Edit tour

Windows Analysis Report
file.dll

Overview

General Information

Sample name:	file.dll (renamed file extension from exe to dll)
Original sample name:	file.exe
Analysis ID:	1524251
MD5:	c8b9ee438cd581e5632dfeceb9f3aad5
SHA1:	a1ef30f2487eb1d23f13a2600b3c77ca18343833
SHA256:	9be6844970271ee2c609303226275cc8cd753320af01da1db02dd31ce878be70
Tags:	dllexesignedx64user-jstrosch
Infos:

Detection

Score:	4
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 7512 cmdline: loaddll64.exe "C:\Users\user\Desktop\file.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)

conhost.exe (PID: 7532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7672 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\file.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

rundll32.exe (PID: 7800 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 8056 cmdline: C:\Windows\system32\WerFault.exe -u -p 7800 -s 332 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

rundll32.exe (PID: 7704 cmdline: rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_prism_impl_shape_NativePiscesRasterizer_init MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 4940 cmdline: rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_prism_impl_shape_NativePiscesRasterizer_produceFillAlphas MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 3936 cmdline: C:\Windows\system32\WerFault.exe -u -p 4940 -s 324 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

rundll32.exe (PID: 2504 cmdline: rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_prism_impl_shape_NativePiscesRasterizer_produceStrokeAlphas MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 2272 cmdline: C:\Windows\system32\WerFault.exe -u -p 2504 -s 332 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

rundll32.exe (PID: 8040 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_impl_shape_NativePiscesRasterizer_init MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 8016 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_impl_shape_NativePiscesRasterizer_produceFillAlphas MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 5632 cmdline: C:\Windows\system32\WerFault.exe -u -p 8016 -s 324 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

rundll32.exe (PID: 7488 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_impl_shape_NativePiscesRasterizer_produceStrokeAlphas MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 4212 cmdline: C:\Windows\system32\WerFault.exe -u -p 7488 -s 324 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Code function: 5_2_00007FF83280ADC0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

5_2_00007FF83280ADC0

Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FF83280ADC0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00007FF83280ADC0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FF83280A7F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00007FF83280A7F0
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_00007FF83280ADC0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00007FF83280ADC0
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_00007FF83280A7F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FF83280A7F0

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",#1

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_00007FF83280A96C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

5_2_00007FF83280A96C

Source: Amcache.hve.8.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Rundll32	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	2 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.dll	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.8.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1524251
Start date and time:	2024-10-02 17:25:20 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.dll (renamed file extension from exe to dll)
Original Sample Name:	file.exe
Detection:	CLEAN
Classification:	clean4.winDLL@23/21@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 17

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target rundll32.exe, PID 4940 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 7800 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
VT rate limit hit for: file.dll

