Edit tour

Windows Analysis Report
OctVbUtl.dll

Overview

General Information

Sample name:	OctVbUtl.dll
Analysis ID:	1530830
MD5:	7705bfa817409119413ce6e15b00b389
SHA1:	7f4d21ce846e0ee22b574cebdc09b313ab47bdc5
SHA256:	1dd065c2accb056742144e8ee0fedfab243fa186a41d7b5070da18077d3fc8d5
Infos:

Detection

Score:	3
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Found large amount of non-executed APIs

One or more processes crash

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 7548 cmdline: loaddll32.exe "C:\Users\user\Desktop\OctVbUtl.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 7584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7628 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 7644 cmdline: rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7652 cmdline: rundll32.exe C:\Users\user\Desktop\OctVbUtl.dll,_OctlBitMskClr@8 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7696 cmdline: rundll32.exe C:\Users\user\Desktop\OctVbUtl.dll,_OctlBitMskSet@8 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7720 cmdline: rundll32.exe C:\Users\user\Desktop\OctVbUtl.dll,_OctlBitMskTst@8 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7776 cmdline: rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlBitMskClr@8 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7784 cmdline: rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlBitMskSet@8 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7792 cmdline: rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlBitMskTst@8 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7808 cmdline: rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlUtil_szW@12 MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 7320 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7808 -s 600 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 7816 cmdline: rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlUtil_szR@12 MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 5452 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7816 -s 600 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 7824 cmdline: rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlUtil_szL@12 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7836 cmdline: rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlUtil_cpy@12 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7844 cmdline: rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlUtil_acR@12 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7860 cmdline: rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlUtil_acL@12 MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 7340 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7860 -s 592 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 7868 cmdline: rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlUtil_4sw@8 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7876 cmdline: rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlUtilPakP@16 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7904 cmdline: rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlDttmUpk@8 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7924 cmdline: rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlDttmSys@0 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7932 cmdline: rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlDttmPrs@8 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7948 cmdline: rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlDttmPak@4 MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 3632 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7948 -s 596 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 7956 cmdline: rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlBitN2Mask@4 MD5: 889B99C52A60DD49227C5E485A016679)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: OctVbUtl.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_8937994e4f6653102bf74df7bae4df35b16b585b_7522e4b5_861aaf2f-d957-4636-afe3-005811a133b1\
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_1639818b7ea33fad73b6a9f374f2c2fc303b0dc_7522e4b5_42ad0679-496e-491f-b6c5-2a2b0b3da087\
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: time.windows.com

Source: Amcache.hve.37.dr

String found in binary or memory: http://upx.sf.net

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7860 -s 592

Source: OctVbUtl.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: classification engine

Classification label: clean3.winDLL@48/17@1/0

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7584:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7860
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7948
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7816
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7808

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\7c3f23c1-b9f6-40a8-9fe0-2cece27c4669

Jump to behavior

Source: OctVbUtl.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\OctVbUtl.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\OctVbUtl.dll,_OctlBitMskClr@8
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\OctVbUtl.dll,_OctlBitMskSet@8
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\OctVbUtl.dll,_OctlBitMskTst@8
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlBitMskClr@8
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlBitMskSet@8
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlBitMskTst@8
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlUtil_szW@12
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlUtil_szR@12
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlUtil_szL@12
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlUtil_cpy@12
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlUtil_acR@12
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlUtil_acL@12
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlUtil_4sw@8
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlUtilPakP@16
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlDttmUpk@8
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlDttmSys@0
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlDttmPrs@8
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlDttmPak@4
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlBitN2Mask@4
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7860 -s 592
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7808 -s 600
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7948 -s 596
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7816 -s 600
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\OctVbUtl.dll,_OctlBitMskClr@8	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\OctVbUtl.dll,_OctlBitMskSet@8	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\OctVbUtl.dll,_OctlBitMskTst@8	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlBitMskClr@8	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlBitMskSet@8	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlBitMskTst@8	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlUtil_szW@12	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlUtil_szR@12	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlUtil_szL@12	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlUtil_cpy@12	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlUtil_acR@12	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlUtil_acL@12	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlUtil_4sw@8	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlUtilPakP@16	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlDttmUpk@8	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlDttmSys@0	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlDttmPrs@8	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlDttmPak@4	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlBitN2Mask@4	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\rundll32.exe

API coverage: 0.0 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_8937994e4f6653102bf74df7bae4df35b16b585b_7522e4b5_861aaf2f-d957-4636-afe3-005811a133b1\
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_1639818b7ea33fad73b6a9f374f2c2fc303b0dc_7522e4b5_42ad0679-496e-491f-b6c5-2a2b0b3da087\
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue

Source: Amcache.hve.37.dr	Binary or memory string: VMware
Source: Amcache.hve.37.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.37.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.37.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.37.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.37.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.37.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.37.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.37.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.37.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.37.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.37.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.37.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.37.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.37.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.37.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.37.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.37.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.37.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.37.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.37.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.37.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.37.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.37.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.37.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.37.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.37.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.37.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.37.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",#1

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 11_2_10001E10 GetLocalTime,std::_Cnd_initX,std::_Cnd_initX,std::_Cnd_initX,std::_Cnd_initX,std::_Cnd_initX,std::_Cnd_initX,

11_2_10001E10

Source: Amcache.hve.37.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.37.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.37.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.37.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.37.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Rundll32	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	2 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
OctVbUtl.dll	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false		unknown
time.windows.com	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.37.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1530830
Start date and time:	2024-10-10 15:36:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	43
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	OctVbUtl.dll
Detection:	CLEAN
Classification:	clean3.winDLL@48/17@1/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 9
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.95.65.251, 20.189.173.22
Excluded domains from analysis (whitelisted): login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, twc.trafficmanager.net, otelrules.afd.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
VT rate limit hit for: OctVbUtl.dll

