BB70975227E2BB804C5925BA38C88E7CF0C13588C821D3FC8412C9744703696EF83F000A79C3D4F39BBD501327EE8F5671
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="520418" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C72.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4666
Entropy (8bit):	4.475204095420498
Encrypted:	false
SSDEEP:	48:cvIwWl8zsEJg77aI92ioWpW8VYoYm8M4JCdP8FuW+q8/qhlGScS2d:uIjfCI75B7VsJftJ32d
MD5:	0474921934F4DE123E7811A0844BBC17
SHA1:	680AFAD3E0F2799730DA8FBC01CC3E5BB87EE2E4
SHA-256:	082780AD7A91D0F1FBE28A59E0467FDD25FA830E6061B5419C9FBF6C7DABB988
SHA-512:	FAB8E5E94D2C77BD087C5F4B03B9590AF8162FF2CEB0C4F07C60C6D3B419D450F38F5860855B4AD088CA31A5217BEEBE532D89DF5BC40144C1864D971E5032F5
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="520418" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3691.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat Sep 28 18:36:20 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	46252
Entropy (8bit):	1.939021395867495
Encrypted:	false
SSDEEP:	192:okXc0IAKEXLndO5H4agIpHY04AOLXyHtn7oG2T7o5Cb8xjK2It2:ZsHa7Q5HNYbrLXyHt7a1bCm
MD5:	5A663446439F1A312D9C86C7AA7F4FAA
SHA1:	3FF6B17232C21AB2C08DC0ED5D4BAB8F6208454C
SHA-256:	294ECB8B5B11D6CAD2BBDD99353C15E3ABED58DF5F7F01DB65B634B3C80C730F
SHA-512:	92F053D1B492C9E1757485E1BF8A7975B80D14FEA556C782D5F4F69664CC4B81F22687BFB08EE74D4FC962BF8773177FBE601E3CE5B37F75F134BCDCA7E436CB
Malicious:	false
Preview:	MDMP..a..... ........L.f........................4................(..........T.......8...........T...........p...<.......................................................................................................eJ......T.......GenuineIntel............T............L.f.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER372F.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8266
Entropy (8bit):	3.6906204323842604
Encrypted:	false
SSDEEP:	192:R6l7wVeJCL6I3v6YB06xgmfT2LO5pr089b7Asfipm:R6lXJm6I3v6Yy6xgmfToOV7TfV
MD5:	10D5C39013ABF529A5B2E9D77B99817A
SHA1:	29688952EE6D67D28CBB2CF0762E4852D45413E2
SHA-256:	C29BD2D1AC4DDCC4C96AA191A67F9B5251F411D2138DEFD0BA8BB4FC44040400
SHA-512:	584ACEBB5C6AA1DE8BD2783CF13EEB106AD5D05F2EF33438550759198614EBE3D2C669E34CA42F1384186BA7A7DE2DE2DB31D883129BE8601A7242A787C519BC
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.7.2.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER376E.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4654
Entropy (8bit):	4.459100349252224
Encrypted:	false
SSDEEP:	48:cvIwWl8zszJg77aI92ioWpW8VY+5Ym8M4JCdPDFbY+q8/AbaGScSEd:uIjfNI75B7VRoJMYDaJ3Ed
MD5:	465B9622AB858AA26D4C1810B791BAC6
SHA1:	C0335737C0B43D6E293BBEFE2D305FBC99E2B78A
SHA-256:	9D18B92289F1A1FB18B81AFE5FC6C7D8AAA246137D73076C07C4830A044D4E81
SHA-512:	BBEC18D30AB14A1D2B3D0C12A368D0DB8292AEA3346D75DE15EDBB5952AB56D3286AEEDD3F089FF8D38356EBC1CAABFA7467CA4BE6E93EBAA8FBC2B26D4C0C91
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="520419" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4249.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat Sep 28 18:36:23 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	44120
Entropy (8bit):	1.9760665289365158
Encrypted:	false
SSDEEP:	192:PkvW0IiPVO5H4i87nFOuZ1NitYrEEy3O2l1e/Vx:8OHD5Hi7k6NitYrFy3Oui
MD5:	B09F0291FF07516795CA53E0E597F6A1
SHA1:	12734BF882AB8372F3FCAB7A74B0F5D6F805B90E
SHA-256:	B2D6385CFF959BDB3ECE1D6CAF1806C8C8809069C04665C6B4DBD3C9946AB14E
SHA-512:	8E452933C4535941EC97EAAB2C09AAD6DA78119190ADB9F6DB2CDE756ED3EA5540946423B45D587DFAD2F514640CBC312F4EEFE4EEEE9C8CCE702050FC4A843F
Malicious:	false
Preview:	MDMP..a..... ........L.f........................4................(..........T.......8...........T...........p..........................................................................................................eJ......T.......GenuineIntel............T.......P....L.f.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER42A7.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat Sep 28 18:36:23 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	44524
Entropy (8bit):	1.9248150151176648
Encrypted:	false
SSDEEP:	192:PkUVw7W0IQyZO5H43MlZov8qF/lbw2bl+YoRr5+L:8U+6HU5HEiZo8q3bw2bls
MD5:	73531136CCB2CE7A746717155FB8FD86
SHA1:	DCB0CFA86807C30583C7EE0AB014B4742873B65D
SHA-256:	9BAC0538B85D6C2204EDC3D55077967F6D983AC6295736A4109123D9A4D88BD6
SHA-512:	64AD79D90AA7AC89979459174AA9AEB75CD73F7FA3E4419B3F004A749AD05F00D493431312D3E8F1C21F69A7FFDCCEDD87DC79D414B681BCF0AE0AE3D201D16F
Malicious:	false
Preview:	MDMP..a..... ........L.f........................4................(..........T.......8...........T...........p...\|.......................................................................................................eJ......T.......GenuineIntel............T............L.f.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4306.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8252
Entropy (8bit):	3.6900816832803165
Encrypted:	false
SSDEEP:	192:R6l7wVeJptS6I3N6YZ+66KgmfT2LO5prT89bAtsfxAm:R6lXJpo6I3N6Yw66KgmfToOgAmfj
MD5:	D45FB75D39764E7A8898AB55A550106A
SHA1:	36680B316F5EC5360FD527DD6367513DD2D68B86
SHA-256:	965C5B51BF91BB43FC9676763C86D125831096A6C170110372B293417B1716C6
SHA-512:	0920F7E942775EF1DD2178EC0F5C0E50DA6E97741429A64CDD69F704C49EC603E8C19D0E37C8BAEB7B1DC0DF8FAFE897E0624F3F6A0FE3F9700E8AB8FCBB10A2
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.9.2.<./.P.i.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4336.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4654
Entropy (8bit):	4.459530249296044
Encrypted:	false
SSDEEP:	48:cvIwWl8zszJg77aI92ioWpW8VYuvYm8M4JCdPDFXMj+q8/A7GScSid:uIjfNI75B7ViJyMjTJ3id
MD5:	C2100CB202CF272FBFBFA37165A39D4E
SHA1:	455492EB7022DD681F92EBC98CDBE1BA25C1E84C
SHA-256:	483FF484430167E2620A686CD0029911910718B31663B9F581EEDE73BC54C817
SHA-512:	D4BAF88C6D05F7E5A7EC95DABE5BFE0922E3254F358DE84FEADDE62B9EF324224DA0C7D6035DABD35914FCEB74857F0E47184B344D7E0C74DC1265EB425B42B1
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="520419" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER43E1.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8268
Entropy (8bit):	3.6948844111406194
Encrypted:	false
SSDEEP:	192:R6l7wVeJmW6I3/6YZH66KgmfT648cO5pr089bAjsf0Am:R6lXJf6I3/6YJ66KgmfT641OVAIfy
MD5:	ED557AD67E0404A36A760D3A193C11FC
SHA1:	F7116D8AFF62FFE30E68CA879E34A77CBCAB707A
SHA-256:	F33A0D5D600D05B193272F60AC7E7C72938017A5CE93E365437681526C0748DB
SHA-512:	0406FF785DED8AAFC64567DEA12762A44736F92CD833E7F23A41DE8DCD112E2FD3141B5D8292833F638D2DFB777A7C99FB4CA8CBE8098A828FC6220C99527F18
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.2.4.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4411.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4666
Entropy (8bit):	4.475762693257893
Encrypted:	false
SSDEEP:	48:cvIwWl8zszJg77aI92ioWpW8VYunYm8M4JCdP8Fc6P+q8/qxGScSvd:uIjfNI75B7VqJNfJ3vd
MD5:	53361691999184B6C3F1E6CC83B3B8CB
SHA1:	2849FD3FA7237D08EA0D3D8D0661C50A788F15BB
SHA-256:	6E958D92D7E0BB76DC6EAFBFEFCBF89D87B9F88EB1B5F8E3CA715AF8FFE15FCF
SHA-512:	45C5BBB9CD54B0B0FB33DC05E9EFF08F4BC42D0DE9949A5FF5A42294201A7988D6820D78A46478376202FD81DFE0F7EE995D6CC339D0FF507D97DCB0426FA183
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="520419" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.469383663571447
Encrypted:	false
SSDEEP:	6144:vzZfpi6ceLPx9skLmb0fYZWSP3aJG8nAgeiJRMMhA2zX4WABluuNFjDH5S:7ZHtYZWOKnMM6bFpHj4
MD5:	2BBB84C890CCBE3F294D727C3F93DE2D
SHA1:	A047D7E489861F34034BA413E1BDC1B4C7133979
SHA-256:	185C12EE60419BD4CBF9ED01D22203BD5C7CC48770DDC1185DA91BE1CEEBD721
SHA-512:	11406199B2D0DC2CBF8E8A55C9D835BE30612E7B3C56BF69EC77A7DF81667AC669A09BFCF3BD9C49430AC5C89E7BA938437987D3932D6FB81DBE719BEFBF0200
Malicious:	false
Preview:	regfI...I....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...M...................................................................................................................................................................................................................................................................................................................................................y........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.86992030446349
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Trojan.Packed.16045.13418.dll
File size:	49'152 bytes
MD5:	bab4d119880ede651e1edb7d5d891599
SHA1:	b06c29686d0fb77b9ece9d4c79b73859f3ab2495
SHA256:	2fe5db59a191c7a857c5863344e1293724ac64b79ae3c89dda5fe172fd181243
SHA512:	1d91957778318d3aae28776c18644ae84fafd97f38bb57c65b408fa91775bec0272e9e93eac330b0b0cc0bf33db1588ae0b5f300749212e6fb7063f354a06b72
SSDEEP:	768:1jY5P1mAzVOBuiPn5EnsiWGFwlHZB8QACoOOy8:1GPNTA5n/lHwQdory8
TLSH:	46230904A60D08A4C77D5E7CEC6B7B3B532D58CC16D90BC35B75ED78EC23422AE12A65
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........C..G"..G"..G"..%=..C"..(=..F"...>..E"..(=..C"..(=..C"..q...D"..G"..."..q...M"...$..F"......F"..RichG".........................

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x1000497b
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x5628BB32 [Thu Oct 22 10:32:18 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	a6401b477c5abcd084d69b0577575fd8

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007EFE10BA9A2Bh
cmp dword ptr [1000BF34h], 00000000h
jmp 00007EFE10BA9A48h
cmp esi, 01h
je 00007EFE10BA9A27h
cmp esi, 02h
jne 00007EFE10BA9A44h
mov eax, dword ptr [1000928Ch]
test eax, eax
je 00007EFE10BA9A2Bh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007EFE10BA9A2Eh
push edi
push esi
push ebx
call 00007EFE10BA993Ah
test eax, eax
jne 00007EFE10BA9A26h
xor eax, eax
jmp 00007EFE10BA9A70h
push edi
push esi
push ebx
call 00007EFE10BA9757h
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007EFE10BA9A2Eh
test eax, eax
jne 00007EFE10BA9A59h
push edi
push eax
push ebx
call 00007EFE10BA9916h
test esi, esi
je 00007EFE10BA9A27h
cmp esi, 03h
jne 00007EFE10BA9A48h
push edi
push esi
push ebx
call 00007EFE10BA9905h
test eax, eax
jne 00007EFE10BA9A25h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007EFE10BA9A33h
mov eax, dword ptr [1000928Ch]
test eax, eax
je 00007EFE10BA9A2Ah
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
push esi
mov esi, ecx
call 00007EFE10BA9A65h
test byte ptr [esp+08h], 00000001h
je 00007EFE10BA9A29h
push esi
call 00007EFE10BA95FAh
pop ecx
mov eax, esi
pop esi
retn 0004h
push FFFFFFFFh
push eax
mov eax, dword ptr fs:[00000000h]
push eax
mov eax, dword ptr [esp+0Ch]

Rich Headers

Programming Language:

[C++] VS98 (6.0) SP6 build 8804
[EXP] VC++ 6.0 SP5 build 8804
[LNK] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x8d70	0x60	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8778	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd000	0x10	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe000	0x99c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x1f0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x559e	0x6000	c644e798c2802372fff661e4a49f754d	False	0.4974772135416667	data	6.0411501550711675	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1dd0	0x2000	bd02655cb813c0446d034e916a43221c	False	0.3111572265625	data	4.367028796891495	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x31e4	0x1000	a82036b956d903da7f02d5932e6b3cfc	False	0.162353515625	data	1.459255981071059	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd000	0x10	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe000	0xcaa	0x1000	013e90c93df49efa57b60744b86f895a	False	0.5048828125	data	4.706467340542258	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
MFC42u.DLL
MSVCRT.dll	_except_handler3, ftell, fopen, strchr, sprintf, ??1type_info@@UAE@XZ, _adjust_fdiv, malloc, _initterm, free, _onexit, __dllonexit, memmove, fseek, fread, fclose, wcscat, wcscpy, wcslen, _wcsicmp, __CxxFrameHandler, _wfopen
KERNEL32.dll	CreateFileA, LocalAlloc, LocalFree, MultiByteToWideChar, GetModuleHandleW, EnterCriticalSection, LeaveCriticalSection, GetCurrentThread, InitializeCriticalSection, GetModuleHandleA, GetCurrentProcess, GetProcAddress, FreeLibrary, GetModuleFileNameW, LoadLibraryW, VirtualQuery, InterlockedCompareExchange, GetCurrentThreadId, ResumeThread, FlushInstructionCache, GetThreadContext, SetThreadContext, GetLastError, SuspendThread, VirtualAlloc, SetLastError, GetSystemDirectoryA, VirtualFree, CloseHandle, WriteFile
MSVCP60.dll	?_Xran@std@@YAXXZ, ?_Xlen@std@@YAXXZ

Exports

Name	Ordinal	Address
SetDllPathA	1	0x100031b0
SetDllPathW	2	0x100027e0

Target ID:	0
Start time:	14:36:16
Start date:	28/09/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.16045.13418.dll"
Imagebase:	0x770000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	14:36:16
Start date:	28/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	14:36:16
Start date:	28/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.16045.13418.dll",#1
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	14:36:16
Start date:	28/09/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.16045.13418.dll,SetDllPathA
Imagebase:	0xcb0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	14:36:16
Start date:	28/09/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.16045.13418.dll",#1
Imagebase:	0xcb0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	14:36:16
Start date:	28/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 620
Imagebase:	0xd80000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	14:36:16
Start date:	28/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 612
Imagebase:	0xd80000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	14:36:19
Start date:	28/09/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.16045.13418.dll,SetDllPathW
Imagebase:	0xcb0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	14:36:19
Start date:	28/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 612
Imagebase:	0xd80000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	14:36:22
Start date:	28/09/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.16045.13418.dll",SetDllPathA
Imagebase:	0xcb0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	14:36:22
Start date:	28/09/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.16045.13418.dll",SetDllPathW
Imagebase:	0xcb0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	14:36:22
Start date:	28/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 592 -s 612
Imagebase:	0xd80000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	14:36:22
Start date:	28/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5248 -s 612
Imagebase:	0xd80000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	27.1%
Total number of Nodes:	608
Total number of Limit Nodes:	5

