Edit tour

Windows Analysis Report
file.dll

Overview

General Information

Sample name:	file.dll (renamed file extension from exe to dll)
Original sample name:	file.exe
Analysis ID:	1524234
MD5:	236785dd3660b770236eefbb30bdf596
SHA1:	a6e5d3a08186b9ba7be15b1fec74f3bc3a5be5dd
SHA256:	829c5935218ccbed94948cedcb2058b954776657b9cf72fe7d0fc01dd5f95e40
Tags:	dllexesignedx64user-jstrosch
Infos:

Detection

Score:	5
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 1412 cmdline: loaddll64.exe "C:\Users\user\Desktop\file.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)

conhost.exe (PID: 6568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4872 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\file.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

rundll32.exe (PID: 2356 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 564 cmdline: C:\Windows\system32\WerFault.exe -u -p 2356 -s 332 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

rundll32.exe (PID: 5660 cmdline: rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_pisces_AbstractSurface_getRGBImpl MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 788 cmdline: C:\Windows\system32\WerFault.exe -u -p 5660 -s 332 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

rundll32.exe (PID: 7188 cmdline: rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_pisces_AbstractSurface_nativeFinalize MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7244 cmdline: rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_pisces_AbstractSurface_setRGBImpl MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 7280 cmdline: C:\Windows\system32\WerFault.exe -u -p 7244 -s 332 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

rundll32.exe (PID: 7344 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_AbstractSurface_getRGBImpl MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 7480 cmdline: C:\Windows\system32\WerFault.exe -u -p 7344 -s 324 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

rundll32.exe (PID: 7352 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_AbstractSurface_nativeFinalize MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7372 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_AbstractSurface_setRGBImpl MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7396 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_Transform6_initialize MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7428 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_PiscesRenderer_setTextureImpl MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7460 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_PiscesRenderer_setRadialGradientImpl MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7508 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_PiscesRenderer_setLinearGradientImpl MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7544 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_PiscesRenderer_setLCDGammaCorrectionImpl MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7560 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_PiscesRenderer_setCompositeRuleImpl MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7608 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_PiscesRenderer_setColorImpl MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7640 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_PiscesRenderer_setClipImpl MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7664 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_PiscesRenderer_nativeFinalize MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7680 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_PiscesRenderer_initialize MD5: EF3179D498793BF4234F708D3BE28633)

cleanup

Code function: 7_2_00007FFB1CA7ABF0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

7_2_00007FFB1CA7ABF0

Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB1CA7A620 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		7_2_00007FFB1CA7A620
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB1CA7ABF0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		7_2_00007FFB1CA7ABF0

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",#1

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FFB1CA7A79C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

7_2_00007FFB1CA7A79C

Source: Amcache.hve.12.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Rundll32	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.dll	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
15.164.165.52.in-addr.arpa	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.12.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1524234
Start date and time:	2024-10-02 17:18:20 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	42
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.dll (renamed file extension from exe to dll)
Original Sample Name:	file.exe
Detection:	CLEAN
Classification:	clean5.winDLL@49/17@1/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 11

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target rundll32.exe, PID 5660 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
VT rate limit hit for: file.dll