Simulations

Behavior and APIs

Time	Type	Description
09:37:26	API Interceptor	1x Sleep call for process: loaddll32.exe modified
09:37:52	API Interceptor	4x Sleep call for process: WerFault.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	http://flipsnack.com/BA85A977C6F/oct2024/full-view.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://onlinefeature.blob.core.windows.net/plus/online.html?jd6123	Get hash	malicious	Unknown	Browse	13.107.246.45
	fTq2vadDnr.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	https://www.google.es/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Foilproductionpower.com%2Fddd%2Ff3E2tG5ASlq4OLZ8xJKHkkFY/TExQQG5vdm96eW1lcy5jb20=	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	jQw7LVWJYw.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	SecuriteInfo.com.Trojan-Ransom.Win32.Zerber.gkca.4990.15640.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	SecuriteInfo.com.Win32.CrypterX-gen.327.26539.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	https://trendydigitalbuzze.com.de/YrWXF/	Get hash	malicious	Unknown	Browse	13.107.246.45
	http://beststarsoffers.click/img/FJHpEbd9pzMLCgDT	Get hash	malicious	Unknown	Browse	13.107.246.45
	http://beststarsoffers.click/img/BftYnyQgrWDRxBpx	Get hash	malicious	Unknown	Browse	13.107.246.45

