Edit tour

Windows Analysis Report
file.dll

Overview

General Information

Sample name:	file.dll (renamed file extension from exe to dll)
Original sample name:	file.exe
Analysis ID:	1524250
MD5:	11c6dbe61f8144a8a66d8baaea40c4a3
SHA1:	753b6723e7a8a2ca1000662093dc830e444d65ed
SHA256:	396bae9eab9a773472e873a21cd471a17e3eca13cac264a22ef9adb735135c2d
Tags:	dllexesignedx64user-jstrosch
Infos:

Detection

Score:	5
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

One or more processes crash

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 1644 cmdline: loaddll64.exe "C:\Users\user\Desktop\file.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)

conhost.exe (PID: 7120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5492 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\file.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

rundll32.exe (PID: 3836 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 3352 cmdline: C:\Windows\system32\WerFault.exe -u -p 3836 -s 448 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

rundll32.exe (PID: 5256 cmdline: rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_prism_d3d_D3DContext_nBlit MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 6032 cmdline: C:\Windows\system32\WerFault.exe -u -p 5256 -s 424 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

rundll32.exe (PID: 2976 cmdline: rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_prism_d3d_D3DContext_nBuildNativeGeometryInt MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 2704 cmdline: rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_prism_d3d_D3DContext_nBuildNativeGeometryShort MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 6748 cmdline: C:\Windows\system32\WerFault.exe -u -p 2704 -s 420 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

rundll32.exe (PID: 7164 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DContext_nBlit MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 5084 cmdline: C:\Windows\system32\WerFault.exe -u -p 7164 -s 424 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

rundll32.exe (PID: 1112 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DContext_nBuildNativeGeometryInt MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 420 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DContext_nBuildNativeGeometryShort MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 5756 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DSwapChain_nPresent MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 5288 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DShader_setConstantsI MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 5296 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DShader_setConstantsF MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 6104 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DShader_nGetRegister MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 2564 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DShader_init MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 3504 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DShader_enable MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 4820 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DShader_disable MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 6548 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DResourceFactory_nUpdateTextureI MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 6060 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DResourceFactory_nUpdateTextureF MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 3688 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DResourceFactory_nUpdateTextureB MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 5736 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DResourceFactory_nTestCooperativeLevel MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 2360 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DResourceFactory_nResetDevice MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 6164 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DResourceFactory_nReleaseResource MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 5356 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DResourceFactory_nReadPixelsI MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 6704 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DResourceFactory_nReadPixelsB MD5: EF3179D498793BF4234F708D3BE28633)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: file.dll

Static PE information: certificate valid

Source: file.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: file.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: file.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: file.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: file.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.dll	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: file.dll	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: file.dll	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: file.dll	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.dll	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: file.dll	String found in binary or memory: http://ocsp.digicert.com0
Source: file.dll	String found in binary or memory: http://ocsp.digicert.com0A
Source: file.dll	String found in binary or memory: http://ocsp.digicert.com0C
Source: file.dll	String found in binary or memory: http://ocsp.digicert.com0X
Source: Amcache.hve.9.dr	String found in binary or memory: http://upx.sf.net
Source: file.dll	String found in binary or memory: http://www.digicert.com/CPS0

Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00007FFBBAF271D0	1_2_00007FFBBAF271D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00007FFBBAF22E40	1_2_00007FFBBAF22E40
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00007FFBBAF26710	1_2_00007FFBBAF26710
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00007FFBBAF21D60	1_2_00007FFBBAF21D60

Source: C:\Windows\System32\loaddll64.exe

Code function: String function: 00007FFBBAF2A340 appears 61 times

Source: C:\Windows\System32\rundll32.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5256 -s 424

Source: file.dll

Binary or memory string: OriginalFilenameprism_d3d.dllN vs file.dll

Source: classification engine

Classification label: clean5.winDLL@93/17@0/0

Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7164
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3836
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2704
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5256
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7120:120:WilError_03

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\eed4804f-0b39-4996-939e-13ab64227461

Jump to behavior

Source: file.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_prism_d3d_D3DContext_nBlit

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\file.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\file.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_prism_d3d_D3DContext_nBlit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",#1
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5256 -s 424
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3836 -s 448
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_prism_d3d_D3DContext_nBuildNativeGeometryInt
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_prism_d3d_D3DContext_nBuildNativeGeometryShort
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2704 -s 420
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DContext_nBlit
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DContext_nBuildNativeGeometryInt
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DContext_nBuildNativeGeometryShort
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DSwapChain_nPresent
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DShader_setConstantsI
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DShader_setConstantsF
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DShader_nGetRegister
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DShader_init
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DShader_enable
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DShader_disable
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DResourceFactory_nUpdateTextureI
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DResourceFactory_nUpdateTextureF
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DResourceFactory_nUpdateTextureB
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7164 -s 424
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DResourceFactory_nTestCooperativeLevel
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DResourceFactory_nResetDevice
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DResourceFactory_nReleaseResource
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DResourceFactory_nReadPixelsI
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DResourceFactory_nReadPixelsB
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\file.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_prism_d3d_D3DContext_nBlit	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_prism_d3d_D3DContext_nBuildNativeGeometryInt	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_prism_d3d_D3DContext_nBuildNativeGeometryShort	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DContext_nBlit	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DContext_nBuildNativeGeometryInt	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DContext_nBuildNativeGeometryShort	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DSwapChain_nPresent	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DShader_setConstantsI	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DShader_setConstantsF	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DShader_nGetRegister	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DShader_init	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DShader_enable	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DShader_disable	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DResourceFactory_nUpdateTextureI	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DResourceFactory_nUpdateTextureF	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DResourceFactory_nUpdateTextureB	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DResourceFactory_nTestCooperativeLevel	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DResourceFactory_nResetDevice	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DResourceFactory_nReleaseResource	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DResourceFactory_nReadPixelsI	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DResourceFactory_nReadPixelsB	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5256 -s 424	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: wldp.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.dll

Static PE information: certificate valid

Source: file.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: file.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: file.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: file.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\loaddll64.exe

API coverage: 9.6 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: Amcache.hve.9.dr	Binary or memory string: VMware
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr	Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.9.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_00007FFBBAF2B2D4 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_00007FFBBAF2B2D4

Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00007FFBBAF2B2D4 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		1_2_00007FFBBAF2B2D4
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00007FFBBAF2AD34 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		1_2_00007FFBBAF2AD34

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",#1

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_00007FFBBAF2AEB4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

1_2_00007FFBBAF2AEB4

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_00007FFBBAF271D0 memset,GetVersionExW,

1_2_00007FFBBAF271D0

Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Rundll32	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	3 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.dll	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.9.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1524250
Start date and time:	2024-10-02 17:24:22 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	42
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.dll (renamed file extension from exe to dll)
Original Sample Name:	file.exe
Detection:	CLEAN
Classification:	clean5.winDLL@93/17@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 2 Number of non-executed functions: 21

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.20, 104.208.16.94, 20.189.173.21
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
VT rate limit hit for: file.dll