Simulations

Behavior and APIs

Time	Type	Description
11:19:32	API Interceptor	1x Sleep call for process: loaddll64.exe modified
11:19:48	API Interceptor	4x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_163b281bc03766b9d229495832e480b11c6631eb_d75f6fa5_1ac289ff-28d1-4d50-907b-2997462c5727\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7595946993884102
Encrypted:	false
SSDEEP:	96:RGFjMdFieyKyksjds4RvSmmOf9QXIDcQ2c63bcE4cw30XaXz+HbHgSQgJjz67FI5:MAFieyko0L0IvCujeMLzuiF3Z24lO8V
MD5:	19B76822100B34B50A939474D6DDCFF9
SHA1:	45967DB507350768C5067F3BC00C1D2C234D3B91
SHA-256:	91F4B2387DC976C0309349CAF4AFF35E5FD4FA8C863D69A47804B9F17BB843F1
SHA-512:	4CD33783009C0893014177DBE0042E49645495E80671B6BF82E538419BFA692EADB2FC5A582B4D5EA978B86A76199DE8B51269FA20E531FD7618279FDF4F45B1
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.3.5.5.9.6.2.9.0.8.5.4.4.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.3.5.5.9.6.3.6.4.2.9.1.1.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.a.c.2.8.9.f.f.-.2.8.d.1.-.4.d.5.0.-.9.0.7.b.-.2.9.9.7.4.6.2.c.5.7.2.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.4.3.3.4.e.4.b.-.2.2.2.b.-.4.1.8.a.-.a.d.2.c.-.8.6.4.e.5.a.0.2.e.e.a.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.f.i.l.e...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.9.3.4.-.0.0.0.1.-.0.0.1.4.-.3.0.7.e.-.8.3.7.5.d.e.1.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.2.2.!.r.u.n.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_163b281bc03766b9d229495832e480b11c6631eb_d75f6fa5_527bf8e3-915d-4f0a-a5f5-0f3120f0c5d6\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7593942732151083
Encrypted:	false
SSDEEP:	96:klFNBdFiezyKy3sjds4RvSmmOf9QXIDcQ2c63bcE4cw30XaXz+HbHgSQgJjz67FW:07Fiay3o0L0IvCujeMLzuiF3Z24lO8V
MD5:	70A50727EA1259AABCEB7B139F59B63E
SHA1:	B5DE2415AA3E0A0E405B1627132ADB6C806666FB
SHA-256:	FA30EC3A393AD69406E7355243BDFCA812B5569B837CEAA9D3162F4B8CA31348
SHA-512:	348226A1685D17669D2456F82A3C524732909B4DB6A36C87529BC83FCBD68C6A28DB2C0EF4AB5371E3AB32CD4CF30DFA70564BFC359268E4AAB5B8F33EE0DAB7
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.3.5.5.9.6.2.8.7.2.2.9.9.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.3.5.5.9.6.3.6.3.7.9.0.2.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.2.7.b.f.8.e.3.-.9.1.5.d.-.4.f.0.a.-.a.5.f.5.-.0.f.3.1.2.0.f.0.c.5.d.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.c.7.f.2.d.6.d.-.4.e.5.d.-.4.f.1.7.-.b.a.6.f.-.e.4.9.0.6.2.f.7.f.b.3.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.f.i.l.e...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.1.c.-.0.0.0.1.-.0.0.1.4.-.3.4.b.1.-.8.1.7.5.d.e.1.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.2.2.!.r.u.n.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_163b281bc03766b9d229495832e480b11c6631eb_d75f6fa5_75b49cbe-11f1-4246-8ee2-53a4fbf46332\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7623380743755666
Encrypted:	false
SSDEEP:	192:COAFi0yGo0L0IvCujeMLzuiF3Z24lO8V:dOi5GMIvCujvzuiF3Y4lO8V
MD5:	34ED39377BAC6B45D6F1647EEE44A0C0
SHA1:	9AEA47C23983909191CFC189E13522E272AE59CF
SHA-256:	22F7D3020C5C92583508DEE6A30F62228BB0D5A719605633BA396AD60392D6C9
SHA-512:	FEF325BB2ECAA2CC1A3D947A89F25BE84ED7D78EC860EDD22CD26D689A2D094700DD1A92116AA00851F2D126032D7CDFE7D2BCD77819D4E04715345CE8833D08
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.3.5.5.9.7.2.0.3.4.6.7.1.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.3.5.5.9.7.4.0.0.3.4.2.4.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.5.b.4.9.c.b.e.-.1.1.f.1.-.4.2.4.6.-.8.e.e.2.-.5.3.a.4.f.b.f.4.6.3.3.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.9.a.d.d.5.9.c.-.1.6.6.9.-.4.d.8.7.-.8.d.2.7.-.3.e.3.3.f.d.5.d.0.4.6.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.f.i.l.e...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.b.0.-.0.0.0.1.-.0.0.1.4.-.2.c.a.f.-.e.a.7.a.d.e.1.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.2.2.!.r.u.n.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_f365a289cde21bdad085295fbeb3d421d2947397_d75f6fa5_131b5758-8b7a-4ded-a65f-584aa0c3c453\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7625929262617398
Encrypted:	false
SSDEEP:	192:TCtFiiyio0F0Iv8Dz6jeMLzuiF3Z24lO8V:8i/iyIv8n6jvzuiF3Y4lO8V
MD5:	25A06DD2FC72A7B0B77D1EEA1B912CFC
SHA1:	1621C4E197D2277A1CCD890A3F5F6B589E33F47B
SHA-256:	9CA31091559E6BE36EEE72C2B0CA1FDD66CB6BF1E0AA4B35EB0EFD63A6AD7E52
SHA-512:	4191C42C1C6E98ECED30E013CED01FADBBE559DB18527EDB0064A647363EF7595983CDD7AAD5DB0FF424F19AECF5A57E57F5F955E1F226645DAA1C195F241844
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.3.5.5.9.6.8.7.3.0.7.8.4.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.3.5.5.9.6.9.0.2.7.6.7.6.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.3.1.b.5.7.5.8.-.8.b.7.a.-.4.d.e.d.-.a.6.5.f.-.5.8.4.a.a.0.c.3.c.4.5.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.c.d.4.9.c.4.a.-.d.5.c.4.-.4.f.e.2.-.9.7.4.e.-.8.f.a.a.2.2.7.e.6.5.1.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.f.i.l.e...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.4.c.-.0.0.0.1.-.0.0.1.4.-.e.f.7.5.-.1.9.7.9.d.e.1.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.2.2.!.r.u.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCF37.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Oct 2 15:19:23 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	56042
Entropy (8bit):	1.6492349416579417
Encrypted:	false
SSDEEP:	192:WxlZiQRgMOMxxPpPp4uQSla8FagaLNA4UtZPJ/:6ZtRgDGPpPZA1fLNA4U3
MD5:	8A96C2AACE3C97AC50D1C912BFABD041
SHA1:	52B37ADBCEB65DD91CF4F00BB8C129746FB29471
SHA-256:	EC295AF861A8AC85CBA4A34E3EDDAF4F64D635F6C08D1262EA1F0098331DB61E
SHA-512:	9CC5ABB709FC1005EF215111B134132E6E8CF03154F63D3F763511EE7349485178AD4D0C41E13925D735E50F357C195242006CA259733B870109D0A41578A382
Malicious:	false
Preview:	MDMP..a..... .......{d.f........................L................)..........T.......8...........T...............j.......................................................................................................eJ......l.......Lw......................T.......4...zd.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCFA5.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Oct 2 15:19:23 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	55822
Entropy (8bit):	1.6494529743871305
Encrypted:	false
SSDEEP:	192:WOmziReLsOMxdPCiOVGqlq+Q9Ha5j5aHaRcnqBcP5c:/mzIeLjSPCiOnl665jE6R0P5
MD5:	DB1C0D60D3452F978D23DF7C578B12CB
SHA1:	0CE739EFFBB4B6DBF0FDB118AB610DDDCBA34BB8
SHA-256:	7F374F62A7158ACD0F4A823B4C2A05AA9AF9D8C26D0F070CD8FC682B50D4E338
SHA-512:	5CBA17CFE0C2B1BC72289E24A3D4FA8B6B85AE7A136A46077EA9F718B8669A46D96DBE5A6D10F69B28BF03A4ED1AFF9786D7F4A92FBD9A3923C0E466DA17E982
Malicious:	false
Preview:	MDMP..a..... .......{d.f........................L................)..........T.......8...........T...........0...........................................................................................................eJ......l.......Lw......................T...........zd.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD022.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8498
Entropy (8bit):	3.6949886307862787
Encrypted:	false
SSDEEP:	192:R6l7wVeJn5dUs6YaxCfgmfiL0bYbprw89bgUbfKgm:R6lXJ5dUs6YcigmfGQcgQf8
MD5:	9ECD205014E9C6936E8ED802776FD5BF
SHA1:	E7959E639FBB7C5ED19C4ADDE4FDFDEE947BC418
SHA-256:	5B62D1FB27A252019D04EF4D6202C7BE998DC0F63825B87E92DE82F8880D621F
SHA-512:	AD93F48085DFF0BC346944B481A4EF915C3FA891579F1F78D98B319FDFD4B107B6640CB0C70BF8DBAE535BD623FF42DD869409E2B3765E97A70C3EF01A4BDF21
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.3.5.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD023.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8490