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_1639818b7ea33fad73b6a9f374f2c2fc303b0dc_7522e4b5_42ad0679-496e-491f-b6c5-2a2b0b3da087\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8295099077372614
Encrypted:	false
SSDEEP:	192:vhCMiqO3q0BU/wjeT4zuiFrZ24IO8dci:MMiL3xBU/wjeMzuiFrY4IO8dci
MD5:	4DABC8BA68188D9AFCC8CC88BF294CE1
SHA1:	4E093EAD2D40D87C42300FF4D7085F5F7973626E
SHA-256:	D83EF3BE6B4F0716EF1EFE3747DFCAAF9BEC031E7BECB540DC5257A6491D779B
SHA-512:	4DB16925A8CD71FFFB03020323C140C1A1325567069BA845A072D2F2D418AF06A783305054AB4F400630165EC54C54B8A54198198BE411B0CD93E789B11666AC
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.0.4.1.0.4.8.2.7.9.3.1.2.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.0.4.1.0.4.9.5.4.4.9.3.7.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.2.a.d.0.6.7.9.-.4.9.6.e.-.4.9.1.f.-.b.6.c.5.-.2.a.2.b.0.b.3.d.a.0.8.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.2.d.d.5.4.2.6.-.5.4.7.5.-.4.8.d.2.-.b.5.5.f.-.c.f.8.8.f.5.9.f.c.c.1.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.8.0.-.0.0.0.1.-.0.0.1.4.-.2.7.a.5.-.4.f.8.b.1.9.1.b.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_1639818b7ea33fad73b6a9f374f2c2fc303b0dc_7522e4b5_fb894857-d887-4aca-9640-e1541cf37841\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8292736625706508
Encrypted:	false
SSDEEP:	192:BYyiHOHoq0BU/wjeT4zuiFrZ24IO8dci:PiuIxBU/wjeMzuiFrY4IO8dci
MD5:	9D2E65BBF8367644AD6776FA3299F8A5
SHA1:	EDDA1BAC69D1108D9F088F060921228A6A7E6F70
SHA-256:	B6FA4D89E9EC582C9120EA32A6CC7FCC4D388B94C11A5A1F8B3F0A27319BF107
SHA-512:	175ED6C4CB6B931D49C1DDA7FC8642C2C115C5BE41796B64CD9C59631A06F17AE47F6F262AFED940945982AEA6571C12A6876E3EDC1C50B516B38AF09E13CF51
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.0.4.1.0.4.8.5.1.5.6.1.9.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.0.4.1.0.4.9.8.9.0.6.2.4.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.b.8.9.4.8.5.7.-.d.8.8.7.-.4.a.c.a.-.9.6.4.0.-.e.1.5.4.1.c.f.3.7.8.4.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.e.c.b.8.2.7.2.-.6.5.c.b.-.4.e.a.1.-.a.7.0.d.-.b.0.c.2.1.b.2.4.5.7.0.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.8.8.-.0.0.0.1.-.0.0.1.4.-.8.f.4.0.-.5.1.8.b.1.9.1.b.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_8937994e4f6653102bf74df7bae4df35b16b585b_7522e4b5_861aaf2f-d957-4636-afe3-005811a133b1\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8290032466536316
Encrypted:	false
SSDEEP:	192:NVbiteOOsw0BU/wjeT4zuiFrZ24IO8dci:jitdLBU/wjeMzuiFrY4IO8dci
MD5:	028F53729A23F1847E38E7B6FA2D021D
SHA1:	F7853052B13F963550E851A5D46544BF61F19A66
SHA-256:	74529693E8E47D69E549FD7E681552419C87A28ABACD54513207EB484FE1B825
SHA-512:	0E595DB6904EEA0DF63F3E8D4AAF97D31BE834B2311A150D7BECE2272A1A1BEF90324ECB0B7798A9675073A0AA8E1383F518B05C42D0F0C2BB9F4D61B78BD982
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.0.4.1.0.4.8.2.4.0.5.4.3.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.0.4.1.0.4.9.7.7.1.7.9.4.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.6.1.a.a.f.2.f.-.d.9.5.7.-.4.6.3.6.-.a.f.e.3.-.0.0.5.8.1.1.a.1.3.3.b.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.6.8.b.f.8.8.a.-.3.2.e.0.-.4.9.9.3.-.a.4.2.8.-.f.4.5.2.f.b.0.c.7.d.e.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.b.4.-.0.0.0.1.-.0.0.1.4.-.b.d.d.5.-.5.9.8.b.1.9.1.b.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_d2d6a05f617930bde2d4c76b2a5555e299272ba9_7522e4b5_a66cba1d-ae51-4e93-836a-a8c12fd637a0\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.82967160425124
Encrypted:	false
SSDEEP:	192:YpzXiROTH30BU/wjeT4zuiFrZ24IO8dci:YdXiozEBU/wjeMzuiFrY4IO8dci
MD5:	A3DCD98E527482E2A05D5E0CBE13E06A
SHA1:	79FA44F63FB8C105A9AB21F57FC71008F97632B1
SHA-256:	16003AF85506CFF02F96951E6DA9FE3926AA310E86D2B5F22342FE11E8E345DF
SHA-512:	14A4FC2DDEEC65E281539A9D623413E6F96D29A0CA10B00EDC886ABCF5C4F46155EDF3B06B18C4EF4CFA5D036F569C83A2EA7A81E477D973DA721D170647DA23
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.0.4.1.0.4.8.3.2.7.8.1.0.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.0.4.1.0.4.9.8.7.4.6.8.3.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.6.6.c.b.a.1.d.-.a.e.5.1.-.4.e.9.3.-.8.3.6.a.-.a.8.c.1.2.f.d.6.3.7.a.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.d.1.2.6.f.a.d.-.c.7.6.5.-.4.a.3.e.-.9.e.1.4.-.5.a.4.7.b.2.e.c.6.1.3.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.0.c.-.0.0.0.1.-.0.0.1.4.-.a.c.0.9.-.8.3.8.b.1.9.1.b.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER31FF.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Oct 10 13:37:28 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	42052
Entropy (8bit):	1.9222984897419135
Encrypted:	false
SSDEEP:	192:s7YG+XlCjNxfO5H4zEQRlgD89dst5CBEMETjNUTCTTsq:GhZxW5HURlPdQ5CBEM6NzPs
MD5:	E29CADCDE01BAD78BC5E9A80D9AE595B
SHA1:	A54759F626B4BCA5F5C00E429CFFC37130342964
SHA-256:	DEBB6A71A7D3AF3C09FCA580AA4CBFE3A35B2B11EA4D256460A850141221AC36
SHA-512:	A2B31168E6F8E9C82DDED953CB8168F710267AD237CF5F3151F807F010FA2F65A4CD50461ED19E95ED41D54D4609F21639D37AA5753AF58B7A67B354D35A46C5
Malicious:	false
Preview:	MDMP..a..... ..........g.........................................&..........T.......8...........T.......................................x...............................................................................eJ..............GenuineIntel............T..............g.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER323D.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Oct 10 13:37:28 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	39884
Entropy (8bit):	1.9979770985996552
Encrypted:	false
SSDEEP:	192:sQXWCjNviLIO5H4Q7hdEwvnpaEaRlAlpMjviI:5ZSP5H/7TnOPAlP
MD5:	0D3AAA000E2A6FAFC4F7E20D379E2301
SHA1:	53E8313B89FA057C0CD7607E9B4E033D5739E646
SHA-256:	CC61176F0214EC8E5D5F215FF4CA43ABB3A71C792AB6A01941BE9E44BADCCAC8
SHA-512:	425425B16EEDAF2E806639870EF714D5323CDC39CC46BA17EEF15D80B09431280FE621D379CC06AA74FB52A65466DBF2F1640C0487A8999939EE0BCD7394835C
Malicious:	false
Preview:	MDMP..a..... ..........g.........................................&..........T.......8...........T...............$.......................x...............................................................................eJ..............GenuineIntel............T..............g.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER327C.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Oct 10 13:37:28 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	43064
Entropy (8bit):	1.891044692357667
Encrypted:	false
SSDEEP:	192:sWXlCjN6IO5H4WT/GSi+CIRJx680JGhJTBywsniT:EZ6P5HX/EGki
MD5:	344E8962B7F874B961DFEFCE8188726B
SHA1:	8F4A6C497BCC95CB1D9E37A1F3EA4C8ADA642828
SHA-256:	6B88FFEAC376317D630789F8E4B6BFE344EB18EDE833373E73A26F9BA3048C69
SHA-512:	42B851BB867213C5DD89DC3B70A86887104EAFF0475F3BDF2D3F21F82BDD16AA2B791F5EDD2847B8FABAA8AB0ABA6550157DB6C56E9ED046B5C61164393B88AA
Malicious:	false
Preview:	MDMP..a..... ..........g.........................................&..........T.......8...........T.......................................x...............................................................................eJ..............GenuineIntel............T..............g.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3328.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Oct 10 13:37:28 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	41784