Simulations

Behavior and APIs

Time	Type	Description
11:25:38	API Interceptor	4x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_754f1c8f93fb6f2f4d4817606ede2c3e23ead4d_d75f6fa5_12432550-bfa0-4d6b-a8f0-14e09fe4b0ca\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8206295211669482
Encrypted:	false
SSDEEP:	192:yWEFijyKo0P0Ivp2jixEzuiFlZ24lO8V:jyiWKIIvp2jZzuiFlY4lO8V
MD5:	21EE77D05877B280142DF67B9F75E14B
SHA1:	3F861EB894D6117BB9E8AE1996CE984B8B299A3E
SHA-256:	D56CA4C80A5BBDCF509A8ED4DDD583B390E2CE094761CF636229FA69D16B5FFB
SHA-512:	240AD965BF2BEBDAA974EE3D6CFCD60EC3C04B51E8FB108F36736CF8896B7C6EEAEA2E1F46A29732FBCB1AB3605F52E5431AAA08E1B0241740E0B439902D1CCF
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.3.5.6.3.4.1.2.4.2.2.0.8.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.3.5.6.3.4.2.3.5.1.4.3.1.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.2.4.3.2.5.5.0.-.b.f.a.0.-.4.d.6.b.-.a.8.f.0.-.1.4.e.0.9.f.e.4.b.0.c.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.8.1.e.a.1.9.e.-.2.2.4.1.-.4.b.e.0.-.8.7.b.8.-.f.a.f.1.3.3.9.5.5.0.d.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.f.i.l.e...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.f.c.-.0.0.0.1.-.0.0.1.4.-.c.5.0.3.-.4.4.5.6.d.f.1.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.2.2.!.r.u.n.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_754f1c8f93fb6f2f4d4817606ede2c3e23ead4d_d75f6fa5_363aac94-5c49-4a35-8eee-f8e0566e9b82\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8206902560767294
Encrypted:	false
SSDEEP:	192:1YHBqFidyeo0P0Ivp2jiB8zuiFlZ24lO8V:FioeIIvp2jhzuiFlY4lO8V
MD5:	0693382EE4BB5AD7D9976FAEF6C1BC0A
SHA1:	52E4F122C38052728A6FC9CA3C6D83E82062CF80
SHA-256:	6FAEBC06B39ECD02F76BC4DBE9D7037D7C587D29677AC82CACBB14AE86B00F4D
SHA-512:	FE462E167E3CF5618029E3859844694CE91F375C926AB9085375DCE4FC699650B2A6E4E632F71E5FF31163C327F83B074DF6D072929F2FBD9FA59E99123E59FC
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.3.5.6.3.3.2.8.3.7.1.9.5.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.3.5.6.3.3.3.3.2.1.5.7.5.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.6.3.a.a.c.9.4.-.5.c.4.9.-.4.a.3.5.-.8.e.e.e.-.f.8.e.0.5.6.6.e.9.b.8.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.6.f.e.c.5.8.c.-.d.3.a.9.-.4.5.a.f.-.a.a.1.5.-.7.7.6.e.1.f.5.a.8.d.a.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.f.i.l.e...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.e.f.c.-.0.0.0.1.-.0.0.1.4.-.f.3.a.0.-.c.d.5.0.d.f.1.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.2.2.!.r.u.n.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_754f1c8f93fb6f2f4d4817606ede2c3e23ead4d_d75f6fa5_7fea4c19-51c4-47e9-a610-0b822d6f1abb\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8212216328363725
Encrypted:	false
SSDEEP:	192:1EgmuFipyXo0P0Ivp2jixEzuiFlZ24lO8V:hi8XIIvp2jJzuiFlY4lO8V
MD5:	EDC4ABA2A333233D392B2BE01FD242EF
SHA1:	DCE586B17D4EA94FAF66AC85B379CE1B83B3DEFC
SHA-256:	5249CC3500A8F936904437B4E10BC67BCC892BA1FCEB8F6975341320EDDB3C04
SHA-512:	571603C72B975F9F46A7A8C1ABDA8D7CA2100BA0B0AD9948702CA7A45A2F35063D2033C6587963755DD5949E91504A6F117F2BB930EF4236F822E444571D3B63
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.3.5.6.3.3.2.8.3.7.2.0.1.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.3.5.6.3.3.3.3.6.8.4.5.0.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.f.e.a.4.c.1.9.-.5.1.c.4.-.4.7.e.9.-.a.6.1.0.-.0.b.8.2.2.d.6.f.1.a.b.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.c.b.d.f.3.2.b.-.6.5.b.7.-.4.b.e.3.-.8.5.9.7.-.e.3.5.3.8.f.4.5.1.d.4.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.f.i.l.e...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.8.8.-.0.0.0.1.-.0.0.1.4.-.6.b.1.2.-.c.6.5.0.d.f.1.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.2.2.!.r.u.n.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_93f177c3cfa433ab5197dcc74639e9ae9f5a3069_d75f6fa5_d56c99e7-c6a7-431f-954f-ac72c846735b\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8179678961560085
Encrypted:	false
SSDEEP:	192:1+jN3lFicyoo0j0IvXrpjix8zuiFlZ24lO8VY:s5iRokIvXrpjBzuiFlY4lO8VY
MD5:	157E8F652E381F9BBF79AEA50B9A2E1E
SHA1:	029DECD3B6796B14F30F12B15A191547E208A400
SHA-256:	48B7CC46F88D17B802DAFD8EE816E76A6AA3078B99A9419B1E84C9F35283F261
SHA-512:	5D2271B9206094A59BBC48EFDA5DDA593E35F9F095A7B55CA5A1968EB33CCD1A6A5907C88A650315C750D36FA0B09A01AC554D20FAF21FDF54EC517C19E1B56A
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.3.5.6.3.3.6.6.4.9.9.5.8.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.3.5.6.3.3.7.0.5.6.2.1.9.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.5.6.c.9.9.e.7.-.c.6.a.7.-.4.3.1.f.-.9.5.4.f.-.a.c.7.2.c.8.4.6.7.3.5.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.b.8.2.a.d.0.1.-.2.d.d.4.-.4.4.9.d.-.b.1.b.c.-.6.7.e.4.a.0.7.a.a.d.c.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.f.i.l.e...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.a.9.0.-.0.0.0.1.-.0.0.1.4.-.0.6.9.3.-.6.d.5.4.d.f.1.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.2.2.!.r.u.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB794.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Oct 2 15:25:32 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	67928
Entropy (8bit):	1.5956032358629273
Encrypted:	false
SSDEEP:	192:SVbl/W6OMxw6LIK4y3HtwCN+kWEDbjG2vHSXmb4mMYYVnn6:4h/wTSIK4y3HtwO+kDrrB4ma96
MD5:	457748F33F292049FCBEE0C051CD42AC
SHA1:	72F371B77CBF590A36BF2CA8C03FA4ACEF119DE4
SHA-256:	0FC7250B80F6D5669A7FAEDB3E480F6A1E93E6FA48B3B9CACC726A5E43701B42
SHA-512:	E47F1FCCE34C2BAB417AF9740C5C6536DC0ED874FD9BF88F21BCC7EB09171ED26425D06C30FF76AC213FFE0394E0EAD2E81DB7CEB94BBCB99BD8D37DC18280A5
Malicious:	false
Preview:	MDMP..a..... ........e.f....................................4...~2..........T.......8...........T...............@...........x...........d...............................................................................eJ..............Lw......................T............e.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB802.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Oct 2 15:25:33 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	59148
Entropy (8bit):	1.6740085952012365
Encrypted:	false
SSDEEP:	192:vQG10OMx88QJQ7IHc0PT6kY/EZ+PgYSXqo4lnFqv:IG17D8QJQ7IHc0PWkY/EaFo4lng
MD5:	B7C56472FD56F65551D11A757498EC93
SHA1:	19E4EF9E6E5F2A26BB5F90EABDBC911FEBC363EB
SHA-256:	9E90E037FE7B405FE9C5898FD3682579C86DD901A84683208A4992AA87CAACF1
SHA-512:	22263ABC46367DFB5665C02C5359BEC96ABED61A0935BE5130CC7C4C01305208AB42383FF564B2F67D2261692DDBAC78A79147E71F4C11F2DD529BE3D31C2333
Malicious:	false
Preview:	MDMP..a..... ........e.f........................................~-..........T.......8...........T...............D...........H...........4...............................................................................eJ..............Lw......................T............e.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB87F.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8760
Entropy (8bit):	3.6973462787253304
Encrypted:	false
SSDEEP:	192:R6l7wVeJzFAE6YRr4fgmfiL0n/JprR889bWljfKym:R6lXJRAE6YN4gmfG8/tpWxfW
MD5:	4B1F038FB84ECA89171B1C145B0A7900
SHA1:	EFDB8DBAC5412D54DBCEBB793F9AAB5B1F9456F4
SHA-256:	8EBEDA5243DCFC74F45DE545513EDA43BE279F9A6DC29E3417B03AC9EA8D43C1
SHA-512:	6DF82224A7EE6EEBBC44C55602916BEDDFF646D06F2DBBD449A9BA63254E968FE88FEE906BE6D2C30F9A5D21C6BC79EFB506802256C0A825113322425A3C2DDA
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.8.3.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB890.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8752
Entropy (8bit):	3.6962885640906586
Encrypted:	false
SSDEEP:	192:R6l7wVeJpluy6YeduHHLgmfiL0n/JprT89bWGjfNym:R6lXJiy6Y8uLgmfG8/QWafp
MD5:	C84F09EF7C728435B9EC435F36A3168A
SHA1:	EDCA016773E3B54A0309773F6A57B61C5F3909E1
SHA-256:	271905847D6E3887CBEF25FE9C68579FD0DCA0D9013BCFD8FCD16C99D0F46753
SHA-512:	1F9F285FD2109BC6BDBC1226BD8494DBB228CB463D370FF8E583945938D7ED3511C2A911A57ED57D91F9BDAA1D55FBA1FBBAED948CED2F621F5DD0FC62533C48
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.2.5.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB8BF.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4730
Entropy (8bit):	4.463074255800385
Encrypted:	false
SSDEEP:	48:cvIwWl8zsrJg771I9Y/5WpW8VYNYm8M4JCFCtsNrF6yq85m4zeWptSTSRd:uIjfFI7F/I7VBJi0GhpoORd
MD5:	BB279669C6E2686EBC7C000C0D34919B
SHA1:	9BA111576D7CC7BD7F72E9F07AEE2EB02FF71C1D
SHA-256:	0BD2E94E948D3C61C53B000504E61604E573F1B87D6D7151C8241BCDCB743FE1
SHA-512:	3D6B28C2470F4264851E9B7F8F6B0D220BB2241CE33D40E2B7C3EFA1FC56453CF9002FD46E94E6CF7D00B5692FEC6C5D81FA5B5F9C57F0B96B6D2151C7932207
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="525988" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB8D0.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4730
Entropy (8bit):	4.467180713672316
Encrypted:	false
SSDEEP:	48:cvIwWl8zsrJg771I9Y/5WpW8VYpJPYm8M4JCFCtsNrFPyq85m4zeOptSTSsd:uIjfFI7F/I7VSSJiRGZpoOsd
MD5:	2783E7B586BB692BF37610076278652B
SHA1:	8C258474CDBC0FAA8D584913A615B57355509533
SHA-256:	9EE08AF35C33D5BE95C8BA0B581E32A7C578C7C4FB8DC7A9D0C93F643FD2C37A
SHA-512:	9E784A8E3B5E098B7EEAC7F101942D0EC0C18521AD35B634FA4FF462EF4516A79EC3DDAFC66837163848BCFE68CE695D3DE63E06C6C43B611A83E4056A772FB6
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="525988" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC679.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Oct 2 15:25:36 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	57436
Entropy (8bit):	1.7138147913521848
Encrypted:	false
SSDEEP:	192:2MFsOMxAepsEuTMGjEmnuu+2DSVDe4eXNdrgGmvTVypa:lFj/ep+MGjEmnuu+2DwkdF7mvTgk
MD5:	31C087CF2661B9C84B75834C640B70A3
SHA1:	C18E7A0520EB1491487883AF1B5ACA91AEADF639
SHA-256:	024C46BFB9EC94F553E71149F6BA7B4C0CDAAE039DA7EB11D26CC1F51D839118
SHA-512:	92EFC6FD0F8A8B7746424F85C439518D219941D593DDE95C2F9BFC955F0965551B35F1039AC23563B6BA2DC1D17B729252055EDE0FCF35268D0C28DE9FC13967
Malicious:	false
Preview:	MDMP..a..... ........e.f........................................~-..........T.......8...........T...........................H...........4...............................................................................eJ..............Lw......................T............e.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC735.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8492
Entropy (8bit):	3.6938084661988846
Encrypted:	false
SSDEEP:	192:R6l7wVeJvMXZ6YemuHHLgmfiL0DBoJprG89b7z3f1pm:R6lXJ0Z6YHuLgmfGIBob7jfi
MD5:	DFBA56AE55EA06524A72D596D6DDDFA6
SHA1:	B2EB4516A946DE482276DF7DE883F84C946E0299
SHA-256:	A83EE5E4B2004D52B204B46AD946C8B96124E9F45FF3132A30F3ECCDB73E2B77
SHA-512:	E0F603D9B7648F9742ADCD8519AE0FFE720B2EA22827705F570614635DA61DE0DF0234867DBF1BDBDCCA1AC407FE0E3C4D1C74018E3DC6634D39C8D73DD5AC7F
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.7.0.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC784.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4729
Entropy (8bit):	4.462587773487211
Encrypted:	false
SSDEEP:	48:cvIwWl8zsrJg771I9Y/5WpW8VYfYm8M4JCFCtsNNFA/yq85m4zedNptSTSNd:uIjfFI7F/I7V3JiaGsNpoONd
MD5:	9F433FA66F407DF394F1F172C4F4135C
SHA1:	5C2F72C3DEB90B9F2959976F3EE9ACC0A0333721
SHA-256:	F8BEC48E83764361289B9C7B627A3A749D9D0B331EF243E78BD82C5F5F78A360
SHA-512:	DD4053038A8637D0528DF259E70D54A027093850E939A6E024EB5033B65BEE60FDDB8CFE29FB4B684CC126B6162D7D157600B3BBF793406C006AB5DC57893854
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="525988" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD926.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Oct 2 15:25:41 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	68828
Entropy (8bit):	1.564421803927063
Encrypted:	false
SSDEEP:	192:3RmxTOMx0503kA6QHnWyHHRAILT5q9GHhSXKTrxQHt:BmxKr503kA6QHWaeILT89AtTriN
MD5:	9C5AE198F712FFAE0213B5A9D3EA8E0B
SHA1:	C46097F8B4F93877C8B0155AE2C1C0CFCF112448
SHA-256:	395AF3B27160839DD9E378FA3724D2A5AB7871E510C14922FA7C31FA070E1E2B
SHA-512:	EB4D6A5513FA183977B6C10A6B59A0D2C8A1C9DF1D13DB220A0E6E5CB9436EC577CC75A4829E4FC6053330BFB490E62D76B75F2283770C012D9779205B2E6CCA
Malicious:	false
Preview:	MDMP..a..... ........e.f....................................4...~2..........T.......8...........T...........................x...........d...............................................................................eJ..............Lw......................T............e.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDAAD.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8760
Entropy (8bit):	3.694902786437687
Encrypted:	false
SSDEEP:	192:R6l7wVeJhi86YeHLHsIgmfiL0n/JprQ89bj7jf9Bm:R6lXJ086YSHsIgmfG8/5jffS
MD5:	856972DA2CD110F9610AE15B1A0322B5
SHA1:	3410C377B68D8DAFAB84576543C4D1918438A856
SHA-256:	6463233A4A4FA3D2DB9915402FCC42010D4BB4EB49BA26B93EEACCC514D9E304
SHA-512:	D4213A2C2435BB1400E60386BA7ECFA9B8DDB1B57B6C9FC45332B5596E8E50D7C123E62D0B81D660002EB1510B091BF44D55D6EE2F2A81C802F3CA1C8D82E533
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDAFD.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4730
Entropy (8bit):	4.465649148745461
Encrypted:	false
SSDEEP:	48:cvIwWl8zsrJg771I9Y/5WpW8VY0Ym8M4JCFCtsNrFSyq85m4zemptSTSxd:uIjfFI7F/I7VcJiEGBpoOxd
MD5:	75AD4F895016AFACBCA2AE1134903A26
SHA1:	F88017586D3A95BA1E2891EA127E443E37EC8AAF
SHA-256:	6A207C61158710CD1E28596B7106DFE9CAE17C5D6FAD9649C5667501815BA860
SHA-512:	BF85414C168CA3011BF873E7F14D7EA59AFD5A3BF4F58C3DF72EF2B670D0A83004C587E7B7E241D61CA14350A513106AF2594505513A06C7245081651929F65F
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="525988" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.372995690518871
Encrypted:	false
SSDEEP:	6144:YFVfpi6ceLP/9skLmb08yWWSPtaJG8nAge35OlMMhA2AX4WABlguNViL:gV1qyWWI/glMM6kF7vq
MD5:	6ABC6CE518154BFCE1A9FF6152BB6018
SHA1:	65273BC171C2B773A91437F2104B8E6C7A479F8F
SHA-256:	0276FF4265AF8EBE087371824082A5D3BD815F67205022BCD1AF43C3A83DC145
SHA-512:	F07E69DA3CB54815944DB9690C430E72A1409A5DCEF4AD06EC0B70594012C4842F6ADDFBB56788CC2E20CFD520DD1A6062BE5363AFC2F8E902C9CCF6F810ECC2
Malicious:	false
Preview:	regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...Q...................................................................................................................................................................................................................................................................................................................................................e........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):	5.772914279113951
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	file.dll
File size:	135'840 bytes
MD5:	11c6dbe61f8144a8a66d8baaea40c4a3
SHA1:	753b6723e7a8a2ca1000662093dc830e444d65ed
SHA256:	396bae9eab9a773472e873a21cd471a17e3eca13cac264a22ef9adb735135c2d
SHA512:	c8b01d4c6a2503b18e423e68924803e5a7a7eded276da9dea3447d95584ad573459096716e6a9d8a629e64ec7e98987c89e2955febea6d6c0adf307e8d478ee9
SSDEEP:	3072:AdNu1ZBNfDXp5dJoXdTd7d74TwdRdtdg7j++1+V+vtW1+A+T+LfSoCxC1CEiJLCk:ZfCr+w69
TLSH:	4AD3941AB2C4883AC4161775A887AB35A2B1FE5327064BDF76B0731C3FB23D4ADB5158
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........}.....................................................................h.......h.......h.......h.......Rich............PE..d..