Entropy (8bit):	3.693348741193146
Encrypted:	false
SSDEEP:	192:R6l7wVeJodTUV6Y3kscgmfiL0bYbpr089bgYbfegm:R6lXJiTUV6Y0vgmfGQAg8fQ
MD5:	FD7AC115CB56DB848972C7576BD9DC44
SHA1:	604683C5ADA1409D70D3734404966978FFC9E249
SHA-256:	AC00D56822E64E2F972FEABF5CBBB17DED4C3967FCCF5F7A8512F4AA847E0E31
SHA-512:	5D6148ACEF70A86186E7CB70DE79823C15BBFD6CD2DE2BE5F83ED3961A4935CDA68BB1854AFEDE44AEDDC7C999DCF9135EC82AA6E3FD2FC087B7F6A872B6FB59
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.6.6.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD072.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4729
Entropy (8bit):	4.465194031755731
Encrypted:	false
SSDEEP:	48:cvIwWl8zsFJg771I9/4VWpW8VYpYm8M4JCFCtsN7FPWYyq85m4zmHlptSTSCd:uIjffI7wl7V5Ji9xGAlpoOCd
MD5:	1386C71D065B1C5BFA4FE3C97F0DD102
SHA1:	437498199D7984DA4F8BADE7017FE8F075A878DD
SHA-256:	BFA6E17C47738A81A20B4B58209EE074CDA632F5766A8B005CF4AE6105E68223
SHA-512:	60121957DE26EAEC2E58D190A6053C510E3F4BC29B62411EA1C034DAA340C978D1BCDAEECCB7A6EDCFAEB3217C048232C6CD95DDFF8CACFB234AAC31FA5D595D
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="525982" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD081.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4729
Entropy (8bit):	4.462092920649685
Encrypted:	false
SSDEEP:	48:cvIwWl8zsFJg771I9/4VWpW8VYEYm8M4JCFCtsN7Fyyq85m4zmnptSTSy6d:uIjffI7wl7V8JiYGEpoOy6d
MD5:	C31465651E96EF9F9AB866C4C9ED12CA
SHA1:	832BC3117E650B16A15E57EFC4791A78B25CCE9A
SHA-256:	2C30968D32BB1405FF7CE39DFCC81576CCE23E902500CDD9A00CEC77EF4019FD
SHA-512:	D6EC008A7FB72B29435C2B20238EBBA3F1629854F38F8664686BCBEBAA98A8A11752F2DBF3C5E1C033D19E8499C1C9CDF37EC7B24B0AF8C8E09A6C0CCCF55794
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="525982" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE60B.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Oct 2 15:19:28 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	56062
Entropy (8bit):	1.6592939847458699
Encrypted:	false
SSDEEP:	192:Ry+mi/7ukXk08OMxqPI+37OAQVQanTaEarGEE7iYB:w+m071XxzFPI+L+nWzyl+Y
MD5:	29F1672BFB56BFEEB5CE4BFA2C8E9C9B
SHA1:	0D2C9EB2C2366FF7B866DB892FD8E8EC3034E9BE
SHA-256:	2FC57EE1D98BD238B775637B5BCBB688EC8649B5936576532502313CE5752244
SHA-512:	BB35E55A83D1AB86EBECEBE30168A00552CBC6E41AFE97D0035E271EB8C1946C33A585178A50733424FBA5BDB22224810A7064AC2ED0211B4FB63B18A4AF15F4
Malicious:	false
Preview:	MDMP..a..... ........d.f........................L................)..........T.......8...........T...........0...........................................................................................................eJ......l.......Lw......................T.......L....d.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE64A.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8744
Entropy (8bit):	3.696426507719646
Encrypted:	false
SSDEEP:	192:R6l7wVeJIqQUU6Y3gscgmfiL01YzPpr089bTCzfTOxm:R6lXJFQUU6YQvgmfGakTT+f1
MD5:	8915354109D3FF47C448FA2C8076EF53
SHA1:	1A68769D44BD6AD32ECBD7BEBCC8FCAC0A29547B
SHA-256:	B6C57F27C800E3CFAFB9BDD8B3386BDEB5EF016E8BEFFC5233B3E2D362465D4F
SHA-512:	CB351AEFD23679B726B18AA5A3024CABD05798022C7BE57DAE67D8E5C559CC4F4AE0DC765A1514892064480015E96A305E9CB9E715925E6CBED51D313300D14B
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.2.4.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE66A.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4730
Entropy (8bit):	4.464226659165219
Encrypted:	false
SSDEEP:	48:cvIwWl8zsFJg771I9/4VWpW8VYczYm8M4JCFCtsNzFJ8yq85m4zmwilptSTSfd:uIjffI7wl7VeJi8G1YpoOfd
MD5:	599B0DA47B118B0FFC8F6F5E90F52183
SHA1:	EC750F5B57EB7380C8B6D7AD84F839D633A54D1B
SHA-256:	6666247DBEC900F0097438702AD91BC2B4B75B22CD5968FA22812527EF2A4D10
SHA-512:	355D2957F6B2BC21B3DA7A5F9534B3A3D59A2A22529500D5E2755C0D37198F34AF05EBB49F6531AFF416117E12AC6CBFA875B6AC214DC6EDE937A610BEF863BB
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="525982" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF2DC.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Oct 2 15:19:32 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	66958
Entropy (8bit):	1.5076985030496757
Encrypted:	false
SSDEEP:	192:F/UMXxIOMxcP8ABw9akaca567mR/t2a159nqbf:pXhXP8AB9TrVI059nq
MD5:	18BD2010543D9785C129F7BE69248D1C
SHA1:	FD779EB01270E54B737F45684634AFB041E8C97F
SHA-256:	194357DC31BD3146BE5E0AB792DEEE07BF322BD7028A67A72CCB000D8FDA8E27
SHA-512:	1AF03076DFF117373B8D5EFAB673951D0A5012B62F4EDF28C9EB23E07C175003514043BF516702C5532A5F180E263274454FD09C35F947A78035DF7F862BDA68
Malicious:	false
Preview:	MDMP..a..... ........d.f........................L...........$...............T.......8...........T...........0...^.......................................................................................................eJ..............Lw......................T............d.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF3F6.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8746
Entropy (8bit):	3.69904461133513
Encrypted:	false
SSDEEP:	192:R6l7wVeJxq+UO6Y3DoBgmfiL0bYbpr/89b43zfIom:R6lXJc+UO6YzoBgmfGQR4jf+
MD5:	4BDD40FECF3A8724E2E1246277C5AAE2
SHA1:	E1AF49AA4A9D5F82F2E7F0404967C58AF3284633
SHA-256:	DAFC5EF71332713739CC91FE51F989E984CA8C770961DF2D6722133D4BA9188D
SHA-512:	B3E99F3B9F829EAB31FB35F90BB6EC670EBBD4463E3E7049B59D7E310826C8B34F38D8B72470BD315C661E916FE9A4CD97F644B5BB21D2BEA1E472D9A41681FA
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.4.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF501.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4730
Entropy (8bit):	4.464546587364498
Encrypted:	false
SSDEEP:	48:cvIwWl8zsFJg771I9/4VWpW8VYMYm8M4JCFCtsN7FZyq85m4zm+0ptSTSDd:uIjffI7wl7VYJibGkpoODd
MD5:	18687852884799CB41F309E34C204730
SHA1:	E0B82CF4F4CB69C93C13EBA4BE860848838DB5F3
SHA-256:	396E4ABB9573954D80CEE4EFA23BFB6A260105570D9B4F42F92D2DA5B903D78A
SHA-512:	F44588348CC2D2D4E2BD0B9CAABC816BF3B3277586D91EF9BD190DB9878271DC0E0A56E13BC568820F8590EC90F4A95A129802D5BBEF49018D904EC3008EFFA4
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="525982" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.417543867419685
Encrypted:	false
SSDEEP:	6144:Vcifpi6ceLPL9skLmb0mNSWSPtaJG8nAgex285i2MMhA20X4WABlGuN55+:yi58NSWIZBk2MM6AFBTo
MD5:	373AFBCDC8EC131166F24D0718489836
SHA1:	879B62C0BA2E1036E00C782DD883064D397465F0
SHA-256:	D3A74315C55A4498113CF17B1B988D664125B275954201934E8B6006C225E7FF
SHA-512:	3BF042501E27E4C195E45C09B7D9FDED8CDD1D0FC1D4A6605694C6FC1D76F0C6AA0595D723BDF06F0BA6BD1D72FEE603A2667C288BCB749846217A5F9255E06B
Malicious:	false
Preview:	regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.}.u................................................................................................................................................................................................................................................................................................................................................f..A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):	6.554742126903261
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	file.dll
File size:	66'208 bytes
MD5:	236785dd3660b770236eefbb30bdf596
SHA1:	a6e5d3a08186b9ba7be15b1fec74f3bc3a5be5dd
SHA256:	829c5935218ccbed94948cedcb2058b954776657b9cf72fe7d0fc01dd5f95e40
SHA512:	bf92d2012f2f060f83013a3203e9c2e70fe0eadef6b46606ffc0d40531bd04d538df691456724d203697c6b87881f7b0e436a3b46aebc0f72ca7d49f6664cc58
SSDEEP:	1536:QT6nJHPXFs2rHj6cUVBEF4mgIktU7UfzPxd:n+cUVbmgRtUixd
TLSH:	89536C92E3A94595D8679038D6CAE52BE231780A0340CADF8781C7293F13FE5777A39D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................<.....................................................B.......B.......B.P.....B.......Rich...................