Entropy (8bit):	1.9477045003808109
Encrypted:	false
SSDEEP:	192:sP96XwCjNI/O5H4F/1tjgRov5N+8LCnwfM+:S9cZI25HA/1tjgRK5N+9w
MD5:	87DCB63035CDAF6B5CB5C7760F427029
SHA1:	D9CD15D2A54471677FB63DB590B4770A4D336B92
SHA-256:	A5A331AED0E352A11766DE7CE1E28BD1A0128FBC6A01148381E0230A441B7855
SHA-512:	54571AA689A07E7A8E82C16366274096A2B1F52F701C6285D5613B8E1677EF20F09968BA5EB5A4711CC27441457B505822C2868B6452BCCD1259032D226A514E
Malicious:	false
Preview:	MDMP..a..... ..........g.........................................&..........T.......8...........T.......................................x...............................................................................eJ..............GenuineIntel............T..............g.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3338.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8248
Entropy (8bit):	3.692241135710145
Encrypted:	false
SSDEEP:	192:R6l7wVeJ086X6YcM66NqDgmfT80prz89bCysfiIvWm:R6lXJv6X6YP61DgmfT8lCxf5
MD5:	41BA5BEBFB0F68823B9A9F98E16D4976
SHA1:	DD74190BA99ED333136427CEBC8DFBB2CEC08005
SHA-256:	FDFC5E32B754847089C3CE200A37C72CB2BD8D2A55985987A65ECE26EDF61A88
SHA-512:	136986C74B077CC5371423E01B1399ECC8EDB88BC54AB3CB366B46EA5C1BAE33A6DAC50453AF0C1A34CE86BCF51903506DA6B53795A3810634364DB0168B484D
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.8.6.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3387.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8248
Entropy (8bit):	3.692767897472297
Encrypted:	false
SSDEEP:	192:R6l7wVeJaM6/6Ycm66NqDgmfTa0prr89bC4sf+hWm:R6lXJh6/6Yl61DgmfTatCrfM
MD5:	9EC3F59DDFE981C2F88CCA3F86290468
SHA1:	EA35184E5A4C331335134F1343C4B4A2531602C9
SHA-256:	377C681D7DCAA80D66B16AFE465FC76407493CE3CFD027047507E7AAA6B41CC5
SHA-512:	BC3190D9F9ACDF536669C5A39D52E000DCF5203392C2D771FD3183E7DE44B9F78982116ED75EC32364A1AFD39AC2F121288DAAC178DC884EB2E9177320AA365A
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.8.0.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER33F4.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8256
Entropy (8bit):	3.691858221084438
Encrypted:	false
SSDEEP:	192:R6l7wVeJnv6s6YcX66NqDgmfTZ0prG89bCKsf0J1Wm:R6lXJv6s6Yk61DgmfTZ+CpfQN
MD5:	A014AD3CD0B846921BDD580F005C16FD
SHA1:	EBC88F3849BDE26318A3296876E9E1ED393E9504
SHA-256:	EC5BC883FA14539DD384C1DAEC7A99BFD3C89788CD497341220744D69820B5B3
SHA-512:	FDE3EA3C94A491F9C257B0078BF1F6083F01C2D03D8BD837A83BC25B7A12A5BB5CAB02F49012FBE13B70E87BC1E65FBFA87EE4B25AAD1BA9E94C7E67292EA443
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.9.4.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3405.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4646
Entropy (8bit):	4.462283262676011
Encrypted:	false
SSDEEP:	48:cvIwWl8zsVJg77aI9grWpW8VYGdYm8M4JCdPZFh7+q8/JoGScS4d:uIjfvI7Ga7Vh8Jq7J34d
MD5:	C602A6913FA94860B2E3330AFA513606
SHA1:	2CD49F856BF6551E840BA06D00305848F8FEEE28
SHA-256:	5AD047BD0FE9717009DE84FC166CE9E00D783877AB127AA48A4065E5B57B81D3
SHA-512:	1F0CB76D95318418FE83E3B76854C68B83C24F5D3AC39F26ACF674045F10CBD7C5119537BD2BA6FC556B972560C16176F59580CD4D098085B0AB6E1214EE95EE
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="537400" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3433.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4646
Entropy (8bit):	4.461699385843438
Encrypted:	false
SSDEEP:	48:cvIwWl8zsVJg77aI9grWpW8VYGQYm8M4JCdPTFO+q8/JIGScSyd:uIjfvI7Ga7Vh9JHXJ3yd
MD5:	01C6D3D7F577DEE5FF5002D7530A3237
SHA1:	757B368F2989ED247276F616D9C6FA3A4ACDE72B
SHA-256:	F0BBB3CD780834D08A27514B8A37C086CE2D31CC8292DB874FB98F6B30E67D3F
SHA-512:	1084F15D04D568CB4DB3A826FEA53FD1B55F4A15FAD4A1C4EE6D37F1842E76479C883D7D7DA52CDC41D342F1D7804205D6EC48E122D101819BC9D0B07BEE25F4
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="537400" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3491.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4654
Entropy (8bit):	4.45843308550589
Encrypted:	false
SSDEEP:	48:cvIwWl8zsVJg77aI9grWpW8VYG+Ym8M4JCdPSFTL+q8/A5GScShd:uIjfvI7Ga7Vh3JnhJ3hd
MD5:	FD6F04DDE40B8E1DC329BC825CA3CEAE
SHA1:	ACBA2E094F95E81920032B658D61F033EE4D11E8
SHA-256:	B42DF26B728BEAC75BF4A358023F6A2A4BA489374AE66FA627F2700F13A76151
SHA-512:	969EEF97675D348B7DBCBA00B618996281986D1C514A76DA9F44CE96C820667C6A9BC021B21D45B62A72FCA57F51380039FEB7D27F570BD088BF72D0FDFC7D42
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="537400" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER34DE.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8248
Entropy (8bit):	3.693373316788421
Encrypted:	false
SSDEEP:	192:R6l7wVeJVw6Q6YcM66NqDgmfTa0pr989bLvsffZm:R6lXJC6Q6Yf61DgmfTa7LUfs
MD5:	10CA6BBF72D1B196160EC3F60AEAA56B
SHA1:	EE795F8FA4D3B447D11B2C54D3C43C8C48B6D429
SHA-256:	A08B8468471B7382F1DB13B872B9D69547E17AA822D9A59D259BFE339ACD4AD5
SHA-512:	0C758B4457D9D317DD376C80A205931CBA3B870B4BC3CCE3F2E06082C3CECA360811049F7A7626ADF3CFA07926A423982FCC5396A4B2F68244FA18544D6219B5
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.8.1.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER355C.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4646
Entropy (8bit):	4.458719000285173
Encrypted:	false
SSDEEP:	48:cvIwWl8zsVJg77aI9grWpW8VYGL4Ym8M4JCdPZFrP+q8/JlGScSDwM6d:uIjfvI7Ga7VhpJCPmJ3L6d
MD5:	66D55A6AA29A816AC7F4B21D7ABD36EF
SHA1:	B2AEE65ADD41725B981F47BF411A1C59C6DC0C86
SHA-256:	2C36C499B9F5DA5D54260F5D093ADA89E4C4B36BE4D48ACC71F0C6344D263B32
SHA-512:	67CEA7407162922688E289D31318BD11C21B92E6D0A7636436D7DE9FE8FEF75B32513B9982E6000FC7947761DE6B68CA7FF7305B07A3DDEF57CBBD6BAA7081B9
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="537400" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.417465629024975
Encrypted:	false
SSDEEP:	6144:ycifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuNo5+:fi58oSWIZBk2MM6AFBWo
MD5:	ECC2309731D7A1668307A940941A4527
SHA1:	441777058543486D7E1597C33CFAB909A8EAC637
SHA-256:	4817DF9A96244CD6A732F3D290832E8D721F6A20C301B59814E98ABD804C6CCA
SHA-512:	266A106A5841B6F3F3A075B0058EFA583328DBB5A10A28620DA7EB1A7839078DAA473D8A11B26005A2A6F3658B2B9EA610C63E147D442810C793D4E74F3CB050
Malicious:	false
Preview:	regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..Y..................................................................................................................................................................................................................................................................................................................................................IN.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	1.9893947676021677
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	OctVbUtl.dll
File size:	24'576 bytes
MD5:	7705bfa817409119413ce6e15b00b389
SHA1:	7f4d21ce846e0ee22b574cebdc09b313ab47bdc5
SHA256:	1dd065c2accb056742144e8ee0fedfab243fa186a41d7b5070da18077d3fc8d5
SHA512:	3f9d810f154a8545102d09b9de8d511948a422df63070b6b7479fbe5752877793d7baec870a14e401e0117201bc92af64c9977fba5c37cefdb127f99c97ec440
SSDEEP:	192:VuN+v5sGR3Wt5CBM0u69/EmLN5v3cxqpj5jfU0QG3Kn57gr+:VZ5sGs5CBM0L7MUnQGmtgr+
TLSH:	A5B241651DA0D530F26642FEC932E0BFA8BD6F4491C357A3A39C14273F629E07E3A416
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........oY............................................................e.......r.......Rich............................PE..L......A...