Executed Functions

Function 100046FD Relevance: 31.6, APIs: 21, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#1115.MFC42U(?,?,?,?,?,?,100049CB,?,?,?,?,?,?), ref: 10004714
#1173.MFC42U(?,?,?,?,?,?,100049CB,?,?,?,?,?,?), ref: 10004719
#1568.MFC42U(?,00000000,10009E80,00000000,?,?,?,?,?,?,100049CB,?,?,?,?,?), ref: 1000472D
#1165.MFC42U(?,00000000,10009E80,00000000,?,?,?,?,?,?,100049CB,?,?,?,?,?), ref: 10004736
#1570.MFC42U(?,00000000,10009E80,00000000,?,?,?,?,?,?,100049CB,?,?,?,?,?), ref: 10004754
#1179.MFC42U(1000BF18,?,?,00000000,10009E80,00000000,?,?,?,?,?,?,100049CB,?,?,?), ref: 10004767
#823.MFC42U(00000040,1000BF18,?,?,00000000,10009E80,00000000,?,?,?,?,?,?,100049CB,?,?), ref: 1000476E
#342.MFC42U(1000BF18,00000000,1000BF18,?,?,00000000,10009E80,00000000,?,?,?,?,?,?,100049CB,?), ref: 1000477D
#1173.MFC42U(?,00000000,10009E80,00000000,?,?,?,?,?,?,100049CB,?,?,?,?,?), ref: 1000478C
#1240.MFC42U(?,?,00000000,10009E80,00000000,?,?,?,?,?,?,100049CB,?,?,?,?), ref: 10004794
#1240.MFC42U(10009E88,?,?,?,?,100049CB,?,?,?,?,?,?), ref: 100047AB
#1173.MFC42U(10009E88,?,?,?,?,100049CB,?,?,?,?,?,?), ref: 100047B2
#1165.MFC42U(10009E88,?,?,?,?,100049CB,?,?,?,?,?,?), ref: 100047BA
#1194.MFC42U(10009E88,?,?,?,?,100049CB,?,?,?,?,?,?), ref: 100047CD
#1563.MFC42U(000000FF,10009E88,?,?,?,?,100049CB,?,?,?,?,?,?), ref: 100047D4
#1570.MFC42U(000000FF,10009E88,?,?,?,?,100049CB,?,?,?,?,?,?), ref: 100047D9
#1248.MFC42U(1000BF18,00000001,000000FF,10009E88,?,?,?,?,100049CB,?,?,?,?,?,?), ref: 100047E5
#6466.MFC42U(10009E88,?,?,?,?,100049CB,?,?,?,?,?,?), ref: 100047FA
#1194.MFC42U(10009E88,?,?,?,?,100049CB,?,?,?,?,?,?), ref: 100047FF
#1563.MFC42U(000000FF,10009E88,?,?,?,?,100049CB,?,?,?,?,?,?), ref: 10004806
#1250.MFC42U(?,000000FF,10009E88,?,?,?,?,100049CB,?,?,?,?,?,?), ref: 1000480E

Memory Dump Source

Source File: 00000000.00000002.2276098499.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2276078008.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276118813.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276140126.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276160556.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: #1173$#1165#1194#1240#1563#1570$#1115#1179#1248#1250#1568#342#6466#823
String ID:
API String ID: 933591048-0
Opcode ID: 7f323cdebafc7876504ee1737dfc2f78bcaa5341956db8968ccd7249556f25ef
Instruction ID: 42ede1d6eba9dc7262db5c255ebf041a762cd8e3cbd004f8f20c7d1455e4ffb0
Opcode Fuzzy Hash: 7f323cdebafc7876504ee1737dfc2f78bcaa5341956db8968ccd7249556f25ef
Instruction Fuzzy Hash: 3931B278100240AFFB10DFA1CC85A9D77A6EF853D0F228519F9285B26ACF70FE419A95

Function 10004824 Relevance: 9.0, APIs: 6, Instructions: 25
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LocalAlloc.KERNELBASE(00000000,00002000), ref: 10004832
LocalFree.KERNEL32(00000000), ref: 1000483E
#1173.MFC42U ref: 10004844
#1240.MFC42U(10009E88), ref: 10004850
#1173.MFC42U ref: 10004862
#1240.MFC42U(?), ref: 1000486A

Memory Dump Source

Source File: 00000000.00000002.2276098499.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2276078008.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276118813.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276140126.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276160556.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: #1173#1240Local$AllocFree
String ID:
API String ID: 762571471-0
Opcode ID: ad6df8680ab0087f5d550da1c51120c5d9966c5a9941d94eac5dffd23f89fe7e
Instruction ID: 4b1118c17bfbf70476295644f1baa115cc6297c41b66d740b9089c34fbbeaa8b
Opcode Fuzzy Hash: ad6df8680ab0087f5d550da1c51120c5d9966c5a9941d94eac5dffd23f89fe7e
Instruction Fuzzy Hash: 85E09270904391AAF220DB60CC4AB4E66D5EB453D2F22C828F708A50A9CF70E880C794

Non-executed Functions

Function 10001C40 Relevance: 70.4, APIs: 33, Strings: 7, Instructions: 380
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcslen.MSVCRT ref: 10001C89
wcscpy.MSVCRT ref: 10001CCC
#800.MFC42U ref: 10001C9A

Part of subcall function 10001930: #538.MFC42U(10009064,?,?,?,1000646F,000000FF,10001D7D,?,CurVer), ref: 1000198C
Part of subcall function 10001930: #942.MFC42U(\Wow6432Node,10009064,?,?,?,1000646F,000000FF), ref: 100019A6
Part of subcall function 10001930: #942.MFC42U(10009188,10009064,?,?,?,1000646F,000000FF), ref: 100019B4
Part of subcall function 10001930: #942.MFC42U(00000000,10009188,10009064,?,?,?,1000646F,000000FF), ref: 100019C4
Part of subcall function 10001930: wcslen.MSVCRT ref: 100019CE
Part of subcall function 10001930: #942.MFC42U(10009188), ref: 100019E4
Part of subcall function 10001930: #942.MFC42U(?,10009188), ref: 100019EE
Part of subcall function 10001930: #535.MFC42U(?), ref: 100019FE
Part of subcall function 10001930: #800.MFC42U ref: 10001A14

#800.MFC42U ref: 10001CD9
wcslen.MSVCRT ref: 10001D10
#800.MFC42U ref: 10001D21
wcscpy.MSVCRT ref: 10001D53

Part of subcall function 10001930: #538.MFC42U(xyxyoorljfoleuwrljfoulerfksdor,?,?,?,1000646F,000000FF,10001D7D,?,CurVer), ref: 1000196B

wcslen.MSVCRT ref: 10001D80
#800.MFC42U ref: 10001D91
wcscpy.MSVCRT ref: 10001DC3
wcslen.MSVCRT ref: 10001DF0
#800.MFC42U ref: 10001E01
wcscpy.MSVCRT ref: 10001E33
wcslen.MSVCRT ref: 10001E60
wcscpy.MSVCRT ref: 10001EA3
#800.MFC42U ref: 10001E71

Part of subcall function 10001A30: #538.MFC42U(10009064,?,?,?,1000649F,000000FF,10001ECD,?,ProgID), ref: 10001A8C
Part of subcall function 10001A30: #942.MFC42U(\Wow6432Node,10009064,?,?,?,1000649F,000000FF), ref: 10001AA6
Part of subcall function 10001A30: #942.MFC42U(\CLSID\,10009064,?,?,?,1000649F,000000FF), ref: 10001AB4
Part of subcall function 10001A30: #942.MFC42U(00000000,\CLSID\,10009064,?,?,?,1000649F,000000FF), ref: 10001AC4
Part of subcall function 10001A30: wcslen.MSVCRT ref: 10001ACE
Part of subcall function 10001A30: #942.MFC42U(10009188), ref: 10001AE4
Part of subcall function 10001A30: #942.MFC42U(?,10009188), ref: 10001AEE
Part of subcall function 10001A30: #535.MFC42U(?), ref: 10001AFE
Part of subcall function 10001A30: #800.MFC42U ref: 10001B14

wcslen.MSVCRT ref: 10001ED0
#800.MFC42U ref: 10001EE1
wcscpy.MSVCRT ref: 10001F13

Part of subcall function 10001A30: #538.MFC42U(xyxyoorljfoleuwrljfoulerfksdor,?,?,?,1000649F,000000FF,10001ECD,?,ProgID), ref: 10001A6B

NtQueryKey.NTDLL(?,?,?,?,?), ref: 10002108

Strings

1.0\0\win32, xrefs: 10002078, 100020AB
InprocServer32, xrefs: 10001E52, 10001E8F
1.0, xrefs: 10001F9C, 10001FD7
1.0\0, xrefs: 10002008, 10002043
CLSID, xrefs: 10001D02, 10001D3F
ProgID, xrefs: 10001EC2, 10001EFF
CurVer, xrefs: 10001D72, 10001DAF

Memory Dump Source

Source File: 00000000.00000002.2276098499.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2276078008.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276118813.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276140126.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276160556.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: #942$#800$wcslen$wcscpy$#538$#535$Query
String ID: 1.0$1.0\0$1.0\0\win32$CLSID$CurVer$InprocServer32$ProgID
API String ID: 3364588600-3032651770
Opcode ID: c6407b952052ce94e40f9a31da8d2529fe4a30389a6ec89255647bc4872f7d82
Instruction ID: e210364aa1a478c15cfc260ae6af40ed4357581bce4cc658cafd6358c502b614
Opcode Fuzzy Hash: c6407b952052ce94e40f9a31da8d2529fe4a30389a6ec89255647bc4872f7d82
Instruction Fuzzy Hash: 9CD1A071900301AFF710DF58CC84EDBB7A8EF842C8F414958F6859715AEB35EA58CBA2

Function 10002120 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 346
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcslen.MSVCRT ref: 10002158
wcscpy.MSVCRT ref: 10002192
wcslen.MSVCRT ref: 100021C0
wcscpy.MSVCRT ref: 100021FA
wcslen.MSVCRT ref: 1000255D
NtQueryValueKey.NTDLL(?,?,?,?,?,?), ref: 100025A1

Strings

InprocServer32, xrefs: 1000230A
+8w`+8w, xrefs: 100025A1
ThreadingModel, xrefs: 10002321

Memory Dump Source

Source File: 00000000.00000002.2276098499.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2276078008.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276118813.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276140126.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276160556.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: wcslen$wcscpy$QueryValue
String ID: InprocServer32$ThreadingModel$+8w`+8w
API String ID: 3495438468-3456325871
Opcode ID: c4260f03a4103386327f907f49e4696b6fc99d7f62d9331459b1c1bf3e83a945
Instruction ID: 2ef2c71096b13ae9e457a76c590163092a74dd924769b1517c816b7175000df9
Opcode Fuzzy Hash: c4260f03a4103386327f907f49e4696b6fc99d7f62d9331459b1c1bf3e83a945
Instruction Fuzzy Hash: D7C1D171900A118FE720DF58DCD8A9BB7E4EF443C9F01881DEC4997259E775E984CBA1

Function 10001150 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 88
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#540.MFC42U(?,?,?,?,?,?), ref: 10001176
LoadLibraryW.KERNEL32(ntdll.dll,?,?,?,?,?,?,?,?,?), ref: 10001194
GetProcAddress.KERNEL32(00000000,ZwQueryKey), ref: 100011AF
#823.MFC42U(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 100011E7
#861.MFC42U(00000004), ref: 1000121B
#825.MFC42U(00000000), ref: 10001221
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 1000122E
#535.MFC42U(?,?,?,?,?,?,?,?,?,?), ref: 10001240
#800.MFC42U(?,?,?,?,?,?,?,?,?,?), ref: 10001256

Strings

ntdll.dll, xrefs: 1000118F
ZwQueryKey, xrefs: 100011A9
#v, xrefs: 1000122E

Memory Dump Source

Source File: 00000000.00000002.2276098499.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2276078008.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276118813.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276140126.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276160556.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Library$#535#540#800#823#825#861AddressFreeLoadProc
String ID: ZwQueryKey$ntdll.dll$#v
API String ID: 2613158826-532945629
Opcode ID: bc5bbe6214aa5001c3c70daa38219ac9ccd12220b36cb51efc90beb907280d54
Instruction ID: d3dea8be48ffa99f9d5f34d600dd3274f25f708f68bf231c1563c345e68523fd
Opcode Fuzzy Hash: bc5bbe6214aa5001c3c70daa38219ac9ccd12220b36cb51efc90beb907280d54
Instruction Fuzzy Hash: 5D31BCB1404711AFE311DF24D810B9FB7E8EF84794F014A1CF899A3284EB78AA058B92

Function 10001320 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 33threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 1000132E

Part of subcall function 10005000: GetCurrentThread.KERNEL32 ref: 1000500B
Part of subcall function 10005000: #823.MFC42U(00000008,?,?,1000133A,00000000), ref: 1000501B

Strings

+8w`+8w, xrefs: 1000137D

Memory Dump Source

Source File: 00000000.00000002.2276098499.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2276078008.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276118813.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276140126.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276160556.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CurrentThread$#823
String ID: +8w`+8w
API String ID: 2256706878-1206657199
Opcode ID: c41dc582fd7d3d25659f81c57e003db572b79c8ce65fd5bf5e1237c1e7517899
Instruction ID: 1c844b3ada017ffef8954220178e01bb0eba6057380872ac48717b903644d3b2
Opcode Fuzzy Hash: c41dc582fd7d3d25659f81c57e003db572b79c8ce65fd5bf5e1237c1e7517899
Instruction Fuzzy Hash: B4F0C9386C42417AF620EBE18CAAFDE7294EB047C2FA00100F3C17549EDF56B80442AF

Function 10002740 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 33threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 1000274E

Part of subcall function 10005000: GetCurrentThread.KERNEL32 ref: 1000500B
Part of subcall function 10005000: #823.MFC42U(00000008,?,?,1000133A,00000000), ref: 1000501B

Part of subcall function 10005690: GetCurrentThreadId.KERNEL32 ref: 10005695

Strings

+8w`+8w, xrefs: 1000279D

Memory Dump Source

Source File: 00000000.00000002.2276098499.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2276078008.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276118813.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276140126.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276160556.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CurrentThread$#823
String ID: +8w`+8w
API String ID: 2256706878-1206657199
Opcode ID: ef6cfeca544553a4b11261b592324b11a2f61a3ae37f80f60449017bf63b78fa
Instruction ID: dae003e1be8c417d5ea86d2a72ceb7b366742516b4632fbbe64b49f091171ea8
Opcode Fuzzy Hash: ef6cfeca544553a4b11261b592324b11a2f61a3ae37f80f60449017bf63b78fa
Instruction Fuzzy Hash: DCF0C0386C424176F660EFF18C8AFCA7198DB046D2FE10104F345760DDDF66B800452E

