
Windows Analysis Report
file.dll

Overview

General Information

Sample name: file.dll
(renamed file extension from exe to dll)
Original sample name: file.exe
Analysis ID: 1524396
MD5: 3eba0a6d4c057862984383f20d8ad3a9
SHA1: d948669c718485345f11c6c11cbfd0065fea1407
SHA256: db55e7a9fb5ee704aa90e6e011dd4968eb6bb3ae6adcda98f63098a4ab85054f
Tags: dll, exe, signed, x64, user-jstrosch

Detection

Score: 4
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info

Classification

  • System is w10x64
  • loaddll64.exe (PID: 7380 cmdline: loaddll64.exe "C:\Users\user\Desktop\file.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 7388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7432 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\file.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 7456 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7440 cmdline: rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_media_sound_DirectAudioDeviceProvider_nGetNumDevices MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7528 cmdline: rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_media_sound_DirectAudioDeviceProvider_nNewDirectAudioDeviceInfo MD5: EF3179D498793BF4234F708D3BE28633)
      • WerFault.exe (PID: 7604 cmdline: C:\Windows\system32\WerFault.exe -u -p 7528 -s 428 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 7688 cmdline: rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_media_sound_DirectAudioDevice_nAvailable MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7788 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDeviceProvider_nGetNumDevices MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7796 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDeviceProvider_nNewDirectAudioDeviceInfo MD5: EF3179D498793BF4234F708D3BE28633)
      • WerFault.exe (PID: 5848 cmdline: C:\Windows\system32\WerFault.exe -u -p 7796 -s 424 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 7812 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nAvailable MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7832 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nWrite MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7856 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nStop MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7876 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nStart MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7884 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nSetBytePosition MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7892 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nService MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7904 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nRequiresServicing MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7912 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nRead MD5: EF3179D498793BF4234F708D3BE28633)
      • WerFault.exe (PID: 560 cmdline: C:\Windows\system32\WerFault.exe -u -p 7912 -s 424 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 7920 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nOpen MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7932 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nIsStillDraining MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7948 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nGetFormats MD5: EF3179D498793BF4234F708D3BE28633)
      • WerFault.exe (PID: 2516 cmdline: C:\Windows\system32\WerFault.exe -u -p 7948 -s 424 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 7960 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nGetBytePosition MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7984 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nGetBufferSize MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 8000 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nFlush MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 8024 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nClose MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

Source: file.dll; Static PE information: certificate valid
Source: file.dll; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-x64-cygwin\jdk8u361\3183\build\windows-x64\jdk\objs\libjsoundds\jsoundds.pdb source: rundll32.exe, 00000005.00000002.1845247767.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1858048255.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.1801309775.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1798930832.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.1797254854.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1857103515.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000016.00000002.1857082446.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001A.00000002.1801143978.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001B.00000002.1801396979.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, file.dll
Source: C:\Windows\System32\WerFault.exe; File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\System32\WerFault.exe; File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\System32\WerFault.exe; File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_aaf2aa7bbb9b37f79b9c410447131c297ce8878_d75f6fa5_cdadf65e-d1c7-4cc6-91c4-32817610f41f\
Source: C:\Windows\System32\WerFault.exe; File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_8c0c112fa52e9e255c09b8b22c5fbf32e1b4ee_d75f6fa5_361d8f20-ddfd-47f4-82a3-a96decf93460\
Source: C:\Windows\System32\WerFault.exe; File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\System32\WerFault.exe; File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
Source: file.dll; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: file.dll; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: file.dll; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: file.dll; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.dll; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: file.dll; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: file.dll; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: file.dll; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.dll; String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: file.dll; String found in binary or memory: http://ocsp.digicert.com0
Source: file.dll; String found in binary or memory: http://ocsp.digicert.com0A
Source: file.dll; String found in binary or memory: http://ocsp.digicert.com0C
Source: file.dll; String found in binary or memory: http://ocsp.digicert.com0X
Source: Amcache.hve.8.dr; String found in binary or memory: http://upx.sf.net
Source: file.dll; String found in binary or memory: http://www.digicert.com/CPS0
Source: C:\Windows\System32\rundll32.exe; Code function: 5_2_00007FFE148E2FAC
Source: C:\Windows\System32\rundll32.exe; Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7528 -s 428
Source: file.dll; Binary or memory string: OriginalFilename jsoundds.dll vs file.dll
Source: classification engine; Classification label: clean4.winDLL@50/17@0/0
Source: C:\Windows\System32\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7948
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7388:120:WilError_03
Source: C:\Windows\System32\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7796
Source: C:\Windows\System32\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7912
Source: C:\Windows\System32\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7528
Source: C:\Windows\System32\WerFault.exe; File created: C:\ProgramData\Microsoft\Windows\WER\Temp\57ebb9f4-8092-4257-aecc-0d107ca3f063
Source: file.dll; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_media_sound_DirectAudioDeviceProvider_nGetNumDevices
Source: unknown; Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\file.dll"
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\file.dll",#1
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",#1
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_media_sound_DirectAudioDeviceProvider_nNewDirectAudioDeviceInfo
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_media_sound_DirectAudioDevice_nAvailable
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDeviceProvider_nGetNumDevices
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDeviceProvider_nNewDirectAudioDeviceInfo
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nAvailable
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nWrite
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nStop
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nStart
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nSetBytePosition
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nService
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nRequiresServicing
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nRead
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nOpen
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nIsStillDraining
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nGetFormats
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nGetBytePosition
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nGetBufferSize
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nFlush
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nClose
Source: C:\Windows\System32\rundll32.exe; Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7912 -s 424
Source: C:\Windows\System32\rundll32.exe; Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7796 -s 424
Source: C:\Windows\System32\rundll32.exe; Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7948 -s 424
Source: C:\Windows\System32\loaddll64.exe; Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll64.exe; Section loaded: dsound.dll
Source: C:\Windows\System32\loaddll64.exe; Section loaded: winmm.dll
Source: C:\Windows\System32\loaddll64.exe; Section loaded: vcruntime140.dll
Source: C:\Windows\System32\loaddll64.exe; Section loaded: powrprof.dll
Source: C:\Windows\System32\loaddll64.exe; Section loaded: winmmbase.dll
Source: C:\Windows\System32\loaddll64.exe; Section loaded: umpdc.dll
Source: C:\Windows\System32\loaddll64.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\loaddll64.exe; Section loaded: uxtheme.dll
Source: C:\Windows\System32\rundll32.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}\InprocServer32
Source: file.dll; Static PE information: Image base 0x180000000 > 0x60000000
Source: file.dll; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.dll; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.dll; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.dll; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.dll; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.dll; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.dll; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.dll; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.dll; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.dll; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.dll; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll64.exe TID: 7384 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll64.exe Thread delayed: delay time: 120000
Source: C:\Windows\System32\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\System32\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\System32\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_aaf2aa7bbb9b37f79b9c410447131c297ce8878_d75f6fa5_cdadf65e-d1c7-4cc6-91c4-32817610f41f\
Source: C:\Windows\System32\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_8c0c112fa52e9e255c09b8b22c5fbf32e1b4ee_d75f6fa5_361d8f20-ddfd-47f4-82a3-a96decf93460\
Source: C:\Windows\System32\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\System32\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
Source: Amcache.hve.8.dr Binary or memory string: VMware
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.8.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.8.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00007FFE148E4E4C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00007FFE148E4E4C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00007FFE148E4B38 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00007FFE148E4B38
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",#1
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00007FFE148E4F98 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,5_2_00007FFE148E4F98
Source: Amcache.hve.8.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: MsMpEng.exe
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Rundll32 | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 21 Virtualization/Sandbox Evasion | LSASS Memory | 31 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 2 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Behavior Graph (ID: 1524396, Sample: file.exe, Startdate: 02/10/2024, Architecture: WINDOWS, Score: 4). Recoverable structure: loaddll64.exe starts three rundll32.exe instances and 19 other processes; each of the three rundll32.exe instances starts a WerFault.exe, and the other processes start a further WerFault.exe and a rundll32.exe.