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x10002023
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x418C1BE3 [Sat Nov 6 00:33:39 2004 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	202649762e5b9fcd0ef0205cdd163673

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007FD82145404Bh
cmp dword ptr [10004060h], 00000000h
jmp 00007FD821454068h
cmp esi, 01h
je 00007FD821454047h
cmp esi, 02h
jne 00007FD821454064h
mov eax, dword ptr [10004070h]
test eax, eax
je 00007FD82145404Bh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007FD82145404Eh
push edi
push esi
push ebx
call 00007FD821453F5Ah
test eax, eax
jne 00007FD821454046h
xor eax, eax
jmp 00007FD821454090h
push edi
push esi
push ebx
call 00007FD821452FD2h
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007FD82145404Eh
test eax, eax
jne 00007FD821454079h
push edi
push eax
push ebx
call 00007FD821453F36h
test esi, esi
je 00007FD821454047h
cmp esi, 03h
jne 00007FD821454068h
push edi
push esi
push ebx
call 00007FD821453F25h
test eax, eax
jne 00007FD821454045h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007FD821454053h
mov eax, dword ptr [10004070h]
test eax, eax
je 00007FD82145404Ah
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
jmp dword ptr [1000302Ch]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Rich Headers

Programming Language:

[C++] VS98 (6.0) build 8168
[LNK] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3190	0x1dc	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x306c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5000	0x64	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3000	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x10c6	0x2000	e388f8f9aa9348c2bdab1dc6983dbfe0	False	0.2496337890625	data	3.8023523456532504	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3000	0x36c	0x1000	4f9387300465ed2e8c7b14431a987f6d	False	0.122314453125	data	1.4115510377731795	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4000	0x74	0x1000	41d8d7e6061e41107b87551e6c5ba224	False	0.014892578125	Matlab v4 mat-file (little endian) 02u-%02u, numeric, rows 0, columns 0	0.1519365264852921	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x5000	0x90	0x1000	1c1f5319e9e18f2b85725b747d676f74	False	0.0322265625	data	0.24818896091619172	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	GetLocalTime
MSVCRT.dll	floor, _ftol, sprintf, strlen, strcmp, memcpy, sscanf, strcpy, free, _initterm, malloc, _adjust_fdiv