Function 100026D0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(?), ref: 10002725

Strings

`+8w, xrefs: 10002725

Memory Dump Source

Source File: 00000000.00000002.2276098499.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2276078008.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276118813.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276140126.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276160556.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Close
String ID: `+8w
API String ID: 3535843008-4152678778
Opcode ID: e3c92ded4a8899102a8526a9b3a3cb14f1cb9637af0b23d7e3f82045eea80f8d
Instruction ID: d58ee0143c4e84a4a31dd44e0198682171cedcd0fe59b2b7354f87470e681304
Opcode Fuzzy Hash: e3c92ded4a8899102a8526a9b3a3cb14f1cb9637af0b23d7e3f82045eea80f8d
Instruction Fuzzy Hash: E8F07E62C0D4A899F8E3D514E4C4BEE61F4DB541D0F208C13E00BD1AEDD924DCD9C197

Function 10001BF0 Relevance: 1.5, APIs: 1, Instructions: 30nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 10001400: wcslen.MSVCRT ref: 10001444
Part of subcall function 10001400: #942.MFC42U(10009188), ref: 1000145A
Part of subcall function 10001400: #942.MFC42U(?,10009188), ref: 10001464
Part of subcall function 10001400: _wcsicmp.MSVCRT ref: 100014A0
Part of subcall function 10001400: _wcsicmp.MSVCRT ref: 100014C2
Part of subcall function 10001400: #800.MFC42U ref: 100014D0
Part of subcall function 10001400: #800.MFC42U ref: 100014E4
Part of subcall function 10001400: #800.MFC42U ref: 100018F7

NtOpenKeyEx.NTDLL(?,?,?,?), ref: 10001C2C

Memory Dump Source

Source File: 00000000.00000002.2276098499.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2276078008.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276118813.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276140126.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276160556.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: #800$#942_wcsicmp$Openwcslen
String ID:
API String ID: 700594209-0
Opcode ID: 9f983699acc519ee4bead459c80209239c48a1bd57f530d88279fbcdf2017b4b
Instruction ID: a5e23e891e6b2d8738890c2112a89ae3c7bba218bb169498b29d81a7e0fae048
Opcode Fuzzy Hash: 9f983699acc519ee4bead459c80209239c48a1bd57f530d88279fbcdf2017b4b
Instruction Fuzzy Hash: E1F0F87A204211AF9200DA59D844DABB7A9EBC82A0B058D1EF59983205D370E806CBA1

Function 100013B0 Relevance: 1.5, APIs: 1, Instructions: 28nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 10001400: wcslen.MSVCRT ref: 10001444
Part of subcall function 10001400: #942.MFC42U(10009188), ref: 1000145A
Part of subcall function 10001400: #942.MFC42U(?,10009188), ref: 10001464
Part of subcall function 10001400: _wcsicmp.MSVCRT ref: 100014A0
Part of subcall function 10001400: _wcsicmp.MSVCRT ref: 100014C2
Part of subcall function 10001400: #800.MFC42U ref: 100014D0
Part of subcall function 10001400: #800.MFC42U ref: 100014E4
Part of subcall function 10001400: #800.MFC42U ref: 100018F7

NtOpenKey.NTDLL(?,?,?), ref: 100013E7

Memory Dump Source

Source File: 00000000.00000002.2276098499.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2276078008.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276118813.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276140126.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276160556.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: #800$#942_wcsicmp$Openwcslen
String ID:
API String ID: 700594209-0
Opcode ID: 22737021b9962da16d3a98351a932d14bc8c8bb6a6554cde58d0721a2b0cb1c1
Instruction ID: d080ee723748a318de7459404146d2f74d56df26b67cf6699924f63836542ac6
Opcode Fuzzy Hash: 22737021b9962da16d3a98351a932d14bc8c8bb6a6554cde58d0721a2b0cb1c1
Instruction Fuzzy Hash: F9E0C97A204251AF9604DB59D884DABF7ECEBD92A0B05891EF69983205D770F806CBA1

Function 10003420 Relevance: .9, Instructions: 851COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2276098499.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2276078008.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276118813.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276140126.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276160556.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 312f36b74284c62cda4085ceaa7982b1103cabd41ffa0d322e40a81b5375018f
Instruction ID: 34d6032b85ffee70737b1779ab684f7f6e397ec16cb9da23845eb6496991dcfc
Opcode Fuzzy Hash: 312f36b74284c62cda4085ceaa7982b1103cabd41ffa0d322e40a81b5375018f
Instruction Fuzzy Hash: 4752B13774470A4BE70CCE9ACCD11A9B3D3ABC8354B4D863C9A56C3346EDF8A91B8644

Function 10002900 Relevance: 77.3, APIs: 16, Strings: 28, Instructions: 286
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(10009528), ref: 1000290C
wcscpy.MSVCRT ref: 1000291F
LeaveCriticalSection.KERNEL32(10009528), ref: 1000292D
_wfopen.MSVCRT ref: 10002939
fseek.MSVCRT ref: 10002962
fread.MSVCRT ref: 10002977
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,10009654,0000000B), ref: 100029C3
fseek.MSVCRT ref: 10002A0A
fread.MSVCRT ref: 10002A19
fseek.MSVCRT ref: 10002A20
fread.MSVCRT ref: 10002A32
fclose.MSVCRT ref: 10002E7F

Strings

o, xrefs: 10002BA4
{, xrefs: 10002ACE
C, xrefs: 10002C5A
}, xrefs: 10002B52
9, xrefs: 10002C7C
E, xrefs: 10002DC1
E, xrefs: 10002DDB
E, xrefs: 10002B12
1, xrefs: 10002CC0
{, xrefs: 10002CEA
E, xrefs: 10002C49
}, xrefs: 10002E3F
5, xrefs: 10002C96
B, xrefs: 10002C61
C, xrefs: 10002DE5
., xrefs: 10002B91
t, xrefs: 10002BB2
0, xrefs: 10002DAF
f, xrefs: 10002BAB
C, xrefs: 10002B19
3, xrefs: 10002C8A
3, xrefs: 10002C36
}, xrefs: 10002CCC
B, xrefs: 10002D3C
A, xrefs: 10002C42
s, xrefs: 10002B9D
C, xrefs: 10002C83
{, xrefs: 10002C2A

Memory Dump Source

Source File: 00000000.00000002.2276098499.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2276078008.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276118813.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276140126.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276160556.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: freadfseek$CriticalSection$ByteCharEnterLeaveMultiWide_wfopenfclosewcscpy
String ID: .$0$1$3$3$5$9$A$B$B$C$C$C$C$E$E$E$E$f$o$s$t${${${$}$}$}
API String ID: 1882367194-101255485
Opcode ID: b8d023a21bba30e2febaa6ecf4fe958fbf8d5c5ec60a7b436212acfc3dcec398
Instruction ID: d748a7da786b6bfea15dfe591960893aee9ae8f6c3cef3ff43216ee8acc7db6a
Opcode Fuzzy Hash: b8d023a21bba30e2febaa6ecf4fe958fbf8d5c5ec60a7b436212acfc3dcec398
Instruction Fuzzy Hash: 69D1C52052D38096E321CF61C894B9BB3F4FFA4384F44691EE69897361E7BA8548C75F

Function 10001400 Relevance: 73.9, APIs: 36, Strings: 6, Instructions: 394
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10001150: #540.MFC42U(?,?,?,?,?,?), ref: 10001176
Part of subcall function 10001150: LoadLibraryW.KERNEL32(ntdll.dll,?,?,?,?,?,?,?,?,?), ref: 10001194
Part of subcall function 10001150: GetProcAddress.KERNEL32(00000000,ZwQueryKey), ref: 100011AF
Part of subcall function 10001150: #823.MFC42U(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 100011E7
Part of subcall function 10001150: #861.MFC42U(00000004), ref: 1000121B
Part of subcall function 10001150: #825.MFC42U(00000000), ref: 10001221
Part of subcall function 10001150: FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 1000122E
Part of subcall function 10001150: #535.MFC42U(?,?,?,?,?,?,?,?,?,?), ref: 10001240
Part of subcall function 10001150: #800.MFC42U(?,?,?,?,?,?,?,?,?,?), ref: 10001256

wcslen.MSVCRT ref: 10001444
#942.MFC42U(10009188), ref: 1000145A
#942.MFC42U(?,10009188), ref: 10001464

Part of subcall function 10001930: #538.MFC42U(xyxyoorljfoleuwrljfoulerfksdor,?,?,?,1000646F,000000FF,10001D7D,?,CurVer), ref: 1000196B

#861.MFC42U(?), ref: 1000146F
_wcsicmp.MSVCRT ref: 100014A0
_wcsicmp.MSVCRT ref: 100014C2
#800.MFC42U ref: 100014D0
#800.MFC42U ref: 100014E4
_wcsicmp.MSVCRT ref: 10001530
_wcsicmp.MSVCRT ref: 10001552
#800.MFC42U ref: 10001560
#800.MFC42U ref: 10001574
_wcsicmp.MSVCRT ref: 100015B4
#800.MFC42U ref: 100015F8

Part of subcall function 10001930: #538.MFC42U(10009064,?,?,?,1000646F,000000FF,10001D7D,?,CurVer), ref: 1000198C
Part of subcall function 10001930: #942.MFC42U(\Wow6432Node,10009064,?,?,?,1000646F,000000FF), ref: 100019A6
Part of subcall function 10001930: #942.MFC42U(10009188,10009064,?,?,?,1000646F,000000FF), ref: 100019B4
Part of subcall function 10001930: #942.MFC42U(00000000,10009188,10009064,?,?,?,1000646F,000000FF), ref: 100019C4
Part of subcall function 10001930: wcslen.MSVCRT ref: 100019CE
Part of subcall function 10001930: #942.MFC42U(10009188), ref: 100019E4
Part of subcall function 10001930: #942.MFC42U(?,10009188), ref: 100019EE
Part of subcall function 10001930: #535.MFC42U(?), ref: 100019FE
Part of subcall function 10001930: #800.MFC42U ref: 10001A14

_wcsicmp.MSVCRT ref: 100015D6
#800.MFC42U ref: 100015E4
_wcsicmp.MSVCRT ref: 1000163A
_wcsicmp.MSVCRT ref: 1000165C
#800.MFC42U ref: 1000166A
#800.MFC42U ref: 1000167E
_wcsicmp.MSVCRT ref: 100016CA
#800.MFC42U ref: 1000170E

Part of subcall function 10001A30: #538.MFC42U(10009064,?,?,?,1000649F,000000FF,10001ECD,?,ProgID), ref: 10001A8C
Part of subcall function 10001A30: #942.MFC42U(\Wow6432Node,10009064,?,?,?,1000649F,000000FF), ref: 10001AA6
Part of subcall function 10001A30: #942.MFC42U(\CLSID\,10009064,?,?,?,1000649F,000000FF), ref: 10001AB4
Part of subcall function 10001A30: #942.MFC42U(00000000,\CLSID\,10009064,?,?,?,1000649F,000000FF), ref: 10001AC4
Part of subcall function 10001A30: wcslen.MSVCRT ref: 10001ACE
Part of subcall function 10001A30: #942.MFC42U(10009188), ref: 10001AE4
Part of subcall function 10001A30: #942.MFC42U(?,10009188), ref: 10001AEE
Part of subcall function 10001A30: #535.MFC42U(?), ref: 10001AFE
Part of subcall function 10001A30: #800.MFC42U ref: 10001B14

_wcsicmp.MSVCRT ref: 100016EC
#800.MFC42U ref: 100016FA
_wcsicmp.MSVCRT ref: 1000174E
_wcsicmp.MSVCRT ref: 10001770
#800.MFC42U ref: 1000177E
#800.MFC42U ref: 10001792
_wcsicmp.MSVCRT ref: 100017D4
_wcsicmp.MSVCRT ref: 100017F4
#800.MFC42U ref: 10001802
_wcsicmp.MSVCRT ref: 1000181D

Part of subcall function 10001A30: #538.MFC42U(xyxyoorljfoleuwrljfoulerfksdor,?,?,?,1000649F,000000FF,10001ECD,?,ProgID), ref: 10001A6B

#800.MFC42U ref: 100018F7

Strings

win32, xrefs: 1000186E
InprocServer32, xrefs: 100016B2, 100016D9
1.0, xrefs: 10001817
CLSID, xrefs: 10001518, 1000153F
ProgID, xrefs: 10001736, 1000175D
CurVer, xrefs: 1000159C, 100015C3

Memory Dump Source

Source File: 00000000.00000002.2276098499.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2276078008.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276118813.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276140126.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276160556.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: #800$_wcsicmp$#942$#538$#535wcslen$#861Library$#540#823#825AddressFreeLoadProc
String ID: 1.0$CLSID$CurVer$InprocServer32$ProgID$win32
API String ID: 2745223314-3815763076
Opcode ID: f4d5b1f6c3545d255a4fc4fa84683b3a68eea10578ae6f7c742b8a78975376ec
Instruction ID: e587bc50812e586e2bd60427c8c21f55630403218c68574d11df9dc8f3e29d0e
Opcode Fuzzy Hash: f4d5b1f6c3545d255a4fc4fa84683b3a68eea10578ae6f7c742b8a78975376ec
Instruction Fuzzy Hash: 1CD16F74209341AFE300DF64CD90BDBB7E8EF896C4F444948F98597295EB35EA05CBA2

Function 10001270 Relevance: 40.3, APIs: 14, Strings: 9, Instructions: 54
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(10009528,?,?,?,100010DF), ref: 10001278
GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,100010DF), ref: 1000128E
GetProcAddress.KERNEL32(00000000), ref: 10001297
GetCurrentProcess.KERNEL32(10009540,?,?,?,100010DF), ref: 100012A4
GetModuleHandleA.KERNEL32(ntdll.dll,ZwOpenKey,?,?,?,100010DF), ref: 100012B7
GetProcAddress.KERNEL32(00000000), ref: 100012BA
GetModuleHandleA.KERNEL32(ntdll.dll,ZwOpenKeyEx,?,?,?,100010DF), ref: 100012CB
GetProcAddress.KERNEL32(00000000), ref: 100012CE
GetModuleHandleA.KERNEL32(ntdll.dll,ZwQueryKey,?,?,?,100010DF), ref: 100012DF
GetProcAddress.KERNEL32(00000000), ref: 100012E2
GetModuleHandleA.KERNEL32(ntdll.dll,ZwQueryValueKey,?,?,?,100010DF), ref: 100012F3
GetProcAddress.KERNEL32(00000000), ref: 100012F6
GetModuleHandleA.KERNEL32(ntdll.dll,ZwClose,?,?,?,100010DF), ref: 10001307
GetProcAddress.KERNEL32(00000000), ref: 1000130A

Strings

ZwQueryValueKey, xrefs: 100012E4
ntdll.dll, xrefs: 100012B2, 100012C1, 100012D5, 100012E9, 100012FD
ZwQueryKey, xrefs: 100012D0
+8w`+8w, xrefs: 10001302
ZwOpenKey, xrefs: 100012AD
IsWow64Process, xrefs: 10001284
kernel32, xrefs: 10001289
ZwOpenKeyEx, xrefs: 100012BC
ZwClose, xrefs: 100012F8