Source | Detection | Scanner | Label | Link
file.dll | 0% | ReversingLabs | |
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://upx.sf.net | 0% | URL Reputation | safe |
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.8.dr | false | URL Reputation: safe | unknown
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1524396
Start date and time: 2024-10-02 18:41:23 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 24s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 43
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.dll
(renamed file extension from exe to dll)
Original Sample Name: file.exe
Detection: CLEAN
Classification: clean4.winDLL@50/17@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 3
  • Number of non-executed functions: 4
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 20.42.65.92
  • Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed; the report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
  • VT rate limit hit for: file.dll
Time | Type | Description
12:42:26 | API Interceptor | 1x Sleep call for process: loaddll64.exe modified
12:42:31 | API Interceptor | 4x Sleep call for process: WerFault.exe modified
No context
Process:C:\Windows\System32\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.8247126392863233
Encrypted:false
SSDEEP:192:X3FiMIybo0e0Iv2lfjlwDzuiF6Z24lO8V:FimbRIv2djuzuiF6Y4lO8V
MD5:6153A85867663B05570E712E062A79A7
SHA1:D4C167B89D03242CBD50F1986C92CCFCD132BFE2
SHA-256:FA1CF23393F2B50CDFA03BE94B075C2894CEE8C8277EB4CC8F1BB885279869AD
SHA-512:17578FB991F840BAB613CE2F3D2A0FCFABF99FAD40001E2AAC0467E1E6A4C2B57C64B638917CF1C01C8B2E0B8DAB56DE85DFBD7C57CE27BFB55C808FC4236CB6
Malicious:false
Process:C:\Windows\System32\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.8242486313348399
Encrypted:false
SSDEEP:192:hzkFi+IyIo0N0IvuKjlwDzuiF6Z24lO8V:FSikI6IvuKjuzuiF6Y4lO8V
MD5:0928EC14507D9933B93E4318ABAC7BC4
SHA1:26D2BECC7AE5AD9545F1CA76661DA68F16132894
SHA-256:4442C03DEC681B2BAACCEF2E5E8349B625A36C7FDEB25CD289EB1F3C5475674B
SHA-512:A535F808896CD3C2FD0D41565BFAB9AB990E7E2DEB3340688035DD9C36F670B77BEB55D7A749D63F552A1594B6B10F3BD2DD1364051E418F806B25E4A988D0C4
Malicious:false
Process:C:\Windows\System32\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.8269001855607607
Encrypted:false
SSDEEP:192:ePadFi+Iy3o0X0IvtEjlwDzuiF6Z24lO8V:oYik3wIvtEjuzuiF6Y4lO8V
MD5:E30E9A3C8D139C53C630D3D1960A13ED
SHA1:BD31F59FB029C0B464BCCCBA2CE5DD1D52D56FB8
SHA-256:8766F25A37465929D8DEA45EEBFBAAE15517665FB6768C00E015DB833FB720D1
SHA-512:8ABB98195A74A9F4C8EC78CA591A8BD4A1FE80045BE2F83F0128064B086357EA511A8FCA93660DC57C0365F33B6208D4573DDF139A2A3ED7A4779393ADAFD132
Malicious:false
Process:C:\Windows\System32\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.8273606856775506
Encrypted:false
SSDEEP:192:Xx0UVFiLy6io0X0IvtEjlQDzuiF6Z24lO8V:XTiuPwIvtEjOzuiF6Y4lO8V
MD5:4715297CCB98666AD3E432C3B6E7A8F1
SHA1:3A432CCFBE1C41D83FD644053BC5CEE160454DF3
SHA-256:8829196CCE4F60BEB58875635B8B6476616768DF693B7D103E45168ACB06B8E3
SHA-512:AD5EE6017BDF90C36D8D196CEBA36C4DC0D5EE95E25B06E0AE19A2DA916695097A0E49CC070ABC9318062D410AA795936812057003C40F3CCD26DC7C393CF4A6
Malicious:false
Process:C:\Windows\System32\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Wed Oct 2 16:42:27 2024, 0x1205a4 type
Category:dropped
Size (bytes):68828
Entropy (8bit):1.620907839967701
Encrypted:false
SSDEEP:192:rMFBjDOMx++MYgPymb5eQUajwG4JWBz+v77RlTZ54YdtABupkq6:9FFYUymb5eQULWBz+v712PBck
MD5:18809A69265038577821B7F07B5B1D01
SHA1:5BCB905B3F056C027FBE6A50B4E856A00CB84CCC
SHA-256:BEF85BF54B2B9974EF38E63BAFB828F42F0E3FDAFBA79F84EE166D3F27A73E77
SHA-512:9573ED3022A9DA21F17775F8812055BA9C32BA390439DD439AA828887CCB57D01DA19A113DD68E14DFF3600751602402118932D939647E436423C5C64792008B
Malicious:false
Process:C:\Windows\System32\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Wed Oct 2 16:42:27 2024, 0x1205a4 type
Category:dropped
Size (bytes):70588
Entropy (8bit):1.6022237905761223
Encrypted:false
SSDEEP:384:rFlFeU2Q7awCQA1v5jK7INjQnvmE1e/BITU:rFlFiwCQ3KQnS
MD5:5EF2A8B4061A453D3CA14AE650703C33
SHA1:91274FA0937CA396C1014BE80147E4B0DA32D36E
SHA-256:3EE7A1F5201CB78844C6A4864A77364CFFB21751080E81C6D25A6D25611AFCA8
SHA-512:8D27924B9CDCE08F6F668B1504740709ABB955755482CF55444EBEE39476FB4E2D816F01C9A425A71F27BACDDA955605223587FB7EBA6C76C2C42885662BC552
Malicious:false
Process:C:\Windows\System32\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Wed Oct 2 16:42:27 2024, 0x1205a4 type
Category:dropped
Size (bytes):70388
Entropy (8bit):1.5908024008368407
Encrypted:false
SSDEEP:192:rIFBv67OMx+xUTTbrnB7njnEFI58tWQqmwnITv+AhUTDyPav6gjDPo:I6CFWTbB7njn+tWQqav+AhUTuPavN
MD5:ED7396FA160EEFC763889AFDCB94750F
SHA1:BA48EED24DA31ED231B86B9B9CAE0388ED423555
SHA-256:E178D8D19CE4FC5A207AD24EE442B1D4C0C037029771D9F8411B37775196C096
SHA-512:8EECA100B195CCA8AF269C1D66BC8CC5FE7D0F53EFD623FE9EFEE4CFE4391C0496F37E49879992E45357C2CBCDB8E31675CAAAB2455430A496FD2CC4C7734069
Malicious:false
Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8516
Entropy (8bit):3.6960583772752464
Encrypted:false
SSDEEP:192:R6l7wVeJ4i+Axq6YVDXMfQgmfiL00UxprD89bZ8kfITm:R6lXJVY6YJXMfQgmfGPhZXfR
MD5:27987243199F349BBE702B56C184DC94
SHA1:05F0CE53FDB20B184C85CA973EF9332D10257CAC
SHA-256:F7EB69C283A3A7C00B2DA4219343C5FAA013C313F509C54D9D6600B6D5DA3DA9
SHA-512:C97D28B08FF3D031608BB87071735914C8301918C5DE4591971E99B380168A09CBB927CEA1EAF0349FC468F452B74124C0CCAF0F82BD50CF164F9777058E3CF1
Malicious:false
Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8764
Entropy (8bit):3.7006371000037452
Encrypted:false
SSDEEP:192:R6l7wVeJ6Xtxq6YVD+MfQgmfiL0vopr/89bZN7frXTm:R6lXJSu6YJ+MfQgmfG0tZRf2