Simulations

Behavior and APIs

Time	Type	Description
11:26:24	API Interceptor	5x Sleep call for process: WerFault.exe modified
11:26:26	API Interceptor	1x Sleep call for process: loaddll64.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_1aff9662ccd791d8d4eef4da2398bc923098b68_d75f6fa5_a4482ba1-72b3-4036-ba59-9c7045524573\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7623982746427704
Encrypted:	false
SSDEEP:	192:zMFityTo0nm0Iv55jyMLzuiFKZ24lO8Vq:GiYT5Iv55jzzuiFKY4lO8V
MD5:	C366541F468CC5ACE14E2A4BE1475EDC
SHA1:	F4D9B4490864BA9B7E6C302DA1791BB7FBEE356C
SHA-256:	AE469075542552A7D25DE7C0F6DC2BAB1AB1FF627630E3DFB6FEAB870F842970
SHA-512:	D334FE8EB13A89EB61C23F631398436332ED71EE8C3EF66E533C59B23B66853A0CDB56F8A3B8511AF33AAD2067627CBEDC3AF30B0DF0B708BD4C555B9F7936B6
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.3.5.6.3.8.3.1.8.2.6.5.3.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.3.5.6.3.8.3.4.9.5.1.5.3.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.4.4.8.2.b.a.1.-.7.2.b.3.-.4.0.3.6.-.b.a.5.9.-.9.c.7.0.4.5.5.2.4.5.7.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.0.5.6.a.f.d.3.-.b.0.5.b.-.4.f.9.c.-.9.c.f.e.-.9.1.b.f.c.e.8.2.9.e.4.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.f.i.l.e...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.9.c.8.-.0.0.0.1.-.0.0.1.3.-.2.c.e.6.-.2.4.7.0.d.f.1.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.2.2.!.r.u.n.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_1aff9662ccd791d8d4eef4da2398bc923098b68_d75f6fa5_ce2adf5f-3e69-4e0c-9b84-80f5ada87843\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7623145515041094
Encrypted:	false
SSDEEP:	192:JDaFiyymo0nm0Iv55jyMLzuiFKZ24lO8V:qivm5Iv55jzzuiFKY4lO8V
MD5:	39944880E020BE95DF8BB7A6B7620C80
SHA1:	77E6CDD5B503A9791A73549FC915215111CDB2CF
SHA-256:	FDB9AE9B2B75308C4080663965D30B1671C384588F695509DC66FDB86589CB01
SHA-512:	FBC3E39958257158F363FE0427C3E9B063949A991490A0D641170434C2717BC9B47F79F24DFC9FD26C9DD5A74B16A6460AED8956C3EA435381D63D954EC11DC2
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.3.5.6.3.8.6.5.5.8.8.4.2.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.3.5.6.3.8.8.2.4.6.3.2.6.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.e.2.a.d.f.5.f.-.3.e.6.9.-.4.e.0.c.-.9.b.8.4.-.8.0.f.5.a.d.a.8.7.8.4.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.4.3.f.1.7.c.e.-.e.3.7.8.-.4.f.1.0.-.b.b.f.5.-.0.b.1.6.1.5.3.f.8.1.0.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.f.i.l.e...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.4.0.-.0.0.0.1.-.0.0.1.3.-.2.8.9.0.-.f.d.7.1.d.f.1.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.2.2.!.r.u.n.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_56d7447d6a13c353c2282cc3f2ec25695913c0_d75f6fa5_1ac2261b-d3b6-4096-8723-9d2cb56e6a9e\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7621940943670948
Encrypted:	false
SSDEEP:	192:FAFiUVyNo0n0IvrOjyMLzuiFKZ24lO8V:wiUwNgIvrOjzzuiFKY4lO8V
MD5:	BD3D9DC7DCE875BAB11ACDEFCF41FC2A
SHA1:	1A912E9769889911BCA84EA0A668141BFABCC0F3
SHA-256:	472C5A0BA108EFE08588FF72B5D7F1CCD9306E7685938B6C57EF1F51B1592C85
SHA-512:	B35F2037876D7E2E6908C80FDA0BBBA38B28B255DECB0F32A9699513770F7745DFC4EA5885585669F05DDB9E829DBC2CE14C56DA277D804CD9FCA5B0EE9B7512
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.3.5.6.3.8.6.5.1.8.5.6.6.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.3.5.6.3.8.8.1.2.7.9.3.3.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.a.c.2.2.6.1.b.-.d.3.b.6.-.4.0.9.6.-.8.7.2.3.-.9.d.2.c.b.5.6.e.6.a.9.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.a.9.1.c.0.d.1.-.6.9.6.2.-.4.b.2.e.-.9.c.0.7.-.7.7.7.f.4.0.1.8.3.d.3.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.f.i.l.e...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.5.0.-.0.0.0.1.-.0.0.1.3.-.0.3.6.2.-.f.7.7.1.d.f.1.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.2.2.!.r.u.n.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_56d7447d6a13c353c2282cc3f2ec25695913c0_d75f6fa5_9b2953ba-c62e-42a8-a2c8-a3c4d6984f18\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7617944367994925
Encrypted:	false
SSDEEP:	192:Eq/bFi8y3o0n0IvrOjyMLzuiFKZ24lO8V:Nhix3gIvrOjzzuiFKY4lO8V
MD5:	21FAE53C6CD3BF26CBABDC6873656DFE
SHA1:	61E20F2AA17DE6DC1D66AE862E70CC547A6728DB
SHA-256:	13799EEB775EE046FCC1E8785082CCE32E0037DE4F9726DE3AA814F13982E7C9
SHA-512:	F9459863DA2EBCB22F495F31C44CE9CBD10465D2E7E0C15EE6864B4705B980EE20900BA47287DCB244B1A90FF1966A25DB194E08C73ABD6B20F84EA482C13AA9
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.3.5.6.3.8.0.1.0.5.4.8.8.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.3.5.6.3.8.0.4.4.9.2.3.6.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.b.2.9.5.3.b.a.-.c.6.2.e.-.4.2.a.8.-.a.2.c.8.-.a.3.c.4.d.6.9.8.4.f.1.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.c.e.6.0.d.f.2.-.e.7.e.a.-.4.5.6.6.-.a.a.c.a.-.4.a.1.8.f.4.a.c.6.6.4.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.f.i.l.e...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.4.c.-.0.0.0.1.-.0.0.1.3.-.5.e.b.a.-.5.8.6.e.d.f.1.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.2.2.!.r.u.n.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_9de19133aefe36cce1fe9ee66691ccc86823a879_d75f6fa5_d06e6c10-5330-4937-9ceb-dc1518b61a0b\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.759149194914348
Encrypted:	false
SSDEEP:	192:j6IFiPy6Oo0s0IvBHjyMLzuiFKZ24lO8V:xiKrTIvBHjzzuiFKY4lO8V
MD5:	1B36F73E78CDDC7048C5FDDE40D4B9C1
SHA1:	74D68064417DFAA2BDE5D3AA796731136F2B7A70
SHA-256:	02136F9DBD6D81F3E279D8B5EE3A4756A1BB728AAC8AE718FD7F001DDAA04655
SHA-512:	2600EA7D9FCA740478DE8CCF2331DD627370C654B81CDDBD8306FBC3E5B630ABF1CD2FF0BE7AD78DEEAF0DC7D65B93A84D807943A54206531C9FE08E28B47FAA
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.3.5.6.3.7.7.4.9.8.4.3.8.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.3.5.6.3.7.8.1.0.7.8.2.4.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.0.6.e.6.c.1.0.-.5.3.3.0.-.4.9.3.7.-.9.c.e.b.-.d.c.1.5.1.8.b.6.1.a.0.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.1.9.3.d.e.1.7.-.a.b.b.7.-.4.c.1.6.-.9.4.1.2.-.a.2.5.2.1.9.4.6.5.c.c.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.f.i.l.e...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.7.8.-.0.0.0.1.-.0.0.1.3.-.f.d.4.4.-.9.6.6.c.d.f.1.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.2.2.!.r.u.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1501.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Oct 2 15:26:26 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	55902
Entropy (8bit):	1.6935216916827138
Encrypted:	false
SSDEEP:	192:1q2fXRkWVXOMxDE8nZlSFsutVeIC42CLT7GlS:UKxQL8Z5ieyTT7
MD5:	6D0B8C09DEE0D120E60A730114D4729A
SHA1:	1520F99CE9E8A7B8EAF5387B704CE26261882F5F
SHA-256:	B71EAA4DFAD131841FA96C66C854DE3AE4DA66D07BDA4EAB7BE88CC864443A01
SHA-512:	120EA537AFE946E3A89E0E570AAB9C155930ED1E3B197D5E5694FB50C429B02C9E89F3DF837582689A2D3D1973BE3547EF4E58749763E5ED554718A8AC1D1858
Malicious:	false
Preview:	MDMP..a..... ......."f.f........................L................)..........T.......8...........T...........0...........................................................................................................eJ......l.......Lw......................T.......P...!f.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1530.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Oct 2 15:26:26 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	57622
Entropy (8bit):	1.666059943808741
Encrypted:	false
SSDEEP:	96:548/O43kPpw+agmzHgyeEiVA2G1eoi7Mx5KNaojoy0YKfRYf2e4PNoqaoIn8HmNn:1+2fB2G1XOMx5gOOKfRYfZ4PreY74j
MD5:	4157DEF49F93BB77593A93663361F8A9
SHA1:	E39712002CEA8323836AA72B07DB9A7F6FCDEBB5
SHA-256:	C6FE8F8C6FFF91E4E1679D759E77CC80BCB9DA6074BF5553A9EB3E4D54945C69
SHA-512:	427EDBEC22447862CD3D356C9EBCDFC2AC215B5718CEEF6AA030399626800621C56A9860565D6CB7B9F800ED503A52BF3DAD87C4894B986960C7BB660D0337D7
Malicious:	false
Preview:	MDMP..a..... ......."f.f........................L................)..........T.......8...........T...........0...........................................................................................................eJ......l.......Lw......................T.......@..."f.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER15BE.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8728
Entropy (8bit):	3.697716395918141
Encrypted:	false
SSDEEP:	192:R6l7wVeJSLsZx6YjFYugmfiL0v+prO89bZvjf2Tm:R6lXJOsZx6YhYugmfGUcZLfj
MD5:	7BD408A0515D5AF17198F305D87446C1
SHA1:	7C6CBCE404FCAA4D02BFA8DD73E5C8A6E4AB71B9
SHA-256:	B067437FE5467331B7BF0FD77CE5CA282C3974F287229AAC1B3AC51EE8E938AA
SHA-512:	FC26D5C05CC527E7900E6C6411D0453E7C1F98A4072A0E8AB396C6DC33B01ACED6B82477ED990529DE4B52E895ACC260B9A6BDA4559162329F9D53C50133BD4E
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.0.1.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1679.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8730
Entropy (8bit):	3.7003612464555333
Encrypted:	false
SSDEEP:	192:R6l7wVeJ+ceZq6YjQUYugmfiL0MlprO89bZ4jfixvTm:R6lXJ1eZq6Y8UYugmfGXvZkff
MD5:	33A8FFF6FD05FF0D479AEA6D8E0F189B
SHA1:	289107540DD1AA2AB89461CAD9EBADB84D2BC75D
SHA-256:	FE10C07543F7AFEB6567353D35D14638EF4CF53BE3BD61C1788A6E1F0EC08BF0
SHA-512:	05F25E2BF4EB9253BFF59E2DFE169956ED159A22CFADCEA0AFB3C267B555C0513449643D7C9C59B5B067A75E2F43D3080BB373B42ACD21F910CCD08B8F5062E1