Memory Dump Source

Source File: 00000000.00000002.2276098499.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2276078008.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276118813.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276140126.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276160556.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: AddressHandleModuleProc$CriticalCurrentInitializeProcessSection
String ID: IsWow64Process$ZwClose$ZwOpenKey$ZwOpenKeyEx$ZwQueryKey$ZwQueryValueKey$kernel32$ntdll.dll$+8w`+8w
API String ID: 2663015719-2529589178
Opcode ID: 172811b13e48408ddf2b8ab4dbaa0b3c0a2e83ca9b17fe80b06286a38d0ff660
Instruction ID: bc393e3598cc65d04037417f7a1f03f3b783a77bcc05561d6fd32471d0030434
Opcode Fuzzy Hash: 172811b13e48408ddf2b8ab4dbaa0b3c0a2e83ca9b17fe80b06286a38d0ff660
Instruction Fuzzy Hash: 42019EA1D042A9AAFA20FBF68C9CDCB7E5CDB842D53110526F7049351ADB798841CFA1

Function 10002F00 Relevance: 39.2, APIs: 26, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000100,?,?,?,?,00000000,75C296C0,75C29430), ref: 10002FF9
#538.MFC42U(?,?,?,00000000,75C296C0,75C29430), ref: 1000300B
#4199.MFC42U ref: 1000301C
wcscpy.MSVCRT ref: 10003031
#4273.MFC42U(?,00000000,00000008,75C296C0,75C29430), ref: 10003046
wcscat.MSVCRT ref: 10003055
#800.MFC42U ref: 1000305E
wcscat.MSVCRT ref: 10003069
#4273.MFC42U(?,00000008,00000004), ref: 1000307B
wcscat.MSVCRT ref: 10003084
#800.MFC42U ref: 1000308D
wcscat.MSVCRT ref: 10003098
#4273.MFC42U(?,0000000C,00000004), ref: 100030AA
wcscat.MSVCRT ref: 100030B3
#800.MFC42U ref: 100030BC
wcscat.MSVCRT ref: 100030C7
#4273.MFC42U(?,00000010,00000004), ref: 100030D9
wcscat.MSVCRT ref: 100030E2
#800.MFC42U ref: 100030EB
wcscat.MSVCRT ref: 100030F6
#4273.MFC42U(?,00000014,0000000C), ref: 10003108
wcscat.MSVCRT ref: 10003111
#800.MFC42U ref: 1000311A
wcscat.MSVCRT ref: 10003125
#800.MFC42U ref: 10003135
#825.MFC42U(?), ref: 10003152

Memory Dump Source

Source File: 00000000.00000002.2276098499.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2276078008.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276118813.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276140126.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276160556.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: wcscat$#800$#4273$#4199#538#825ByteCharMultiWidewcscpy
String ID:
API String ID: 3218086493-0
Opcode ID: 70c7c4ec569e9afcec2c189fa726a6d1e9966894626a76c1a1deb38a02fb74fc
Instruction ID: 09f04f280ac1a6942a0064386c88c85055bd1199c361a2afb61791185c8fa687
Opcode Fuzzy Hash: 70c7c4ec569e9afcec2c189fa726a6d1e9966894626a76c1a1deb38a02fb74fc
Instruction Fuzzy Hash: 3461B271108781ABE715DF24CC91FAFB3A8EF95384F01092CF59583195EF25A909C7A7

Function 10001A30 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#538.MFC42U(xyxyoorljfoleuwrljfoulerfksdor,?,?,?,1000649F,000000FF,10001ECD,?,ProgID), ref: 10001A6B
#538.MFC42U(10009064,?,?,?,1000649F,000000FF,10001ECD,?,ProgID), ref: 10001A8C
#942.MFC42U(\Wow6432Node,10009064,?,?,?,1000649F,000000FF), ref: 10001AA6
#942.MFC42U(\CLSID\,10009064,?,?,?,1000649F,000000FF), ref: 10001AB4
#942.MFC42U(00000000,\CLSID\,10009064,?,?,?,1000649F,000000FF), ref: 10001AC4
wcslen.MSVCRT ref: 10001ACE
#942.MFC42U(10009188), ref: 10001AE4
#942.MFC42U(?,10009188), ref: 10001AEE
#535.MFC42U(?), ref: 10001AFE
#800.MFC42U ref: 10001B14

Strings

xyxyoorljfoleuwrljfoulerfksdor, xrefs: 10001A64
\Wow6432Node, xrefs: 10001A9D
\CLSID\, xrefs: 10001AAB

Memory Dump Source

Source File: 00000000.00000002.2276098499.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2276078008.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276118813.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276140126.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276160556.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: #942$#538$#535#800wcslen
String ID: \CLSID\$\Wow6432Node$xyxyoorljfoleuwrljfoulerfksdor
API String ID: 3153432097-3768299153
Opcode ID: b22a3667cfbcf49f25b70c07b9256f71891a999a466759d11f549b470e779f78
Instruction ID: 08f889d4e3fb4bb5565a251bfb2ab1b94d4e6ba08e5119c4d5b5a8b23de7f138
Opcode Fuzzy Hash: b22a3667cfbcf49f25b70c07b9256f71891a999a466759d11f549b470e779f78
Instruction Fuzzy Hash: 1221B0766046619BE300CF14CD51BDAB3E4FF8AA84F40095CF58563299EF79AE04CB93

Function 10001930 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#538.MFC42U(xyxyoorljfoleuwrljfoulerfksdor,?,?,?,1000646F,000000FF,10001D7D,?,CurVer), ref: 1000196B
#538.MFC42U(10009064,?,?,?,1000646F,000000FF,10001D7D,?,CurVer), ref: 1000198C
#942.MFC42U(\Wow6432Node,10009064,?,?,?,1000646F,000000FF), ref: 100019A6
#942.MFC42U(10009188,10009064,?,?,?,1000646F,000000FF), ref: 100019B4
#942.MFC42U(00000000,10009188,10009064,?,?,?,1000646F,000000FF), ref: 100019C4
wcslen.MSVCRT ref: 100019CE
#942.MFC42U(10009188), ref: 100019E4
#942.MFC42U(?,10009188), ref: 100019EE
#535.MFC42U(?), ref: 100019FE
#800.MFC42U ref: 10001A14

Strings

xyxyoorljfoleuwrljfoulerfksdor, xrefs: 10001964
\Wow6432Node, xrefs: 1000199D

Memory Dump Source

Source File: 00000000.00000002.2276098499.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2276078008.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276118813.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276140126.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276160556.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: #942$#538$#535#800wcslen
String ID: \Wow6432Node$xyxyoorljfoleuwrljfoulerfksdor
API String ID: 3153432097-2372900209
Opcode ID: 613f91e10275ba28aa624325a3d1f2c5f689fcc5d62542d8c4307f18b8cd6432
Instruction ID: 74bfcef7c59b22db7e0450e734908b9134bfe74a189a17882b269429263cd8d2
Opcode Fuzzy Hash: 613f91e10275ba28aa624325a3d1f2c5f689fcc5d62542d8c4307f18b8cd6432
Instruction Fuzzy Hash: E721B376504661ABE300CF14CD51BDAB3E4FF89A84F41095CF58553299EF79AE08CB93

Function 10001B30 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#538.MFC42U ref: 10001B5B
#942.MFC42U(?,?,\TypeLib\), ref: 10001B71
#942.MFC42U(00000000,?,?,\TypeLib\), ref: 10001B81
wcslen.MSVCRT ref: 10001B8B
#942.MFC42U(10009188,?,?,1.0\0\win32), ref: 10001BA1
#942.MFC42U(?,10009188,?,?,1.0\0\win32), ref: 10001BAB
#535.MFC42U(?,?,?,1.0\0\win32), ref: 10001BBB
#800.MFC42U ref: 10001BD1

Strings

\TypeLib\, xrefs: 10001B60

Memory Dump Source

Source File: 00000000.00000002.2276098499.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2276078008.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276118813.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276140126.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276160556.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: #942$#535#538#800wcslen
String ID: \TypeLib\
API String ID: 3775937953-600913956
Opcode ID: d121028880f9f37c00128435c4e701899b645a4f73339be2d57e9d9c91fc371a
Instruction ID: 97af8a2b816642cbf3e83e4987fe7457cadacbba3d3d35339a73e1d59943db42
Opcode Fuzzy Hash: d121028880f9f37c00128435c4e701899b645a4f73339be2d57e9d9c91fc371a
Instruction Fuzzy Hash: 4511A3B5108651AFE300DF14CC50B9BBBA4EF85691F00891CF48943299EF35A509CB97

Function 100027E0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcscpy.MSVCRT ref: 10002813
GetModuleHandleW.KERNEL32(00000000,?,00000200), ref: 10002834
GetModuleFileNameW.KERNEL32(00000000,?,00000200), ref: 1000283B
wcslen.MSVCRT ref: 10002846
wcscat.MSVCRT ref: 1000287A

Strings

Both, xrefs: 100028D7
Apartment, xrefs: 100028D0
., xrefs: 1000281C

Memory Dump Source

Source File: 00000000.00000002.2276098499.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2276078008.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276118813.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276140126.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276160556.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Module$FileHandleNamewcscatwcscpywcslen
String ID: .$Apartment$Both
API String ID: 2054667532-1695967614
Opcode ID: e66a015e92e41beedde033933ee022f76622b8e0d2b7561b036895c08a9c1864
Instruction ID: 8dc09df306f3aeac2cb15477358e42074c0e142bab5dd9a3ac3a12d3aa31bc2b
Opcode Fuzzy Hash: e66a015e92e41beedde033933ee022f76622b8e0d2b7561b036895c08a9c1864
Instruction Fuzzy Hash: 6C21A4B95042819BF360E764DC45BAB73E8FF80384F40882CEB8992059FB75955DC7A3

Function 10005900 Relevance: 13.6, APIs: 9, Instructions: 119
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strchr.MSVCRT ref: 10005922
GetSystemDirectoryA.KERNEL32(?,00000200), ref: 10005939
fopen.MSVCRT ref: 100059C0
fseek.MSVCRT ref: 100059DA
ftell.MSVCRT ref: 100059DD
fseek.MSVCRT ref: 100059EA
malloc.MSVCRT ref: 100059ED
fread.MSVCRT ref: 10005A04
fclose.MSVCRT ref: 10005A0E

Memory Dump Source

Source File: 00000000.00000002.2276098499.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2276078008.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276118813.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276140126.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276160556.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: fseek$DirectorySystemfclosefopenfreadftellmallocstrchr
String ID:
API String ID: 1390157628-0
Opcode ID: e506fa6d25c0440c55aefb787ab431d84a08c89064c8190344b0abc9546546ad
Instruction ID: ebbcbae6c0e7c7988dd8aaf0e80484ee13c507c82097ae489073b65b346a024c
Opcode Fuzzy Hash: e506fa6d25c0440c55aefb787ab431d84a08c89064c8190344b0abc9546546ad
Instruction Fuzzy Hash: FF31083260061017E7288B789C89BAF76C5FBC53B1F54072DFA2A872C4DEA99D09C295

Function 10002640 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

#540.MFC42U ref: 10002665
EnterCriticalSection.KERNEL32(?,?,?,10009528), ref: 10002677
#861.MFC42U(Apartment,?,?,?,10009528), ref: 10002686
LeaveCriticalSection.KERNEL32(10009528,Apartment,?,?,?,10009528), ref: 10002690
#535.MFC42U(?,?,?,?,10009528), ref: 100026A1
#800.MFC42U(?,?,?,?,10009528), ref: 100026B7

Strings

Apartment, xrefs: 1000267D

Memory Dump Source

Source File: 00000000.00000002.2276098499.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2276078008.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276118813.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276140126.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276160556.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CriticalSection$#535#540#800#861EnterLeave
String ID: Apartment
API String ID: 2659518386-3482315511
Opcode ID: 30f678aa10425c0768487384b688df8f5f3383e2401929aacce373796505cbe5
Instruction ID: 62e887f79e0c6814c4870c848619d622f785478aaf9b2f642893a6cad553d807
Opcode Fuzzy Hash: 30f678aa10425c0768487384b688df8f5f3383e2401929aacce373796505cbe5
Instruction Fuzzy Hash: 7501F4B4408641EFE300DF54DD54B8EBBE4FB85792F40890CF54943298DB389908CBA7

Function 10004D50 Relevance: 12.2, APIs: 8, Instructions: 225threadinjectionCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 10004D69
GetThreadContext.KERNEL32 ref: 10004E8F
SetThreadContext.KERNEL32(?,?), ref: 10004F00
GetCurrentProcess.KERNEL32 ref: 10004F1B

Part of subcall function 10004C30: GetCurrentThreadId.KERNEL32 ref: 10004C31

Memory Dump Source

Source File: 00000000.00000002.2276098499.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2276078008.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276118813.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276140126.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276160556.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Thread$Current$Context$Process
String ID:
API String ID: 2043380635-0
Opcode ID: e3fd9327122e1a0b5100c2a9f97ad9caffe351a76243ecf282890f97c32ddb3c
Instruction ID: 00b7f0c0d3398a48c3e32b856f74d171efe319d2e2ef352bbe66c176b0606302
Opcode Fuzzy Hash: e3fd9327122e1a0b5100c2a9f97ad9caffe351a76243ecf282890f97c32ddb3c
Instruction Fuzzy Hash: 6D8183B56007528FE324CF69C884967B3E6FB88380B16896DE89987759DF30FC45CB54

Function 10005AD0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 70librarymemoryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,ZwProtectVirtualMemory,00000000,10005BDE,?,?,?,?,000000FF,10005CE8,000000FF,?,?,?,?), ref: 10005AE4
GetProcAddress.KERNEL32(00000000), ref: 10005AEB

Part of subcall function 10005A40: GetModuleHandleA.KERNEL32(00000000,?,00000000,?,10005B05,00000000,ntdll.dll,1000BFA4,00000005), ref: 10005A48

VirtualAlloc.KERNEL32(00000000,0000000B,00003000,00000040,00000000,10005BDE,?,?,?,?,000000FF,10005CE8,000000FF,?,?,?), ref: 10005B38
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 10005BA8

Strings

ntdll.dll, xrefs: 10005ADF, 10005AFA
ZwProtectVirtualMemory, xrefs: 10005ADA

Memory Dump Source

Source File: 00000000.00000002.2276098499.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2276078008.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276118813.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276140126.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276160556.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: HandleModuleVirtual$AddressAllocFreeProc
String ID: ZwProtectVirtualMemory$ntdll.dll
API String ID: 388322139-613508025
Opcode ID: 3f2e333342cacb2edc7985fbc541f57f2e2b50b9c22888553d4749b7b8733c30
Instruction ID: 24d9de40e1ec38948f0626ff2d0eb67c681e120d5b9cbc94a272e34673a50bb4
Opcode Fuzzy Hash: 3f2e333342cacb2edc7985fbc541f57f2e2b50b9c22888553d4749b7b8733c30
Instruction Fuzzy Hash: 28214CB1A046229FF214CF289C94F677AA4EF497D1F018665FA08973E9D771E801CB72

Function 10003FC0 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

?_Xran@std@@YAXXZ.MSVCP60(?,?,00000000,00000000,10003F53,?,00000000,FFFFFFFF,?,?,?,?), ref: 10003FD3
?_Xran@std@@YAXXZ.MSVCP60(?,?,00000000,00000000,10003F53,?,00000000,FFFFFFFF,?,?,?,?), ref: 10004001
memmove.MSVCRT(?,?,?,?,?,00000000,00000000,10003F53,?,00000000,FFFFFFFF,?,?,?,?), ref: 1000402A
memmove.MSVCRT(?,?,?,?,?,00000000,00000000,10003F53,?,00000000,FFFFFFFF,?,?,?,?), ref: 10004079
#825.MFC42U(?,?,?,00000000,00000000,10003F53,?,00000000,FFFFFFFF,?,?,?,?), ref: 100040E2
?_Xlen@std@@YAXXZ.MSVCP60(?,?,00000000,00000000,10003F53,?,00000000,FFFFFFFF,?,?,?,?), ref: 1000412C