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x18000a5e0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x180000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x63BBC001 [Mon Jan 9 07:19:29 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	072f7140db8daa63b9054de1b461a74b

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	19/08/2021 02:00:00 20/08/2023 01:59:59
Subject Chain	CN="Oracle America, Inc.", OU=Software Engineering, O="Oracle America, Inc.", L=Redwood City, S=California, C=US
Version:	3
Thumbprint MD5:	2876C1BECB51837D0E3DE50903D025B6
Thumbprint SHA-1:	940D69C0A34A1B4CFD8048488BA86F4CED60481A
Thumbprint SHA-256:	EE46613A38B4F486164BCE7FB23178667715617F511B364594311A1548B08EB1
Serial:	068BE2F53452C882F18ED41A5DD4E7A3

Entrypoint Preview

Instruction
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
push edi
dec eax
sub esp, 20h
dec ecx
mov edi, eax
mov ebx, edx
dec eax
mov esi, ecx
cmp edx, 01h
jne 00007FEF9C525A57h
call 00007FEF9C525BF0h
dec esp
mov eax, edi
mov edx, ebx
dec eax
mov ecx, esi
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov esi, dword ptr [esp+38h]
dec eax
add esp, 20h
pop edi
jmp 00007FEF9C5258E4h
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
xor ecx, ecx
call dword ptr [000019EFh]
dec eax
mov ecx, ebx
call dword ptr [000019DEh]
call dword ptr [000019E8h]
dec eax
mov ecx, eax
mov edx, C0000409h
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [000019DCh]
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 38h
mov ecx, 00000017h
call dword ptr [000019D0h]
test eax, eax
je 00007FEF9C525A59h
mov ecx, 00000002h
int 29h
dec eax
lea ecx, dword ptr [00004986h]
call 00007FEF9C525AFEh
dec eax
mov eax, dword ptr [esp+38h]
dec eax
mov dword ptr [00004A6Dh], eax
dec eax
lea eax, dword ptr [esp+38h]
dec eax
add eax, 08h
dec eax
mov dword ptr [000049FDh], eax
dec eax
mov eax, dword ptr [00004A56h]
dec eax
mov dword ptr [000048C7h], eax

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xd300	0x4f8	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd7f8	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x11000	0x3a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x10000	0x744	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0xda00	0x28a0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x12000	0x60	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xc600	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xc4c0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc000	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa0a8	0xa200	797e78714301959121606ef273843089	False	0.5083188657407407	zlib compressed data	6.239049310448227	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xc000	0x1c8a	0x1e00	4fb84c3f5dd448459577d8e934a6344d	False	0.41067708333333336	data	4.900369347449404	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xe000	0x1548	0x800	119916a6407a679706530e28630bde29	False	0.8046875	data	6.651099942184534	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x10000	0x744	0x800	bc7e0799e2391d08a6431c579932670a	False	0.44482421875	data	4.143474232180331	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x11000	0x3a8	0x400	c12afd11893cee67bf4b00d0f81c7bc2	False	0.4150390625	data	3.1106514367541083	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x12000	0x60	0x200	f32cc71d4335b8eea1e4877ebbfd14bb	False	0.197265625	data	1.2931658068090224	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x11060	0x344	data	English	United States	0.46291866028708134