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.8.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER168A.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4730
Entropy (8bit):	4.470025867789842
Encrypted:	false
SSDEEP:	48:cvIwWl8zscJg771I9O7/CUWpW8VYDmYm8M4JCFCtsNFF/0yq85m4zshptSTSQd:uIjfaI7/zCN7VCPJisGQpoOQd
MD5:	CC55A7D18B42D42DCF0F419EF59484E1
SHA1:	8A326D53CBD323D8A02A51FD8938E661123AB1E3
SHA-256:	FFF02872B883A51DBF9C43C0B59F37F103C31993E9B5B67277132478F5DDD838
SHA-512:	1C1216C79AD2B594F0190CDA16109C2D9BBD750F984AEE65C18C033C295ABA7945E833E240C4BC962038BFA09BB9BFE7FDD77B2D10684775D34EDA3BCB57DB74
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="525989" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER16B9.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4730
Entropy (8bit):	4.470243279642452
Encrypted:	false
SSDEEP:	48:cvIwWl8zscJg771I9O7/CUWpW8VYDnYm8M4JCFCtsNkFSRyq85m4zsgptSTSbd:uIjfaI7/zCN7VC6JiRRGNpoObd
MD5:	508D8D28F903E0962D4FF9312A27E88B
SHA1:	89DEF801AC0CFCFD95CCD0E01C6FE504BD91755E
SHA-256:	E513C28FC21387D63AE682EB4EC82800F324C4125D232CF966E594C0610D198A
SHA-512:	7246ECAE0710CD53386C31C4F83082553152143E08EA9E4512F8ADC011F74A130306B34654F3C32F6500CFCAB9DB24476241C3F2EA358EBF747AD150F27E31E5
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="525989" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER801.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Oct 2 15:26:23 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	58334
Entropy (8bit):	1.6622528930321578
Encrypted:	false
SSDEEP:	192:ccS2fgajcVFXOMxN79XIJQxlomDRuAGqjaPynryc:sacVAkRXryPyrT
MD5:	F33832D14603CC4867D32BF3234DE97F
SHA1:	93039F57B7FBBE09B431BD1079BEFC2C5156D002
SHA-256:	AD6E5F8D536854566DB5D1939A63F754E9B9EFD5B4149D903475C70CEB80FB70
SHA-512:	768B7850DDB56D88A20B7A20DC8B1E5178AD761F25349B8DE60D305920D964BCC7CCCECF39D6270985C921B2B125906F6E2F2CBE97A2727A325A70F75995D6F3
Malicious:	false
Preview:	MDMP..a..... ........f.f........................L................)..........T.......8...........T...........0...........................................................................................................eJ......l.......Lw......................T............f.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER850.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8744
Entropy (8bit):	3.7008533239124217
Encrypted:	false
SSDEEP:	192:R6l7wVeJtMlbcZIX6YQecpDbLgmfiL0MlprM89b0Njf01cm:R6lXJU4ZQ6YRcNgmfGXx05fO
MD5:	B71486B8120BB564463B94EB5C3E15DC
SHA1:	0ECD512C3B9480C8B4DBD4DE55863C8A8E898F7A
SHA-256:	1E31E5D4E66EA692932D22D5E8905F16CFE8137E23ECF22C3EC9918A9CB09384
SHA-512:	2E4D924E51E19BD1AA4EEFFA5D2A1FB6CC6F8AD5FF2C74829B3AE22485DE1D5DA5B3CFBB3AC4A9067CDCFAAB0F7856961FDAC38F895B81539363E64EA805AF5E
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.5.0.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER880.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4730
Entropy (8bit):	4.468112177589768
Encrypted:	false
SSDEEP:	48:cvIwWl8zscJg771I9O7/CUWpW8VYFYm8M4JCFCtsNkFUyq85m4zstxptSTS2Dd:uIjfaI7/zCN7VlJiFGypoO2Dd
MD5:	0AD432E87A6A77ED61E058A3DF0465FF
SHA1:	C5F85C4184D9BF67267027B44D9B4D92C4F1404B
SHA-256:	43D77BDA50935DC1A867BA6D29096E3CE9CE088BCDAC246B9BF40E307EC2D8EE
SHA-512:	3C7BD89CFB5EDAA8649A89F469D5238C9D5F111774C6E3A48F6AEF1E30F5856C96DEAA1268D8471547C9B6712748B39638E40A68C1EBD3C26ECDE490BA48550C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="525989" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1D9.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Oct 2 15:26:17 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	56466
Entropy (8bit):	1.6307326847445722
Encrypted:	false
SSDEEP:	192:uR2fBNOMx0tWawi6gsMllQsIe+weR4x/BsH3:wSAnv6gsMQe+8/i
MD5:	8772E5E1B876D42689DEB4757F615BDC
SHA1:	FDB4CA5D856576DC3E46F8B1BD2CE79E7C2C72B5
SHA-256:	1D6AA6D275FF7DF6F30F9D42656F8A74693B84B5C02222A7EC171A0E751A83D9
SHA-512:	8E8F782C172FAD5CDFADCC3E73926047B1357475191C82757EF42B84CA25E3380F84983F853286433B7F3C7888CF083C32C67DEFA2ECBAB79786A9E9BA2D3387
Malicious:	false
Preview:	MDMP..a..... ........f.f........................L................)..........T.......8...........T.......................................................................................................................eJ......l.......Lw......................T.......x....f.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF2D4.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8498
Entropy (8bit):	3.694651124772347
Encrypted:	false
SSDEEP:	192:R6l7wVeJyrqZD6YvNNwd13gmfiL0qjpr789bz+DfbBRm:R6lXJuqZD6YFqd13gmfGlCzCfq
MD5:	692182B4E7BE1F129D067C1CB33ADCCB
SHA1:	52F70B8455E92881CF315DC6728E4A96A3287925
SHA-256:	3A1A7C55786A1660936958A450A506BA5EF92C231A7ECD843EA25D5902F24008
SHA-512:	ACD1394043A4A7173E8E89AC9103EA83AF54539BFC9A8254AC3E2742D7DDC2C9B8615AF8519135A78FE45E69498ECB2E9A350171D25F1A9682C8791956DE445A
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.8.0.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF304.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4729
Entropy (8bit):	4.469462130508209
Encrypted:	false
SSDEEP:	48:cvIwWl8zsrJg771I9O7/CUWpW8VYjYm8M4JCFCtsNF6Fmyq85m4zWwH0ptSTSkd:uIjfFI7/zCN7VLJiFNGnUpoOkd
MD5:	16ECAFA1971AC3575AEBE97A38673F39
SHA1:	08F9CCEEBEC1619CA463611BA3A330C9E1DC2882
SHA-256:	4921DC8C9256FEF05AD6556C35DB538AB3B8DEBEC13CC5B23468C486EAF5CE80
SHA-512:	FC1DA6D912F7A76A4D3892364AAEC39134ECE9F6DB01988D2B796395F04A7E4C9441C64C4CD2CAF99AD882F66CCE4CBF815F15BC411F428F38C686E2B8D83FD7
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="525988" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFBFB.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Oct 2 15:26:20 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	56926
Entropy (8bit):	1.6629723799917173
Encrypted:	false
SSDEEP:	192:vpG2fICkF1XOMxFei9I+e+61UiV/C1J+tRq:kVdFwueN+e+x6/C1J
MD5:	4E2CE04E72F0472378289FC769B8EFA2
SHA1:	46BDB95F38048CA70A5E88AE954543C65991A1E1
SHA-256:	2B562FA7724A0D1599CE20640F50CF6407671EB0ABC3B3C6237CFBA43EA8A48B
SHA-512:	CC689BDBD0C1961C3990C7236608C5CDFD30D9E9E95DD45FFE43885F820C9C53BF1BB39926D46C88043E250A42C0603612D13194FD0E606C8C88A34D99D8BED9
Malicious:	false
Preview:	MDMP..a..... ........f.f........................L................)..........T.......8...........T...........0...........................................................................................................eJ......l.......Lw......................T.......L....f.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFC98.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8744
Entropy (8bit):	3.69723469235483
Encrypted:	false
SSDEEP:	192:R6l7wVeJ8DSZGKF6YQ/cpDbLgmfiL0v+pra89bvjbft/6Fm:R6lXJISZdF6YQcNgmfGUIv/ftp
MD5:	FA850F394C278ED277E96228442C9EAE
SHA1:	3CAC019D2911C265EE2E28A63CAC155C2709CAFD
SHA-256:	027D2D06D9272917D5ADE13DD65390F6B780E3A5EFAE1FE856BD87C8599D634E
SHA-512:	8DCEB2A92F97B6FA5A82641E04FF882A573AB15CFDA3B8C0216850EFCA83B0A24130351D57A7E00F20C2AE07E400F9D332D7DF406B34091D179A7CFDADE8C56D
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.9.4.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFCC8.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4730
Entropy (8bit):	4.466100648722971
Encrypted:	false
SSDEEP:	48:cvIwWl8zscJg771I9O7/CUWpW8VY1Ym8M4JCFCtsNFF3w5yq85m4zs/HptSTS8d:uIjfaI7/zCN7VRJiA5GyHpoO8d
MD5:	095D02C8A8B4837D487DA38300CF80F8
SHA1:	EC5408A10268979A4477D59DB4242DB943B1BEC1
SHA-256:	11AF53F58F66B64E7DFD851CF80CB8D76511DA14DEE552670725411BFA9E4987
SHA-512:	9B4995FE9853DFE69EDDA09DE1A429BA93728D5C39116BF9B266C6D8140BC79E1A6D0D3B847A26C2BECF6C65CC82FD9A44942C9111EAB354C422EA89378AE9D8
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="525989" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.296111888720287
Encrypted:	false
SSDEEP:	6144:l41fWRYkg7Di2vXoy00lWZgiWaaKxC44Q0NbuDs+qwmBMZJh1Vje:y1/YCW2AoQ0Ni4wwMHrVC
MD5:	F599FCE8EA4F174EA516F4D8E52EED7C
SHA1:	0E670CF30F2672098B45DBDB83D8A75DCE958278
SHA-256:	43D1E5BD6FAEE2B1BF14E39ECF7CCB7A767E680A043E6591A65A37F69EF78899
SHA-512:	B3A2E536A110C80CDA050E6514E282A99A2FC90090908DDF1857A57F3B7732E9FD8E04D6A0565903D503514EB3B5C0E15A6AAC5692D72A2C18FA748C2F729AAA
Malicious:	false
Preview:	regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm6..l................................................................................................................................................................................................................................................................................................................................................O..X........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):	6.469766894882436
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	file.dll
File size:	66'208 bytes
MD5:	c8b9ee438cd581e5632dfeceb9f3aad5
SHA1:	a1ef30f2487eb1d23f13a2600b3c77ca18343833
SHA256:	9be6844970271ee2c609303226275cc8cd753320af01da1db02dd31ce878be70
SHA512:	ef6c1f793d096661a6e964c7e1e52767e1d22ee7a3bc61ec82253e06b5a00f23f9d15f38d186260b177bbb4e249a8617f8aa34909f700bcfc9450c1d2f1a572d
SSDEEP:	1536:rRWlBn+gKaMO0AusJNdhHtHSww7UbDPxSm:tWl8gKaMxAfpH9Sww+xD
TLSH:	93534986F5E988D9F12A9475B065B21FE43334540BA089CF439085285FB1BD1BBFB36B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........PRF.1<..1<..1<..I...1<..I=..1<..Z=..1<..1=..1<..I9..1<..I8..1<..I?..1<.JH8..1<.JH<..1<.JH...1<.JH>..1<.Rich.1<................