Memory Dump Source

Source File: 00000000.00000002.2276098499.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2276078008.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276118813.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276140126.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276160556.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Xran@std@@memmove$#825Xlen@std@@
String ID:
API String ID: 1058695723-0
Opcode ID: c99c899000f3e845d934672dc8fa5a44403cf90caa0ca127342bf30a0f941e39
Instruction ID: 030e978d56c2ab623cdcb170f7569a7b32d6d92317d5ad0df148ab8d32bc1acc
Opcode Fuzzy Hash: c99c899000f3e845d934672dc8fa5a44403cf90caa0ca127342bf30a0f941e39
Instruction Fuzzy Hash: 9A5124B13002459BEB04CF68D8946AEB7E6EF942D0B12816DFD09CB349DF32ED848784

Function 100025B0 Relevance: 9.0, APIs: 6, Instructions: 33COMMON

Download Yara Rule

APIs

#540.MFC42U ref: 100025D5
EnterCriticalSection.KERNEL32(?,?,?,10009528), ref: 100025E7
#861.MFC42U(1000966C,?,?,?,10009528), ref: 100025F6
LeaveCriticalSection.KERNEL32(10009528,1000966C,?,?,?,10009528), ref: 10002600
#535.MFC42U(?,?,?,?,10009528), ref: 10002611
#800.MFC42U(?,?,?,?,10009528), ref: 10002627

Memory Dump Source

Source File: 00000000.00000002.2276098499.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2276078008.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276118813.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276140126.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276160556.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CriticalSection$#535#540#800#861EnterLeave
String ID:
API String ID: 2659518386-0
Opcode ID: ada13aba084fd554437abbf018868ea6530f0b1f331527b19768b0ad6ad6d98d
Instruction ID: fd7d3a6004d433891c5c411062b12546cca0578b90f5abe4cccb98c8943f4945
Opcode Fuzzy Hash: ada13aba084fd554437abbf018868ea6530f0b1f331527b19768b0ad6ad6d98d
Instruction Fuzzy Hash: 7001F4B4408640EFE300DF54CD40B8EBBE4FB85792F40891CF68943294DB789908CB97

Function 10005000 Relevance: 7.5, APIs: 5, Instructions: 40threadinjectionCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 1000500B
#823.MFC42U(00000008,?,?,1000133A,00000000), ref: 1000501B
SuspendThread.KERNEL32(?,00000000), ref: 10005031
GetLastError.KERNEL32 ref: 1000503C
#825.MFC42U(00000000), ref: 10005045

Memory Dump Source

Source File: 00000000.00000002.2276098499.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2276078008.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276118813.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276140126.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276160556.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Thread$#823#825CurrentErrorLastSuspend
String ID:
API String ID: 3974497259-0
Opcode ID: cc5c28da0ed3cb80a9ca6d922b5efe33ea86db9f6fba49d33db0ad4a55a296ef
Instruction ID: 18245ed321afc0d90b876c41bab88f2370897c18db3d6b37bb0b96d684dff324
Opcode Fuzzy Hash: cc5c28da0ed3cb80a9ca6d922b5efe33ea86db9f6fba49d33db0ad4a55a296ef
Instruction Fuzzy Hash: 66F0A4B2900A62CBF320DF689C8465F77D4EB903E1F124636EA44C729CDB35D8458FA1

Function 10005D10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114fileCOMMON

Download Yara Rule

APIs

sprintf.MSVCRT ref: 10005D8F
CreateFileA.KERNEL32(?,C0000000,00000001,00000000,00000003,00000080,00000000), ref: 10005DAB

Strings

\\.\%c%c%d, xrefs: 10005D89

Memory Dump Source

Source File: 00000000.00000002.2276098499.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2276078008.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276118813.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276140126.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276160556.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CreateFilesprintf
String ID: \\.\%c%c%d
API String ID: 3122967319-720341438
Opcode ID: fb3a7a8b64182b26fca6dd2dcfa44545cef07e93377b4d4170262b454fe4ac0d
Instruction ID: 8abcecb530939a06ff02b4e79d9815dd8bad28e7ee65b7157aecf8ed02193d27
Opcode Fuzzy Hash: fb3a7a8b64182b26fca6dd2dcfa44545cef07e93377b4d4170262b454fe4ac0d
Instruction Fuzzy Hash: 57314C326042050BE728CA38EC457BB7BD1FBC07B0F95072EF996832D4CAB99D09C691

Function 100050A0 Relevance: 6.3, APIs: 4, Instructions: 270threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 100050CB

Memory Dump Source

Source File: 00000000.00000002.2276098499.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2276078008.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276118813.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276140126.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276160556.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: c516182049691b8fd8390c59d55166f2577fabcdafe1b531d33eb2f9755230c7
Instruction ID: 1994d0de1a42c22369135885ee02961ea05c59e3f84e2c7875db4395ffa74dba
Opcode Fuzzy Hash: c516182049691b8fd8390c59d55166f2577fabcdafe1b531d33eb2f9755230c7
Instruction Fuzzy Hash: 929111B16047468FE710CF18D880B5BB7E1FF862D1F41462EE94587298E772EE48CB92

Function 100053C0 Relevance: 6.2, APIs: 4, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 1000549E
VirtualAlloc.KERNEL32(?,00010000,00003000,00000040), ref: 100054D4
VirtualQuery.KERNEL32(?,?,0000001C), ref: 10005508
VirtualAlloc.KERNEL32(?,00010000,00003000,00000040), ref: 1000554C

Memory Dump Source

Source File: 00000000.00000002.2276098499.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2276078008.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276118813.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276140126.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276160556.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Virtual$AllocQuery
String ID:
API String ID: 31662377-0
Opcode ID: b6d64277b744421d1ccbfd1fd9a04d209526ad95b39b0fa185daa15fb1c8d727
Instruction ID: 61e2964d8fc8964c7a371095edf98da1f1874e119c01a5abccf401dd21d6e409
Opcode Fuzzy Hash: b6d64277b744421d1ccbfd1fd9a04d209526ad95b39b0fa185daa15fb1c8d727
Instruction Fuzzy Hash: BD519F31A047128BEB14CF19C8D076BB7E2FB886C6F664529E844A7358E331ED818B51

Function 10005690 Relevance: 6.1, APIs: 4, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 10005695

Memory Dump Source

Source File: 00000000.00000002.2276098499.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2276078008.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276118813.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276140126.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276160556.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 3549d485cfd7cc12aa0032a44624f96d3d22b46faada2d7fece3d50849546f10
Instruction ID: 39fa3f4efa6b89b053462ff4677e5b8989544524c2f6e52f439509726f00a3e8
Opcode Fuzzy Hash: 3549d485cfd7cc12aa0032a44624f96d3d22b46faada2d7fece3d50849546f10
Instruction Fuzzy Hash: FB31B0B6609312CBF320CF19EC80B6BB3D4EB803E2F11413EE90987248DB36A8459B55

Function 10004C30 Relevance: 6.1, APIs: 4, Instructions: 67threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 10004C31
#825.MFC42U(?,?,?,?,?,?,?,00000000,?,10004D93), ref: 10004C8B
ResumeThread.KERNEL32(?,?,?,?,00000000,?,10004D93), ref: 10004CB9
#825.MFC42U(?,?,?,?,00000000,?,10004D93), ref: 10004CBE

Memory Dump Source

Source File: 00000000.00000002.2276098499.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2276078008.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276118813.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276140126.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276160556.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: #825Thread$CurrentResume
String ID:
API String ID: 2499501605-0
Opcode ID: c46582828a6bc86dbf2a66cb05b46b38f77553a760397b5702bdaa6a191d9bc6
Instruction ID: 52e0d458e9b236fbdc740bc952d7d616ba79252a119376830c2f6ac1994e4aa9
Opcode Fuzzy Hash: c46582828a6bc86dbf2a66cb05b46b38f77553a760397b5702bdaa6a191d9bc6
Instruction Fuzzy Hash: E81190F6902A559BF360DF689D8081BB3E9EB442D03530A6EE55A93608DF35FC408B95

Function 10003180 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(10009528,100028E1,Both), ref: 10003185
wcscpy.MSVCRT ref: 10003195
LeaveCriticalSection.KERNEL32(10009528), ref: 100031A3

Strings

Apartment, xrefs: 10003190

Memory Dump Source

Source File: 00000000.00000002.2276098499.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2276078008.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276118813.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276140126.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2276160556.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CriticalSection$EnterLeavewcscpy
String ID: Apartment
API String ID: 3852819969-3482315511
Opcode ID: 5582def3bbfb7492c8b3bcb0e8ad3b42720def95b2590fb4b905f7b3638b339f
Instruction ID: 98de487c64ddbc34172ffb55b37b1c67c298462f3fae1c2ed628f0bd2cb6bf1c
Opcode Fuzzy Hash: 5582def3bbfb7492c8b3bcb0e8ad3b42720def95b2590fb4b905f7b3638b339f
Instruction Fuzzy Hash: 31C002B8D00510ABF2119B99CD8CAD93A64FB85797FC44590FB0981268C72D59549B72

Analysis Process: rundll32.exePID: 4388, Parent PID: 4632COMMON

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	608
Total number of Limit Nodes:	5

Executed Functions

Function 100046FD Relevance: 31.6, APIs: 21, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#1115.MFC42U(?,?,?,?,?,?,100049CB,?,?,?,?,?,?), ref: 10004714
#1173.MFC42U(?,?,?,?,?,?,100049CB,?,?,?,?,?,?), ref: 10004719
#1568.MFC42U(?,00000000,10009E80,00000000,?,?,?,?,?,?,100049CB,?,?,?,?,?), ref: 1000472D
#1165.MFC42U(?,00000000,10009E80,00000000,?,?,?,?,?,?,100049CB,?,?,?,?,?), ref: 10004736
#1570.MFC42U(?,00000000,10009E80,00000000,?,?,?,?,?,?,100049CB,?,?,?,?,?), ref: 10004754
#1179.MFC42U(1000BF18,?,?,00000000,10009E80,00000000,?,?,?,?,?,?,100049CB,?,?,?), ref: 10004767
#823.MFC42U(00000040,1000BF18,?,?,00000000,10009E80,00000000,?,?,?,?,?,?,100049CB,?,?), ref: 1000476E
#342.MFC42U(1000BF18,00000000,1000BF18,?,?,00000000,10009E80,00000000,?,?,?,?,?,?,100049CB,?), ref: 1000477D
#1173.MFC42U(?,00000000,10009E80,00000000,?,?,?,?,?,?,100049CB,?,?,?,?,?), ref: 1000478C
#1240.MFC42U(?,?,00000000,10009E80,00000000,?,?,?,?,?,?,100049CB,?,?,?,?), ref: 10004794
#1240.MFC42U(10009E88,?,?,?,?,100049CB,?,?,?,?,?,?), ref: 100047AB
#1173.MFC42U(10009E88,?,?,?,?,100049CB,?,?,?,?,?,?), ref: 100047B2
#1165.MFC42U(10009E88,?,?,?,?,100049CB,?,?,?,?,?,?), ref: 100047BA
#1194.MFC42U(10009E88,?,?,?,?,100049CB,?,?,?,?,?,?), ref: 100047CD
#1563.MFC42U(000000FF,10009E88,?,?,?,?,100049CB,?,?,?,?,?,?), ref: 100047D4
#1570.MFC42U(000000FF,10009E88,?,?,?,?,100049CB,?,?,?,?,?,?), ref: 100047D9
#1248.MFC42U(1000BF18,00000001,000000FF,10009E88,?,?,?,?,100049CB,?,?,?,?,?,?), ref: 100047E5
#6466.MFC42U(10009E88,?,?,?,?,100049CB,?,?,?,?,?,?), ref: 100047FA
#1194.MFC42U(10009E88,?,?,?,?,100049CB,?,?,?,?,?,?), ref: 100047FF
#1563.MFC42U(000000FF,10009E88,?,?,?,?,100049CB,?,?,?,?,?,?), ref: 10004806
#1250.MFC42U(?,000000FF,10009E88,?,?,?,?,100049CB,?,?,?,?,?,?), ref: 1000480E

Memory Dump Source

Source File: 00000004.00000002.2261648321.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2261612792.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261707000.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261751201.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261863396.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: #1173$#1165#1194#1240#1563#1570$#1115#1179#1248#1250#1568#342#6466#823
String ID:
API String ID: 933591048-0
Opcode ID: 7f323cdebafc7876504ee1737dfc2f78bcaa5341956db8968ccd7249556f25ef
Instruction ID: 42ede1d6eba9dc7262db5c255ebf041a762cd8e3cbd004f8f20c7d1455e4ffb0
Opcode Fuzzy Hash: 7f323cdebafc7876504ee1737dfc2f78bcaa5341956db8968ccd7249556f25ef
Instruction Fuzzy Hash: 3931B278100240AFFB10DFA1CC85A9D77A6EF853D0F228519F9285B26ACF70FE419A95

Function 10004824 Relevance: 9.0, APIs: 6, Instructions: 25
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LocalAlloc.KERNELBASE(00000000,00002000), ref: 10004832
LocalFree.KERNEL32(00000000), ref: 1000483E
#1173.MFC42U ref: 10004844
#1240.MFC42U(10009E88), ref: 10004850
#1173.MFC42U ref: 10004862
#1240.MFC42U(?), ref: 1000486A

Memory Dump Source

Source File: 00000004.00000002.2261648321.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2261612792.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261707000.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261751201.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261863396.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: #1173#1240Local$AllocFree
String ID:
API String ID: 762571471-0
Opcode ID: ad6df8680ab0087f5d550da1c51120c5d9966c5a9941d94eac5dffd23f89fe7e
Instruction ID: 4b1118c17bfbf70476295644f1baa115cc6297c41b66d740b9089c34fbbeaa8b
Opcode Fuzzy Hash: ad6df8680ab0087f5d550da1c51120c5d9966c5a9941d94eac5dffd23f89fe7e
Instruction Fuzzy Hash: 85E09270904391AAF220DB60CC4AB4E66D5EB453D2F22C828F708A50A9CF70E880C794

Function 100031B0 Relevance: 3.0, APIs: 2, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL(00000000,00000000,?,000000FF,00000200,00000200), ref: 100031E5
SetDllPathW.SECURITEINFO.COM.TROJAN.PACKED.16045.13418(00000000,?), ref: 100031F8

Part of subcall function 100027E0: wcscpy.MSVCRT ref: 10002813
Part of subcall function 100027E0: GetModuleHandleW.KERNEL32(00000000,?,00000200), ref: 10002834
Part of subcall function 100027E0: GetModuleFileNameW.KERNEL32(00000000,?,00000200), ref: 1000283B
Part of subcall function 100027E0: wcslen.MSVCRT ref: 10002846
Part of subcall function 100027E0: wcscat.MSVCRT ref: 1000287A