Imports

DLL	Import
KERNEL32.dll	RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, DisableThreadLibraryCalls, InitializeSListHead, IsDebuggerPresent
VCRUNTIME140.dll	memcpy, memset, __C_specific_handler, __std_type_info_destroy_list
api-ms-win-crt-heap-l1-1-0.dll	calloc, free
api-ms-win-crt-math-l1-1-0.dll	pow, sqrt
api-ms-win-crt-runtime-l1-1-0.dll	_seh_filter_dll, _initterm_e, _initialize_narrow_environment, _initialize_onexit_table, _execute_onexit_table, _cexit, _initterm, _configure_narrow_argv

Exports

Name	Ordinal	Address
Java_com_sun_pisces_AbstractSurface_getRGBImpl	1	0x180001000
Java_com_sun_pisces_AbstractSurface_nativeFinalize	2	0x180001270
Java_com_sun_pisces_AbstractSurface_setRGBImpl	3	0x180001300
Java_com_sun_pisces_JavaSurface_initialize	4	0x1800015d0
Java_com_sun_pisces_PiscesRenderer_clearRectImpl	5	0x180001930
Java_com_sun_pisces_PiscesRenderer_drawImageImpl	6	0x180001a20
Java_com_sun_pisces_PiscesRenderer_emitAndClearAlphaRowImpl	7	0x180001c20
Java_com_sun_pisces_PiscesRenderer_fillAlphaMaskImpl	8	0x180001ef0
Java_com_sun_pisces_PiscesRenderer_fillLCDAlphaMaskImpl	9	0x180002010
Java_com_sun_pisces_PiscesRenderer_fillRectImpl	10	0x180002140
Java_com_sun_pisces_PiscesRenderer_initialize	11	0x1800021d0
Java_com_sun_pisces_PiscesRenderer_nativeFinalize	12	0x180002320
Java_com_sun_pisces_PiscesRenderer_setClipImpl	13	0x180002420
Java_com_sun_pisces_PiscesRenderer_setColorImpl	14	0x1800024b0
Java_com_sun_pisces_PiscesRenderer_setCompositeRuleImpl	15	0x180002560
Java_com_sun_pisces_PiscesRenderer_setLCDGammaCorrectionImpl	16	0x1800025f0
Java_com_sun_pisces_PiscesRenderer_setLinearGradientImpl	17	0x180002600
Java_com_sun_pisces_PiscesRenderer_setRadialGradientImpl	18	0x1800028f0
Java_com_sun_pisces_PiscesRenderer_setTextureImpl	19	0x180002cb0
Java_com_sun_pisces_Transform6_initialize	20	0x180003fe0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 17:19:52.518368959 CEST	53	64377	162.159.36.2	192.168.2.7
Oct 2, 2024 17:19:53.000408888 CEST	53689	53	192.168.2.7	1.1.1.1
Oct 2, 2024 17:19:53.007914066 CEST	53	53689	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 2, 2024 17:19:53.000408888 CEST	192.168.2.7	1.1.1.1	0x38c9	Standard query (0)	15.164.165.52.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 2, 2024 17:19:53.007914066 CEST	1.1.1.1	192.168.2.7	0x38c9	Name error (3)	15.164.165.52.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

Target ID:	3
Start time:	11:19:22
Start date:	02/10/2024
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\file.dll"
Imagebase:	0x7ff6b4a20000
File size:	165'888 bytes
MD5 hash:	763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:19:22
Start date:	02/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:19:22
Start date:	02/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\file.dll",#1
Imagebase:	0x7ff79d400000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:19:22
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_pisces_AbstractSurface_getRGBImpl
Imagebase:	0x7ff7c8fa0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:19:22
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",#1
Imagebase:	0x7ff7c8fa0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	11:19:22
Start date:	02/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 5660 -s 332
Imagebase:	0x7ff71b3e0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	11:19:22
Start date:	02/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 2356 -s 332
Imagebase:	0x7ff71b3e0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	11:19:25
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_pisces_AbstractSurface_nativeFinalize
Imagebase:	0x7ff7c8fa0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	11:19:28
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_pisces_AbstractSurface_setRGBImpl
Imagebase:	0x7ff7c8fa0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	11:19:28
Start date:	02/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7244 -s 332
Imagebase:	0x7ff71b3e0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	11:19:31
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_AbstractSurface_getRGBImpl
Imagebase:	0x7ff7c8fa0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	11:19:31
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_AbstractSurface_nativeFinalize
Imagebase:	0x7ff7c8fa0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	11:19:31
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_AbstractSurface_setRGBImpl
Imagebase:	0x7ff7c8fa0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	11:19:31
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_Transform6_initialize
Imagebase:	0x7ff7c8fa0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	11:19:31
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_PiscesRenderer_setTextureImpl
Imagebase:	0x7ff7c8fa0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	11:19:31
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_PiscesRenderer_setRadialGradientImpl
Imagebase:	0x7ff7c8fa0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	11:19:31
Start date:	02/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7344 -s 324
Imagebase:	0x7ff71b3e0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	11:19:31
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_PiscesRenderer_setLinearGradientImpl
Imagebase:	0x7ff7c8fa0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	11:19:31
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_PiscesRenderer_setLCDGammaCorrectionImpl
Imagebase:	0x7ff7c8fa0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	11:19:31
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_PiscesRenderer_setCompositeRuleImpl
Imagebase:	0x7ff7c8fa0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	11:19:31
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_PiscesRenderer_setColorImpl
Imagebase:	0x7ff7c8fa0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	11:19:31
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_PiscesRenderer_setClipImpl
Imagebase:	0x7ff7c8fa0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	11:19:32
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_PiscesRenderer_nativeFinalize
Imagebase:	0x7ff7c8fa0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	11:19:32
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_PiscesRenderer_initialize
Imagebase:	0x7ff7c8fa0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 00007FFB1CA7ABF0 Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFB1CA7AC0C
memset.VCRUNTIME140 ref: 00007FFB1CA7AC30
RtlCaptureContext.KERNEL32 ref: 00007FFB1CA7AC39
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFB1CA7AC53
RtlVirtualUnwind.KERNEL32 ref: 00007FFB1CA7AC94
memset.VCRUNTIME140 ref: 00007FFB1CA7ACC7
IsDebuggerPresent.KERNEL32 ref: 00007FFB1CA7ACE8
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFB1CA7AD09
UnhandledExceptionFilter.KERNEL32 ref: 00007FFB1CA7AD14