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x18000a7b0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x180000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x63BBBFF0 [Mon Jan 9 07:19:12 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	09d49104ca88cc807432c92158652879

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	19/08/2021 02:00:00 20/08/2023 01:59:59
Subject Chain	CN="Oracle America, Inc.", OU=Software Engineering, O="Oracle America, Inc.", L=Redwood City, S=California, C=US
Version:	3
Thumbprint MD5:	2876C1BECB51837D0E3DE50903D025B6
Thumbprint SHA-1:	940D69C0A34A1B4CFD8048488BA86F4CED60481A
Thumbprint SHA-256:	EE46613A38B4F486164BCE7FB23178667715617F511B364594311A1548B08EB1
Serial:	068BE2F53452C882F18ED41A5DD4E7A3

Entrypoint Preview

Instruction
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
push edi
dec eax
sub esp, 20h
dec ecx
mov edi, eax
mov ebx, edx
dec eax
mov esi, ecx
cmp edx, 01h
jne 00007FA180BD61F7h
call 00007FA180BD6390h
dec esp
mov eax, edi
mov edx, ebx
dec eax
mov ecx, esi
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov esi, dword ptr [esp+38h]
dec eax
add esp, 20h
pop edi
jmp 00007FA180BD6084h
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
xor ecx, ecx
call dword ptr [0000181Fh]
dec eax
mov ecx, ebx
call dword ptr [0000180Eh]
call dword ptr [00001818h]
dec eax
mov ecx, eax
mov edx, C0000409h
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [0000180Ch]
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 38h
mov ecx, 00000017h
call dword ptr [00001800h]
test eax, eax
je 00007FA180BD61F9h
mov ecx, 00000002h
int 29h
dec eax
lea ecx, dword ptr [00003AA6h]
call 00007FA180BD629Eh
dec eax
mov eax, dword ptr [esp+38h]
dec eax
mov dword ptr [00003B8Dh], eax
dec eax
lea eax, dword ptr [esp+38h]
dec eax
add eax, 08h
dec eax
mov dword ptr [00003B1Dh], eax
dec eax
mov eax, dword ptr [00003B76h]
dec eax
mov dword ptr [000039E7h], eax