MD5:27BA217598DE67641A46300CF6F117C5
SHA1:D857BB440188C34D38FA48E4305CAF891B054C39
SHA-256:A1C1CDB12D455D8A41DEB1C7FE02540A1B7AC0EFD42DD6C054F488CA301B40F8
SHA-512:FAA61896D3A795960B71C60FD9D58412403299C3330596FD5CC85C7097AC3D61D64C95701B29BECE0FB8E6D779BEBFED1E046C0CFF1F3F6D004C62E99E958F33
Malicious:false
Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4730
Entropy (8bit):4.463871466030304
Encrypted:false
SSDEEP:48:cvIwWl8zsmJg771I9kvWpW8VYJYm8M4JCFCtsNBFpbyq85m4zVZptSTS8d:uIjf8I7f+7VtJitbG3poO8d
MD5:C391EFE65C7C42F8EB69AFD7D1046085
SHA1:738891CB670886CB125CA14930505B33AE7E2B67
SHA-256:93CB254ACE98AEBEC40E65A4AE71702BD400343B87950E02A4BD706EBEEFF849
SHA-512:C2EB1A84A3CD8F8E61B4B5CD0D5373283BF18F1CB3C6AFB63F443551D59D7E90250D8E747F42CD2850180730B2B54DF5A457F8FED38155A43BCD165DEE678F12
Malicious:false
Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4729
Entropy (8bit):4.463317336130677
Encrypted:false
SSDEEP:48:cvIwWl8zsmJg771I9kvWpW8VY7PYm8M4JCFCtsNsFlyq85m4zVGhptSTSNad:uIjf8I7f+7VmSJiwG4hpoONad
MD5:39BB941159B8F027C496182B0E5CEE2A
SHA1:CD6361B2BE401057B64B1A586FADBF64520A3E25
SHA-256:31285B3947B3B24149B6642E98DA7DE062EF487C730794A979670C3D4B878536
SHA-512:73737AEA486C7C0EFF75405309CC4D6FA8CCB9D1C73F20A7A474DBCD61A7C6138D930AC3AC87D964246D3F9CD120F77C3EEC7DD855B82D2AAF466D68B395AECB
Malicious:false
Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8516
Entropy (8bit):3.6951922097815917
Encrypted:false
SSDEEP:192:R6l7wVeJnle6YVDtMfQgmfiL0tJprN89bZgkf0Tm:R6lXJle6YJtMfQgmfGy+Z7f9
MD5:C00E4CA16CC3710109E869C8DECB191D
SHA1:FF349D96BAF882E050418A44FE646096E154B318
SHA-256:04F7D465CA4F73BC8CC4F063164FD9DCC1B9F27D6F7EA05EAD6F03E4BFE5E6EF
SHA-512:FD121B3BA42050C5ED76A434E48F45F1E028BE818233DEBF99038CAB19C0E8F69023EA66013982B12A05B6B9EB585E052918450762A7B52267DF3C6AC2B4A63C
Malicious:false
Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4729
Entropy (8bit):4.4649365606321485
Encrypted:false
SSDEEP:48:cvIwWl8zsmJg771I9kvWpW8VYNYm8M4JCFCtsN3FOryq85m4zVfptSTS1d:uIjf8I7f+7VtJiwGJpoO1d
MD5:669CBA42F2F720858A4679D593156BD5
SHA1:38CCD84B91E7330204D3A40CF70D068F2728910E
SHA-256:18D46AAA7B75A41530AD6A5DFD53EB54F34A3445A49D2757754AA3AA294A10D4
SHA-512:51608F2D256FD12251618C24C9F19E023E12FA0DBC77BE25F19CA5388C2F285D5CA9503C06F0D328C5067109537418FCC4A14560A250BD91EA40D14FF4F4D898
Malicious:false
Process:C:\Windows\System32\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Wed Oct 2 16:42:20 2024, 0x1205a4 type
Category:dropped
Size (bytes):72652
Entropy (8bit):1.5949374749139504
Encrypted:false
SSDEEP:192:EVCD916OMxGTg7WuVFU0zvIYw4aoSpweeCjUGNjsXvmo+1AkKYrBaL/bgwpU:jNTAkXpwBbOjsXvmo+12YrBob1pU
MD5:C6205002A3329E39C5C08FB1542F023C
SHA1:A6D1E1BD1363237189D5417C2C051EB7B360FE38
SHA-256:E57D87DDF1BCE7C4D741C7695C4E696E4F8C35BDCD1065AB63DD99067D6B89C8
SHA-512:4A52E7300782B48DF1ABE268FA04DD26CA31DC55D01783675B7D73566E899C79E04769FB0EC1D21EE707129993DB0E393522F860CD2C39D399B8CE59BA3C0F7E
Malicious:false
Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8744
Entropy (8bit):3.699037236395879
Encrypted:false
SSDEEP:192:R6l7wVeJd+2Axq6YVy3fhgmfiL0voprp89bmCzf2Cm:R6lXJEQ6YQpgmfG0Lmefa
MD5:26D67D3E4F5F7D4554F4B5557A4E696B
SHA1:68449F257083F8820ED6F5E069E5AF14416FBC49
SHA-256:2C40D472FF46096CF15AF47C0F57ADA32532072994FD8D33081B03461FABC87A
SHA-512:66C5AE0FB96B439BF29E817BEA149D48A7D8DF129840AAB4936B6C2B010BEF0942022C90EB0458B15B6C724D443BC004B9E10BEF16505CABD0CA3105F062F204
Malicious:false
Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4730
Entropy (8bit):4.463809507356051
Encrypted:false
SSDEEP:48:cvIwWl8zsmJg771I9kvWpW8VYTYm8M4JCFCtsNBFVyq85m4zVDptSTSed:uIjf8I7f+7VbJi5GlpoOed
MD5:F8C4C9578987216F3D26351B200544A0
SHA1:B02D0038580CA0D21B6D3C7C9F5BA6AABD2C90DF
SHA-256:66A75F793EE58D9B041E1F981FB963F815124ADB7F23517A9B3559139B6E0C05
SHA-512:5CB7917E88B33B59ECAABC97050D832FFD02A081B2B1CF58940FB5EDB0E914E3ABC8EB6A97E364A37CCE27D33AD24F9EB3A1BEFE9A4E391442E6C09AA8F78F1A
Malicious:false
Process:C:\Windows\System32\WerFault.exe
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):1835008
Entropy (8bit):4.466391747429157
Encrypted:false
SSDEEP:6144:YIXfpi67eLPU9skLmb0b4zWSPKaJG8nAgejZMMhA2gX4WABl0uNcdwBCswSb9:NXD94zWlLZMM6YFHa+9
MD5:741A42E45BFAFF93980E21E1830FAAD0
SHA1:AA262A6D88A5769D003F9E71EC27392BA01FB280
SHA-256:96E464B008FBB2A7066868B5F6EF4D3326B13945CD7BE1267D754F989329D154
SHA-512:D9E0353227EE00D6D13C81C69BAAEFD1FF6FA4EA1F7BFE98846634218315306ED5E08304D64AE3E211CF4466C3B748496418BFF9F76B9E5BCDA604B5249B652D
Malicious:false
File type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):6.594819095253984
TrID:
  • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
  • Win64 Executable (generic) (12005/4) 10.17%
  • Generic Win/DOS Executable (2004/3) 1.70%
  • DOS Executable Generic (2002/1) 1.70%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:file.dll
File size:38'560 bytes
MD5:3eba0a6d4c057862984383f20d8ad3a9
SHA1:d948669c718485345f11c6c11cbfd0065fea1407
SHA256:db55e7a9fb5ee704aa90e6e011dd4968eb6bb3ae6adcda98f63098a4ab85054f
SHA512:580aab755931ad988a97e857b7f63d8fd7695238b863a5cf64664be87781c5f5d8b89cb2cab8fbfe1e260d0b150f8295cbbabfc6c06dee5a132a5f84a5bdb10e
SSDEEP:768:ZUnuO+VvZLaICImRUkyh98KdPMYiUFylPxWEUc:ZPNhCNYUCPM7U0PxN
TLSH:6B036DF7F158FEE6E48B84B0AAC2B723D330365145928FCE6715C7594F1B603A20A766
Icon Hash:7ae282899bbab082
Entrypoint:0x180004af8
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x180000000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x63BBD4C4 [Mon Jan 9 08:48:04 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:145ca979761fd090fd4e48b33289ce1c