Memory Dump Source

Source File: 00000007.00000002.1579588275.00007FFB1CA71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFB1CA70000, based on PE: true

Associated: 00000007.00000002.1579544304.00007FFB1CA70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1579654989.00007FFB1CA7C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1579715357.00007FFB1CA7E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1579776418.00007FFB1CA80000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb1ca70000_rundll32.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 6be6f6b38f90620eea8d1306af1076ac9f4c5fa117e3095326b3843d25edd67e
Instruction ID: 552b887783587caf7910a79f2d6879649bec9534e20dd8709bb13bd3231bf64a
Opcode Fuzzy Hash: 6be6f6b38f90620eea8d1306af1076ac9f4c5fa117e3095326b3843d25edd67e
Instruction Fuzzy Hash: 02318DF2618F8196EB618FB0F8543ED6361FB84758F64413ADA4E47A88DF39C548C700

Function 00007FFB1CA731F0 Relevance: 12.3, APIs: 6, Strings: 2, Instructions: 335COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB1CA73563
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB1CA73571
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB1CA73612
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB1CA73620
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB1CA736B7
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB1CA736C5

Strings

java/lang/OutOfMemoryError, xrefs: 00007FFB1CA73726
Allocation of internal renderer buffer failed., xrefs: 00007FFB1CA7371C

Memory Dump Source

Source File: 00000007.00000002.1579588275.00007FFB1CA71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFB1CA70000, based on PE: true

Associated: 00000007.00000002.1579544304.00007FFB1CA70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1579654989.00007FFB1CA7C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1579715357.00007FFB1CA7E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1579776418.00007FFB1CA80000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb1ca70000_rundll32.jbxd

Similarity

API ID: callocfree
String ID: Allocation of internal renderer buffer failed.$java/lang/OutOfMemoryError
API String ID: 306872129-2377867479
Opcode ID: 5f733ac2d0cab575633ee8ed465d9249de1b7cf363b7a28ea37305c2fd133613
Instruction ID: ca6bd4284f5a43f3700b123bea2085bf5897e186a2e3ae07a873534652409c2e
Opcode Fuzzy Hash: 5f733ac2d0cab575633ee8ed465d9249de1b7cf363b7a28ea37305c2fd133613
Instruction Fuzzy Hash: 05E1E4B2619B818AD766CF75E4093EE7792FB84F54F250236CE4A87748DF3AE4408B50

Function 00007FFB1CA728F0 Relevance: 2.7, Strings: 2, Instructions: 194COMMON

Download Yara Rule

Strings

java/lang/OutOfMemoryError, xrefs: 00007FFB1CA72C82
Allocation of internal renderer buffer failed., xrefs: 00007FFB1CA72C78

Memory Dump Source

Source File: 00000007.00000002.1579588275.00007FFB1CA71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFB1CA70000, based on PE: true

Associated: 00000007.00000002.1579544304.00007FFB1CA70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1579654989.00007FFB1CA7C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1579715357.00007FFB1CA7E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1579776418.00007FFB1CA80000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb1ca70000_rundll32.jbxd

Similarity

API ID:
String ID: Allocation of internal renderer buffer failed.$java/lang/OutOfMemoryError
API String ID: 0-2377867479
Opcode ID: d1bb83acb865c2bd226f3ee30411a49ee73c1374ee1b14ac6a7417a49479102d
Instruction ID: 8fb2b8256dec2528e679168ffcd1dcb1a56cd02ff628f53fe5f3ce3b1c1c658e
Opcode Fuzzy Hash: d1bb83acb865c2bd226f3ee30411a49ee73c1374ee1b14ac6a7417a49479102d
Instruction Fuzzy Hash: F4A1DA62E24BC852D216CB37E5453F9B321FFAE784F299712EB5832661DF35B0A19700

Function 00007FFB1CA72600 Relevance: 2.7, Strings: 2, Instructions: 159COMMON

Download Yara Rule

Strings

java/lang/OutOfMemoryError, xrefs: 00007FFB1CA728CC
Allocation of internal renderer buffer failed., xrefs: 00007FFB1CA728C2

Memory Dump Source

Source File: 00000007.00000002.1579588275.00007FFB1CA71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFB1CA70000, based on PE: true

Associated: 00000007.00000002.1579544304.00007FFB1CA70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1579654989.00007FFB1CA7C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1579715357.00007FFB1CA7E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1579776418.00007FFB1CA80000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb1ca70000_rundll32.jbxd

Similarity

API ID: free
String ID: Allocation of internal renderer buffer failed.$java/lang/OutOfMemoryError
API String ID: 1294909896-2377867479
Opcode ID: 3d0bcbc75c54bcef79349cb7cd6abf24b2bcf979ee7a7b4f3e867e26a1249d67
Instruction ID: 8a07ac56a0f1cb6cfcf951999985f04666bfe3d4137851bdcbcaea9b38321e3b
Opcode Fuzzy Hash: 3d0bcbc75c54bcef79349cb7cd6abf24b2bcf979ee7a7b4f3e867e26a1249d67
Instruction Fuzzy Hash: 5671B662A24BC881D612CB3AE5497F97321FFADB84F29D722EE4833615DF35A1958700

Function 00007FFB1CA7A2C0 Relevance: 16.7, APIs: 11, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFB1CA7A2E8
__scrt_initialize_crt.LIBCMT ref: 00007FFB1CA7A32D
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFB1CA7A33A
_RTC_Initialize.LIBCMT ref: 00007FFB1CA7A368
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFB1CA7A38E
__scrt_release_startup_lock.LIBCMT ref: 00007FFB1CA7A3B9

Memory Dump Source

Source File: 00000007.00000002.1579588275.00007FFB1CA71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFB1CA70000, based on PE: true