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x18000ab54
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x180000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x63BBBFF6 [Mon Jan 9 07:19:18 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	a5ec31ee477499f10294bd429015753f

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	19/08/2021 02:00:00 20/08/2023 01:59:59
Subject Chain	CN="Oracle America, Inc.", OU=Software Engineering, O="Oracle America, Inc.", L=Redwood City, S=California, C=US
Version:	3
Thumbprint MD5:	2876C1BECB51837D0E3DE50903D025B6
Thumbprint SHA-1:	940D69C0A34A1B4CFD8048488BA86F4CED60481A
Thumbprint SHA-256:	EE46613A38B4F486164BCE7FB23178667715617F511B364594311A1548B08EB1
Serial:	068BE2F53452C882F18ED41A5DD4E7A3

Entrypoint Preview

Instruction
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
push edi
dec eax
sub esp, 20h
dec ecx
mov edi, eax
mov ebx, edx
dec eax
mov esi, ecx
cmp edx, 01h
jne 00007F38A54086D7h
call 00007F38A5408A14h
dec esp
mov eax, edi
mov edx, ebx
dec eax
mov ecx, esi
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov esi, dword ptr [esp+38h]
dec eax
add esp, 20h
pop edi
jmp 00007F38A5408564h
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
dec eax
mov eax, edx
dec eax
lea ecx, dword ptr [0000FC01h]
xorps xmm0, xmm0
dec eax
mov dword ptr [ebx], ecx
dec eax
lea edx, dword ptr [ebx+08h]
dec eax
lea ecx, dword ptr [eax+08h]
movups dqword ptr [edx], xmm0
call 00007F38A54091A8h
dec eax
lea eax, dword ptr [0000FC14h]
dec eax
mov dword ptr [ebx], eax
dec eax
mov eax, ebx
dec eax
add esp, 20h
pop ebx
ret
dec eax
and dword ptr [ecx+10h], 00000000h
dec eax
lea eax, dword ptr [0000FC0Ch]
dec eax
mov dword ptr [ecx+08h], eax
dec eax
lea eax, dword ptr [0000FBF1h]
dec eax
mov dword ptr [ecx], eax
dec eax
mov eax, ecx
ret
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
dec eax
mov eax, edx
dec eax
lea ecx, dword ptr [0000FBA5h]
xorps xmm0, xmm0
dec eax
mov dword ptr [ebx], ecx
dec eax
lea edx, dword ptr [ebx+08h]
dec eax
lea ecx, dword ptr [eax+08h]
movups dqword ptr [edx], xmm0
call 00007F38A540914Ch
dec eax
lea eax, dword ptr [00000000h]

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x1c640	0x1044	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1d684	0xdc	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x21000	0x3a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x20000	0xd14	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1ea00	0x28a0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x22000	0x118	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1a990	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1a850	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc000	0x288	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa9e5	0xaa00	d607c2427113198d77f5664cbd0c33b7	False	0.5085477941176471	data	6.125260687153464	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xc000	0x1224e	0x12400	3971ea6deb0cac45ad8f39ac4e67661c	False	0.17880458047945205	data	4.655226421934722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1f000	0x9f8	0x400	bd93cfea89e84618ebcf550f41e6cf61	False	0.265625	data	3.0742552801167684	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x20000	0xd14	0xe00	a109694a9d484eaf5254bf0ad995674c	False	0.45535714285714285	data	4.70318982159129	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x21000	0x3a8	0x400	f26fe9c4c691a3ced445320f516ad8d8	False	0.4140625	data	3.11928289929837	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x22000	0x118	0x200	ac550551797bcdc73a1167b2808c0b10	False	0.458984375	data	3.374438955783244	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x21060	0x348	data	English	United States	0.46190476190476193

Imports

DLL	Import
USER32.dll	IsWindow, GetDesktopWindow
MSVCP140.dll	?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ?uncaught_exception@std@@YA_NXZ
KERNEL32.dll	LoadLibraryW, IsDebuggerPresent, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, IsProcessorFeaturePresent, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, GetSystemDirectoryW, GetVersionExW, FreeLibrary, GetProcAddress, OutputDebugStringA, GetVersion, RtlCaptureContext
VCRUNTIME140_1.dll	__CxxFrameHandler4
VCRUNTIME140.dll	__std_type_info_destroy_list, memset, __std_terminate, memcpy, _purecall, __C_specific_handler, __current_exception, __current_exception_context, __std_exception_copy, __std_exception_destroy, _CxxThrowException
api-ms-win-crt-runtime-l1-1-0.dll	_configure_narrow_argv, _invalid_parameter_noinfo, _cexit, _execute_onexit_table, _initialize_onexit_table, _initialize_narrow_environment, _initterm, _initterm_e, _errno, _seh_filter_dll, terminate
api-ms-win-crt-string-l1-1-0.dll	strncmp, strncpy, wcscat_s
api-ms-win-crt-stdio-l1-1-0.dll	fflush, __stdio_common_vsscanf, fopen, __stdio_common_vfprintf, __acrt_iob_func, __stdio_common_vsprintf
api-ms-win-crt-environment-l1-1-0.dll	getenv
api-ms-win-crt-heap-l1-1-0.dll	malloc, _callnewh, free