Memory Dump Source

Source File: 00000004.00000002.2261648321.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2261612792.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261707000.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261751201.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261863396.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Module$D.16045DispatcherExceptionFileHandleNamePathUserwcscatwcscpywcslen
String ID:
API String ID: 3027356398-0
Opcode ID: 867b27870a5386e78fcd514d66f990f3c5f1a1412bd7dabaeaab08d45bfa72ec
Instruction ID: 37527c94ce8cc6bf4f2c48f5b2c910f77f7526f746cff65156f8c7d6ad573cf1
Opcode Fuzzy Hash: 867b27870a5386e78fcd514d66f990f3c5f1a1412bd7dabaeaab08d45bfa72ec
Instruction Fuzzy Hash: 91E09275208301BBF320C704CC86FABB3E9AFC4B14F108B2DB358A22D0D574A909866A

Non-executed Functions

Function 10001C40 Relevance: 70.4, APIs: 33, Strings: 7, Instructions: 380
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcslen.MSVCRT ref: 10001C89
wcscpy.MSVCRT ref: 10001CCC
#800.MFC42U ref: 10001C9A

Part of subcall function 10001930: #538.MFC42U(10009064,?,?,?,1000646F,000000FF,10001D7D,?,CurVer), ref: 1000198C
Part of subcall function 10001930: #942.MFC42U(\Wow6432Node,10009064,?,?,?,1000646F,000000FF), ref: 100019A6
Part of subcall function 10001930: #942.MFC42U(10009188,10009064,?,?,?,1000646F,000000FF), ref: 100019B4
Part of subcall function 10001930: #942.MFC42U(00000000,10009188,10009064,?,?,?,1000646F,000000FF), ref: 100019C4
Part of subcall function 10001930: wcslen.MSVCRT ref: 100019CE
Part of subcall function 10001930: #942.MFC42U(10009188), ref: 100019E4
Part of subcall function 10001930: #942.MFC42U(?,10009188), ref: 100019EE
Part of subcall function 10001930: #535.MFC42U(?), ref: 100019FE
Part of subcall function 10001930: #800.MFC42U ref: 10001A14

#800.MFC42U ref: 10001CD9
wcslen.MSVCRT ref: 10001D10
#800.MFC42U ref: 10001D21
wcscpy.MSVCRT ref: 10001D53

Part of subcall function 10001930: #538.MFC42U(xyxyoorljfoleuwrljfoulerfksdor,?,?,?,1000646F,000000FF,10001D7D,?,CurVer), ref: 1000196B

wcslen.MSVCRT ref: 10001D80
#800.MFC42U ref: 10001D91
wcscpy.MSVCRT ref: 10001DC3
wcslen.MSVCRT ref: 10001DF0
#800.MFC42U ref: 10001E01
wcscpy.MSVCRT ref: 10001E33
wcslen.MSVCRT ref: 10001E60
wcscpy.MSVCRT ref: 10001EA3
#800.MFC42U ref: 10001E71

Part of subcall function 10001A30: #538.MFC42U(10009064,?,?,?,1000649F,000000FF,10001ECD,?,ProgID), ref: 10001A8C
Part of subcall function 10001A30: #942.MFC42U(\Wow6432Node,10009064,?,?,?,1000649F,000000FF), ref: 10001AA6
Part of subcall function 10001A30: #942.MFC42U(\CLSID\,10009064,?,?,?,1000649F,000000FF), ref: 10001AB4
Part of subcall function 10001A30: #942.MFC42U(00000000,\CLSID\,10009064,?,?,?,1000649F,000000FF), ref: 10001AC4
Part of subcall function 10001A30: wcslen.MSVCRT ref: 10001ACE
Part of subcall function 10001A30: #942.MFC42U(10009188), ref: 10001AE4
Part of subcall function 10001A30: #942.MFC42U(?,10009188), ref: 10001AEE
Part of subcall function 10001A30: #535.MFC42U(?), ref: 10001AFE
Part of subcall function 10001A30: #800.MFC42U ref: 10001B14

wcslen.MSVCRT ref: 10001ED0
#800.MFC42U ref: 10001EE1
wcscpy.MSVCRT ref: 10001F13

Part of subcall function 10001A30: #538.MFC42U(xyxyoorljfoleuwrljfoulerfksdor,?,?,?,1000649F,000000FF,10001ECD,?,ProgID), ref: 10001A6B

NtQueryKey.NTDLL(?,?,?,?,?), ref: 10002108

Strings

1.0, xrefs: 10001F9C, 10001FD7
InprocServer32, xrefs: 10001E52, 10001E8F
CurVer, xrefs: 10001D72, 10001DAF
1.0\0\win32, xrefs: 10002078, 100020AB
CLSID, xrefs: 10001D02, 10001D3F
ProgID, xrefs: 10001EC2, 10001EFF
1.0\0, xrefs: 10002008, 10002043

Memory Dump Source

Source File: 00000004.00000002.2261648321.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2261612792.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261707000.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261751201.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261863396.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: #942$#800$wcslen$wcscpy$#538$#535$Query
String ID: 1.0$1.0\0$1.0\0\win32$CLSID$CurVer$InprocServer32$ProgID
API String ID: 3364588600-3032651770
Opcode ID: c6407b952052ce94e40f9a31da8d2529fe4a30389a6ec89255647bc4872f7d82
Instruction ID: e210364aa1a478c15cfc260ae6af40ed4357581bce4cc658cafd6358c502b614
Opcode Fuzzy Hash: c6407b952052ce94e40f9a31da8d2529fe4a30389a6ec89255647bc4872f7d82
Instruction Fuzzy Hash: 9CD1A071900301AFF710DF58CC84EDBB7A8EF842C8F414958F6859715AEB35EA58CBA2

Function 10002120 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 346
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcslen.MSVCRT ref: 10002158
wcscpy.MSVCRT ref: 10002192
wcslen.MSVCRT ref: 100021C0
wcscpy.MSVCRT ref: 100021FA
wcslen.MSVCRT ref: 1000255D
NtQueryValueKey.NTDLL(?,?,?,?,?,?), ref: 100025A1

Strings

ThreadingModel, xrefs: 10002321
+8w`+8w, xrefs: 100025A1
InprocServer32, xrefs: 1000230A

Memory Dump Source

Source File: 00000004.00000002.2261648321.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2261612792.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261707000.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261751201.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261863396.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: wcslen$wcscpy$QueryValue
String ID: InprocServer32$ThreadingModel$+8w`+8w
API String ID: 3495438468-3456325871
Opcode ID: c4260f03a4103386327f907f49e4696b6fc99d7f62d9331459b1c1bf3e83a945
Instruction ID: 2ef2c71096b13ae9e457a76c590163092a74dd924769b1517c816b7175000df9
Opcode Fuzzy Hash: c4260f03a4103386327f907f49e4696b6fc99d7f62d9331459b1c1bf3e83a945
Instruction Fuzzy Hash: D7C1D171900A118FE720DF58DCD8A9BB7E4EF443C9F01881DEC4997259E775E984CBA1

Function 10002900 Relevance: 77.3, APIs: 16, Strings: 28, Instructions: 286
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(10009528), ref: 1000290C
wcscpy.MSVCRT ref: 1000291F
LeaveCriticalSection.KERNEL32(10009528), ref: 1000292D
_wfopen.MSVCRT ref: 10002939
fseek.MSVCRT ref: 10002962
fread.MSVCRT ref: 10002977
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,10009654,0000000B), ref: 100029C3
fseek.MSVCRT ref: 10002A0A
fread.MSVCRT ref: 10002A19
fseek.MSVCRT ref: 10002A20
fread.MSVCRT ref: 10002A32
fclose.MSVCRT ref: 10002E7F

Strings

{, xrefs: 10002ACE
B, xrefs: 10002C61
f, xrefs: 10002BAB
A, xrefs: 10002C42
3, xrefs: 10002C8A
t, xrefs: 10002BB2
C, xrefs: 10002DE5
o, xrefs: 10002BA4
., xrefs: 10002B91
}, xrefs: 10002CCC
E, xrefs: 10002C49
s, xrefs: 10002B9D
{, xrefs: 10002CEA
5, xrefs: 10002C96
1, xrefs: 10002CC0
3, xrefs: 10002C36
}, xrefs: 10002B52
{, xrefs: 10002C2A
C, xrefs: 10002C83
C, xrefs: 10002B19
E, xrefs: 10002DC1
}, xrefs: 10002E3F
E, xrefs: 10002DDB
B, xrefs: 10002D3C
C, xrefs: 10002C5A
9, xrefs: 10002C7C
E, xrefs: 10002B12
0, xrefs: 10002DAF

Memory Dump Source

Source File: 00000004.00000002.2261648321.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2261612792.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261707000.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261751201.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261863396.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: freadfseek$CriticalSection$ByteCharEnterLeaveMultiWide_wfopenfclosewcscpy
String ID: .$0$1$3$3$5$9$A$B$B$C$C$C$C$E$E$E$E$f$o$s$t${${${$}$}$}
API String ID: 1882367194-101255485
Opcode ID: b8d023a21bba30e2febaa6ecf4fe958fbf8d5c5ec60a7b436212acfc3dcec398
Instruction ID: d748a7da786b6bfea15dfe591960893aee9ae8f6c3cef3ff43216ee8acc7db6a
Opcode Fuzzy Hash: b8d023a21bba30e2febaa6ecf4fe958fbf8d5c5ec60a7b436212acfc3dcec398
Instruction Fuzzy Hash: 69D1C52052D38096E321CF61C894B9BB3F4FFA4384F44691EE69897361E7BA8548C75F

Function 10001400 Relevance: 73.9, APIs: 36, Strings: 6, Instructions: 394
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10001150: #540.MFC42U(?,?,?,?,?,?), ref: 10001176
Part of subcall function 10001150: LoadLibraryW.KERNEL32(ntdll.dll,?,?,?,?,?,?,?,?,?), ref: 10001194
Part of subcall function 10001150: GetProcAddress.KERNEL32(00000000,ZwQueryKey), ref: 100011AF
Part of subcall function 10001150: #823.MFC42U(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 100011E7
Part of subcall function 10001150: #861.MFC42U(00000004), ref: 1000121B
Part of subcall function 10001150: #825.MFC42U(00000000), ref: 10001221
Part of subcall function 10001150: FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 1000122E
Part of subcall function 10001150: #535.MFC42U(?,?,?,?,?,?,?,?,?,?), ref: 10001240
Part of subcall function 10001150: #800.MFC42U(?,?,?,?,?,?,?,?,?,?), ref: 10001256

wcslen.MSVCRT ref: 10001444
#942.MFC42U(10009188), ref: 1000145A
#942.MFC42U(?,10009188), ref: 10001464

Part of subcall function 10001930: #538.MFC42U(xyxyoorljfoleuwrljfoulerfksdor,?,?,?,1000646F,000000FF,10001D7D,?,CurVer), ref: 1000196B

#861.MFC42U(?), ref: 1000146F
_wcsicmp.MSVCRT ref: 100014A0
_wcsicmp.MSVCRT ref: 100014C2
#800.MFC42U ref: 100014D0
#800.MFC42U ref: 100014E4
_wcsicmp.MSVCRT ref: 10001530
_wcsicmp.MSVCRT ref: 10001552
#800.MFC42U ref: 10001560
#800.MFC42U ref: 10001574
_wcsicmp.MSVCRT ref: 100015B4
#800.MFC42U ref: 100015F8

Part of subcall function 10001930: #538.MFC42U(10009064,?,?,?,1000646F,000000FF,10001D7D,?,CurVer), ref: 1000198C
Part of subcall function 10001930: #942.MFC42U(\Wow6432Node,10009064,?,?,?,1000646F,000000FF), ref: 100019A6
Part of subcall function 10001930: #942.MFC42U(10009188,10009064,?,?,?,1000646F,000000FF), ref: 100019B4
Part of subcall function 10001930: #942.MFC42U(00000000,10009188,10009064,?,?,?,1000646F,000000FF), ref: 100019C4
Part of subcall function 10001930: wcslen.MSVCRT ref: 100019CE
Part of subcall function 10001930: #942.MFC42U(10009188), ref: 100019E4
Part of subcall function 10001930: #942.MFC42U(?,10009188), ref: 100019EE
Part of subcall function 10001930: #535.MFC42U(?), ref: 100019FE
Part of subcall function 10001930: #800.MFC42U ref: 10001A14

_wcsicmp.MSVCRT ref: 100015D6
#800.MFC42U ref: 100015E4
_wcsicmp.MSVCRT ref: 1000163A
_wcsicmp.MSVCRT ref: 1000165C
#800.MFC42U ref: 1000166A
#800.MFC42U ref: 1000167E
_wcsicmp.MSVCRT ref: 100016CA
#800.MFC42U ref: 1000170E

Part of subcall function 10001A30: #538.MFC42U(10009064,?,?,?,1000649F,000000FF,10001ECD,?,ProgID), ref: 10001A8C
Part of subcall function 10001A30: #942.MFC42U(\Wow6432Node,10009064,?,?,?,1000649F,000000FF), ref: 10001AA6
Part of subcall function 10001A30: #942.MFC42U(\CLSID\,10009064,?,?,?,1000649F,000000FF), ref: 10001AB4
Part of subcall function 10001A30: #942.MFC42U(00000000,\CLSID\,10009064,?,?,?,1000649F,000000FF), ref: 10001AC4
Part of subcall function 10001A30: wcslen.MSVCRT ref: 10001ACE
Part of subcall function 10001A30: #942.MFC42U(10009188), ref: 10001AE4
Part of subcall function 10001A30: #942.MFC42U(?,10009188), ref: 10001AEE
Part of subcall function 10001A30: #535.MFC42U(?), ref: 10001AFE
Part of subcall function 10001A30: #800.MFC42U ref: 10001B14

_wcsicmp.MSVCRT ref: 100016EC
#800.MFC42U ref: 100016FA
_wcsicmp.MSVCRT ref: 1000174E
_wcsicmp.MSVCRT ref: 10001770
#800.MFC42U ref: 1000177E
#800.MFC42U ref: 10001792
_wcsicmp.MSVCRT ref: 100017D4
_wcsicmp.MSVCRT ref: 100017F4
#800.MFC42U ref: 10001802
_wcsicmp.MSVCRT ref: 1000181D

Part of subcall function 10001A30: #538.MFC42U(xyxyoorljfoleuwrljfoulerfksdor,?,?,?,1000649F,000000FF,10001ECD,?,ProgID), ref: 10001A6B

#800.MFC42U ref: 100018F7

Strings

1.0, xrefs: 10001817
InprocServer32, xrefs: 100016B2, 100016D9
CurVer, xrefs: 1000159C, 100015C3
CLSID, xrefs: 10001518, 1000153F
ProgID, xrefs: 10001736, 1000175D
win32, xrefs: 1000186E

Memory Dump Source

Source File: 00000004.00000002.2261648321.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2261612792.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261707000.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261751201.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261863396.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: #800$_wcsicmp$#942$#538$#535wcslen$#861Library$#540#823#825AddressFreeLoadProc
String ID: 1.0$CLSID$CurVer$InprocServer32$ProgID$win32
API String ID: 2745223314-3815763076
Opcode ID: f4d5b1f6c3545d255a4fc4fa84683b3a68eea10578ae6f7c742b8a78975376ec
Instruction ID: e587bc50812e586e2bd60427c8c21f55630403218c68574d11df9dc8f3e29d0e
Opcode Fuzzy Hash: f4d5b1f6c3545d255a4fc4fa84683b3a68eea10578ae6f7c742b8a78975376ec
Instruction Fuzzy Hash: 1CD16F74209341AFE300DF64CD90BDBB7E8EF896C4F444948F98597295EB35EA05CBA2