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xd8c0	0x124	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd9e4	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10000	0x3a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xf000	0x978	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0xda00	0x28a0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x11000	0x2c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xc5f0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xc4b0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc000	0x148	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa298	0xa400	058a96049f790b6845c1d55e32350029	False	0.5293921493902439	data	6.216775210251593	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xc000	0x1eca	0x2000	0bc7857c6b1ce3f3f3f122a2dba6433f	False	0.4796142578125	data	4.983766211377523	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xe000	0x838	0x200	b95dc0226e24cbebd508c44860443b06	False	0.091796875	data	0.4700436669171337	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0xf000	0x978	0xa00	1f647edf4ca4a63a1aa4169dc36a912f	False	0.471875	data	4.433514314399998	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x10000	0x3a8	0x400	3f928bf830296675d5caa545d8331e56	False	0.412109375	data	3.1070883323471334	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x11000	0x2c	0x200	5ee3cf2d4c323de703ad73f54ce68050	False	0.11328125	data	0.6406789934533421	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x10060	0x348	data	English	United States	0.46190476190476193

Imports

DLL	Import
KERNEL32.dll	RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, DisableThreadLibraryCalls, InitializeSListHead, IsDebuggerPresent
VCRUNTIME140.dll	memset, __C_specific_handler, __std_type_info_destroy_list, memcpy
api-ms-win-crt-heap-l1-1-0.dll	free, calloc, malloc
api-ms-win-crt-math-l1-1-0.dll	pow, sqrt, ceil, cos, floor, acos
api-ms-win-crt-runtime-l1-1-0.dll	_seh_filter_dll, _initterm_e, _initialize_onexit_table, _execute_onexit_table, _cexit, _initterm, _initialize_narrow_environment, _configure_narrow_argv

Exports

Name	Ordinal	Address
Java_com_sun_prism_impl_shape_NativePiscesRasterizer_init	1	0x1800043a0
Java_com_sun_prism_impl_shape_NativePiscesRasterizer_produceFillAlphas	2	0x1800043b0
Java_com_sun_prism_impl_shape_NativePiscesRasterizer_produceStrokeAlphas	3	0x180004810

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	11:26:16
Start date:	02/10/2024
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\file.dll"
Imagebase:	0x7ff62d8e0000
File size:	165'888 bytes
MD5 hash:	763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:26:16
Start date:	02/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:26:16
Start date:	02/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\file.dll",#1
Imagebase:	0x7ff739570000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:26:16
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_prism_impl_shape_NativePiscesRasterizer_init
Imagebase:	0x7ff6e5910000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:26:16
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",#1
Imagebase:	0x7ff6e5910000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:26:17
Start date:	02/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7800 -s 332
Imagebase:	0x7ff7b4b70000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	11:26:19
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_prism_impl_shape_NativePiscesRasterizer_produceFillAlphas
Imagebase:	0x7ff6e5910000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	11:26:19
Start date:	02/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 4940 -s 324
Imagebase:	0x7ff7b4b70000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	11:26:22
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_prism_impl_shape_NativePiscesRasterizer_produceStrokeAlphas
Imagebase:	0x7ff6e5910000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	11:26:23
Start date:	02/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 2504 -s 332
Imagebase:	0x7ff7b4b70000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	11:26:25
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_impl_shape_NativePiscesRasterizer_init
Imagebase:	0x7ff6e5910000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	11:26:26
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_impl_shape_NativePiscesRasterizer_produceFillAlphas
Imagebase:	0x7ff6e5910000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	11:26:26
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_impl_shape_NativePiscesRasterizer_produceStrokeAlphas
Imagebase:	0x7ff6e5910000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	11:26:26
Start date:	02/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 8016 -s 324
Imagebase:	0x7ff7b4b70000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	11:26:26
Start date:	02/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7488 -s 324
Imagebase:	0x7ff7b4b70000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 00007FF832803370 Relevance: 16.8, APIs: 11, Instructions: 282COMMON

Download Yara Rule

APIs

sqrt.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF83280342B
sqrt.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF8328035BA
acos.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF8328035C8
sqrt.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF8328035F1
cos.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF83280360E
cos.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF83280363C
cos.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF83280365D
sqrt.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF832803694
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF8328036BC
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF8328036EB
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF8328036F9

Memory Dump Source

Source File: 00000005.00000002.1408087834.00007FF832801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF832800000, based on PE: true

Associated: 00000005.00000002.1408064000.00007FF832800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1408111530.00007FF83280C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1408127402.00007FF83280E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1408150539.00007FF83280F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff832800000_rundll32.jbxd

Similarity

API ID: sqrt$acos
String ID:
API String ID: 1924845392-0
Opcode ID: 66e196cd4f565e1fe787a2ec665249acba415d5ab10a516904815f744e337c19
Instruction ID: 7dd5cec6d74bdba37a33af3a1df9075a092a9a32077f94f0e08f0acfcd064738
Opcode Fuzzy Hash: 66e196cd4f565e1fe787a2ec665249acba415d5ab10a516904815f744e337c19
Instruction Fuzzy Hash: D8C1C512F28F8955E213863658421F9A254FF7F3E4F19D323F94933672AFA871D2A600

Function 00007FF83280ADC0 Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF83280ADDC
memset.VCRUNTIME140 ref: 00007FF83280AE00
RtlCaptureContext.KERNEL32 ref: 00007FF83280AE09
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF83280AE23
RtlVirtualUnwind.KERNEL32 ref: 00007FF83280AE64
memset.VCRUNTIME140 ref: 00007FF83280AE97
IsDebuggerPresent.KERNEL32 ref: 00007FF83280AEB8
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF83280AED9
UnhandledExceptionFilter.KERNEL32 ref: 00007FF83280AEE4

Memory Dump Source

Source File: 00000005.00000002.1408087834.00007FF832801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF832800000, based on PE: true

Associated: 00000005.00000002.1408064000.00007FF832800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1408111530.00007FF83280C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1408127402.00007FF83280E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1408150539.00007FF83280F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff832800000_rundll32.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: eacc2973cbd1dde0174fa1e808a3fb825669d718628b8f022ae0abaee566525b
Instruction ID: dc0e077bea451a38067e82e5c26a8cb991daddbfa4827342ad7a9ce82030dd82
Opcode Fuzzy Hash: eacc2973cbd1dde0174fa1e808a3fb825669d718628b8f022ae0abaee566525b
Instruction Fuzzy Hash: A8315D72708B819AEB609F60E8407ED7364FB84798F44843ADB4E47BA4DF78D648D710

Function 00007FF8328069A0 Relevance: 3.4, APIs: 2, Instructions: 368COMMON

Download Yara Rule

APIs

sqrt.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF832806BA3
sqrt.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF832806BFD

Memory Dump Source

Source File: 00000005.00000002.1408087834.00007FF832801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF832800000, based on PE: true

Associated: 00000005.00000002.1408064000.00007FF832800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1408111530.00007FF83280C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1408127402.00007FF83280E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1408150539.00007FF83280F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff832800000_rundll32.jbxd

Similarity

API ID: sqrt
String ID:
API String ID: 1201437784-0
Opcode ID: d8ced8b30b41726c2ac10d819c36855d0f14c5405ed51f208198e1f9e842bd7f
Instruction ID: 7c1c357a6e63fd3e8cd7b64b59a8091df00a7849c1eb1ee14e57094e7c1100c5
Opcode Fuzzy Hash: d8ced8b30b41726c2ac10d819c36855d0f14c5405ed51f208198e1f9e842bd7f
Instruction Fuzzy Hash: C012D732E18B8AA5E212DB3798411F5B350FF6E7D5F14D722EE48631B1DF78B095AA00