Signature Valid:true
Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:The operation completed successfully
Error Number:0
Not Before, Not After
  • 19/08/2021 01:00:00 20/08/2023 00:59:59
Subject Chain
  • CN="Oracle America, Inc.", OU=Software Engineering, O="Oracle America, Inc.", L=Redwood City, S=California, C=US
Version:3
Thumbprint MD5:2876C1BECB51837D0E3DE50903D025B6
Thumbprint SHA-1:940D69C0A34A1B4CFD8048488BA86F4CED60481A
Thumbprint SHA-256:EE46613A38B4F486164BCE7FB23178667715617F511B364594311A1548B08EB1
Serial:068BE2F53452C882F18ED41A5DD4E7A3
Instruction
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
push edi
dec eax
sub esp, 20h
dec ecx
mov edi, eax
mov ebx, edx
dec eax
mov esi, ecx
cmp edx, 01h
jne 00007FD82127FBF7h
call 00007FD821280074h
dec esp
mov eax, edi
mov edx, ebx
dec eax
mov ecx, esi
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov esi, dword ptr [esp+38h]
dec eax
add esp, 20h
pop edi
jmp 00007FD82127FA84h
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
xor ecx, ecx
call dword ptr [0000156Fh]
dec eax
mov ecx, ebx
call dword ptr [0000155Eh]
call dword ptr [00001568h]
dec eax
mov ecx, eax
mov edx, C0000409h
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [0000155Ch]
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 38h
mov ecx, 00000017h
call 00007FD8212801A6h
test eax, eax
je 00007FD82127FBF9h
mov ecx, 00000002h
int 29h
dec eax
lea ecx, dword ptr [00003F8Fh]
call 00007FD82127FC9Fh
dec eax
mov eax, dword ptr [esp+38h]
dec eax
mov dword ptr [00004076h], eax
dec eax
lea eax, dword ptr [esp+38h]
dec eax
add eax, 08h
dec eax
mov dword ptr [00004006h], eax
dec eax
mov eax, dword ptr [0000405Fh]
dec eax
mov dword ptr [00003ED0h], eax
Programming Language:
  • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x6b90 | 0x498 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7028 | 0xc8 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb000 | 0x3a8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xa000 | 0x414 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x6e00 | 0x28a0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc000 | 0x18 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x63d0 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x6430 | 0x100 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x6000 | 0x1e0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x4240 | 0x4400 | 10434cc150e49b4c4b3d9702989f4389 | False | 0.5001148897058824 | data | 6.402448419543998 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x6000 | 0x1728 | 0x1800 | 9db75af0b1f76da6ef34e52058960a2e | False | 0.3938802083333333 | data | 4.69613831702573 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x8000 | 0x1028 | 0x200 | 453185540654a0fc2369d5c9fd4c8764 | False | 0.1171875 | DOS executable (block device driver) | 0.5880203660963527 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0xa000 | 0x414 | 0x600 | 54f40966546c8d4f2a98f23556904dd8 | False | 0.34765625 | data | 3.0284790702083986 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0xb000 | 0x3a8 | 0x400 | 1212389b9c261c2809efd1a0865d3292 | False | 0.4111328125 | data | 3.086335558930524 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xc000 | 0x18 | 0x200 | c6b98f325bb000ed1358c81b0d04d53d | False | 0.07421875 | data | 0.3437437745953952 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xb060 | 0x344 | data | | | 0.46411483253588515
DLL | Import
DSOUND.dll |
WINMM.dll | timeGetTime
USER32.dll | GetDesktopWindow, GetForegroundWindow
ole32.dll | CoInitialize, CoUninitialize
KERNEL32.dll | InitializeSListHead, DisableThreadLibraryCalls, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, CloseHandle, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, SetEvent, WaitForSingleObject, CreateEventA, CreateThread, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent
VCRUNTIME140.dll | __std_type_info_destroy_list, memset, __C_specific_handler, memcpy, memcmp
api-ms-win-crt-heap-l1-1-0.dll | free, malloc
api-ms-win-crt-string-l1-1-0.dll | strcpy, strncpy
api-ms-win-crt-runtime-l1-1-0.dll | _initterm_e, _initterm, _cexit, _seh_filter_dll, _configure_narrow_argv, _initialize_narrow_environment, _initialize_onexit_table, _register_onexit_function, _execute_onexit_table, _crt_atexit
Name | Ordinal | Address
Java_com_sun_media_sound_DirectAudioDeviceProvider_nGetNumDevices | 1 | 0x180002dc0
Java_com_sun_media_sound_DirectAudioDeviceProvider_nNewDirectAudioDeviceInfo | 2 | 0x180002dc8
Java_com_sun_media_sound_DirectAudioDevice_nAvailable | 3 | 0x1800010b0
Java_com_sun_media_sound_DirectAudioDevice_nClose | 4 | 0x1800010d4
Java_com_sun_media_sound_DirectAudioDevice_nFlush | 5 | 0x180001110
Java_com_sun_media_sound_DirectAudioDevice_nGetBufferSize | 6 | 0x180001130
Java_com_sun_media_sound_DirectAudioDevice_nGetBytePosition | 7 | 0x180001154
Java_com_sun_media_sound_DirectAudioDevice_nGetFormats | 8 | 0x18000117c
Java_com_sun_media_sound_DirectAudioDevice_nIsStillDraining | 9 | 0x1800011e0
Java_com_sun_media_sound_DirectAudioDevice_nOpen | 10 | 0x18000120c
Java_com_sun_media_sound_DirectAudioDevice_nRead | 11 | 0x180001324
Java_com_sun_media_sound_DirectAudioDevice_nRequiresServicing | 12 | 0x1800013dc
Java_com_sun_media_sound_DirectAudioDevice_nService | 13 | 0x180001400
Java_com_sun_media_sound_DirectAudioDevice_nSetBytePosition | 14 | 0x180001420
Java_com_sun_media_sound_DirectAudioDevice_nStart | 15 | 0x180001444
Java_com_sun_media_sound_DirectAudioDevice_nStop | 16 | 0x180001464
Java_com_sun_media_sound_DirectAudioDevice_nWrite | 17 | 0x180001484
No network behavior found