Associated: 00000007.00000002.1579544304.00007FFB1CA70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1579654989.00007FFB1CA7C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1579715357.00007FFB1CA7E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1579776418.00007FFB1CA80000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb1ca70000_rundll32.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 349153199-0
Opcode ID: 578a9888e317f13b2185e6453b85aaf855756a6625627244a964c00a8e05a250
Instruction ID: d1a794b5a79288ae2cd868c12ad37c3aaf6e22170ba34581429c687005884c99
Opcode Fuzzy Hash: 578a9888e317f13b2185e6453b85aaf855756a6625627244a964c00a8e05a250
Instruction Fuzzy Hash: 6D81B0E1E28F0355F6529BB5F46E2F92292BF857A0F346235D90D4369EDE2EEC418700

Function 00007FFB1CA72320 Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB1CA7236B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB1CA72386
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB1CA72398
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB1CA723AA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB1CA723BC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB1CA723C5

Strings

java/lang/OutOfMemoryError, xrefs: 00007FFB1CA72401
Allocation of internal renderer buffer failed., xrefs: 00007FFB1CA723F7

Memory Dump Source

Source File: 00000007.00000002.1579588275.00007FFB1CA71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFB1CA70000, based on PE: true

Associated: 00000007.00000002.1579544304.00007FFB1CA70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1579654989.00007FFB1CA7C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1579715357.00007FFB1CA7E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1579776418.00007FFB1CA80000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb1ca70000_rundll32.jbxd

Similarity

API ID: free
String ID: Allocation of internal renderer buffer failed.$java/lang/OutOfMemoryError
API String ID: 1294909896-2377867479
Opcode ID: baf3072947eb7240da5f26cbe3cd6d1cbe086b9e92a3f6fc9c7481688ad742fb
Instruction ID: 7e956f7e71318c9e62facf0609c7c9443137063780fb64ba46d3b692a2bdb353
Opcode Fuzzy Hash: baf3072947eb7240da5f26cbe3cd6d1cbe086b9e92a3f6fc9c7481688ad742fb
Instruction Fuzzy Hash: C221FEE5A29F8281FA5A8B71F8586F82352BF44FA4F384336DE0E46759CE2D94418351

Function 00007FFB1CA72F10 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB1CA72FEE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB1CA730DC
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB1CA730EA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB1CA7315E

Strings

java/lang/OutOfMemoryError, xrefs: 00007FFB1CA731CF
Allocation of internal renderer buffer failed., xrefs: 00007FFB1CA731C5

Memory Dump Source

Source File: 00000007.00000002.1579588275.00007FFB1CA71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFB1CA70000, based on PE: true

Associated: 00000007.00000002.1579544304.00007FFB1CA70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1579654989.00007FFB1CA7C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1579715357.00007FFB1CA7E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1579776418.00007FFB1CA80000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb1ca70000_rundll32.jbxd

Similarity

API ID: free$calloc
String ID: Allocation of internal renderer buffer failed.$java/lang/OutOfMemoryError
API String ID: 3095843317-2377867479
Opcode ID: 32b5628137689e10ea177fefe7975dc5c3c2437fc6fcbd0b2ca8bfd8a3871ec4
Instruction ID: 2539e657969277fb8848268cc987206f4ed33136578d8babcfbc5ff7f924e688
Opcode Fuzzy Hash: 32b5628137689e10ea177fefe7975dc5c3c2437fc6fcbd0b2ca8bfd8a3871ec4
Instruction Fuzzy Hash: 037159F2A15B818AD751CF65E8093EA77A1FB84F98F244236CE494B718CF39E444DB20

Function 00007FFB1CA71C20 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 167COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB1CA71E09
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB1CA71E17

Strings

java/lang/OutOfMemoryError, xrefs: 00007FFB1CA71ED2
Allocation of internal renderer buffer failed., xrefs: 00007FFB1CA71EC8

Memory Dump Source

Source File: 00000007.00000002.1579588275.00007FFB1CA71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFB1CA70000, based on PE: true

Associated: 00000007.00000002.1579544304.00007FFB1CA70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1579654989.00007FFB1CA7C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1579715357.00007FFB1CA7E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1579776418.00007FFB1CA80000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb1ca70000_rundll32.jbxd

Similarity

API ID: callocfree
String ID: Allocation of internal renderer buffer failed.$java/lang/OutOfMemoryError
API String ID: 306872129-2377867479
Opcode ID: 08ac2aab027b13a6e1e86c8b5b0d6ead7b535dff24238d5f75d8d1b9ea5c0bad
Instruction ID: 1e41bd88c59da014b3bc9e66a0904ee4bb699413c0f4d18133beadc60b58e85d
Opcode Fuzzy Hash: 08ac2aab027b13a6e1e86c8b5b0d6ead7b535dff24238d5f75d8d1b9ea5c0bad
Instruction Fuzzy Hash: F6717CB6618B8186E6599BA2F5182FDB3A2FB88BD0F204135DF4D43B58CF3DB4618700

Function 00007FFB1CA72CB0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 128COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB1CA72D79
memcpy.VCRUNTIME140 ref: 00007FFB1CA72DA6

Strings

java/lang/OutOfMemoryError, xrefs: 00007FFB1CA72EE0
Allocation of internal renderer buffer failed., xrefs: 00007FFB1CA72ED6

Memory Dump Source

Source File: 00000007.00000002.1579588275.00007FFB1CA71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFB1CA70000, based on PE: true

Associated: 00000007.00000002.1579544304.00007FFB1CA70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1579654989.00007FFB1CA7C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1579715357.00007FFB1CA7E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1579776418.00007FFB1CA80000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb1ca70000_rundll32.jbxd

Similarity

API ID: callocmemcpy
String ID: Allocation of internal renderer buffer failed.$java/lang/OutOfMemoryError
API String ID: 400117054-2377867479
Opcode ID: 3f0e1b8914a8cd27024a86203019c7dcb119c9e37dc1ef229af09f153bc5b4c7
Instruction ID: cf41e3bbc8e00c3d1e794752e5e4da0665ddded11f7111dfa0404c3bb5984243
Opcode Fuzzy Hash: 3f0e1b8914a8cd27024a86203019c7dcb119c9e37dc1ef229af09f153bc5b4c7
Instruction Fuzzy Hash: FC518DB6618BC185D6619B61F4193EAB7A1FB88BD0F200236DE8C17B5ACF3ED444CB00

Function 00007FFB1CA721D0 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB1CA7226C