Function 00007FF832807470 Relevance: 3.3, APIs: 2, Instructions: 326COMMON

Download Yara Rule

APIs

sqrt.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF8328075F5
sqrt.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF832807653

Memory Dump Source

Source File: 00000005.00000002.1408087834.00007FF832801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF832800000, based on PE: true

Associated: 00000005.00000002.1408064000.00007FF832800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1408111530.00007FF83280C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1408127402.00007FF83280E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1408150539.00007FF83280F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff832800000_rundll32.jbxd

Similarity

API ID: sqrt
String ID:
API String ID: 1201437784-0
Opcode ID: 5dd65a038dedf495063e417fbed689900c38d9b4707146914857e4ad423f5ca9
Instruction ID: d0ecb2da5be6a430133efd7aedd8e37f7b03e6bb4f5ba63c718d6afc2d8dc8e0
Opcode Fuzzy Hash: 5dd65a038dedf495063e417fbed689900c38d9b4707146914857e4ad423f5ca9
Instruction Fuzzy Hash: CAF1C732E18A8995E311DB3798412F9B360FF6E7D5F04C722EE4863271DF78B195AA00

Function 00007FF832808580 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

sqrt.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF832808948

Memory Dump Source

Source File: 00000005.00000002.1408087834.00007FF832801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF832800000, based on PE: true

Associated: 00000005.00000002.1408064000.00007FF832800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1408111530.00007FF83280C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1408127402.00007FF83280E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1408150539.00007FF83280F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff832800000_rundll32.jbxd

Similarity

API ID: sqrt
String ID:
API String ID: 1201437784-0
Opcode ID: 91e3cc972b5ae0e30e00b42c4d18bc48a61f230dc3a6c588e7d0b5d17bc13a1a
Instruction ID: f3cdc2ec8c0a3fbb9624c65e3f4a35baa61a8e7a752402009ba309e62f3f9b45
Opcode Fuzzy Hash: 91e3cc972b5ae0e30e00b42c4d18bc48a61f230dc3a6c588e7d0b5d17bc13a1a
Instruction Fuzzy Hash: 88C1F622E28BCD51E223963764421F5A250EFBF3D5F2DDB22FE84325B2EB6575C16600

Function 00007FF83280A490 Relevance: 16.7, APIs: 11, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF83280A4B8
__scrt_initialize_crt.LIBCMT ref: 00007FF83280A4FD
__scrt_acquire_startup_lock.LIBCMT ref: 00007FF83280A50A
_RTC_Initialize.LIBCMT ref: 00007FF83280A538
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FF83280A55E
__scrt_release_startup_lock.LIBCMT ref: 00007FF83280A589

Memory Dump Source

Source File: 00000005.00000002.1408087834.00007FF832801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF832800000, based on PE: true

Associated: 00000005.00000002.1408064000.00007FF832800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1408111530.00007FF83280C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1408127402.00007FF83280E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1408150539.00007FF83280F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff832800000_rundll32.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 349153199-0
Opcode ID: 5c02f2d25d8e562058caf52bfc8ca37935f8dee43ddd379eeef422915e9d1f82
Instruction ID: 306afc872d21e351d765f39728dcf3de84e603229d738a59b0ba8c8c12326ed7
Opcode Fuzzy Hash: 5c02f2d25d8e562058caf52bfc8ca37935f8dee43ddd379eeef422915e9d1f82
Instruction Fuzzy Hash: 95819D21F08643A6F6649B669C512F922A0EF897E0F14C535EB4C477B6DEFCE849A700

Function 00007FF8328055B0 Relevance: 12.7, APIs: 10, Instructions: 248COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,00007FF832804718), ref: 00007FF83280561F
memset.VCRUNTIME140(?,?,?,?,?,?,?,00007FF832804718), ref: 00007FF832805648
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,00007FF832804718), ref: 00007FF832805673
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF832805691
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF83280586F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF83280587A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF83280588D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF83280590E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF832805917
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF83280592A

Memory Dump Source

Source File: 00000005.00000002.1408087834.00007FF832801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF832800000, based on PE: true

Associated: 00000005.00000002.1408064000.00007FF832800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1408111530.00007FF83280C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1408127402.00007FF83280E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1408150539.00007FF83280F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff832800000_rundll32.jbxd

Similarity

API ID: free$calloc$memset
String ID:
API String ID: 2591755499-0
Opcode ID: 082be3346bc34d59fb11e9c397db3feef17fd1bccced53f588ac85f35ba0ea85
Instruction ID: 21f718f6ffe555e097fef9e6a87468e6f40ea1f9dd8f18667e9e474d12d5b403
Opcode Fuzzy Hash: 082be3346bc34d59fb11e9c397db3feef17fd1bccced53f588ac85f35ba0ea85
Instruction Fuzzy Hash: 0DA1B0B2B096819BE714CF15E8446AA7BA1FB89BE4F048134EF4E43764DE7CE845DB00

Function 00007FF832805E40 Relevance: 7.7, APIs: 5, Instructions: 211COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF832805F8F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF832805FC7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF83280601A
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF832806029
ceil.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF832806096

Memory Dump Source

Source File: 00000005.00000002.1408087834.00007FF832801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF832800000, based on PE: true

Associated: 00000005.00000002.1408064000.00007FF832800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1408111530.00007FF83280C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1408127402.00007FF83280E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1408150539.00007FF83280F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff832800000_rundll32.jbxd

Similarity

API ID: callocfree$ceil
String ID:
API String ID: 920742804-0
Opcode ID: 7b353ca00502c3536801fa9377f0099fd6f296448c3ffe68f62c156614f68bc9
Instruction ID: dc1ceb9eb7d20a3e45e38046226d5e7095b6272c4d2bdee5bd993549ec7d4806
Opcode Fuzzy Hash: 7b353ca00502c3536801fa9377f0099fd6f296448c3ffe68f62c156614f68bc9
Instruction Fuzzy Hash: E691F2B2605A4597D7218F2AD8405A9B7A0FF097A0F45C336DF9EA37A1EB3CE945C700

Function 00007FF832806140 Relevance: 6.2, APIs: 4, Instructions: 203COMMON

Download Yara Rule

APIs

ceil.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF8328061B7
ceil.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF8328061DD
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8328062D1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF832806382

Memory Dump Source

Source File: 00000005.00000002.1408087834.00007FF832801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF832800000, based on PE: true

Associated: 00000005.00000002.1408064000.00007FF832800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1408111530.00007FF83280C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1408127402.00007FF83280E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1408150539.00007FF83280F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff832800000_rundll32.jbxd

Similarity

API ID: ceil$callocfree
String ID:
API String ID: 4015380324-0
Opcode ID: ffe61c1e437331e362619924dbc882b1748c29c536025809f6c113a5c8bdd440
Instruction ID: 538e8fee2513a1bac9d9dc80cf896049276d8fb9dd28353eb9b8fd2d59b29389
Opcode Fuzzy Hash: ffe61c1e437331e362619924dbc882b1748c29c536025809f6c113a5c8bdd440
Instruction Fuzzy Hash: A0A1B432A14B8896E311DF39D4406FDB7A0FF99B98F048332EA4963765DB74E981DB40