Target ID:0
Start time:12:42:16
Start date:02/10/2024
Path:C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):false
Commandline:loaddll64.exe "C:\Users\user\Desktop\file.dll"
Imagebase:0x7ff771a60000
File size:165'888 bytes
MD5 hash:763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:1
Start time:12:42:16
Start date:02/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:2
Start time:12:42:16
Start date:02/10/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\file.dll",#1
Imagebase:0x7ff7f66e0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:3
Start time:12:42:16
Start date:02/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_media_sound_DirectAudioDeviceProvider_nGetNumDevices
Imagebase:0x7ff7ae490000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:4
Start time:12:42:16
Start date:02/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\file.dll",#1
Imagebase:0x7ff7ae490000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:5
Start time:12:42:19
Start date:02/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_media_sound_DirectAudioDeviceProvider_nNewDirectAudioDeviceInfo
Imagebase:0x7ff7ae490000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:8
Start time:12:42:20
Start date:02/10/2024
Path:C:\Windows\System32\WerFault.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\WerFault.exe -u -p 7528 -s 428
Imagebase:0x7ff71e800000
File size:570'736 bytes
MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:9
Start time:12:42:22
Start date:02/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_media_sound_DirectAudioDevice_nAvailable
Imagebase:0x7ff7ae490000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:10
Start time:12:42:25
Start date:02/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDeviceProvider_nGetNumDevices
Imagebase:0x7ff7ae490000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:11
Start time:12:42:25
Start date:02/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDeviceProvider_nNewDirectAudioDeviceInfo
Imagebase:0x7ff7ae490000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:12
Start time:12:42:25
Start date:02/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nAvailable
Imagebase:0x7ff7ae490000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:13
Start time:12:42:25
Start date:02/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nWrite
Imagebase:0x7ff7ae490000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:14
Start time:12:42:25
Start date:02/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nStop
Imagebase:0x7ff7ae490000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:15
Start time:12:42:25
Start date:02/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nStart
Imagebase:0x7ff7ae490000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:16
Start time:12:42:25
Start date:02/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nSetBytePosition
Imagebase:0x7ff7ae490000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:17
Start time:12:42:25
Start date:02/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nService
Imagebase:0x7ff7ae490000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:18
Start time:12:42:25
Start date:02/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nRequiresServicing
Imagebase:0x7ff7ae490000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:19
Start time:12:42:25
Start date:02/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nRead
Imagebase:0x7ff7ae490000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:20
Start time:12:42:25
Start date:02/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nOpen
Imagebase:0x7ff7ae490000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:21
Start time:12:42:25
Start date:02/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nIsStillDraining
Imagebase:0x7ff7ae490000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:12:42:25
Start date:02/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nGetFormats
Imagebase:0x7ff7ae490000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:23
Start time:12:42:26
Start date:02/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nGetBytePosition
Imagebase:0x7ff7ae490000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:25
Start time:12:42:26
Start date:02/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nGetBufferSize
Imagebase:0x7ff7ae490000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:26
Start time:12:42:26
Start date:02/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nFlush
Imagebase:0x7ff7ae490000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:27
Start time:12:42:26
Start date:02/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_DirectAudioDevice_nClose
Imagebase:0x7ff7ae490000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:32
Start time:12:42:26
Start date:02/10/2024
Path:C:\Windows\System32\WerFault.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\WerFault.exe -u -p 7912 -s 424
Imagebase:0x7ff649540000
File size:570'736 bytes
MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:33
Start time:12:42:26
Start date:02/10/2024
Path:C:\Windows\System32\WerFault.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\WerFault.exe -u -p 7796 -s 424
Imagebase:0x7ff649540000
File size:570'736 bytes
MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:38
Start time:12:42:26
Start date:02/10/2024
Path:C:\Windows\System32\WerFault.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\WerFault.exe -u -p 7948 -s 424
Imagebase:0x7ff649540000
File size:570'736 bytes
MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true