Exports

Name	Ordinal	Address
Java_com_sun_prism_d3d_D3DContext_nBlit	1	0x180002a30
Java_com_sun_prism_d3d_D3DContext_nBuildNativeGeometryInt	2	0x180002ad0
Java_com_sun_prism_d3d_D3DContext_nBuildNativeGeometryShort	3	0x180002c10
Java_com_sun_prism_d3d_D3DContext_nCreateD3DMesh	4	0x180002d50
Java_com_sun_prism_d3d_D3DContext_nCreateD3DMeshView	5	0x180002d90
Java_com_sun_prism_d3d_D3DContext_nCreateD3DPhongMaterial	6	0x180002de0
Java_com_sun_prism_d3d_D3DContext_nDrawIndexedQuads	7	0x1800038d0
Java_com_sun_prism_d3d_D3DContext_nGetFrameStats	8	0x1800039b0
Java_com_sun_prism_d3d_D3DContext_nIsRTTVolatile	9	0x180003b20
Java_com_sun_prism_d3d_D3DContext_nReleaseD3DMesh	10	0x180002e20
Java_com_sun_prism_d3d_D3DContext_nReleaseD3DMeshView	11	0x180002e20
Java_com_sun_prism_d3d_D3DContext_nReleaseD3DPhongMaterial	12	0x180002e20
Java_com_sun_prism_d3d_D3DContext_nRenderMeshView	13	0x180002e40
Java_com_sun_prism_d3d_D3DContext_nResetClipRect	14	0x180003b40
Java_com_sun_prism_d3d_D3DContext_nResetTransform	15	0x180003b60
Java_com_sun_prism_d3d_D3DContext_nSetAmbientLight	16	0x180002e50
Java_com_sun_prism_d3d_D3DContext_nSetBlendEnabled	17	0x180003b80
Java_com_sun_prism_d3d_D3DContext_nSetCameraPosition	18	0x180003c80
Java_com_sun_prism_d3d_D3DContext_nSetClipRect	19	0x180003cb0
Java_com_sun_prism_d3d_D3DContext_nSetCullingMode	20	0x180002e70
Java_com_sun_prism_d3d_D3DContext_nSetDeviceParametersFor2D	21	0x180002eb0
Java_com_sun_prism_d3d_D3DContext_nSetDeviceParametersFor3D	22	0x180002fc0
Java_com_sun_prism_d3d_D3DContext_nSetDiffuseColor	23	0x180002fe0
Java_com_sun_prism_d3d_D3DContext_nSetMap	24	0x180003010
Java_com_sun_prism_d3d_D3DContext_nSetMaterial	25	0x180003030
Java_com_sun_prism_d3d_D3DContext_nSetPointLight	26	0x180003050
Java_com_sun_prism_d3d_D3DContext_nSetProjViewMatrix	27	0x180003ce0
Java_com_sun_prism_d3d_D3DContext_nSetRenderTarget	28	0x180003e00
Java_com_sun_prism_d3d_D3DContext_nSetSpecularColor	29	0x1800030d0
Java_com_sun_prism_d3d_D3DContext_nSetTexture	30	0x180003e60
Java_com_sun_prism_d3d_D3DContext_nSetTransform	31	0x180003fa0
Java_com_sun_prism_d3d_D3DContext_nSetWireframe	32	0x180003110
Java_com_sun_prism_d3d_D3DContext_nSetWorldTransform	33	0x1800040b0
Java_com_sun_prism_d3d_D3DContext_nSetWorldTransformToIdentity	34	0x1800041b0
Java_com_sun_prism_d3d_D3DGraphics_nClear	35	0x1800041c0
Java_com_sun_prism_d3d_D3DPipeline_nDispose	36	0x180006290
Java_com_sun_prism_d3d_D3DPipeline_nGetAdapterCount	37	0x1800062a0
Java_com_sun_prism_d3d_D3DPipeline_nGetAdapterOrdinal	38	0x1800062b0
Java_com_sun_prism_d3d_D3DPipeline_nGetDriverInformation	39	0x1800062d0
Java_com_sun_prism_d3d_D3DPipeline_nGetErrorMessage	40	0x1800065a0
Java_com_sun_prism_d3d_D3DPipeline_nGetMaxSampleSupport	41	0x1800065d0
Java_com_sun_prism_d3d_D3DPipeline_nInit	42	0x180006660
Java_com_sun_prism_d3d_D3DResourceFactory_nCreateSwapChain	43	0x1800081f0
Java_com_sun_prism_d3d_D3DResourceFactory_nCreateTexture	44	0x180008280
Java_com_sun_prism_d3d_D3DResourceFactory_nGetContext	45	0x180008420
Java_com_sun_prism_d3d_D3DResourceFactory_nGetDevice	46	0x180008480
Java_com_sun_prism_d3d_D3DResourceFactory_nGetMaximumTextureSize	47	0x180008490
Java_com_sun_prism_d3d_D3DResourceFactory_nGetNativeTextureObject	48	0x1800084c0
Java_com_sun_prism_d3d_D3DResourceFactory_nGetTextureHeight	49	0x1800084d0
Java_com_sun_prism_d3d_D3DResourceFactory_nGetTextureWidth	50	0x1800084e0
Java_com_sun_prism_d3d_D3DResourceFactory_nIsDefaultPool	51	0x1800084f0
Java_com_sun_prism_d3d_D3DResourceFactory_nReadPixelsB	52	0x180008520
Java_com_sun_prism_d3d_D3DResourceFactory_nReadPixelsI	53	0x180008520
Java_com_sun_prism_d3d_D3DResourceFactory_nReleaseResource	54	0x180008570
Java_com_sun_prism_d3d_D3DResourceFactory_nResetDevice	55	0x1800085a0
Java_com_sun_prism_d3d_D3DResourceFactory_nTestCooperativeLevel	56	0x1800085c0
Java_com_sun_prism_d3d_D3DResourceFactory_nUpdateTextureB	57	0x1800085e0
Java_com_sun_prism_d3d_D3DResourceFactory_nUpdateTextureF	58	0x180008740
Java_com_sun_prism_d3d_D3DResourceFactory_nUpdateTextureI	59	0x1800089b0
Java_com_sun_prism_d3d_D3DShader_disable	60	0x180009ae0
Java_com_sun_prism_d3d_D3DShader_enable	61	0x180009b10
Java_com_sun_prism_d3d_D3DShader_init	62	0x180009b70
Java_com_sun_prism_d3d_D3DShader_nGetRegister	63	0x180009be0
Java_com_sun_prism_d3d_D3DShader_setConstantsF	64	0x180009bf0
Java_com_sun_prism_d3d_D3DShader_setConstantsI	65	0x180009cc0
Java_com_sun_prism_d3d_D3DSwapChain_nPresent	66	0x180004220

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	1
Start time:	11:25:29
Start date:	02/10/2024
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\file.dll"
Imagebase:	0x7ff6ce710000
File size:	165'888 bytes
MD5 hash:	763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	11:25:30
Start date:	02/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	11:25:30
Start date:	02/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\file.dll",#1
Imagebase:	0x7ff6c0920000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:25:30
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_prism_d3d_D3DContext_nBlit
Imagebase:	0x7ff6f9af0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:25:30
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",#1
Imagebase:	0x7ff6f9af0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:25:32
Start date:	02/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 5256 -s 424
Imagebase:	0x7ff7035e0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	11:25:32
Start date:	02/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 3836 -s 448
Imagebase:	0x7ff7035e0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	11:25:33
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_prism_d3d_D3DContext_nBuildNativeGeometryInt
Imagebase:	0x7ff6f9af0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	11:25:36
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_prism_d3d_D3DContext_nBuildNativeGeometryShort
Imagebase:	0x7ff6f9af0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	11:25:36
Start date:	02/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 2704 -s 420
Imagebase:	0x7ff7035e0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	11:25:39
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DContext_nBlit
Imagebase:	0x7ff6f9af0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	11:25:39
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DContext_nBuildNativeGeometryInt
Imagebase:	0x7ff6f9af0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	11:25:39
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DContext_nBuildNativeGeometryShort
Imagebase:	0x7ff6f9af0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	11:25:39
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DSwapChain_nPresent
Imagebase:	0x7ff6f9af0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	11:25:39
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DShader_setConstantsI
Imagebase:	0x7ff6f9af0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	11:25:39
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DShader_setConstantsF
Imagebase:	0x7ff6f9af0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	11:25:39
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DShader_nGetRegister
Imagebase:	0x7ff6f9af0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	11:25:39
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DShader_init
Imagebase:	0x7ff6f9af0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	11:25:39
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DShader_enable
Imagebase:	0x7ff6f9af0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	11:25:39
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DShader_disable
Imagebase:	0x7ff6f9af0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	11:25:39
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DResourceFactory_nUpdateTextureI
Imagebase:	0x7ff6f9af0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	11:25:39
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DResourceFactory_nUpdateTextureF
Imagebase:	0x7ff6f9af0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	11:25:39
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DResourceFactory_nUpdateTextureB
Imagebase:	0x7ff6f9af0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	11:25:39
Start date:	02/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7164 -s 424
Imagebase:	0x7ff7035e0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	11:25:39
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DResourceFactory_nTestCooperativeLevel
Imagebase:	0x7ff6f9af0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	11:25:39
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DResourceFactory_nResetDevice
Imagebase:	0x7ff6f9af0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	11:25:40
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DResourceFactory_nReleaseResource
Imagebase:	0x7ff6f9af0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	11:25:40
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DResourceFactory_nReadPixelsI
Imagebase:	0x7ff6f9af0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	11:25:40
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_d3d_D3DResourceFactory_nReadPixelsB
Imagebase:	0x7ff6f9af0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	14.7%
Total number of Nodes:	682
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFBBAF261A0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 46
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32 ref: 00007FFBBAF261D4
wcscat_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFBBAF261EF
LoadLibraryExW.KERNELBASE ref: 00007FFBBAF261FA
GetProcAddress.KERNEL32 ref: 00007FFBBAF2621F
GetProcAddress.KERNEL32 ref: 00007FFBBAF2623A
FreeLibrary.KERNEL32 ref: 00007FFBBAF2624E

Strings

Direct3DCreate9, xrefs: 00007FFBBAF26215
\d3d9.dll, xrefs: 00007FFBBAF261DE
Direct3DCreate9Ex, xrefs: 00007FFBBAF2622C

Memory Dump Source

Source File: 00000001.00000002.2795831177.00007FFBBAF21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFBBAF20000, based on PE: true

Associated: 00000001.00000002.2795786977.00007FFBBAF20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795875234.00007FFBBAF2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795921230.00007FFBBAF3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795952946.00007FFBBAF40000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffbbaf20000_loaddll64.jbxd

Similarity

API ID: AddressLibraryProc$DirectoryFreeLoadSystemwcscat_s
String ID: Direct3DCreate9$Direct3DCreate9Ex$\d3d9.dll
API String ID: 632231914-4147465227
Opcode ID: d04707e5138d042c3967d50fc19bbdc52fffa3db967abf2e19a6c82f233c0313
Instruction ID: 3e08be0938841bb591466fdb82a21513411dcb2229d9c58a8a74520bb8c7641e
Opcode Fuzzy Hash: d04707e5138d042c3967d50fc19bbdc52fffa3db967abf2e19a6c82f233c0313
Instruction Fuzzy Hash: 342195B4E19F4281EB50EB79E8642F962A8BF48706F4081B5DE4DC66A4DF3CE5098308

Function 00007FFBBAF2A834 Relevance: 13.7, APIs: 9, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFBBAF2A85C
__scrt_initialize_crt.LIBCMT ref: 00007FFBBAF2A8A1
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFBBAF2A8AE
_RTC_Initialize.LIBCMT ref: 00007FFBBAF2A8DC
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFBBAF2A902
__scrt_release_startup_lock.LIBCMT ref: 00007FFBBAF2A92D

Memory Dump Source

Source File: 00000001.00000002.2795831177.00007FFBBAF21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFBBAF20000, based on PE: true

Associated: 00000001.00000002.2795786977.00007FFBBAF20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795875234.00007FFBBAF2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795921230.00007FFBBAF3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795952946.00007FFBBAF40000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffbbaf20000_loaddll64.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 349153199-0
Opcode ID: c6b574932d63565bc480fa72a51d04e861c9c29c6bedfa5b21a3a2c63453ff0d
Instruction ID: cb0c82e4cdbf9d101c011de496036fcdb87d994bc19f8e09fe0983c21a0fbe73
Opcode Fuzzy Hash: c6b574932d63565bc480fa72a51d04e861c9c29c6bedfa5b21a3a2c63453ff0d
Instruction Fuzzy Hash: 7F817FA1E08B4385FA54BB7ED8612F92298AF45782F5441B5FF0DC7296DE3CE8468708

Non-executed Functions

Function 00007FFBBAF271D0 Relevance: 33.4, APIs: 2, Strings: 17, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.VCRUNTIME140 ref: 00007FFBBAF2720F
GetVersionExW.KERNEL32 ref: 00007FFBBAF27221