Function 10001270 Relevance: 40.3, APIs: 14, Strings: 9, Instructions: 54
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(10009528,?,?,?,100010DF), ref: 10001278
GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,100010DF), ref: 1000128E
GetProcAddress.KERNEL32(00000000), ref: 10001297
GetCurrentProcess.KERNEL32(10009540,?,?,?,100010DF), ref: 100012A4
GetModuleHandleA.KERNEL32(ntdll.dll,ZwOpenKey,?,?,?,100010DF), ref: 100012B7
GetProcAddress.KERNEL32(00000000), ref: 100012BA
GetModuleHandleA.KERNEL32(ntdll.dll,ZwOpenKeyEx,?,?,?,100010DF), ref: 100012CB
GetProcAddress.KERNEL32(00000000), ref: 100012CE
GetModuleHandleA.KERNEL32(ntdll.dll,ZwQueryKey,?,?,?,100010DF), ref: 100012DF
GetProcAddress.KERNEL32(00000000), ref: 100012E2
GetModuleHandleA.KERNEL32(ntdll.dll,ZwQueryValueKey,?,?,?,100010DF), ref: 100012F3
GetProcAddress.KERNEL32(00000000), ref: 100012F6
GetModuleHandleA.KERNEL32(ntdll.dll,ZwClose,?,?,?,100010DF), ref: 10001307
GetProcAddress.KERNEL32(00000000), ref: 1000130A

Strings

+8w`+8w, xrefs: 10001302
kernel32, xrefs: 10001289
ZwQueryKey, xrefs: 100012D0
ZwOpenKeyEx, xrefs: 100012BC
ntdll.dll, xrefs: 100012B2, 100012C1, 100012D5, 100012E9, 100012FD
ZwOpenKey, xrefs: 100012AD
ZwQueryValueKey, xrefs: 100012E4
IsWow64Process, xrefs: 10001284
ZwClose, xrefs: 100012F8

Memory Dump Source

Source File: 00000004.00000002.2261648321.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2261612792.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261707000.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261751201.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261863396.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc$CriticalCurrentInitializeProcessSection
String ID: IsWow64Process$ZwClose$ZwOpenKey$ZwOpenKeyEx$ZwQueryKey$ZwQueryValueKey$kernel32$ntdll.dll$+8w`+8w
API String ID: 2663015719-2529589178
Opcode ID: 172811b13e48408ddf2b8ab4dbaa0b3c0a2e83ca9b17fe80b06286a38d0ff660
Instruction ID: bc393e3598cc65d04037417f7a1f03f3b783a77bcc05561d6fd32471d0030434
Opcode Fuzzy Hash: 172811b13e48408ddf2b8ab4dbaa0b3c0a2e83ca9b17fe80b06286a38d0ff660
Instruction Fuzzy Hash: 42019EA1D042A9AAFA20FBF68C9CDCB7E5CDB842D53110526F7049351ADB798841CFA1

Function 10002F00 Relevance: 39.2, APIs: 26, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000100,?,?,?,?,00000000,75C296C0,75C29430), ref: 10002FF9
#538.MFC42U(?,?,?,00000000,75C296C0,75C29430), ref: 1000300B
#4199.MFC42U ref: 1000301C
wcscpy.MSVCRT ref: 10003031
#4273.MFC42U(?,00000000,00000008,75C296C0,75C29430), ref: 10003046
wcscat.MSVCRT ref: 10003055
#800.MFC42U ref: 1000305E
wcscat.MSVCRT ref: 10003069
#4273.MFC42U(?,00000008,00000004), ref: 1000307B
wcscat.MSVCRT ref: 10003084
#800.MFC42U ref: 1000308D
wcscat.MSVCRT ref: 10003098
#4273.MFC42U(?,0000000C,00000004), ref: 100030AA
wcscat.MSVCRT ref: 100030B3
#800.MFC42U ref: 100030BC
wcscat.MSVCRT ref: 100030C7
#4273.MFC42U(?,00000010,00000004), ref: 100030D9
wcscat.MSVCRT ref: 100030E2
#800.MFC42U ref: 100030EB
wcscat.MSVCRT ref: 100030F6
#4273.MFC42U(?,00000014,0000000C), ref: 10003108
wcscat.MSVCRT ref: 10003111
#800.MFC42U ref: 1000311A
wcscat.MSVCRT ref: 10003125
#800.MFC42U ref: 10003135
#825.MFC42U(?), ref: 10003152

Memory Dump Source

Source File: 00000004.00000002.2261648321.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2261612792.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261707000.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261751201.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261863396.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: wcscat$#800$#4273$#4199#538#825ByteCharMultiWidewcscpy
String ID:
API String ID: 3218086493-0
Opcode ID: 70c7c4ec569e9afcec2c189fa726a6d1e9966894626a76c1a1deb38a02fb74fc
Instruction ID: 09f04f280ac1a6942a0064386c88c85055bd1199c361a2afb61791185c8fa687
Opcode Fuzzy Hash: 70c7c4ec569e9afcec2c189fa726a6d1e9966894626a76c1a1deb38a02fb74fc
Instruction Fuzzy Hash: 3461B271108781ABE715DF24CC91FAFB3A8EF95384F01092CF59583195EF25A909C7A7

Function 10001A30 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#538.MFC42U(xyxyoorljfoleuwrljfoulerfksdor,?,?,?,1000649F,000000FF,10001ECD,?,ProgID), ref: 10001A6B
#538.MFC42U(10009064,?,?,?,1000649F,000000FF,10001ECD,?,ProgID), ref: 10001A8C
#942.MFC42U(\Wow6432Node,10009064,?,?,?,1000649F,000000FF), ref: 10001AA6
#942.MFC42U(\CLSID\,10009064,?,?,?,1000649F,000000FF), ref: 10001AB4
#942.MFC42U(00000000,\CLSID\,10009064,?,?,?,1000649F,000000FF), ref: 10001AC4
wcslen.MSVCRT ref: 10001ACE
#942.MFC42U(10009188), ref: 10001AE4
#942.MFC42U(?,10009188), ref: 10001AEE
#535.MFC42U(?), ref: 10001AFE
#800.MFC42U ref: 10001B14

Strings

xyxyoorljfoleuwrljfoulerfksdor, xrefs: 10001A64
\Wow6432Node, xrefs: 10001A9D
\CLSID\, xrefs: 10001AAB

Memory Dump Source

Source File: 00000004.00000002.2261648321.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2261612792.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261707000.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261751201.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261863396.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: #942$#538$#535#800wcslen
String ID: \CLSID\$\Wow6432Node$xyxyoorljfoleuwrljfoulerfksdor
API String ID: 3153432097-3768299153
Opcode ID: b22a3667cfbcf49f25b70c07b9256f71891a999a466759d11f549b470e779f78
Instruction ID: 08f889d4e3fb4bb5565a251bfb2ab1b94d4e6ba08e5119c4d5b5a8b23de7f138
Opcode Fuzzy Hash: b22a3667cfbcf49f25b70c07b9256f71891a999a466759d11f549b470e779f78
Instruction Fuzzy Hash: 1221B0766046619BE300CF14CD51BDAB3E4FF8AA84F40095CF58563299EF79AE04CB93

Function 10001150 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 88
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#540.MFC42U(?,?,?,?,?,?), ref: 10001176
LoadLibraryW.KERNEL32(ntdll.dll,?,?,?,?,?,?,?,?,?), ref: 10001194
GetProcAddress.KERNEL32(00000000,ZwQueryKey), ref: 100011AF
#823.MFC42U(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 100011E7
#861.MFC42U(00000004), ref: 1000121B
#825.MFC42U(00000000), ref: 10001221
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 1000122E
#535.MFC42U(?,?,?,?,?,?,?,?,?,?), ref: 10001240
#800.MFC42U(?,?,?,?,?,?,?,?,?,?), ref: 10001256

Strings

ZwQueryKey, xrefs: 100011A9
#v, xrefs: 1000122E
ntdll.dll, xrefs: 1000118F

Memory Dump Source

Source File: 00000004.00000002.2261648321.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2261612792.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261707000.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261751201.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261863396.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Library$#535#540#800#823#825#861AddressFreeLoadProc
String ID: ZwQueryKey$ntdll.dll$#v
API String ID: 2613158826-532945629
Opcode ID: bc5bbe6214aa5001c3c70daa38219ac9ccd12220b36cb51efc90beb907280d54
Instruction ID: d3dea8be48ffa99f9d5f34d600dd3274f25f708f68bf231c1563c345e68523fd
Opcode Fuzzy Hash: bc5bbe6214aa5001c3c70daa38219ac9ccd12220b36cb51efc90beb907280d54
Instruction Fuzzy Hash: 5D31BCB1404711AFE311DF24D810B9FB7E8EF84794F014A1CF899A3284EB78AA058B92

Function 10001930 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#538.MFC42U(xyxyoorljfoleuwrljfoulerfksdor,?,?,?,1000646F,000000FF,10001D7D,?,CurVer), ref: 1000196B
#538.MFC42U(10009064,?,?,?,1000646F,000000FF,10001D7D,?,CurVer), ref: 1000198C
#942.MFC42U(\Wow6432Node,10009064,?,?,?,1000646F,000000FF), ref: 100019A6
#942.MFC42U(10009188,10009064,?,?,?,1000646F,000000FF), ref: 100019B4
#942.MFC42U(00000000,10009188,10009064,?,?,?,1000646F,000000FF), ref: 100019C4
wcslen.MSVCRT ref: 100019CE
#942.MFC42U(10009188), ref: 100019E4
#942.MFC42U(?,10009188), ref: 100019EE
#535.MFC42U(?), ref: 100019FE
#800.MFC42U ref: 10001A14

Strings

xyxyoorljfoleuwrljfoulerfksdor, xrefs: 10001964
\Wow6432Node, xrefs: 1000199D

Memory Dump Source

Source File: 00000004.00000002.2261648321.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2261612792.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261707000.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261751201.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261863396.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: #942$#538$#535#800wcslen
String ID: \Wow6432Node$xyxyoorljfoleuwrljfoulerfksdor
API String ID: 3153432097-2372900209
Opcode ID: 613f91e10275ba28aa624325a3d1f2c5f689fcc5d62542d8c4307f18b8cd6432
Instruction ID: 74bfcef7c59b22db7e0450e734908b9134bfe74a189a17882b269429263cd8d2
Opcode Fuzzy Hash: 613f91e10275ba28aa624325a3d1f2c5f689fcc5d62542d8c4307f18b8cd6432
Instruction Fuzzy Hash: E721B376504661ABE300CF14CD51BDAB3E4FF89A84F41095CF58553299EF79AE08CB93

Function 10001B30 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#538.MFC42U ref: 10001B5B
#942.MFC42U(?,?,\TypeLib\), ref: 10001B71
#942.MFC42U(00000000,?,?,\TypeLib\), ref: 10001B81
wcslen.MSVCRT ref: 10001B8B
#942.MFC42U(10009188,?,?,1.0\0\win32), ref: 10001BA1
#942.MFC42U(?,10009188,?,?,1.0\0\win32), ref: 10001BAB
#535.MFC42U(?,?,?,1.0\0\win32), ref: 10001BBB
#800.MFC42U ref: 10001BD1

Strings

\TypeLib\, xrefs: 10001B60

Memory Dump Source

Source File: 00000004.00000002.2261648321.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2261612792.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261707000.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261751201.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261863396.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: #942$#535#538#800wcslen
String ID: \TypeLib\
API String ID: 3775937953-600913956
Opcode ID: d121028880f9f37c00128435c4e701899b645a4f73339be2d57e9d9c91fc371a
Instruction ID: 97af8a2b816642cbf3e83e4987fe7457cadacbba3d3d35339a73e1d59943db42
Opcode Fuzzy Hash: d121028880f9f37c00128435c4e701899b645a4f73339be2d57e9d9c91fc371a
Instruction Fuzzy Hash: 4511A3B5108651AFE300DF14CC50B9BBBA4EF85691F00891CF48943299EF35A509CB97

Function 100027E0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcscpy.MSVCRT ref: 10002813
GetModuleHandleW.KERNEL32(00000000,?,00000200), ref: 10002834
GetModuleFileNameW.KERNEL32(00000000,?,00000200), ref: 1000283B
wcslen.MSVCRT ref: 10002846
wcscat.MSVCRT ref: 1000287A

Strings

Both, xrefs: 100028D7
., xrefs: 1000281C
Apartment, xrefs: 100028D0

Memory Dump Source

Source File: 00000004.00000002.2261648321.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2261612792.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261707000.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261751201.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261863396.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Module$FileHandleNamewcscatwcscpywcslen
String ID: .$Apartment$Both
API String ID: 2054667532-1695967614
Opcode ID: e66a015e92e41beedde033933ee022f76622b8e0d2b7561b036895c08a9c1864
Instruction ID: 8dc09df306f3aeac2cb15477358e42074c0e142bab5dd9a3ac3a12d3aa31bc2b
Opcode Fuzzy Hash: e66a015e92e41beedde033933ee022f76622b8e0d2b7561b036895c08a9c1864
Instruction Fuzzy Hash: 6C21A4B95042819BF360E764DC45BAB73E8FF80384F40882CEB8992059FB75955DC7A3

Function 10005900 Relevance: 13.6, APIs: 9, Instructions: 119filestringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 10005922
GetSystemDirectoryA.KERNEL32(?,00000200), ref: 10005939
fopen.MSVCRT ref: 100059C0
fseek.MSVCRT ref: 100059DA
ftell.MSVCRT ref: 100059DD
fseek.MSVCRT ref: 100059EA
malloc.MSVCRT ref: 100059ED
fread.MSVCRT ref: 10005A04
fclose.MSVCRT ref: 10005A0E

Memory Dump Source

Source File: 00000004.00000002.2261648321.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2261612792.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261707000.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261751201.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261863396.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: fseek$DirectorySystemfclosefopenfreadftellmallocstrchr
String ID:
API String ID: 1390157628-0
Opcode ID: e506fa6d25c0440c55aefb787ab431d84a08c89064c8190344b0abc9546546ad
Instruction ID: ebbcbae6c0e7c7988dd8aaf0e80484ee13c507c82097ae489073b65b346a024c
Opcode Fuzzy Hash: e506fa6d25c0440c55aefb787ab431d84a08c89064c8190344b0abc9546546ad
Instruction Fuzzy Hash: FF31083260061017E7288B789C89BAF76C5FBC53B1F54072DFA2A872C4DEA99D09C295

Function 10002640 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

#540.MFC42U ref: 10002665
EnterCriticalSection.KERNEL32(?,?,?,10009528), ref: 10002677
#861.MFC42U(Apartment,?,?,?,10009528), ref: 10002686
LeaveCriticalSection.KERNEL32(10009528,Apartment,?,?,?,10009528), ref: 10002690
#535.MFC42U(?,?,?,?,10009528), ref: 100026A1
#800.MFC42U(?,?,?,?,10009528), ref: 100026B7

Strings

Apartment, xrefs: 1000267D

Memory Dump Source

Source File: 00000004.00000002.2261648321.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2261612792.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261707000.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261751201.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261863396.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$#535#540#800#861EnterLeave
String ID: Apartment
API String ID: 2659518386-3482315511
Opcode ID: 30f678aa10425c0768487384b688df8f5f3383e2401929aacce373796505cbe5
Instruction ID: 62e887f79e0c6814c4870c848619d622f785478aaf9b2f642893a6cad553d807
Opcode Fuzzy Hash: 30f678aa10425c0768487384b688df8f5f3383e2401929aacce373796505cbe5
Instruction Fuzzy Hash: 7501F4B4408641EFE300DF54DD54B8EBBE4FB85792F40890CF54943298DB389908CBA7