    Execution Graph

    Execution Coverage:7.5%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:4.5%
    Total number of Nodes:177
    Total number of Limit Nodes:1
    execution_graph 1466 7ffe148e51fd __scrt_dllmain_exception_filter 1293 7ffe148e37b8 CoInitializeEx 1294 7ffe148e380d WaitForSingleObject 1293->1294 1295 7ffe148e3829 CoUninitialize 1294->1295 1296 7ffe148e37c6 SetEvent 1294->1296 1296->1294 1467 7ffe148e4af8 1468 7ffe148e4b19 1467->1468 1469 7ffe148e4b14 1467->1469 1471 7ffe148e4f98 1469->1471 1472 7ffe148e4fbb GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 1471->1472 1473 7ffe148e502f 1471->1473 1472->1473 1473->1468 1474 7ffe148e31f8 1475 7ffe148e38f8 memcmp 1474->1475 1476 7ffe148e321e 1475->1476 1477 7ffe148e323d 1476->1477 1478 7ffe148e3222 strncpy 1476->1478 1478->1477 1305 7ffe148e10d4 1306 7ffe148e10d9 1305->1306 1307 7ffe148e110a 1305->1307 1306->1307 1312 7ffe148e39e8 1306->1312 1310 7ffe148e10fb free 1311 7ffe148e1101 free 1310->1311 1311->1307 1313 7ffe148e10f2 1312->1313 1314 7ffe148e39ed 1312->1314 1313->1310 1313->1311 1315 7ffe148e3a01 free 1314->1315 1315->1313 1316 7ffe148e1110 1317 7ffe148e112a 1316->1317 1318 7ffe148e1119 1316->1318 1318->1317 1320 7ffe148e3a10 1318->1320 1321 7ffe148e3a1f 1320->1321 1323 7ffe148e3a38 1320->1323 1326 7ffe148e33c4 1321->1326 1324 7ffe148e3a36 1323->1324 1325 7ffe148e33c4 2 API calls 1323->1325 1324->1317 1325->1324 1330 7ffe148e33f5 1326->1330 1327 7ffe148e3527 1329 7ffe148e3530 memset 1327->1329 1331 7ffe148e354d 1327->1331 1328 7ffe148e350e memset 1328->1327 1329->1331 1330->1327 1330->1328 1330->1331 1331->1324 1332 7ffe148e3250 1338 7ffe148e38f8 1332->1338 1335 7ffe148e32b5 memset 1337 7ffe148e32c6 1335->1337 1336 7ffe148e32be memcpy 1336->1337 1340 7ffe148e391d 1338->1340 1341 7ffe148e3269 1338->1341 1340->1341 1342 7ffe148e399c 1340->1342 1341->1335 1341->1336 1341->1337 1343 7ffe148e39a9 1342->1343 1344 7ffe148e39cf memcmp 1343->1344 1345 7ffe148e39b3 1343->1345 1344->1345 1345->1340 1346 7ffe148e120c malloc 1347 7ffe148e12d1 1346->1347 1348 7ffe148e1242 1346->1348 1352 7ffe148e3d74 1348->1352 1351 7ffe148e12c4 
free 1351->1347 1353 7ffe148e3d9a 1352->1353 1364 7ffe148e12bc 1352->1364 1354 7ffe148e3e0c malloc 1353->1354 1353->1364 1355 7ffe148e3e23 memset 1354->1355 1354->1364 1365 7ffe148e32f4 1355->1365 1358 7ffe148e3ea7 1360 7ffe148e3eae free 1358->1360 1360->1364 1362 7ffe148e3e7e 1363 7ffe148e33c4 2 API calls 1362->1363 1363->1364 1364->1347 1364->1351 1366 7ffe148e331b 1365->1366 1371 7ffe148e3370 1365->1371 1367 7ffe148e399c memcmp 1366->1367 1368 7ffe148e332d 1367->1368 1369 7ffe148e337f GetForegroundWindow 1368->1369 1368->1371 1370 7ffe148e338d GetDesktopWindow 1369->1370 1369->1371 1370->1371 1371->1358 1372 7ffe148e35ac 1371->1372 1373 7ffe148e35ff 1372->1373 1374 7ffe148e3658 memset 1373->1374 1375 7ffe148e3631 memset 1373->1375 1376 7ffe148e3677 1374->1376 1375->1376 1379 7ffe148e43c0 1376->1379 1380 7ffe148e43ca 1379->1380 1381 7ffe148e36af 1380->1381 1382 7ffe148e4b6c IsProcessorFeaturePresent 1380->1382 1381->1358 1381->1362 1383 7ffe148e4b83 1382->1383 1388 7ffe148e4c40 RtlCaptureContext 1383->1388 1389 7ffe148e4c5a RtlLookupFunctionEntry 1388->1389 1390 7ffe148e4b96 1389->1390 1391 7ffe148e4c70 RtlVirtualUnwind 1389->1391 1392 7ffe148e4b38 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 1390->1392 1391->1389 1391->1390 1479 7ffe148e302c EnterCriticalSection 1480 7ffe148e3065 LeaveCriticalSection 1479->1480 1481 7ffe148e3044 SetEvent CloseHandle 1479->1481 1481->1480 1482 7ffe148e44ac 1483 7ffe148e44d0 __scrt_acquire_startup_lock 1482->1483 1484 7ffe148e515a _seh_filter_dll 1483->1484 1393 7ffe148e2dc8 1396 7ffe148e2e06 1393->1396 1394 7ffe148e43c0 8 API calls 1395 7ffe148e2f12 1394->1395 1398 7ffe148e2e48 1396->1398 1399 7ffe148e2f30 1396->1399 1398->1394 1400 7ffe148e5154 1399->1400 1401 7ffe148e2f56 strcpy strcpy strcpy 1400->1401 1404 7ffe148e3bf0 1401->1404 1405 7ffe148e3c07 1404->1405 1406 7ffe148e2f99 1405->1406 1407 7ffe148e3c47 #7 1405->1407 1408 7ffe148e3c39 #2 1405->1408 1406->1398 1409 7ffe148e3c53 
strncpy 1407->1409 1408->1409 1409->1406 1410 7ffe148e1444 1411 7ffe148e144d 1410->1411 1412 7ffe148e145e 1410->1412 1411->1412 1414 7ffe148e4050 1411->1414 1415 7ffe148e40bb 1414->1415 1418 7ffe148e4068 1414->1418 1416 7ffe148e40b9 1415->1416 1417 7ffe148e3750 4 API calls 1415->1417 1416->1412 1417->1416 1418->1416 1422 7ffe148e3750 EnterCriticalSection 1418->1422 1420 7ffe148e33c4 2 API calls 1420->1416 1421 7ffe148e408c 1421->1416 1421->1420 1423 7ffe148e3779 SetEvent WaitForSingleObject 1422->1423 1424 7ffe148e3772 1422->1424 1425 7ffe148e37a3 LeaveCriticalSection 1423->1425 1424->1425 1425->1421 1426 7ffe148e1484 1427 7ffe148e14d8 1426->1427 1428 7ffe148e14c6 1426->1428 1428->1427 1429 7ffe148e1580 1428->1429 1430 7ffe148e156f free 1428->1430 1433 7ffe148e15ba 1428->1433 1431 7ffe148e1585 malloc 1429->1431 1429->1433 1430->1429 1431->1427 1431->1433 1434 7ffe148e4174 1433->1434 1440 7ffe148e4197 1434->1440 1435 7ffe148e4306 1435->1427 1436 7ffe148e3750 4 API calls 1436->1435 1437 7ffe148e424d 1438 7ffe148e4256 memcpy 1437->1438 1439 7ffe148e4272 1437->1439 1438->1439 1441 7ffe148e4282 memcpy 1439->1441 1443 7ffe148e4241 1439->1443 1440->1437 1442 7ffe148e33c4 2 API calls 1440->1442 1440->1443 1441->1443 1442->1440 1443->1435 1443->1436 1485 7ffe148e1324 1486 7ffe148e1352 1485->1486 1488 7ffe148e138e 1485->1488 1486->1488 1489 7ffe148e3ed0 1486->1489 1490 7ffe148e3f03 1489->1490 1491 7ffe148e3f7d 1490->1491 1492 7ffe148e3f64 memcpy 1490->1492 1494 7ffe148e3f54 1490->1494 1493 7ffe148e3f8c memcpy 1491->1493 1491->1494 1492->1491 1493->1494 1494->1488 1298 7ffe148e1000 1301 7ffe148e2fac InitializeCriticalSection CreateEventA CreateEventA 1298->1301 1300 7ffe148e1010 _onexit 1302 7ffe148e2ff4 1301->1302 1303 7ffe148e3020 1301->1303 1302->1303 1304 7ffe148e2ffd CreateThread 1302->1304 1303->1300 1304->1303 1444 7ffe148e2dc0 1445 7ffe148e3ae4 1444->1445 1446 7ffe148e3b17 #2 1445->1446 1447 7ffe148e3af9 timeGetTime 1445->1447 1450 7ffe148e3b81 #7 1446->1450 1451 
7ffe148e3b61 1446->1451 1447->1446 1448 7ffe148e3bde 1447->1448 1453 7ffe148e3bc9 timeGetTime 1450->1453 1454 7ffe148e3ba4 1450->1454 1452 7ffe148e38f8 memcmp 1451->1452 1455 7ffe148e3b6a 1452->1455 1453->1448 1456 7ffe148e38f8 memcmp 1454->1456 1455->1450 1457 7ffe148e3bad 1456->1457 1457->1453 1458 7ffe148e1400 1459 7ffe148e141a 1458->1459 1460 7ffe148e1409 1458->1460 1460->1459 1462 7ffe148e4004 1460->1462 1463 7ffe148e4008 1462->1463 1465 7ffe148e4022 1462->1465 1464 7ffe148e33c4 2 API calls 1463->1464 1463->1465 1464->1465 1465->1459 1495 7ffe148e11e0 1496 7ffe148e11ed 1495->1496 1497 7ffe148e11fe 1495->1497 1496->1497 1499 7ffe148e40fc 1496->1499 1500 7ffe148e33c4 2 API calls 1499->1500 1501 7ffe148e410f 1500->1501 1501->1497