Part of subcall function 00007FFBBAF2A340: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(00000000,?,00000000,00007FFBBAF212E2), ref: 00007FFBBAF2A36F
Part of subcall function 00007FFBBAF2A340: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0 ref: 00007FFBBAF2A3C1
Part of subcall function 00007FFBBAF2A340: fopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFBBAF2A3D9
Part of subcall function 00007FFBBAF2A340: printf.MSPDB140-MSVCRT ref: 00007FFBBAF2A3F8
Part of subcall function 00007FFBBAF2A340: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFBBAF2A40C
Part of subcall function 00007FFBBAF2A340: fprintf.MSPDB140-MSVCRT ref: 00007FFBBAF2A463
Part of subcall function 00007FFBBAF2A340: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00007FFBBAF212E2), ref: 00007FFBBAF2A4C7
Part of subcall function 00007FFBBAF2A340: fprintf.MSPDB140-MSVCRT ref: 00007FFBBAF2A4E0
Part of subcall function 00007FFBBAF2A340: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFBBAF2A4EC

Part of subcall function 00007FFBBAF2A340: fprintf.MSPDB140-MSVCRT ref: 00007FFBBAF2A498

Strings

OS_WIN8, xrefs: 00007FFBBAF27292
OS_WIN7, xrefs: 00007FFBBAF272CC
OS_WINSERV_2008_R2, xrefs: 00007FFBBAF272EA
OS_WINSERV_2003, xrefs: 00007FFBBAF2737B
OS_UNKNOWN: dwMajorVersion=%d dwMinorVersion=%d, xrefs: 00007FFBBAF273F4
OS_WINSERV_2008, xrefs: 00007FFBBAF27330
OS_UNKNOWN: GetVersionEx failed, xrefs: 00007FFBBAF27453
OS_WINXP , xrefs: 00007FFBBAF27399
OS_WIN8.1 or newer, xrefs: 00007FFBBAF27414
Pro, xrefs: 00007FFBBAF273CA
OS_WINXP_64, xrefs: 00007FFBBAF2735E
OS_WINSERV_2012_R2 or newer, xrefs: 00007FFBBAF27427
OS_UNKNOWN: dwPlatformId=%d dwMajorVersion=%d, xrefs: 00007FFBBAF27440
OS_WINSERV_2012, xrefs: 00007FFBBAF272A8
Home, xrefs: 00007FFBBAF273AF
OS_VISTA, xrefs: 00007FFBBAF27312
[I] OS Version = , xrefs: 00007FFBBAF27229

Memory Dump Source

Source File: 00000001.00000002.2795831177.00007FFBBAF21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFBBAF20000, based on PE: true

Associated: 00000001.00000002.2795786977.00007FFBBAF20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795875234.00007FFBBAF2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795921230.00007FFBBAF3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795952946.00007FFBBAF40000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffbbaf20000_loaddll64.jbxd

Similarity

API ID: fprintf$getenv$Version__acrt_iob_func__stdio_common_vfprintffflushfopenmemsetprintf
String ID: Home$OS_UNKNOWN: GetVersionEx failed$OS_UNKNOWN: dwMajorVersion=%d dwMinorVersion=%d$OS_UNKNOWN: dwPlatformId=%d dwMajorVersion=%d$OS_VISTA$OS_WIN7$OS_WIN8$OS_WIN8.1 or newer$OS_WINSERV_2003$OS_WINSERV_2008$OS_WINSERV_2008_R2$OS_WINSERV_2012$OS_WINSERV_2012_R2 or newer$OS_WINXP $OS_WINXP_64$Pro$[I] OS Version =
API String ID: 3483071900-1252748077
Opcode ID: 893202d08ab13633ff7bcac80312153664b0057064e778c8984c9e5cb8cc51a6
Instruction ID: 37d5c4ede43c9a2fd2603fa9199d82d6757e588df59dc56c19d249db48a867e7
Opcode Fuzzy Hash: 893202d08ab13633ff7bcac80312153664b0057064e778c8984c9e5cb8cc51a6
Instruction Fuzzy Hash: D87153B1E0CB4382FB35EB78D4A06F96699EF44306F4440B6EF4DC2591DE3CA949CA09

Function 00007FFBBAF26710 Relevance: 28.8, APIs: 1, Strings: 18, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Adapter Ordinal : %d, xrefs: 00007FFBBAF267E6
%02X%02X-%02X%02X, xrefs: 00007FFBBAF26927
D3DPPLM::CheckAdaptersInfo: no suitable adapters found, xrefs: 00007FFBBAF26B98
SubSys Id : 0x%x, xrefs: 00007FFBBAF26894
Driver Version : %d.%d.%d.%d, xrefs: 00007FFBBAF268C2
Description : %s, xrefs: 00007FFBBAF2681F
Vendor Id : 0x%04x, xrefs: 00007FFBBAF2685C
D3DPPLM::CheckForBadHardware: found matching hardware: VendorId=0x%04x DeviceId=0x%04x, xrefs: 00007FFBBAF26A9A
WARNING: Unsupported video adapter found, device disabled, xrefs: 00007FFBBAF26AF3
Adapter Handle : 0x%x, xrefs: 00007FFBBAF26800
WARNING: bad driver version detected, device disabled. Please update your driver to at least version %d.%d.%d.%d, xrefs: 00007FFBBAF26ACA
forceGPU, xrefs: 00007FFBBAF2699E
------------------, xrefs: 00007FFBBAF2675F, 00007FFBBAF26B2C
GDI Name, Driver : %s, %s, xrefs: 00007FFBBAF26845
[I] GUID : {%08X-%04X-%04X-, xrefs: 00007FFBBAF268F6
Device Id : 0x%04x, xrefs: 00007FFBBAF26878
%02X%02X%02X%02X}, xrefs: 00007FFBBAF26982
CheckAdaptersInfo, xrefs: 00007FFBBAF26730

Memory Dump Source

Source File: 00000001.00000002.2795831177.00007FFBBAF21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFBBAF20000, based on PE: true

Associated: 00000001.00000002.2795786977.00007FFBBAF20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795875234.00007FFBBAF2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795921230.00007FFBBAF3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795952946.00007FFBBAF40000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffbbaf20000_loaddll64.jbxd

Similarity

API ID: fprintf$getenv$__acrt_iob_func__stdio_common_vfprintffflushfopenprintf
String ID: %02X%02X%02X%02X}$%02X%02X-%02X%02X$------------------$Adapter Handle : 0x%x$Adapter Ordinal : %d$CheckAdaptersInfo$D3DPPLM::CheckAdaptersInfo: no suitable adapters found$D3DPPLM::CheckForBadHardware: found matching hardware: VendorId=0x%04x DeviceId=0x%04x$Description : %s$Device Id : 0x%04x$Driver Version : %d.%d.%d.%d$GDI Name, Driver : %s, %s$SubSys Id : 0x%x$Vendor Id : 0x%04x$WARNING: Unsupported video adapter found, device disabled$WARNING: bad driver version detected, device disabled. Please update your driver to at least version %d.%d.%d.%d$[I] GUID : {%08X-%04X-%04X-$forceGPU
API String ID: 3079345343-2211495158
Opcode ID: a02da72c7345d911313d27be48f842a44bfa780e79725bc29cb040cae99f9283
Instruction ID: 232da4cb597f9eb6aef1eae4d3c14cc56113119abf1cce40f158adfbdcaebcbe
Opcode Fuzzy Hash: a02da72c7345d911313d27be48f842a44bfa780e79725bc29cb040cae99f9283
Instruction Fuzzy Hash: 69D191B2A08B8286D720DF28E4606EEB7A5FB84755F444176EF9D83694CF3CD444CB48

Function 00007FFBBAF22E40 Relevance: 19.6, APIs: 3, Strings: 8, Instructions: 334
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FFBBAF24CE1
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FFBBAF24D40

Part of subcall function 00007FFBBAF24310: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,00000000,?,00007FFBBAF2537C), ref: 00007FFBBAF2448C
Part of subcall function 00007FFBBAF24310: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,00000000,?,00007FFBBAF2537C), ref: 00007FFBBAF24493
Part of subcall function 00007FFBBAF24310: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,00000000,?,00007FFBBAF2537C), ref: 00007FFBBAF2449F

Strings

D3DMeshView.render() - SetPixelShaderConstantF (PSR_SPECULARCOLOR) failed !!!, xrefs: 00007FFBBAF24E6B
$, xrefs: 00007FFBBAF25152
D3DMeshView.render() - SetVertexShaderConstantF (VSR_AMBIENTCOLOR) failed !!!, xrefs: 00007FFBBAF24E0D
D3DMeshView.render() - SetVertexShader failed !!!, xrefs: 00007FFBBAF24D2A
D3DMeshView.render() - SetFVF failed !!!, xrefs: 00007FFBBAF24CCB
D3DMeshView.render() - setPixelShader failed !!!, xrefs: 00007FFBBAF24FDF
D3DMeshView.render() - SetPixelShaderConstantF (PSR_LIGHTCOLOR) failed !!!, xrefs: 00007FFBBAF24F6E
D3DMeshView.render() - SetPixelShaderConstantF (PSR_DIFFUSECOLOR) failed !!!, xrefs: 00007FFBBAF24E3B

Memory Dump Source

Source File: 00000001.00000002.2795831177.00007FFBBAF21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFBBAF20000, based on PE: true

Associated: 00000001.00000002.2795786977.00007FFBBAF20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795875234.00007FFBBAF2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795921230.00007FFBBAF3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795952946.00007FFBBAF40000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffbbaf20000_loaddll64.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@V01@$??6?$basic_ostream@V01@@$?setstate@?$basic_ios@?uncaught_exception@std@@Osfx@?$basic_ostream@
String ID: $$D3DMeshView.render() - SetFVF failed !!!$D3DMeshView.render() - SetPixelShaderConstantF (PSR_DIFFUSECOLOR) failed !!!$D3DMeshView.render() - SetPixelShaderConstantF (PSR_LIGHTCOLOR) failed !!!$D3DMeshView.render() - SetPixelShaderConstantF (PSR_SPECULARCOLOR) failed !!!$D3DMeshView.render() - SetVertexShader failed !!!$D3DMeshView.render() - SetVertexShaderConstantF (VSR_AMBIENTCOLOR) failed !!!$D3DMeshView.render() - setPixelShader failed !!!
API String ID: 1408943881-3757511292
Opcode ID: bd4b6908961b625247124c0d0fe1db436064d5d9c3bbbee4f48cccf716154c01
Instruction ID: b21404c29ec43744832de0fd6a07fc6c10422f7b2fb46623c26748eb2fa7e4aa
Opcode Fuzzy Hash: bd4b6908961b625247124c0d0fe1db436064d5d9c3bbbee4f48cccf716154c01
Instruction Fuzzy Hash: 3FF170B2E08B8286E764DB36E4503EA6364FB88B86F448171EF4E97755DF7CE4448B04

Function 00007FFBBAF2B2D4 Relevance: 13.6, APIs: 9, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFBBAF2B2F0
memset.VCRUNTIME140 ref: 00007FFBBAF2B314
RtlCaptureContext.KERNEL32 ref: 00007FFBBAF2B31D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFBBAF2B337
RtlVirtualUnwind.KERNEL32 ref: 00007FFBBAF2B378
memset.VCRUNTIME140 ref: 00007FFBBAF2B3AB
IsDebuggerPresent.KERNEL32 ref: 00007FFBBAF2B3CC
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFBBAF2B3ED
UnhandledExceptionFilter.KERNEL32 ref: 00007FFBBAF2B3F8