Function 00007FF832808FB0 Relevance: 5.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF832808CF2,?,?,?,?,?,?,?,?,00007FF8328087E2), ref: 00007FF832808FDC
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF832808CF2,?,?,?,?,?,?,?,?,00007FF8328087E2), ref: 00007FF83280901D
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF832808CF2,?,?,?,?,?,?,?,?,00007FF8328087E2), ref: 00007FF83280903C
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF832808CF2,?,?,?,?,?,?,?,?,00007FF8328087E2), ref: 00007FF83280907B

Memory Dump Source

Source File: 00000005.00000002.1408087834.00007FF832801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF832800000, based on PE: true

Associated: 00000005.00000002.1408064000.00007FF832800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1408111530.00007FF83280C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1408127402.00007FF83280E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1408150539.00007FF83280F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff832800000_rundll32.jbxd

Similarity

API ID: callocfree
String ID:
API String ID: 306872129-0
Opcode ID: 15aa3de9cda5ed4716650e95d464635b1c17d6a6e46c7730f98fd0bd36c3e555
Instruction ID: 84dcdc91b681cc838a2e927a59ca7c30d16842ba5d6a29e1b4a8bf4962e2a937
Opcode Fuzzy Hash: 15aa3de9cda5ed4716650e95d464635b1c17d6a6e46c7730f98fd0bd36c3e555
Instruction Fuzzy Hash: 9A313872704A419AD754CF25D840AADB7A0FB84FD8F14C436CA0943768DF78E856DB40

Analysis Process: rundll32.exePID: 4940, Parent PID: 7512COMMON

Non-executed Functions

Function 00007FF832803370 Relevance: 16.8, APIs: 11, Instructions: 282COMMON

Download Yara Rule

APIs

sqrt.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF83280342B
sqrt.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF8328035BA
acos.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF8328035C8
sqrt.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF8328035F1
cos.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF83280360E
cos.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF83280363C
cos.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF83280365D
sqrt.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF832803694
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF8328036BC
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF8328036EB
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF8328036F9

Memory Dump Source

Source File: 0000000A.00000002.1408228746.00007FF832801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF832800000, based on PE: true

Associated: 0000000A.00000002.1408203995.00007FF832800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.1408276598.00007FF83280C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.1408318436.00007FF83280F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff832800000_rundll32.jbxd

Similarity

API ID: sqrt$acos
String ID:
API String ID: 1924845392-0
Opcode ID: 66e196cd4f565e1fe787a2ec665249acba415d5ab10a516904815f744e337c19
Instruction ID: 7dd5cec6d74bdba37a33af3a1df9075a092a9a32077f94f0e08f0acfcd064738
Opcode Fuzzy Hash: 66e196cd4f565e1fe787a2ec665249acba415d5ab10a516904815f744e337c19
Instruction Fuzzy Hash: D8C1C512F28F8955E213863658421F9A254FF7F3E4F19D323F94933672AFA871D2A600

Function 00007FF83280ADC0 Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF83280ADDC
memset.VCRUNTIME140 ref: 00007FF83280AE00
RtlCaptureContext.KERNEL32 ref: 00007FF83280AE09
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF83280AE23
RtlVirtualUnwind.KERNEL32 ref: 00007FF83280AE64
memset.VCRUNTIME140 ref: 00007FF83280AE97
IsDebuggerPresent.KERNEL32 ref: 00007FF83280AEB8
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF83280AED9
UnhandledExceptionFilter.KERNEL32 ref: 00007FF83280AEE4

Memory Dump Source

Source File: 0000000A.00000002.1408228746.00007FF832801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF832800000, based on PE: true

Associated: 0000000A.00000002.1408203995.00007FF832800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.1408276598.00007FF83280C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.1408318436.00007FF83280F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff832800000_rundll32.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: eacc2973cbd1dde0174fa1e808a3fb825669d718628b8f022ae0abaee566525b
Instruction ID: dc0e077bea451a38067e82e5c26a8cb991daddbfa4827342ad7a9ce82030dd82
Opcode Fuzzy Hash: eacc2973cbd1dde0174fa1e808a3fb825669d718628b8f022ae0abaee566525b
Instruction Fuzzy Hash: A8315D72708B819AEB609F60E8407ED7364FB84798F44843ADB4E47BA4DF78D648D710

Function 00007FF83280A490 Relevance: 16.7, APIs: 11, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF83280A4B8
__scrt_initialize_crt.LIBCMT ref: 00007FF83280A4FD
__scrt_acquire_startup_lock.LIBCMT ref: 00007FF83280A50A
_RTC_Initialize.LIBCMT ref: 00007FF83280A538
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FF83280A55E
__scrt_release_startup_lock.LIBCMT ref: 00007FF83280A589

Memory Dump Source

Source File: 0000000A.00000002.1408228746.00007FF832801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF832800000, based on PE: true

Associated: 0000000A.00000002.1408203995.00007FF832800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.1408276598.00007FF83280C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.1408318436.00007FF83280F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff832800000_rundll32.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 349153199-0
Opcode ID: 5c02f2d25d8e562058caf52bfc8ca37935f8dee43ddd379eeef422915e9d1f82
Instruction ID: 306afc872d21e351d765f39728dcf3de84e603229d738a59b0ba8c8c12326ed7
Opcode Fuzzy Hash: 5c02f2d25d8e562058caf52bfc8ca37935f8dee43ddd379eeef422915e9d1f82
Instruction Fuzzy Hash: 95819D21F08643A6F6649B669C512F922A0EF897E0F14C535EB4C477B6DEFCE849A700

Function 00007FF8328055B0 Relevance: 12.7, APIs: 10, Instructions: 248COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,00007FF832804718), ref: 00007FF83280561F
memset.VCRUNTIME140(?,?,?,?,?,?,?,00007FF832804718), ref: 00007FF832805648
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,00007FF832804718), ref: 00007FF832805673
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF832805691
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF83280586F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF83280587A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF83280588D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF83280590E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF832805917
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF83280592A

Memory Dump Source

Source File: 0000000A.00000002.1408228746.00007FF832801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF832800000, based on PE: true

Associated: 0000000A.00000002.1408203995.00007FF832800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.1408276598.00007FF83280C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.1408318436.00007FF83280F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff832800000_rundll32.jbxd

Similarity

API ID: free$calloc$memset
String ID:
API String ID: 2591755499-0
Opcode ID: 082be3346bc34d59fb11e9c397db3feef17fd1bccced53f588ac85f35ba0ea85
Instruction ID: 21f718f6ffe555e097fef9e6a87468e6f40ea1f9dd8f18667e9e474d12d5b403
Opcode Fuzzy Hash: 082be3346bc34d59fb11e9c397db3feef17fd1bccced53f588ac85f35ba0ea85
Instruction Fuzzy Hash: 0DA1B0B2B096819BE714CF15E8446AA7BA1FB89BE4F048134EF4E43764DE7CE845DB00

Function 00007FF832805E40 Relevance: 7.7, APIs: 5, Instructions: 211COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF832805F8F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF832805FC7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF83280601A
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF832806029
ceil.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF832806096