    Callgraph

    • Executed
    • Not Executed
    • Opacity -> Relevance
    • Disassembly available
    callgraph 0 Function_00007FFE148E13DC 13 Function_00007FFE148E3FFC 0->13 1 Function_00007FFE148E10D4 20 Function_00007FFE148E39E8 1->20 2 Function_00007FFE148E3ED0 99 Function_00007FFE148E30A4 2->99 3 Function_00007FFE148E2CD0 4 Function_00007FFE148E51CA 5 Function_00007FFE148E2DC8 9 Function_00007FFE148E43C0 5->9 43 Function_00007FFE148E2F30 5->43 6 Function_00007FFE148E36C8 7 Function_00007FFE148E47C8 7->7 18 Function_00007FFE148E50F4 7->18 21 Function_00007FFE148E43E4 7->21 27 Function_00007FFE148E4710 7->27 28 Function_00007FFE148E450C 7->28 35 Function_00007FFE148E453C 7->35 40 Function_00007FFE148E4734 7->40 51 Function_00007FFE148E4454 7->51 56 Function_00007FFE148E4550 7->56 58 Function_00007FFE148E4E4C 7->58 61 Function_00007FFE148E5044 7->61 66 Function_00007FFE148E5078 7->66 71 Function_00007FFE148E4674 7->71 74 Function_00007FFE148E5068 7->74 84 Function_00007FFE148E4494 7->84 85 Function_00007FFE148E5094 7->85 90 Function_00007FFE148E50B8 7->90 95 Function_00007FFE148E50B0 7->95 8 Function_00007FFE148E33C4 38 Function_00007FFE148E4B38 9->38 63 Function_00007FFE148E4C40 9->63 10 Function_00007FFE148E2DC0 15 Function_00007FFE148E38F8 10->15 11 Function_00007FFE148E51FD 12 Function_00007FFE148E40FC 12->8 12->99 14 Function_00007FFE148E4AF8 80 Function_00007FFE148E4F98 14->80 77 Function_00007FFE148E399C 15->77 16 Function_00007FFE148E31F8 16->15 17 Function_00007FFE148E32F4 17->77 19 Function_00007FFE148E3BF0 70 Function_00007FFE148E3974 19->70 20->6 33 Function_00007FFE148E3700 20->33 36 Function_00007FFE148E4E38 21->36 22 Function_00007FFE148E4AE1 23 Function_00007FFE148E51E1 23->35 24 Function_00007FFE148E11E0 24->12 25 Function_00007FFE148E3A10 25->8 26 Function_00007FFE148E1110 26->25 27->36 28->36 79 Function_00007FFE148E519C 28->79 29 Function_00007FFE148E120C 68 Function_00007FFE148E3D74 29->68 30 Function_00007FFE148E4706 31 Function_00007FFE148E4004 31->8 32 Function_00007FFE148E1000 76 Function_00007FFE148E4760 32->76 96 
Function_00007FFE148E2FAC 32->96 34 Function_00007FFE148E1400 34->31 82 Function_00007FFE148E5198 35->82 37 Function_00007FFE148E3838 39 Function_00007FFE148E5234 40->82 41 Function_00007FFE148E4E30 42 Function_00007FFE148E4330 55 Function_00007FFE148E4350 42->55 43->19 44 Function_00007FFE148E1130 83 Function_00007FFE148E3A94 44->83 45 Function_00007FFE148E302C 46 Function_00007FFE148E1324 46->2 46->3 47 Function_00007FFE148E1020 48 Function_00007FFE148E1420 57 Function_00007FFE148E404C 48->57 49 Function_00007FFE148E4420 49->36 49->41 93 Function_00007FFE148E4CB4 49->93 50 Function_00007FFE148E1154 81 Function_00007FFE148E3A98 50->81 78 Function_00007FFE148E459C 51->78 52 Function_00007FFE148E3750 53 Function_00007FFE148E4050 53->8 53->52 54 Function_00007FFE148E3250 54->15 56->82 56->93 60 Function_00007FFE148E4E44 58->60 59 Function_00007FFE148E1444 59->53 62 Function_00007FFE148E4140 64 Function_00007FFE148E3C7C 64->47 65 Function_00007FFE148E117C 65->64 67 Function_00007FFE148E3074 68->8 68->17 68->33 97 Function_00007FFE148E35AC 68->97 69 Function_00007FFE148E4174 69->8 69->52 69->99 72 Function_00007FFE148E3A70 72->99 73 Function_00007FFE148E446C 73->82 75 Function_00007FFE148E1464 75->62 78->36 78->58 81->99 84->82 86 Function_00007FFE148E508C 85->86 88 Function_00007FFE148E5084 85->88 87 Function_00007FFE148E1484 87->3 87->69 92 Function_00007FFE148E16B4 87->92 89 Function_00007FFE148E37B8 91 Function_00007FFE148E51B2 94 Function_00007FFE148E10B0 94->72 97->9 97->37 98 Function_00007FFE148E44AC 98->36 99->67

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000005.00000002.1845229819.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true
    • Associated: 00000005.00000002.1845214561.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000005.00000002.1845247767.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000005.00000002.1845263512.00007FFE148E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000005.00000002.1845279057.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_7ffe148e0000_rundll32.jbxd
    Similarity
    • API ID: Create$Event$CriticalInitializeSectionThread
    • String ID:
    • API String ID: 3438895259-0
    • Opcode ID: dd0792dc9d06356fa9e35f075b9c6cd95ec06885470ca604acc3b206e13d9322
    • Instruction ID: b13892f98a47aa2efcd57e01bd2903d8868b99f4359015cb488a873bd1710653
    • Opcode Fuzzy Hash: dd0792dc9d06356fa9e35f075b9c6cd95ec06885470ca604acc3b206e13d9322
    • Instruction Fuzzy Hash: 0B01AD32A14F2182FB64DF32A895B2A73A1EB49B28F445078DE0E76764CF3CD098C300

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 0 7ffe148e47c8-7ffe148e47ce 1 7ffe148e4809-7ffe148e4813 0->1 2 7ffe148e47d0-7ffe148e47d3 0->2 3 7ffe148e4934-7ffe148e4950 1->3 4 7ffe148e47fd-7ffe148e483c call 7ffe148e4550 2->4 5 7ffe148e47d5-7ffe148e47d8 2->5 8 7ffe148e4952 3->8 9 7ffe148e4964-7ffe148e497f call 7ffe148e43e4 3->9 23 7ffe148e4856-7ffe148e486b call 7ffe148e43e4 4->23 24 7ffe148e483e 4->24 6 7ffe148e47da-7ffe148e47dd 5->6 7 7ffe148e47f0 __scrt_dllmain_crt_thread_attach 5->7 11 7ffe148e47e9-7ffe148e47ee call 7ffe148e4494 6->11 12 7ffe148e47df-7ffe148e47e8 6->12 15 7ffe148e47f5-7ffe148e47fc 7->15 13 7ffe148e4954-7ffe148e4963 8->13 21 7ffe148e49b6-7ffe148e49e8 call 7ffe148e4e4c 9->21 22 7ffe148e4981-7ffe148e49b4 call 7ffe148e450c call 7ffe148e5078 call 7ffe148e50f4 call 7ffe148e453c call 7ffe148e4710 call 7ffe148e4734 9->22 11->15 34 7ffe148e49ea-7ffe148e49f0 21->34 35 7ffe148e49f9-7ffe148e49ff 21->35 22->13 32 7ffe148e4925-7ffe148e4933 call 7ffe148e4e4c 23->32 33 7ffe148e4871-7ffe148e4882 call 7ffe148e4454 23->33 27 7ffe148e4840-7ffe148e4855 24->27 32->3 51 7ffe148e48d3-7ffe148e48dd call 7ffe148e4710 33->51 52 7ffe148e4884-7ffe148e48a8 call 7ffe148e50b8 call 7ffe148e5068 call 7ffe148e5094 call 7ffe148e5190 33->52 34->35 38 7ffe148e49f2-7ffe148e49f4 34->38 39 7ffe148e4a46-7ffe148e4a5c call 7ffe148e5044 35->39 40 7ffe148e4a01-7ffe148e4a0b 35->40 45 7ffe148e4ae9-7ffe148e4af6 38->45 56 7ffe148e4a96-7ffe148e4a98 39->56 57 7ffe148e4a5e-7ffe148e4a60 39->57 46 7ffe148e4a0d-7ffe148e4a15 40->46 47 7ffe148e4a17-7ffe148e4a25 40->47 53 7ffe148e4a2b-7ffe148e4a33 call 7ffe148e47c8 46->53 47->53 68 7ffe148e4adf-7ffe148e4ae7 47->68 51->24 70 7ffe148e48e3-7ffe148e48ef call 7ffe148e50b0 51->70 52->51 100 7ffe148e48aa-7ffe148e48b1 __scrt_dllmain_after_initialize_c 52->100 62 7ffe148e4a38-7ffe148e4a40 53->62 66 7ffe148e4a9a-7ffe148e4a9d 56->66 67 7ffe148e4a9f-7ffe148e4ab4 call 7ffe148e47c8 56->67 57->56 64 7ffe148e4a62-7ffe148e4a86 call 7ffe148e5044 call 7ffe148e47c8 57->64 62->39 62->68 64->56 94 
7ffe148e4a88-7ffe148e4a8d 64->94 66->67 66->68 67->68 81 7ffe148e4ab6-7ffe148e4ac0 67->81 68->45 89 7ffe148e4915-7ffe148e4920 70->89 90 7ffe148e48f1-7ffe148e48fb call 7ffe148e4674 70->90 86 7ffe148e4acb-7ffe148e4adb 81->86 87 7ffe148e4ac2-7ffe148e4ac9 81->87 86->68 87->68 89->27 90->89 99 7ffe148e48fd-7ffe148e490b 90->99 94->56 99->89 100->51 101 7ffe148e48b3-7ffe148e48c1 call 7ffe148e518a 100->101 103 7ffe148e48c6-7ffe148e48d0 101->103 103->51
    APIs
    Memory Dump Source
    • Source File: 00000005.00000002.1845229819.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true
    • Associated: 00000005.00000002.1845214561.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000005.00000002.1845247767.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000005.00000002.1845263512.00007FFE148E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000005.00000002.1845279057.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_7ffe148e0000_rundll32.jbxd
    Similarity
    • API ID: Initialize__scrt_acquire_startup_lock__scrt_fastfail__scrt_release_startup_lock$__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_initialize_default_local_stdio_options__scrt_is_nonwritable_in_current_image__scrt_uninitialize_crt
    • String ID:
    • API String ID: 627783611-0
    • Opcode ID: 3f597a04b6ab8b0343895d836925db316f3703b43f16bd7aca69a5a408eae50a
    • Instruction ID: 197ca062295b498e2d52b72c94c495799f7ac93e044bc60f6b3dc851f9ab845b
    • Opcode Fuzzy Hash: 3f597a04b6ab8b0343895d836925db316f3703b43f16bd7aca69a5a408eae50a
    • Instruction Fuzzy Hash: B491AF20E0CE4745F650AB6BA4C1279A290AF87BB4F4440B5FA0D777B6DE3DE88D9700