Exports

Name	Ordinal	Address
_OctlBitMskClr@8	1	0x1000104f
_OctlBitMskSet@8	2	0x10001033
_OctlBitMskTst@8	3	0x1000106d
_OctlBitN2Mask@4	4	0x1000101c
_OctlDttmPak@4	5	0x1000142b
_OctlDttmPrs@8	6	0x1000143e
_OctlDttmSys@0	7	0x100013f6
_OctlDttmUpk@8	8	0x10001400
_OctlUtilPakP@16	9	0x10001233
_OctlUtil_4sw@8	10	0x100012d8
_OctlUtil_acL@12	11	0x10001381
_OctlUtil_acR@12	12	0x1000130c
_OctlUtil_cpy@12	13	0x10001092
_OctlUtil_szL@12	14	0x100011ac
_OctlUtil_szR@12	15	0x100010b2
_OctlUtil_szW@12	16	0x1000118e

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 10, 2024 15:37:11.053024054 CEST	55941	53	192.168.2.7	1.1.1.1
Oct 10, 2024 15:37:34.713753939 CEST	53	56633	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 10, 2024 15:37:11.053024054 CEST	192.168.2.7	1.1.1.1	0xa7c	Standard query (0)	time.windows.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 10, 2024 15:37:11.061086893 CEST	1.1.1.1	192.168.2.7	0xa7c	No error (0)	time.windows.com	twc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 15:37:12.757292032 CEST	1.1.1.1	192.168.2.7	0x6625	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 15:37:12.757292032 CEST	1.1.1.1	192.168.2.7	0x6625	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false

Target ID:	1
Start time:	09:37:16
Start date:	10/10/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\OctVbUtl.dll"
Imagebase:	0xe40000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:37:16
Start date:	10/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:37:17
Start date:	10/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",#1
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:37:17
Start date:	10/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",#1
Imagebase:	0x2f0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:37:17
Start date:	10/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\OctVbUtl.dll,_OctlBitMskClr@8
Imagebase:	0x2f0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:37:20
Start date:	10/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\OctVbUtl.dll,_OctlBitMskSet@8
Imagebase:	0x2f0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:37:23
Start date:	10/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\OctVbUtl.dll,_OctlBitMskTst@8
Imagebase:	0x2f0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:37:26
Start date:	10/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlBitMskClr@8
Imagebase:	0xa70000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:37:26
Start date:	10/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlBitMskSet@8
Imagebase:	0x2f0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:37:26
Start date:	10/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlBitMskTst@8
Imagebase:	0x2f0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	09:37:26
Start date:	10/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlUtil_szW@12
Imagebase:	0x2f0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	09:37:26
Start date:	10/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlUtil_szR@12
Imagebase:	0x2f0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	09:37:26
Start date:	10/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlUtil_szL@12
Imagebase:	0x2f0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	09:37:26
Start date:	10/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlUtil_cpy@12
Imagebase:	0x2f0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	09:37:26
Start date:	10/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlUtil_acR@12
Imagebase:	0x2f0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	09:37:26
Start date:	10/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlUtil_acL@12
Imagebase:	0x2f0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	09:37:26
Start date:	10/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlUtil_4sw@8
Imagebase:	0x2f0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	09:37:26
Start date:	10/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlUtilPakP@16
Imagebase:	0x2f0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	09:37:26
Start date:	10/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlDttmUpk@8
Imagebase:	0x2f0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	09:37:26
Start date:	10/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlDttmSys@0
Imagebase:	0x2f0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	09:37:26
Start date:	10/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlDttmPrs@8
Imagebase:	0x2f0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	09:37:26
Start date:	10/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlDttmPak@4
Imagebase:	0x2f0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	09:37:26
Start date:	10/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\OctVbUtl.dll",_OctlBitN2Mask@4
Imagebase:	0x2f0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	09:37:27
Start date:	10/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7860 -s 592
Imagebase:	0xcf0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	09:37:27
Start date:	10/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7808 -s 600
Imagebase:	0xcf0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	09:37:27
Start date:	10/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7948 -s 596
Imagebase:	0xcf0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	09:37:28
Start date:	10/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7816 -s 600
Imagebase:	0xcf0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.5%
Total number of Nodes:	44
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Non-executed Functions

Function 10001E10 Relevance: 10.6, APIs: 7, Instructions: 104
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLocalTime.KERNEL32(?), ref: 10001E1A

Part of subcall function 100018F0: std::_Cnd_initX.LIBCPMTD ref: 1000191E
Part of subcall function 100018F0: std::_Cnd_initX.LIBCPMTD ref: 1000192B

Part of subcall function 10001951: std::_Cnd_initX.LIBCPMTD ref: 1000197F
Part of subcall function 10001951: std::_Cnd_initX.LIBCPMTD ref: 10001990

Part of subcall function 100019B2: std::_Cnd_initX.LIBCPMTD ref: 100019C7
Part of subcall function 100019B2: std::_Cnd_initX.LIBCPMTD ref: 100019F8
Part of subcall function 100019B2: std::_Cnd_initX.LIBCPMTD ref: 10001A05

Part of subcall function 10001A29: std::_Cnd_initX.LIBCPMTD ref: 10001A4A
Part of subcall function 10001A29: std::_Cnd_initX.LIBCPMTD ref: 10001A57

Part of subcall function 10001A8A: std::_Cnd_initX.LIBCPMTD ref: 10001AAB
Part of subcall function 10001A8A: std::_Cnd_initX.LIBCPMTD ref: 10001ABC

Part of subcall function 10001AEB: std::_Cnd_initX.LIBCPMTD ref: 10001B10
Part of subcall function 10001AEB: std::_Cnd_initX.LIBCPMTD ref: 10001B1D

std::_Cnd_initX.LIBCPMTD ref: 10001EA5
std::_Cnd_initX.LIBCPMTD ref: 10001EC8
std::_Cnd_initX.LIBCPMTD ref: 10001EE4
std::_Cnd_initX.LIBCPMTD ref: 10001F00
std::_Cnd_initX.LIBCPMTD ref: 10001F19
std::_Cnd_initX.LIBCPMTD ref: 10001F32