Memory Dump Source

Source File: 00000001.00000002.2795831177.00007FFBBAF21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFBBAF20000, based on PE: true

Associated: 00000001.00000002.2795786977.00007FFBBAF20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795875234.00007FFBBAF2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795921230.00007FFBBAF3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795952946.00007FFBBAF40000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffbbaf20000_loaddll64.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 97272919b4dacb44bf94145013f2822a922e633abf56f33983487a237d7fd979
Instruction ID: f39498bda93c1b2a738aa051c2568f0474a321da1024cba2c16c8711903c2007
Opcode Fuzzy Hash: 97272919b4dacb44bf94145013f2822a922e633abf56f33983487a237d7fd979
Instruction Fuzzy Hash: DB314BB2A09F8186EB609F64E8907ED6368FB84745F44447AEF4D87A98DF38D548C708

Function 00007FFBBAF2AEB4 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFBBAF2AEE0
GetCurrentThreadId.KERNEL32 ref: 00007FFBBAF2AEEE
GetCurrentProcessId.KERNEL32 ref: 00007FFBBAF2AEFA
QueryPerformanceCounter.KERNEL32 ref: 00007FFBBAF2AF0A

Memory Dump Source

Source File: 00000001.00000002.2795831177.00007FFBBAF21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFBBAF20000, based on PE: true

Associated: 00000001.00000002.2795786977.00007FFBBAF20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795875234.00007FFBBAF2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795921230.00007FFBBAF3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795952946.00007FFBBAF40000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffbbaf20000_loaddll64.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 99c6b58b56d686e220eeb29960b2c045fdf6fb2ad22775280c6b605770152632
Instruction ID: e1f31f572f5db286758870302d67fc471599ed2ee4103a34d777da0707b80555
Opcode Fuzzy Hash: 99c6b58b56d686e220eeb29960b2c045fdf6fb2ad22775280c6b605770152632
Instruction Fuzzy Hash: 10112562E04F018AEB10DF38E8542E833A8FB0C759F041A31EB5D867A4DF3CD5A98344

Function 00007FFBBAF2AD34 Relevance: 4.5, APIs: 3, Instructions: 13COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFBBAF2AD3F
UnhandledExceptionFilter.KERNEL32 ref: 00007FFBBAF2AD48
GetCurrentProcess.KERNEL32 ref: 00007FFBBAF2AD4E

Memory Dump Source

Source File: 00000001.00000002.2795831177.00007FFBBAF21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFBBAF20000, based on PE: true

Associated: 00000001.00000002.2795786977.00007FFBBAF20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795875234.00007FFBBAF2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795921230.00007FFBBAF3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795952946.00007FFBBAF40000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffbbaf20000_loaddll64.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CurrentProcess
String ID:
API String ID: 1249254920-0
Opcode ID: e27496faf890620752add7c27e286e37c05d16a1145388737d00f04a7a210a1b
Instruction ID: 4e7ae48c5dc0d11459b4ab893d33738dac684388e8afb1c7d525ce5b14f32e62
Opcode Fuzzy Hash: e27496faf890620752add7c27e286e37c05d16a1145388737d00f04a7a210a1b
Instruction Fuzzy Hash: E1D09EB1E08E4687E7189779E8255F51214AF58B46B041474DF0EC53109D3C548B4248

Function 00007FFBBAF21D60 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2795831177.00007FFBBAF21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFBBAF20000, based on PE: true

Associated: 00000001.00000002.2795786977.00007FFBBAF20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795875234.00007FFBBAF2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795921230.00007FFBBAF3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795952946.00007FFBBAF40000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffbbaf20000_loaddll64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1863f5ebe23096a4cad5d8d7ca414eb9ab8624279cf1ab1093dd95d7bf3b880c
Instruction ID: 89e62cb888b421bfff12ed684d5aa714938909ec00d1225128af4052f3a2d515
Opcode Fuzzy Hash: 1863f5ebe23096a4cad5d8d7ca414eb9ab8624279cf1ab1093dd95d7bf3b880c
Instruction Fuzzy Hash: D1B13576B04B418AE714CB7AC4607AD67B5FB88B89F008172EF0D97A54DF39E859C708

Function 00007FFBBAF27760 Relevance: 35.2, APIs: 10, Strings: 10, Instructions: 169
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(?,?,?,00007FFBBAF270FF,?,?,?,00007FFBBAF266D5), ref: 00007FFBBAF277B1
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FFBBAF270FF,?,?,?,00007FFBBAF266D5), ref: 00007FFBBAF277FE
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FFBBAF270FF,?,?,?,00007FFBBAF266D5), ref: 00007FFBBAF2780D
fprintf.MSPDB140-MSVCRT ref: 00007FFBBAF27829
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FFBBAF270FF,?,?,?,00007FFBBAF266D5), ref: 00007FFBBAF27833
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FFBBAF270FF,?,?,?,00007FFBBAF266D5), ref: 00007FFBBAF2783C
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFBBAF270FF,?,?,?,00007FFBBAF266D5), ref: 00007FFBBAF27866
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFBBAF270FF,?,?,?,00007FFBBAF266D5), ref: 00007FFBBAF278F2
memset.VCRUNTIME140(?,?,?,00007FFBBAF270FF,?,?,?,00007FFBBAF266D5), ref: 00007FFBBAF27927
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFBBAF270FF,?,?,?,00007FFBBAF266D5), ref: 00007FFBBAF2795C

Strings

InitD3D: failed to init adapters, xrefs: 00007FFBBAF2796E
D3DPipelineManager: Created D3D9Ex device, xrefs: 00007FFBBAF27804
verbose, xrefs: 00007FFBBAF27793
Zero adapters found, xrefs: 00007FFBBAF2789C
D3DPipelineManager: Unable to create D3D9 device, xrefs: 00007FFBBAF2781F
InitD3D: unable to create IDirect3D9 object, xrefs: 00007FFBBAF27858
InitAdapters: out of memory, xrefs: 00007FFBBAF278E4
D3DPipelineManager: Created D3D9 device, xrefs: 00007FFBBAF27813
Adapter validation failed for all adapters, xrefs: 00007FFBBAF2794E
disableD3D9Ex, xrefs: 00007FFBBAF27783

Memory Dump Source

Source File: 00000001.00000002.2795831177.00007FFBBAF21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFBBAF20000, based on PE: true

Associated: 00000001.00000002.2795786977.00007FFBBAF20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795875234.00007FFBBAF2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795921230.00007FFBBAF3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795952946.00007FFBBAF40000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffbbaf20000_loaddll64.jbxd

Similarity

API ID: __acrt_iob_funcstrncpy$Versionfflushfprintfmemset
String ID: Adapter validation failed for all adapters$D3DPipelineManager: Created D3D9 device$D3DPipelineManager: Created D3D9Ex device$D3DPipelineManager: Unable to create D3D9 device$InitAdapters: out of memory$InitD3D: failed to init adapters$InitD3D: unable to create IDirect3D9 object$Zero adapters found$disableD3D9Ex$verbose
API String ID: 626451258-2301350666
Opcode ID: 6c96447d5c59d595813d45e78919aa593ab63d6999dddb40858c30737d5aa2ab
Instruction ID: 6fdc0f6a0f25cb9bc554cec03ef1634b79f5b3d9eb91bc6e15d6ffc59818fec0
Opcode Fuzzy Hash: 6c96447d5c59d595813d45e78919aa593ab63d6999dddb40858c30737d5aa2ab
Instruction Fuzzy Hash: 7E713AA5E09F0286EB14AB79D4A01F833A8FF44B82B5441B5EF5E87791DF3CE4158748

Function 00007FFBBAF2A340 Relevance: 33.4, APIs: 10, Strings: 9, Instructions: 104
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(00000000,?,00000000,00007FFBBAF212E2), ref: 00007FFBBAF2A36F
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0 ref: 00007FFBBAF2A3C1
fopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFBBAF2A3D9
printf.MSPDB140-MSVCRT ref: 00007FFBBAF2A3F8
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFBBAF2A40C
fprintf.MSPDB140-MSVCRT ref: 00007FFBBAF2A463
fprintf.MSPDB140-MSVCRT ref: 00007FFBBAF2A498

Part of subcall function 00007FFBBAF2A570: __stdio_common_vsscanf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFBBAF2A5B4

__stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00007FFBBAF212E2), ref: 00007FFBBAF2A4C7
fprintf.MSPDB140-MSVCRT ref: 00007FFBBAF2A4E0
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFBBAF2A4EC

Strings

(E) , xrefs: 00007FFBBAF2A48E
(V) , xrefs: 00007FFBBAF2A473
NWT_TRACE_LEVEL, xrefs: 00007FFBBAF2A368
(W) , xrefs: 00007FFBBAF2A485
NWT_TRACE_FILE, xrefs: 00007FFBBAF2A3BA
(%d) , xrefs: 00007FFBBAF2A45C
(E): Error opening trace file %s, xrefs: 00007FFBBAF2A3F1
(I) , xrefs: 00007FFBBAF2A47C
(X) , xrefs: 00007FFBBAF2A46A

Memory Dump Source

Source File: 00000001.00000002.2795831177.00007FFBBAF21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFBBAF20000, based on PE: true

Associated: 00000001.00000002.2795786977.00007FFBBAF20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795875234.00007FFBBAF2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795921230.00007FFBBAF3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795952946.00007FFBBAF40000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffbbaf20000_loaddll64.jbxd

Similarity

API ID: fprintf$getenv$__acrt_iob_func__stdio_common_vfprintf__stdio_common_vsscanffflushfopenprintf
String ID: (%d) $(E) $(E): Error opening trace file %s$(I) $(V) $(W) $(X) $NWT_TRACE_FILE$NWT_TRACE_LEVEL
API String ID: 2778072158-2740212586
Opcode ID: 50e40f2db937b8b1366d800ad5e72cb9880236419f32a7ccaad76bb06a829812
Instruction ID: 69bba944b8140308dcc129eadca059780aa03221d0a8f4c82945f9fed9c373cc
Opcode Fuzzy Hash: 50e40f2db937b8b1366d800ad5e72cb9880236419f32a7ccaad76bb06a829812
Instruction Fuzzy Hash: 40510CF1D08F4285EA24BB3DE8641F422A9BF44782F4451B5EF4D862A4DF2DE905C748

Function 00007FFBBAF26F70 Relevance: 31.6, APIs: 6, Strings: 12, Instructions: 108
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFBBAF2A5C8: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFBBAF21241), ref: 00007FFBBAF2A5E2

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,00007FFBBAF266D5), ref: 00007FFBBAF26FDB

Part of subcall function 00007FFBBAF2A340: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(00000000,?,00000000,00007FFBBAF212E2), ref: 00007FFBBAF2A36F
Part of subcall function 00007FFBBAF2A340: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0 ref: 00007FFBBAF2A3C1
Part of subcall function 00007FFBBAF2A340: fopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFBBAF2A3D9
Part of subcall function 00007FFBBAF2A340: printf.MSPDB140-MSVCRT ref: 00007FFBBAF2A3F8
Part of subcall function 00007FFBBAF2A340: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFBBAF2A40C
Part of subcall function 00007FFBBAF2A340: fprintf.MSPDB140-MSVCRT ref: 00007FFBBAF2A463
Part of subcall function 00007FFBBAF2A340: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00007FFBBAF212E2), ref: 00007FFBBAF2A4C7
Part of subcall function 00007FFBBAF2A340: fprintf.MSPDB140-MSVCRT ref: 00007FFBBAF2A4E0
Part of subcall function 00007FFBBAF2A340: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFBBAF2A4EC