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000005.00000002.1845229819.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true
    • Associated: 00000005.00000002.1845214561.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000005.00000002.1845247767.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000005.00000002.1845263512.00007FFE148E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000005.00000002.1845279057.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_7ffe148e0000_rundll32.jbxd
    Similarity
    • API ID: EventInitializeObjectSingleUninitializeWait
    • String ID:
    • API String ID: 1715565137-0
    • Opcode ID: 30b1bb477b62f2e1aba44ed86eda383787f758e682205c0199c7b0649ef947ea
    • Instruction ID: 90fc83a8afb65fd7fed7c69e85d94751565f6de10c1fcc4f76bebeb294fe1334
    • Opcode Fuzzy Hash: 30b1bb477b62f2e1aba44ed86eda383787f758e682205c0199c7b0649ef947ea
    • Instruction Fuzzy Hash: 72010835A18E0582E744EB2BD8C0228A7A0FB86B65F5040B5E90EA3770DF3DE84D8710

    Control-flow Graph

    APIs
    • strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,00007FFE148E2E48), ref: 00007FFE148E2F64
    • strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,00007FFE148E2E48), ref: 00007FFE148E2F77
    • strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,00007FFE148E2E48), ref: 00007FFE148E2F8A
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.1845229819.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true
    • Associated: 00000005.00000002.1845214561.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000005.00000002.1845247767.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000005.00000002.1845263512.00007FFE148E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000005.00000002.1845279057.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_7ffe148e0000_rundll32.jbxd
    Similarity
    • API ID: strcpy
    • String ID: Unknown Description$Unknown Name$Unknown Vendor$Unknown Version
    • API String ID: 3177657795-2520111763
    • Opcode ID: 86ec986f349a7b2790bf3a8a0076e515a7f4652e7669583b5473761b72895a67
    • Instruction ID: e8734bc6a7b8b836417fede82392259c7646b9506fc57f6bf66ed6d9c329315d
    • Opcode Fuzzy Hash: 86ec986f349a7b2790bf3a8a0076e515a7f4652e7669583b5473761b72895a67
    • Instruction Fuzzy Hash: BFF04472A1894291EB00DB16D4D12F8A321EB45768FC89071E51C6F3B6EEBCD54DC310

    Control-flow Graph

    APIs
    • #2.DSOUND(?,?,?,00007FFE148E2F99,?,?,00000000,00007FFE148E2E48), ref: 00007FFE148E3C39
    • strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE148E2F99,?,?,00000000,00007FFE148E2E48), ref: 00007FFE148E3C5C
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.1845229819.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true
    • Associated: 00000005.00000002.1845214561.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000005.00000002.1845247767.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000005.00000002.1845263512.00007FFE148E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000005.00000002.1845279057.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_7ffe148e0000_rundll32.jbxd
    Similarity
    • API ID: strncpy
    • String ID: DirectSound Capture$DirectSound Playback
    • API String ID: 3301158039-437622269
    • Opcode ID: dfd5096dd5408a71375ab07797f61adefa24f704688274d9e23a2b77435865dc
    • Instruction ID: 80952f7a56ea6c8dfdad76696fbd6f7e8b261f7e1c8369644a8fd62106e1279e
    • Opcode Fuzzy Hash: dfd5096dd5408a71375ab07797f61adefa24f704688274d9e23a2b77435865dc
    • Instruction Fuzzy Hash: 00018071A08E4396E7148B1BE5C00A8E321FB46BA4B808175F66D637B4DF38E56EC700

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000005.00000002.1845229819.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true
    • Associated: 00000005.00000002.1845214561.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000005.00000002.1845247767.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000005.00000002.1845263512.00007FFE148E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000005.00000002.1845279057.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_7ffe148e0000_rundll32.jbxd
    Similarity
    • API ID: Timetime
    • String ID:
    • API String ID: 17336451-0
    • Opcode ID: 5bd067ee3f8a19375c4f6cb59a19cf5bf464f5941ff96378297cf0e93543ad10
    • Instruction ID: 07006fe868d6be14522962abc4000988755ceb655b8f5bdeed20efe5d8a7eeee
    • Opcode Fuzzy Hash: 5bd067ee3f8a19375c4f6cb59a19cf5bf464f5941ff96378297cf0e93543ad10
    • Instruction Fuzzy Hash: 95314F71A29A4286EB54CB26D4C0239B3A1FB86324F5042B9F55EA37F5CF3CE8498701

    Control-flow Graph

    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,00007FFE148E40D8,?,?,?,00007FFE148E145E), ref: 00007FFE148E3760
    • SetEvent.KERNEL32(?,?,?,00007FFE148E40D8,?,?,?,00007FFE148E145E), ref: 00007FFE148E3787
    • WaitForSingleObject.KERNEL32(?,?,?,00007FFE148E40D8,?,?,?,00007FFE148E145E), ref: 00007FFE148E3797
    • LeaveCriticalSection.KERNEL32(?,?,?,00007FFE148E40D8,?,?,?,00007FFE148E145E), ref: 00007FFE148E37AA
    Memory Dump Source
    • Source File: 00000005.00000002.1845229819.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true
    • Associated: 00000005.00000002.1845214561.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000005.00000002.1845247767.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000005.00000002.1845263512.00007FFE148E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000005.00000002.1845279057.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_7ffe148e0000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterEventLeaveObjectSingleWait
    • String ID:
    • API String ID: 4060455350-0
    • Opcode ID: 62dd230d8edb3e629cc67c132f3969ac77fd722424eef89bf0a9c0514808786d
    • Instruction ID: 9a2df963f012e970308be1a51c6cf0a92009f1a44c6caa56e73a743b580a9edb
    • Opcode Fuzzy Hash: 62dd230d8edb3e629cc67c132f3969ac77fd722424eef89bf0a9c0514808786d
    • Instruction Fuzzy Hash: F2F0A964A28E06C1FA00EB23ECC0138A360AF5A735B4401B1E92E77370DE3CA58D8320