Memory Dump Source

Source File: 0000000A.00000002.1408228746.00007FF832801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF832800000, based on PE: true

Associated: 0000000A.00000002.1408203995.00007FF832800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.1408276598.00007FF83280C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.1408318436.00007FF83280F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff832800000_rundll32.jbxd

Similarity

API ID: callocfree$ceil
String ID:
API String ID: 920742804-0
Opcode ID: 7b353ca00502c3536801fa9377f0099fd6f296448c3ffe68f62c156614f68bc9
Instruction ID: dc1ceb9eb7d20a3e45e38046226d5e7095b6272c4d2bdee5bd993549ec7d4806
Opcode Fuzzy Hash: 7b353ca00502c3536801fa9377f0099fd6f296448c3ffe68f62c156614f68bc9
Instruction Fuzzy Hash: E691F2B2605A4597D7218F2AD8405A9B7A0FF097A0F45C336DF9EA37A1EB3CE945C700

Function 00007FF832806140 Relevance: 6.2, APIs: 4, Instructions: 203COMMON

Download Yara Rule

APIs

ceil.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF8328061B7
ceil.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF8328061DD
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8328062D1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF832806382

Memory Dump Source

Source File: 0000000A.00000002.1408228746.00007FF832801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF832800000, based on PE: true

Associated: 0000000A.00000002.1408203995.00007FF832800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.1408276598.00007FF83280C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.1408318436.00007FF83280F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff832800000_rundll32.jbxd

Similarity

API ID: ceil$callocfree
String ID:
API String ID: 4015380324-0
Opcode ID: ffe61c1e437331e362619924dbc882b1748c29c536025809f6c113a5c8bdd440
Instruction ID: 538e8fee2513a1bac9d9dc80cf896049276d8fb9dd28353eb9b8fd2d59b29389
Opcode Fuzzy Hash: ffe61c1e437331e362619924dbc882b1748c29c536025809f6c113a5c8bdd440
Instruction Fuzzy Hash: A0A1B432A14B8896E311DF39D4406FDB7A0FF99B98F048332EA4963765DB74E981DB40

Function 00007FF832808FB0 Relevance: 5.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF832808CF2,?,?,?,?,?,?,?,?,00007FF8328087E2), ref: 00007FF832808FDC
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF832808CF2,?,?,?,?,?,?,?,?,00007FF8328087E2), ref: 00007FF83280901D
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF832808CF2,?,?,?,?,?,?,?,?,00007FF8328087E2), ref: 00007FF83280903C
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF832808CF2,?,?,?,?,?,?,?,?,00007FF8328087E2), ref: 00007FF83280907B

Memory Dump Source

Source File: 0000000A.00000002.1408228746.00007FF832801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF832800000, based on PE: true

Associated: 0000000A.00000002.1408203995.00007FF832800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.1408276598.00007FF83280C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.1408318436.00007FF83280F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff832800000_rundll32.jbxd

Similarity

API ID: callocfree
String ID:
API String ID: 306872129-0
Opcode ID: 15aa3de9cda5ed4716650e95d464635b1c17d6a6e46c7730f98fd0bd36c3e555
Instruction ID: 84dcdc91b681cc838a2e927a59ca7c30d16842ba5d6a29e1b4a8bf4962e2a937
Opcode Fuzzy Hash: 15aa3de9cda5ed4716650e95d464635b1c17d6a6e46c7730f98fd0bd36c3e555
Instruction Fuzzy Hash: 9A313872704A419AD754CF25D840AADB7A0FB84FD8F14C436CA0943768DF78E856DB40

Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_56d7447d6a13c353c2282cc3f2ec25695913c0_d75f6fa5_9b2953ba-c62e-42a8-a2c8-a3c4d6984f18\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_9de19133aefe36cce1fe9ee66691ccc86823a879_d75f6fa5_d06e6c10-5330-4937-9ceb-dc1518b61a0b\	Jump to behavior

Source: file.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: file.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: file.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: file.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.dll	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: file.dll	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: file.dll	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: file.dll	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.dll	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: file.dll	String found in binary or memory: http://ocsp.digicert.com0
Source: file.dll	String found in binary or memory: http://ocsp.digicert.com0A
Source: file.dll	String found in binary or memory: http://ocsp.digicert.com0C
Source: file.dll	String found in binary or memory: http://ocsp.digicert.com0X
Source: Amcache.hve.8.dr	String found in binary or memory: http://upx.sf.net
Source: file.dll	String found in binary or memory: http://www.digicert.com/CPS0

Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FF832808580	5_2_00007FF832808580
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FF8328069A0	5_2_00007FF8328069A0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FF832803370	5_2_00007FF832803370
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FF832807470	5_2_00007FF832807470
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_00007FF832808580	10_2_00007FF832808580
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_00007FF8328069A0	10_2_00007FF8328069A0
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_00007FF832803370	10_2_00007FF832803370
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_00007FF832807470	10_2_00007FF832807470

Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2504
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7532:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7488
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8016
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4940
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7800

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\file.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\file.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_prism_impl_shape_NativePiscesRasterizer_init
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",#1
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7800 -s 332
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_prism_impl_shape_NativePiscesRasterizer_produceFillAlphas
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4940 -s 324
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_prism_impl_shape_NativePiscesRasterizer_produceStrokeAlphas
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2504 -s 332
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_impl_shape_NativePiscesRasterizer_init
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_impl_shape_NativePiscesRasterizer_produceFillAlphas
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_impl_shape_NativePiscesRasterizer_produceStrokeAlphas
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 8016 -s 324
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7488 -s 324
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\file.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_prism_impl_shape_NativePiscesRasterizer_init	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_prism_impl_shape_NativePiscesRasterizer_produceFillAlphas	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_prism_impl_shape_NativePiscesRasterizer_produceStrokeAlphas	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_impl_shape_NativePiscesRasterizer_init	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_impl_shape_NativePiscesRasterizer_produceFillAlphas	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_impl_shape_NativePiscesRasterizer_produceStrokeAlphas	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: file.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: Amcache.hve.8.dr	Binary or memory string: VMware
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.8.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.8.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: VMware-42 27 ae 88 8c 2b 21 02-a5 86 22 5b 84 51 ac f0
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_1aff9662ccd791d8d4eef4da2398bc923098b68_d75f6fa5_a4482ba1-72b3-4036-ba59-9c7045524573\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_1aff9662ccd791d8d4eef4da2398bc923098b68_d75f6fa5_ce2adf5f-3e69-4e0c-9b84-80f5ada87843\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_56d7447d6a13c353c2282cc3f2ec25695913c0_d75f6fa5_1ac2261b-d3b6-4096-8723-9d2cb56e6a9e\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_56d7447d6a13c353c2282cc3f2ec25695913c0_d75f6fa5_9b2953ba-c62e-42a8-a2c8-a3c4d6984f18\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_9de19133aefe36cce1fe9ee66691ccc86823a879_d75f6fa5_d06e6c10-5330-4937-9ceb-dc1518b61a0b\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1501.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1530.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER15BE.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1679.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER168A.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER16B9.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER801.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER850.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER880.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1D9.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF2D4.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF304.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFBFB.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFC98.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFCC8.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
file.dll