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFBBAF266D5), ref: 00007FFBBAF27011
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFBBAF266D5), ref: 00007FFBBAF2702D
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFBBAF266D5), ref: 00007FFBBAF27049
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFBBAF266D5), ref: 00007FFBBAF27061
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFBBAF266D5), ref: 00007FFBBAF27079

Part of subcall function 00007FFBBAF2A340: fprintf.MSPDB140-MSVCRT ref: 00007FFBBAF2A498

Strings

NEWT_D3D_RASTERIZER, xrefs: 00007FFBBAF26FD4
[W] D3DPPLM::SelectDeviceType: , xrefs: 00007FFBBAF26FF2
ref, xrefs: 00007FFBBAF27007
rgb, xrefs: 00007FFBBAF27023
unknown rasterizer: %s, only (ref|hal|nul) supported, hal selected instead, xrefs: 00007FFBBAF2709E
isVsyncEnabled, xrefs: 00007FFBBAF26FC4
nullref rasterizer selected, xrefs: 00007FFBBAF27088
hal, xrefs: 00007FFBBAF2703F
ref rasterizer selected, xrefs: 00007FFBBAF270BF
hal rasterizer selected, xrefs: 00007FFBBAF270AC
nul, xrefs: 00007FFBBAF2706F
tnl, xrefs: 00007FFBBAF27057

Memory Dump Source

Source File: 00000001.00000002.2795831177.00007FFBBAF21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFBBAF20000, based on PE: true

Associated: 00000001.00000002.2795786977.00007FFBBAF20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795875234.00007FFBBAF2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795921230.00007FFBBAF3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795952946.00007FFBBAF40000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffbbaf20000_loaddll64.jbxd

Similarity

API ID: strncmp$fprintfgetenv$__acrt_iob_func__stdio_common_vfprintffflushfopenmallocprintf
String ID: NEWT_D3D_RASTERIZER$[W] D3DPPLM::SelectDeviceType: $hal$hal rasterizer selected$isVsyncEnabled$nul$nullref rasterizer selected$ref$ref rasterizer selected$rgb$tnl$unknown rasterizer: %s, only (ref|hal|nul) supported, hal selected instead
API String ID: 1456602000-3491790485
Opcode ID: 8ae341b471262eefb95e50027a53267c9b1a3444c03fc959e2edf6d02134cc63
Instruction ID: a9cfdb447c7406cc98d5f87d972ea0f015f1a7afcdc50ef634c60635705c6109
Opcode Fuzzy Hash: 8ae341b471262eefb95e50027a53267c9b1a3444c03fc959e2edf6d02134cc63
Instruction Fuzzy Hash: 4D5121B1E08B4285EB14EB3AE8603E933A8AF44B45F4440B5EF0D86695DF3DE509C708

Function 00007FFBBAF2A337 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 94
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(00000000,?,00000000,00007FFBBAF212E2), ref: 00007FFBBAF2A36F
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0 ref: 00007FFBBAF2A3C1
fopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFBBAF2A3D9
printf.MSPDB140-MSVCRT ref: 00007FFBBAF2A3F8
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFBBAF2A40C
fprintf.MSPDB140-MSVCRT ref: 00007FFBBAF2A463
fprintf.MSPDB140-MSVCRT ref: 00007FFBBAF2A498

Part of subcall function 00007FFBBAF2A570: __stdio_common_vsscanf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFBBAF2A5B4

__stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00007FFBBAF212E2), ref: 00007FFBBAF2A4C7
fprintf.MSPDB140-MSVCRT ref: 00007FFBBAF2A4E0
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFBBAF2A4EC

Strings

NWT_TRACE_LEVEL, xrefs: 00007FFBBAF2A368
NWT_TRACE_FILE, xrefs: 00007FFBBAF2A3BA
(%d) , xrefs: 00007FFBBAF2A45C
(E): Error opening trace file %s, xrefs: 00007FFBBAF2A3F1

Memory Dump Source

Source File: 00000001.00000002.2795831177.00007FFBBAF21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFBBAF20000, based on PE: true

Associated: 00000001.00000002.2795786977.00007FFBBAF20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795875234.00007FFBBAF2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795921230.00007FFBBAF3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795952946.00007FFBBAF40000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffbbaf20000_loaddll64.jbxd

Similarity

API ID: fprintf$getenv$__acrt_iob_func__stdio_common_vfprintf__stdio_common_vsscanffflushfopenprintf
String ID: (%d) $(E): Error opening trace file %s$NWT_TRACE_FILE$NWT_TRACE_LEVEL
API String ID: 2778072158-549656437
Opcode ID: 885049814577bbff44a393ec9ccc0d62a2dcff472222d395173318e95484044a
Instruction ID: 4609ba56d70bad593964cc42bd5f2cb9803c56231250241603b6c672ad7f1d64
Opcode Fuzzy Hash: 885049814577bbff44a393ec9ccc0d62a2dcff472222d395173318e95484044a
Instruction Fuzzy Hash: 76411CB1E09B4285EB20AB3DE8641F423A8FF44786F4445B5EF5D866A4DF2DE805C748

Function 00007FFBBAF24600 Relevance: 12.2, APIs: 8, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.VCRUNTIME140 ref: 00007FFBBAF24704
memset.VCRUNTIME140 ref: 00007FFBBAF2470D
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFBBAF24712
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFBBAF2471E
memcpy.VCRUNTIME140 ref: 00007FFBBAF247EE
memset.VCRUNTIME140 ref: 00007FFBBAF247F7
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFBBAF247FC
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFBBAF24808

Memory Dump Source

Source File: 00000001.00000002.2795831177.00007FFBBAF21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFBBAF20000, based on PE: true

Associated: 00000001.00000002.2795786977.00007FFBBAF20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795875234.00007FFBBAF2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795921230.00007FFBBAF3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795952946.00007FFBBAF40000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffbbaf20000_loaddll64.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfomemcpymemset
String ID:
API String ID: 187659361-0
Opcode ID: 1e4c427ac561f24aceb66aeb32417f205ea1092f0eb2d1bb81de26ae57bce442
Instruction ID: b6d0fce94ae86a706018fd8d1d6e5646991e1d7bad8e4049fde2abd39490e04f
Opcode Fuzzy Hash: 1e4c427ac561f24aceb66aeb32417f205ea1092f0eb2d1bb81de26ae57bce442
Instruction Fuzzy Hash: AB615B76E14B5586EB209F2AE4607AA3BA4FB85F86F048075EF4D87B44CF7DE4058B04

Function 00007FFBBAF24840 Relevance: 12.2, APIs: 8, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.VCRUNTIME140 ref: 00007FFBBAF24944
memset.VCRUNTIME140 ref: 00007FFBBAF2494D
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFBBAF24952
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFBBAF2495E
memcpy.VCRUNTIME140 ref: 00007FFBBAF24A32
memset.VCRUNTIME140 ref: 00007FFBBAF24A3B
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFBBAF24A40
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFBBAF24A4C

Memory Dump Source

Source File: 00000001.00000002.2795831177.00007FFBBAF21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFBBAF20000, based on PE: true

Associated: 00000001.00000002.2795786977.00007FFBBAF20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795875234.00007FFBBAF2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795921230.00007FFBBAF3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795952946.00007FFBBAF40000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffbbaf20000_loaddll64.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfomemcpymemset
String ID:
API String ID: 187659361-0
Opcode ID: d75b25198b8417601ca87ab23c7450e543a27b18e26c2ae570d73a3e5344d962
Instruction ID: 764ec6cc6ead369b7023d80bac45344805ac56e542d45659a435a977c8bf168a
Opcode Fuzzy Hash: d75b25198b8417601ca87ab23c7450e543a27b18e26c2ae570d73a3e5344d962
Instruction Fuzzy Hash: 76616CB6E04B5586EB209F2AD4607AA37A4FB84F86F048075EF5D87B54CF7DD4058B08

Function 00007FFBBAF24310 Relevance: 10.6, APIs: 7, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,00000000,?,00007FFBBAF2537C), ref: 00007FFBBAF243A3
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,00000000,?,00007FFBBAF2537C), ref: 00007FFBBAF243F7
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,00000000,?,00007FFBBAF2537C), ref: 00007FFBBAF2441E
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,00000000,?,00007FFBBAF2537C), ref: 00007FFBBAF24446
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,00000000,?,00007FFBBAF2537C), ref: 00007FFBBAF2448C
?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,00000000,?,00007FFBBAF2537C), ref: 00007FFBBAF24493
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,00000000,?,00007FFBBAF2537C), ref: 00007FFBBAF2449F

Memory Dump Source

Source File: 00000001.00000002.2795831177.00007FFBBAF21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFBBAF20000, based on PE: true

Associated: 00000001.00000002.2795786977.00007FFBBAF20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795875234.00007FFBBAF2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795921230.00007FFBBAF3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795952946.00007FFBBAF40000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffbbaf20000_loaddll64.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
String ID:
API String ID: 1492985063-0
Opcode ID: 3e26db33542d38082c6f94190852e4ab1b19e1bbd64cbd6028c19a5828d2955a
Instruction ID: 8e2ee81d14237409b59742cdd3f3d147894e269e071c6ce60da7a533eb4a87e7
Opcode Fuzzy Hash: 3e26db33542d38082c6f94190852e4ab1b19e1bbd64cbd6028c19a5828d2955a
Instruction Fuzzy Hash: 53514272E18F4181EB208B2DD1A02B8A7A4FB85F97F158575DF5F837A0CF79D8469208

Function 00007FFBBAF262D0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 181COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 00007FFBBAF26449

Strings

maxSamples, xrefs: 00007FFBBAF263F9
osMajorVersion, xrefs: 00007FFBBAF26466
osMinorVersion, xrefs: 00007FFBBAF264B8
osBuildNumber, xrefs: 00007FFBBAF2650A

Memory Dump Source

Source File: 00000001.00000002.2795831177.00007FFBBAF21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFBBAF20000, based on PE: true

Associated: 00000001.00000002.2795786977.00007FFBBAF20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795875234.00007FFBBAF2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795921230.00007FFBBAF3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795952946.00007FFBBAF40000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffbbaf20000_loaddll64.jbxd

Similarity

API ID: Version
String ID: maxSamples$osBuildNumber$osMajorVersion$osMinorVersion
API String ID: 1889659487-98465600
Opcode ID: f3d306c855f22df1530f6ad98c868a49d275abd199ed2353e94b2a50aea15da9
Instruction ID: a5436450998c4198e27d8cbbe601719c81928a89a4454ecd75c7e37739581afa
Opcode Fuzzy Hash: f3d306c855f22df1530f6ad98c868a49d275abd199ed2353e94b2a50aea15da9
Instruction Fuzzy Hash: 8D711766B08B8682EA909F6AD4547FD67A4FB89FC5F488071DF0E87758DE3CE5098304