Function 10004D50 Relevance: 12.2, APIs: 8, Instructions: 225threadinjectionCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 10004D69
GetThreadContext.KERNEL32 ref: 10004E8F
SetThreadContext.KERNEL32(?,?), ref: 10004F00
GetCurrentProcess.KERNEL32 ref: 10004F1B

Part of subcall function 10004C30: GetCurrentThreadId.KERNEL32 ref: 10004C31

Memory Dump Source

Source File: 00000004.00000002.2261648321.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2261612792.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261707000.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261751201.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261863396.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Thread$Current$Context$Process
String ID:
API String ID: 2043380635-0
Opcode ID: e3fd9327122e1a0b5100c2a9f97ad9caffe351a76243ecf282890f97c32ddb3c
Instruction ID: 00b7f0c0d3398a48c3e32b856f74d171efe319d2e2ef352bbe66c176b0606302
Opcode Fuzzy Hash: e3fd9327122e1a0b5100c2a9f97ad9caffe351a76243ecf282890f97c32ddb3c
Instruction Fuzzy Hash: 6D8183B56007528FE324CF69C884967B3E6FB88380B16896DE89987759DF30FC45CB54

Function 10005AD0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 70librarymemoryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,ZwProtectVirtualMemory,00000000,10005BDE,?,?,?,?,000000FF,10005CE8,000000FF,?,?,?,?), ref: 10005AE4
GetProcAddress.KERNEL32(00000000), ref: 10005AEB

Part of subcall function 10005A40: GetModuleHandleA.KERNEL32(00000000,?,00000000,?,10005B05,00000000,ntdll.dll,1000BFA4,00000005), ref: 10005A48

VirtualAlloc.KERNEL32(00000000,0000000B,00003000,00000040,00000000,10005BDE,?,?,?,?,000000FF,10005CE8,000000FF,?,?,?), ref: 10005B38
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 10005BA8

Strings

ntdll.dll, xrefs: 10005ADF, 10005AFA
ZwProtectVirtualMemory, xrefs: 10005ADA

Memory Dump Source

Source File: 00000004.00000002.2261648321.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2261612792.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261707000.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261751201.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261863396.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: HandleModuleVirtual$AddressAllocFreeProc
String ID: ZwProtectVirtualMemory$ntdll.dll
API String ID: 388322139-613508025
Opcode ID: 3f2e333342cacb2edc7985fbc541f57f2e2b50b9c22888553d4749b7b8733c30
Instruction ID: 24d9de40e1ec38948f0626ff2d0eb67c681e120d5b9cbc94a272e34673a50bb4
Opcode Fuzzy Hash: 3f2e333342cacb2edc7985fbc541f57f2e2b50b9c22888553d4749b7b8733c30
Instruction Fuzzy Hash: 28214CB1A046229FF214CF289C94F677AA4EF497D1F018665FA08973E9D771E801CB72

Function 10003FC0 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

?_Xran@std@@YAXXZ.MSVCP60(?,?,00000000,00000000,10003F53,?,00000000,FFFFFFFF,?,?,?,?), ref: 10003FD3
?_Xran@std@@YAXXZ.MSVCP60(?,?,00000000,00000000,10003F53,?,00000000,FFFFFFFF,?,?,?,?), ref: 10004001
memmove.MSVCRT(?,?,?,?,?,00000000,00000000,10003F53,?,00000000,FFFFFFFF,?,?,?,?), ref: 1000402A
memmove.MSVCRT(?,?,?,?,?,00000000,00000000,10003F53,?,00000000,FFFFFFFF,?,?,?,?), ref: 10004079
#825.MFC42U(?,?,?,00000000,00000000,10003F53,?,00000000,FFFFFFFF,?,?,?,?), ref: 100040E2
?_Xlen@std@@YAXXZ.MSVCP60(?,?,00000000,00000000,10003F53,?,00000000,FFFFFFFF,?,?,?,?), ref: 1000412C

Memory Dump Source

Source File: 00000004.00000002.2261648321.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2261612792.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261707000.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261751201.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261863396.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Xran@std@@memmove$#825Xlen@std@@
String ID:
API String ID: 1058695723-0
Opcode ID: c99c899000f3e845d934672dc8fa5a44403cf90caa0ca127342bf30a0f941e39
Instruction ID: 030e978d56c2ab623cdcb170f7569a7b32d6d92317d5ad0df148ab8d32bc1acc
Opcode Fuzzy Hash: c99c899000f3e845d934672dc8fa5a44403cf90caa0ca127342bf30a0f941e39
Instruction Fuzzy Hash: 9A5124B13002459BEB04CF68D8946AEB7E6EF942D0B12816DFD09CB349DF32ED848784

Function 100025B0 Relevance: 9.0, APIs: 6, Instructions: 33COMMON

Download Yara Rule

APIs

#540.MFC42U ref: 100025D5
EnterCriticalSection.KERNEL32(?,?,?,10009528), ref: 100025E7
#861.MFC42U(1000966C,?,?,?,10009528), ref: 100025F6
LeaveCriticalSection.KERNEL32(10009528,1000966C,?,?,?,10009528), ref: 10002600
#535.MFC42U(?,?,?,?,10009528), ref: 10002611
#800.MFC42U(?,?,?,?,10009528), ref: 10002627

Memory Dump Source

Source File: 00000004.00000002.2261648321.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2261612792.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261707000.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261751201.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261863396.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$#535#540#800#861EnterLeave
String ID:
API String ID: 2659518386-0
Opcode ID: ada13aba084fd554437abbf018868ea6530f0b1f331527b19768b0ad6ad6d98d
Instruction ID: fd7d3a6004d433891c5c411062b12546cca0578b90f5abe4cccb98c8943f4945
Opcode Fuzzy Hash: ada13aba084fd554437abbf018868ea6530f0b1f331527b19768b0ad6ad6d98d
Instruction Fuzzy Hash: 7001F4B4408640EFE300DF54CD40B8EBBE4FB85792F40891CF68943294DB789908CB97

Function 10005000 Relevance: 7.5, APIs: 5, Instructions: 40threadinjectionCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 1000500B
#823.MFC42U(00000008,?,?,1000133A,00000000), ref: 1000501B
SuspendThread.KERNEL32(?,00000000), ref: 10005031
GetLastError.KERNEL32 ref: 1000503C
#825.MFC42U(00000000), ref: 10005045

Memory Dump Source

Source File: 00000004.00000002.2261648321.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2261612792.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261707000.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261751201.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261863396.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Thread$#823#825CurrentErrorLastSuspend
String ID:
API String ID: 3974497259-0
Opcode ID: cc5c28da0ed3cb80a9ca6d922b5efe33ea86db9f6fba49d33db0ad4a55a296ef
Instruction ID: 18245ed321afc0d90b876c41bab88f2370897c18db3d6b37bb0b96d684dff324
Opcode Fuzzy Hash: cc5c28da0ed3cb80a9ca6d922b5efe33ea86db9f6fba49d33db0ad4a55a296ef
Instruction Fuzzy Hash: 66F0A4B2900A62CBF320DF689C8465F77D4EB903E1F124636EA44C729CDB35D8458FA1

Function 10005D10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114fileCOMMON

Download Yara Rule

APIs

sprintf.MSVCRT ref: 10005D8F
CreateFileA.KERNEL32(?,C0000000,00000001,00000000,00000003,00000080,00000000), ref: 10005DAB

Strings

\\.\%c%c%d, xrefs: 10005D89

Memory Dump Source

Source File: 00000004.00000002.2261648321.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2261612792.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261707000.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261751201.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261863396.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CreateFilesprintf
String ID: \\.\%c%c%d
API String ID: 3122967319-720341438
Opcode ID: fb3a7a8b64182b26fca6dd2dcfa44545cef07e93377b4d4170262b454fe4ac0d
Instruction ID: 8abcecb530939a06ff02b4e79d9815dd8bad28e7ee65b7157aecf8ed02193d27
Opcode Fuzzy Hash: fb3a7a8b64182b26fca6dd2dcfa44545cef07e93377b4d4170262b454fe4ac0d
Instruction Fuzzy Hash: 57314C326042050BE728CA38EC457BB7BD1FBC07B0F95072EF996832D4CAB99D09C691

Function 100050A0 Relevance: 6.3, APIs: 4, Instructions: 270threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 100050CB

Memory Dump Source

Source File: 00000004.00000002.2261648321.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2261612792.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261707000.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261751201.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261863396.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: c516182049691b8fd8390c59d55166f2577fabcdafe1b531d33eb2f9755230c7
Instruction ID: 1994d0de1a42c22369135885ee02961ea05c59e3f84e2c7875db4395ffa74dba
Opcode Fuzzy Hash: c516182049691b8fd8390c59d55166f2577fabcdafe1b531d33eb2f9755230c7
Instruction Fuzzy Hash: 929111B16047468FE710CF18D880B5BB7E1FF862D1F41462EE94587298E772EE48CB92

Function 100053C0 Relevance: 6.2, APIs: 4, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 1000549E
VirtualAlloc.KERNEL32(?,00010000,00003000,00000040), ref: 100054D4
VirtualQuery.KERNEL32(?,?,0000001C), ref: 10005508
VirtualAlloc.KERNEL32(?,00010000,00003000,00000040), ref: 1000554C

Memory Dump Source

Source File: 00000004.00000002.2261648321.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2261612792.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261707000.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261751201.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261863396.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Virtual$AllocQuery
String ID:
API String ID: 31662377-0
Opcode ID: b6d64277b744421d1ccbfd1fd9a04d209526ad95b39b0fa185daa15fb1c8d727
Instruction ID: 61e2964d8fc8964c7a371095edf98da1f1874e119c01a5abccf401dd21d6e409
Opcode Fuzzy Hash: b6d64277b744421d1ccbfd1fd9a04d209526ad95b39b0fa185daa15fb1c8d727
Instruction Fuzzy Hash: BD519F31A047128BEB14CF19C8D076BB7E2FB886C6F664529E844A7358E331ED818B51

Function 10005690 Relevance: 6.1, APIs: 4, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 10005695

Memory Dump Source

Source File: 00000004.00000002.2261648321.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2261612792.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261707000.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261751201.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261863396.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 3549d485cfd7cc12aa0032a44624f96d3d22b46faada2d7fece3d50849546f10
Instruction ID: 39fa3f4efa6b89b053462ff4677e5b8989544524c2f6e52f439509726f00a3e8
Opcode Fuzzy Hash: 3549d485cfd7cc12aa0032a44624f96d3d22b46faada2d7fece3d50849546f10
Instruction Fuzzy Hash: FB31B0B6609312CBF320CF19EC80B6BB3D4EB803E2F11413EE90987248DB36A8459B55

Function 10004C30 Relevance: 6.1, APIs: 4, Instructions: 67threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 10004C31
#825.MFC42U(?,?,?,?,?,?,?,00000000,?,10004D93), ref: 10004C8B
ResumeThread.KERNEL32(?,?,?,?,00000000,?,10004D93), ref: 10004CB9
#825.MFC42U(?,?,?,?,00000000,?,10004D93), ref: 10004CBE

Memory Dump Source

Source File: 00000004.00000002.2261648321.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2261612792.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261707000.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261751201.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261863396.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: #825Thread$CurrentResume
String ID:
API String ID: 2499501605-0
Opcode ID: c46582828a6bc86dbf2a66cb05b46b38f77553a760397b5702bdaa6a191d9bc6
Instruction ID: 52e0d458e9b236fbdc740bc952d7d616ba79252a119376830c2f6ac1994e4aa9
Opcode Fuzzy Hash: c46582828a6bc86dbf2a66cb05b46b38f77553a760397b5702bdaa6a191d9bc6
Instruction Fuzzy Hash: E81190F6902A559BF360DF689D8081BB3E9EB442D03530A6EE55A93608DF35FC408B95

Function 10003180 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(10009528,100028E1,Both), ref: 10003185
wcscpy.MSVCRT ref: 10003195
LeaveCriticalSection.KERNEL32(10009528), ref: 100031A3

Strings

Apartment, xrefs: 10003190

Memory Dump Source

Source File: 00000004.00000002.2261648321.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2261612792.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261707000.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261751201.0000000010009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2261863396.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterLeavewcscpy
String ID: Apartment
API String ID: 3852819969-3482315511
Opcode ID: 5582def3bbfb7492c8b3bcb0e8ad3b42720def95b2590fb4b905f7b3638b339f
Instruction ID: 98de487c64ddbc34172ffb55b37b1c67c298462f3fae1c2ed628f0bd2cb6bf1c
Opcode Fuzzy Hash: 5582def3bbfb7492c8b3bcb0e8ad3b42720def95b2590fb4b905f7b3638b339f
Instruction Fuzzy Hash: 31C002B8D00510ABF2119B99CD8CAD93A64FB85797FC44590FB0981268C72D59549B72

Analysis Process: rundll32.exePID: 5248, Parent PID: 4632COMMON

Non-executed Functions

Function 02FCF487 Relevance: .6, Instructions: 577COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2302096612.0000000002FCC000.00000004.00000010.00020000.00000000.sdmp, Offset: 02FCC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2fcc000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4460e90c84f2468d3704331029508a409139f2c3f3c8a10d4ea4275dfacbf156
Instruction ID: 6b73d65499fff465c1433ee920a113eb07ea13a29ae0b5816885ca048405bbde
Opcode Fuzzy Hash: 4460e90c84f2468d3704331029508a409139f2c3f3c8a10d4ea4275dfacbf156
Instruction Fuzzy Hash: 65F092A244F3C14FC3178B7498BA5967F749D5719475F81DBD0C18F0A3D548484BC722

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.Packed.16045.13418.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_40dfe4f969cbf4fc5de74dcb1b6270e6cee73c1c_7522e4b5_2f2b4a1c-35c5-4358-b8f2-1e2fbbb9e370\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_40dfe4f969cbf4fc5de74dcb1b6270e6cee73c1c_7522e4b5_3445b430-5404-4f1d-ab9e-1623049dd6e3\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_40dfe4f969cbf4fc5de74dcb1b6270e6cee73c1c_7522e4b5_d1103713-8ae5-4de5-a329-aea6d2e3fe56\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_8b99f381882e05a5abb1913aaf1cb4446d926b3_7522e4b5_0a457b11-ee37-4a85-8ac3-689d30f730fc\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_8b99f381882e05a5abb1913aaf1cb4446d926b3_7522e4b5_71784623-12fc-4600-a3bb-ceea5991a9f6\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2B37.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2B66.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C42.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C51.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C62.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C72.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3691.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER372F.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER376E.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4249.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER42A7.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4306.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4336.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER43E1.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4411.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
SecuriteInfo.com.Trojan.Packed.16045.13418.dll

Function 100046FD Relevance: 31.6, APIs: 21, Instructions: 99
COMMON

Function 10004824 Relevance: 9.0, APIs: 6, Instructions: 25
memoryCOMMON

Function 10001C40 Relevance: 70.4, APIs: 33, Strings: 7, Instructions: 380
nativeCOMMON

Function 10002120 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 346
nativeCOMMON

Function 10001150 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 88
libraryloaderCOMMON