Strings

java/lang/OutOfMemoryError, xrefs: 00007FFB1CA722FB
Allocation of internal renderer buffer failed!!!, xrefs: 00007FFB1CA722F4
java/lang/IllegalStateException, xrefs: 00007FFB1CA72232

Memory Dump Source

Source File: 00000007.00000002.1579588275.00007FFB1CA71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFB1CA70000, based on PE: true

Associated: 00000007.00000002.1579544304.00007FFB1CA70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1579654989.00007FFB1CA7C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1579715357.00007FFB1CA7E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1579776418.00007FFB1CA80000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb1ca70000_rundll32.jbxd

Similarity

API ID: calloc
String ID: Allocation of internal renderer buffer failed!!!$java/lang/IllegalStateException$java/lang/OutOfMemoryError
API String ID: 2635317215-1600809252
Opcode ID: b499796bf06104ee770888ad942159572bc9732d1b0a507f08d336693f5bb663
Instruction ID: f34c6e44051b3aa21d0b85eab79c9716912789bc88d192961413c73824b94f7a
Opcode Fuzzy Hash: b499796bf06104ee770888ad942159572bc9732d1b0a507f08d336693f5bb663
Instruction Fuzzy Hash: 693193F1A28F8685EB519B65F40C2F927A2FB44BE8F348236DA0D47759CE3EE4458700

Function 00007FFB1CA715D0 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB1CA71645

Strings

java/lang/OutOfMemoryError, xrefs: 00007FFB1CA716C4
java/lang/IllegalStateException, xrefs: 00007FFB1CA716D4
Allocation of internal renderer buffer failed., xrefs: 00007FFB1CA716BD

Memory Dump Source

Source File: 00000007.00000002.1579588275.00007FFB1CA71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFB1CA70000, based on PE: true

Associated: 00000007.00000002.1579544304.00007FFB1CA70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1579654989.00007FFB1CA7C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1579715357.00007FFB1CA7E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.1579776418.00007FFB1CA80000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb1ca70000_rundll32.jbxd

Similarity

API ID: calloc
String ID: Allocation of internal renderer buffer failed.$java/lang/IllegalStateException$java/lang/OutOfMemoryError
API String ID: 2635317215-3767971941
Opcode ID: 5709dfe840c250ed4f8062bfbad6554bfc7eb086926142d627de7afd5a7d702f
Instruction ID: 6a3cc67e8484e6e5672bacc01aad29e0a9166e70d44d18d5c33e5f333f9668ff
Opcode Fuzzy Hash: 5709dfe840c250ed4f8062bfbad6554bfc7eb086926142d627de7afd5a7d702f
Instruction Fuzzy Hash: 703139F2928F4286E7469F61F4481E937A2BB44BA4F784235DA4D07368DF3EE445C740

Source: file.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: file.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: file.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: file.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.dll	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: file.dll	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: file.dll	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: file.dll	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.dll	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: file.dll	String found in binary or memory: http://ocsp.digicert.com0
Source: file.dll	String found in binary or memory: http://ocsp.digicert.com0A
Source: file.dll	String found in binary or memory: http://ocsp.digicert.com0C
Source: file.dll	String found in binary or memory: http://ocsp.digicert.com0X
Source: Amcache.hve.12.dr	String found in binary or memory: http://upx.sf.net
Source: file.dll	String found in binary or memory: http://www.digicert.com/CPS0

Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB1CA72600	7_2_00007FFB1CA72600
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB1CA731F0	7_2_00007FFB1CA731F0
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB1CA728F0	7_2_00007FFB1CA728F0

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6568:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7244
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7344
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5660
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2356

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\file.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\file.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_pisces_AbstractSurface_getRGBImpl
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",#1
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5660 -s 332
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2356 -s 332
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_pisces_AbstractSurface_nativeFinalize
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_pisces_AbstractSurface_setRGBImpl
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7244 -s 332
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_AbstractSurface_getRGBImpl
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_AbstractSurface_nativeFinalize
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_AbstractSurface_setRGBImpl
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_Transform6_initialize
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_PiscesRenderer_setTextureImpl
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_PiscesRenderer_setRadialGradientImpl
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7344 -s 324
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_PiscesRenderer_setLinearGradientImpl
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_PiscesRenderer_setLCDGammaCorrectionImpl
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_PiscesRenderer_setCompositeRuleImpl
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_PiscesRenderer_setColorImpl
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_PiscesRenderer_setClipImpl
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_PiscesRenderer_nativeFinalize
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_PiscesRenderer_initialize
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\file.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_pisces_AbstractSurface_getRGBImpl	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_pisces_AbstractSurface_nativeFinalize	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_pisces_AbstractSurface_setRGBImpl	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_AbstractSurface_getRGBImpl	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_AbstractSurface_nativeFinalize	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_AbstractSurface_setRGBImpl	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_Transform6_initialize	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_PiscesRenderer_setTextureImpl	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_PiscesRenderer_setRadialGradientImpl	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_PiscesRenderer_setLinearGradientImpl	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_PiscesRenderer_setLCDGammaCorrectionImpl	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_PiscesRenderer_setCompositeRuleImpl	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_PiscesRenderer_setColorImpl	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_PiscesRenderer_setClipImpl	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_PiscesRenderer_nativeFinalize	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_pisces_PiscesRenderer_initialize	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: file.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: Amcache.hve.12.dr	Binary or memory string: VMware
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.12.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.12.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.12.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.12.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.12.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.12.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.12.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.12.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.12.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.12.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.12.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.12.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.12.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.12.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.12.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.12.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.12.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.12.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.12.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.12.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.12.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_163b281bc03766b9d229495832e480b11c6631eb_d75f6fa5_1ac289ff-28d1-4d50-907b-2997462c5727\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_163b281bc03766b9d229495832e480b11c6631eb_d75f6fa5_527bf8e3-915d-4f0a-a5f5-0f3120f0c5d6\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_163b281bc03766b9d229495832e480b11c6631eb_d75f6fa5_75b49cbe-11f1-4246-8ee2-53a4fbf46332\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_f365a289cde21bdad085295fbeb3d421d2947397_d75f6fa5_131b5758-8b7a-4ded-a65f-584aa0c3c453\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCF37.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCFA5.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD022.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD023.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD072.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD081.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE60B.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE64A.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE66A.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF2DC.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF3F6.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF501.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
file.dll