Function 00007FFBBAF23130 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFBBAF2A340: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(00000000,?,00000000,00007FFBBAF212E2), ref: 00007FFBBAF2A36F
Part of subcall function 00007FFBBAF2A340: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0 ref: 00007FFBBAF2A3C1
Part of subcall function 00007FFBBAF2A340: fopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFBBAF2A3D9
Part of subcall function 00007FFBBAF2A340: printf.MSPDB140-MSVCRT ref: 00007FFBBAF2A3F8
Part of subcall function 00007FFBBAF2A340: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFBBAF2A40C
Part of subcall function 00007FFBBAF2A340: fprintf.MSPDB140-MSVCRT ref: 00007FFBBAF2A463
Part of subcall function 00007FFBBAF2A340: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00007FFBBAF212E2), ref: 00007FFBBAF2A4C7
Part of subcall function 00007FFBBAF2A340: fprintf.MSPDB140-MSVCRT ref: 00007FFBBAF2A4E0
Part of subcall function 00007FFBBAF2A340: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFBBAF2A4EC

GetDesktopWindow.USER32 ref: 00007FFBBAF231A8

Part of subcall function 00007FFBBAF2A340: fprintf.MSPDB140-MSVCRT ref: 00007FFBBAF2A498

Strings

D3DContext::InitContext: successfully created device: %d, xrefs: 00007FFBBAF232CA
HARDWARE_VERTEXPROCESSING, xrefs: 00007FFBBAF2321A
SOFTWARE_VERTEXPROCESSING, xrefs: 00007FFBBAF231F3
D3DContext::InitContext device %d, xrefs: 00007FFBBAF23158

Memory Dump Source

Source File: 00000001.00000002.2795831177.00007FFBBAF21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFBBAF20000, based on PE: true

Associated: 00000001.00000002.2795786977.00007FFBBAF20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795875234.00007FFBBAF2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795921230.00007FFBBAF3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795952946.00007FFBBAF40000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffbbaf20000_loaddll64.jbxd

Similarity

API ID: fprintf$getenv$DesktopWindow__acrt_iob_func__stdio_common_vfprintffflushfopenprintf
String ID: HARDWARE_VERTEXPROCESSING$SOFTWARE_VERTEXPROCESSING$D3DContext::InitContext device %d$D3DContext::InitContext: successfully created device: %d
API String ID: 1238270013-482639655
Opcode ID: 827f2b091744698964e49d81cc6cb3083a082b17fa970bd89772ad2f081cc6c0
Instruction ID: 856801e741937eeecbfc1b61d2edb20a6aaf198818bc953eda7af55917b104d6
Opcode Fuzzy Hash: 827f2b091744698964e49d81cc6cb3083a082b17fa970bd89772ad2f081cc6c0
Instruction Fuzzy Hash: AD517E72B08B8582E724CF29E5507EAB3A4FB88B84F004125EF9D83665DF38E465CB44

Function 00007FFBBAF2B8F4 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

__current_exception.VCRUNTIME140 ref: 00007FFBBAF2B929
__current_exception_context.VCRUNTIME140 ref: 00007FFBBAF2B93D
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFBBAF2B945

Strings

csm, xrefs: 00007FFBBAF2B915

Memory Dump Source

Source File: 00000001.00000002.2795831177.00007FFBBAF21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFBBAF20000, based on PE: true

Associated: 00000001.00000002.2795786977.00007FFBBAF20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795875234.00007FFBBAF2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795921230.00007FFBBAF3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795952946.00007FFBBAF40000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffbbaf20000_loaddll64.jbxd

Similarity

API ID: __current_exception__current_exception_contextterminate
String ID: csm
API String ID: 2542180945-1018135373
Opcode ID: 9e9710f0591a29c53884a94cb3729aa42d1403e6f923cbf35637d194a76df934
Instruction ID: 22c4e205c3ea95311799064348092817cd0122f3f71a9c66d29477043a4539eb
Opcode Fuzzy Hash: 9e9710f0591a29c53884a94cb3729aa42d1403e6f923cbf35637d194a76df934
Instruction Fuzzy Hash: 40F01F76A05B40CAC710AF26E8A00A83768E748B99B4A6164FF4D87B15CF38C8908340

Function 00007FFBBAF26DC0 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 86stringCOMMON

Download Yara Rule

APIs

strncpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,00007FFBBAF25EBF), ref: 00007FFBBAF26EDB

Strings

WARNING: bad driver version detected, device disabled. Please update your driver to at least version %d.%d.%d.%d, xrefs: 00007FFBBAF26EAE
D3DPPLM::CheckForBadHardware: found matching hardware: VendorId=0x%04x DeviceId=0x%04x, xrefs: 00007FFBBAF26E7E
WARNING: Unsupported video adapter found, device disabled, xrefs: 00007FFBBAF26ECD

Memory Dump Source

Source File: 00000001.00000002.2795831177.00007FFBBAF21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFBBAF20000, based on PE: true

Associated: 00000001.00000002.2795786977.00007FFBBAF20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795875234.00007FFBBAF2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795921230.00007FFBBAF3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795952946.00007FFBBAF40000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffbbaf20000_loaddll64.jbxd

Similarity

API ID: strncpy
String ID: D3DPPLM::CheckForBadHardware: found matching hardware: VendorId=0x%04x DeviceId=0x%04x$WARNING: Unsupported video adapter found, device disabled$WARNING: bad driver version detected, device disabled. Please update your driver to at least version %d.%d.%d.%d
API String ID: 3301158039-2891762250
Opcode ID: 40cbf9719cb7f1d6758cfa2ac922f6985c72c44826cb81b1a54f8f8b33c95bd2
Instruction ID: be4f9460fbc14d815b68891b9085dc4adb6f79adfd1093dcb19e5ec4969d7010
Opcode Fuzzy Hash: 40cbf9719cb7f1d6758cfa2ac922f6985c72c44826cb81b1a54f8f8b33c95bd2
Instruction Fuzzy Hash: 2F31A0A1E08F0282EB609B6DE4601F9A294EB44761F1403B6FE6D836E0DF3CE4468648

Function 00007FFBBAF28280 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32 ref: 00007FFBBAF282C7

Strings

nCreateTexture: unknown format hint: %d, xrefs: 00007FFBBAF2833D
Texture.Usage.DYNAMIC, xrefs: 00007FFBBAF282C0

Memory Dump Source

Source File: 00000001.00000002.2795831177.00007FFBBAF21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFBBAF20000, based on PE: true

Associated: 00000001.00000002.2795786977.00007FFBBAF20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795875234.00007FFBBAF2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795921230.00007FFBBAF3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795952946.00007FFBBAF40000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffbbaf20000_loaddll64.jbxd

Similarity

API ID: DebugOutputString
String ID: Texture.Usage.DYNAMIC$nCreateTexture: unknown format hint: %d
API String ID: 1166629820-2628201927
Opcode ID: 7727f6d33c6b3b027701db175bef16aba0b9ab9843f19c68cda378c17dcf3a2d
Instruction ID: 30baf7e7fa8aae28b76300bab8a1e735dd228f35a6346460c0024ed749131209
Opcode Fuzzy Hash: 7727f6d33c6b3b027701db175bef16aba0b9ab9843f19c68cda378c17dcf3a2d
Instruction Fuzzy Hash: 93311872A0CB818AE7709B28F0507EAB7A4FB84745F444175EB8983A59DF3CD445CB44

Function 00007FFBBAF26F10 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,?,?,?,00007FFBBAF26698), ref: 00007FFBBAF26F14

Strings

OS check overridden via NEWT_D3D_NO_HWCHECK, xrefs: 00007FFBBAF26F49
D3DPPLM::CheckOSVersion: Windows 2000 or earlier OS detected, failed, xrefs: 00007FFBBAF26F2D

Memory Dump Source

Source File: 00000001.00000002.2795831177.00007FFBBAF21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFBBAF20000, based on PE: true

Associated: 00000001.00000002.2795786977.00007FFBBAF20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795875234.00007FFBBAF2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795921230.00007FFBBAF3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795952946.00007FFBBAF40000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffbbaf20000_loaddll64.jbxd

Similarity

API ID: Version
String ID: OS check overridden via NEWT_D3D_NO_HWCHECK$D3DPPLM::CheckOSVersion: Windows 2000 or earlier OS detected, failed
API String ID: 1889659487-2189726416
Opcode ID: 74def4e7f39eb65c4dba3ca7bf262e55c71bcfc5a41d0f748d1dfc147e419f2f
Instruction ID: 86247e9b404b83fafdf349947d6cf38289d45bf2ac53afe2a35f20f3ef27d8d5
Opcode Fuzzy Hash: 74def4e7f39eb65c4dba3ca7bf262e55c71bcfc5a41d0f748d1dfc147e419f2f
Instruction Fuzzy Hash: C2F030E4E08A4382FB54B77CC8A13F8129AEB51302FC004B1EA4DC16D0DE7DA98AC70D

Function 00007FFBBAF25350 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00007FFBBAF25381
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FFBBAF25391

Strings

D3DPhongMaterial::getMap -- type is out of range - type = , xrefs: 00007FFBBAF25370

Memory Dump Source

Source File: 00000001.00000002.2795831177.00007FFBBAF21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFBBAF20000, based on PE: true

Associated: 00000001.00000002.2795786977.00007FFBBAF20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795875234.00007FFBBAF2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795921230.00007FFBBAF3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2795952946.00007FFBBAF40000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffbbaf20000_loaddll64.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@D@std@@@std@@U?$char_traits@$V01@@
String ID: D3DPhongMaterial::getMap -- type is out of range - type =
API String ID: 3022475274-1789742052
Opcode ID: d25f46c8111b3a8002844401e421e151b27bd4071df0a9608d010cfbae37aed1
Instruction ID: 47fc2357c16f91382ccb74a6aaa6d7caa9538413ae472ed027105ac7f40285af
Opcode Fuzzy Hash: d25f46c8111b3a8002844401e421e151b27bd4071df0a9608d010cfbae37aed1
Instruction Fuzzy Hash: 5EE06DE0F19E0681EA149B79ECA00F92265AF44B87B1410B1DE0ECA220DE6C94D6870C

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_754f1c8f93fb6f2f4d4817606ede2c3e23ead4d_d75f6fa5_12432550-bfa0-4d6b-a8f0-14e09fe4b0ca\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_754f1c8f93fb6f2f4d4817606ede2c3e23ead4d_d75f6fa5_363aac94-5c49-4a35-8eee-f8e0566e9b82\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_754f1c8f93fb6f2f4d4817606ede2c3e23ead4d_d75f6fa5_7fea4c19-51c4-47e9-a610-0b822d6f1abb\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_93f177c3cfa433ab5197dcc74639e9ae9f5a3069_d75f6fa5_d56c99e7-c6a7-431f-954f-ac72c846735b\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB794.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB802.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB87F.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB890.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB8BF.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB8D0.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC679.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC735.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC784.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD926.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDAAD.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDAFD.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
file.dll