Memory Dump Source

Source File: 0000000B.00000002.1765362311.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000B.00000002.1765341007.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.1765383434.0000000010003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.1765401573.0000000010005000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd

Similarity

API ID: Cnd_initstd::_$LocalTime
String ID:
API String ID: 2173581990-0
Opcode ID: b4793d592fb2b4f17ad14db28ac2cb919694318992dcf14b4d0e88b5adc2a56d
Instruction ID: ab08f9b404e6e56ca6d1af1f9d924861b249ebe891b5a8bd52601f9c1a157696
Opcode Fuzzy Hash: b4793d592fb2b4f17ad14db28ac2cb919694318992dcf14b4d0e88b5adc2a56d
Instruction Fuzzy Hash: BA31D2B6E10107A7EF04C7A0DC92ABF7379DF44341F244278F406A7688E635EA149751

Function 10001797 Relevance: 13.6, APIs: 4, Strings: 5, Instructions: 98
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strlen.MSVCRT ref: 100017A8
strcpy.MSVCRT(?,?), ref: 100017C1
sscanf.MSVCRT ref: 10001802
strcmp.MSVCRT ref: 1000188F

Strings

, xrefs: 100017D5
, xrefs: 100017D1
, xrefs: 100017CD
, xrefs: 100017D9
, xrefs: 100017C9

Memory Dump Source

Source File: 0000000B.00000002.1765362311.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000B.00000002.1765341007.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.1765383434.0000000010003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.1765401573.0000000010005000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd

Similarity

API ID: sscanfstrcmpstrcpystrlen
String ID: $ $ $ $
API String ID: 968285010-1444812030
Opcode ID: fc441633a90b755dcb4422550707a411901617201c66723958dc1d3ceb4db771
Instruction ID: 0987e11745ac295f64cab65bdeb32ee07c7e3b358009fc3690f9d3b7a62c3504
Opcode Fuzzy Hash: fc441633a90b755dcb4422550707a411901617201c66723958dc1d3ceb4db771
Instruction Fuzzy Hash: B43174B6D10208ABEB00CBE8DC95EDFB7BDEF58241F048119F505B7245EA35A6088BB1

Function 10001C13 Relevance: 10.6, APIs: 7, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Cnd_initX.LIBCPMTD ref: 10001C1B
std::_Cnd_initX.LIBCPMTD ref: 10001C3E
std::_Cnd_initX.LIBCPMTD ref: 10001C4B
std::_Cnd_initX.LIBCPMTD ref: 10001C83
std::_Cnd_initX.LIBCPMTD ref: 10001C99
std::_Cnd_initX.LIBCPMTD ref: 10001CDD
std::_Cnd_initX.LIBCPMTD ref: 10001CEA

Part of subcall function 10001B7B: std::_Cnd_initX.LIBCPMTD ref: 10001B82

Memory Dump Source

Source File: 0000000B.00000002.1765362311.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000B.00000002.1765341007.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.1765383434.0000000010003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.1765401573.0000000010005000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd

Similarity

API ID: Cnd_initstd::_
String ID:
API String ID: 1955959516-0
Opcode ID: ddfdfc050ccffb4585a401765c6c4427e6421c8b209c5b1508180ee8afcb795b
Instruction ID: dc694722cb004730e918ccfedee204b95ea9d549ac969d9b2753c64d19c647a2
Opcode Fuzzy Hash: ddfdfc050ccffb4585a401765c6c4427e6421c8b209c5b1508180ee8afcb795b
Instruction Fuzzy Hash: 8031EAF9D00208BBEB04DFA4DC869DE3BA8EB482A0F14C525FC0D9B245E635F7548B91

Function 100016D2 Relevance: 7.5, APIs: 5, Instructions: 40
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10001683: sprintf.MSVCRT ref: 100016C4

std::_Cnd_initX.LIBCPMTD ref: 100016F2
std::_Cnd_initX.LIBCPMTD ref: 10001701
std::_Cnd_initX.LIBCPMTD ref: 1000170E
strlen.MSVCRT ref: 10001720
sprintf.MSVCRT ref: 1000172E

Memory Dump Source

Source File: 0000000B.00000002.1765362311.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000B.00000002.1765341007.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.1765383434.0000000010003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.1765401573.0000000010005000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd

Similarity

API ID: Cnd_initstd::_$sprintf$strlen
String ID:
API String ID: 1236961258-0
Opcode ID: ecd8c3b1ca777a9503f504438db89ecd3c2de48004d2c6b43dccb86bee299af6
Instruction ID: 21d67863bf6faeafbf9df8e54127ddecaf4084e2a1d46c932092d44ed4f8a465
Opcode Fuzzy Hash: ecd8c3b1ca777a9503f504438db89ecd3c2de48004d2c6b43dccb86bee299af6
Instruction Fuzzy Hash: 6DF036FA9001047BEB04DB68DC56DEF336DDB44294B088524FD1D8B305EA36F71087A2

Function 10001F78 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 10001FA6
_initterm.MSVCRT ref: 10001FD1
free.MSVCRT ref: 1000200E

Strings

k{v, xrefs: 10001F8E

Memory Dump Source

Source File: 0000000B.00000002.1765362311.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000B.00000002.1765341007.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.1765383434.0000000010003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.1765401573.0000000010005000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd

Similarity

API ID: _inittermfreemalloc
String ID: k{v
API String ID: 1678931842-443568515
Opcode ID: aeb9f87fe75f09e05d32e0472d00320c0c9aa55d5e1b64bd9f1e61d41ecdf792
Instruction ID: 97060b36a5f8e97810dc2dc4be58e409afa948e07d3965cd941dee6dac81ba7b
Opcode Fuzzy Hash: aeb9f87fe75f09e05d32e0472d00320c0c9aa55d5e1b64bd9f1e61d41ecdf792
Instruction Fuzzy Hash: C81127B2609322CBF314CBA5DCD4B5677A5EB803D1F138029EA42E716DDF31A850CB18

Function 1000143E Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

floor.MSVCRT ref: 10001470
_ftol.MSVCRT ref: 10001479
floor.MSVCRT ref: 10001499
_ftol.MSVCRT ref: 100014A2

Memory Dump Source

Source File: 0000000B.00000002.1765362311.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000B.00000002.1765341007.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.1765383434.0000000010003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.1765401573.0000000010005000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd

Similarity

API ID: _ftolfloor
String ID:
API String ID: 3596157161-0
Opcode ID: e9083ee1baef0c7cac7948eb9dbc3993338635afb221cd1a80c42fd75441a0d5
Instruction ID: 0e86c1410bc3e7522d87da5241d59ccba63341cbdfd7e08bb15fc18ea186b650
Opcode Fuzzy Hash: e9083ee1baef0c7cac7948eb9dbc3993338635afb221cd1a80c42fd75441a0d5
Instruction Fuzzy Hash: AD019E70800509FBEB00DFA8ED497CE7BB8FF407C1F10C164F94891159DB3196A88BA2

Function 1000173C Relevance: 6.0, APIs: 4, Instructions: 34
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10001683: sprintf.MSVCRT ref: 100016C4

std::_Cnd_initX.LIBCPMTD ref: 1000175C
std::_Cnd_initX.LIBCPMTD ref: 10001769
strlen.MSVCRT ref: 1000177B
sprintf.MSVCRT ref: 10001789

Memory Dump Source

Source File: 0000000B.00000002.1765362311.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000B.00000002.1765341007.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.1765383434.0000000010003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.1765401573.0000000010005000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd

Similarity

API ID: Cnd_initsprintfstd::_$strlen
String ID:
API String ID: 2133256109-0
Opcode ID: 98827394ca3ec6ca3c5130480201db0136ed86399be691cb16598800973b98f1
Instruction ID: bb305d2a609ac81a0d505e7b7bf13d7fd440d2982e166c3b8775b18275a147f2
Opcode Fuzzy Hash: 98827394ca3ec6ca3c5130480201db0136ed86399be691cb16598800973b98f1
Instruction Fuzzy Hash: 2AF0F4FA9001047BEB00DB64DC46DEB376CDB44294B048424F91D87209E936F6104792

Function 10001A8A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Cnd_initX.LIBCPMTD ref: 10001AAB
std::_Cnd_initX.LIBCPMTD ref: 10001ABC

Strings

;, xrefs: 10001AA0

Memory Dump Source

Source File: 0000000B.00000002.1765362311.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000B.00000002.1765341007.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.1765383434.0000000010003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.1765401573.0000000010005000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd

Similarity

API ID: Cnd_initstd::_
String ID: ;
API String ID: 1955959516-1661535913
Opcode ID: cbcfeafc25ac64bf85fea71812c707afced2db451e6267fc3162be5e27dc6e29
Instruction ID: b48bdcff954eb0a6557994013d606574a1ae58d02fed3ddc0b1e58f5e04090c1
Opcode Fuzzy Hash: cbcfeafc25ac64bf85fea71812c707afced2db451e6267fc3162be5e27dc6e29
Instruction Fuzzy Hash: 72F0D0F9900208BBEB40DFA5DC46ADA37ACDB042E4F04C425F91D8B245E779E7548F92

Function 100018F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Cnd_initX.LIBCPMTD ref: 1000191E
std::_Cnd_initX.LIBCPMTD ref: 1000192B

Strings

g, xrefs: 10001906

Memory Dump Source

Source File: 0000000B.00000002.1765362311.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000B.00000002.1765341007.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.1765383434.0000000010003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.1765401573.0000000010005000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd

Similarity

API ID: Cnd_initstd::_
String ID: g
API String ID: 1955959516-30677878
Opcode ID: 32e702a7540e3795c00ae61329ff3d7ab9576be9a921dc28083833644fc0cff9
Instruction ID: b171246b29acb0fe94f1ed34db5e2a6966bd06c2f108ed1415a7fe8fcfe25bdc
Opcode Fuzzy Hash: 32e702a7540e3795c00ae61329ff3d7ab9576be9a921dc28083833644fc0cff9
Instruction Fuzzy Hash: 2CF0D6F9C00208BBEB00DF95D846BCE37ECDB082A5F04C415F91D9A245E635E7548F91

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report OctVbUtl.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_1639818b7ea33fad73b6a9f374f2c2fc303b0dc_7522e4b5_42ad0679-496e-491f-b6c5-2a2b0b3da087\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_1639818b7ea33fad73b6a9f374f2c2fc303b0dc_7522e4b5_fb894857-d887-4aca-9640-e1541cf37841\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_8937994e4f6653102bf74df7bae4df35b16b585b_7522e4b5_861aaf2f-d957-4636-afe3-005811a133b1\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_d2d6a05f617930bde2d4c76b2a5555e299272ba9_7522e4b5_a66cba1d-ae51-4e93-836a-a8c12fd637a0\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER31FF.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER323D.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER327C.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3328.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3338.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3387.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER33F4.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3405.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3433.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3491.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER34DE.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER355C.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
OctVbUtl.dll