Edit tour

Windows Analysis Report
rMA7e8O8iY.dll

Overview

General Information

Sample name:	rMA7e8O8iY.dll (renamed file extension from none to dll, renamed because original name is a hash value)
Original sample name:	c151a3024a0f056b00bdf3910f71b7e22370438e19aceb3a418cf7b212b2e75b
Analysis ID:	1532504
MD5:	78c32c40a80d47d1e39926781ea4d992
SHA1:	77300e74d31bcfa2043cc4c4971f7ea2cdc3d231
SHA256:	c151a3024a0f056b00bdf3910f71b7e22370438e19aceb3a418cf7b212b2e75b
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

AI detected suspicious sample

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found evasive API chain (date check)

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

One or more processes crash

Sample execution stops while process was sleeping (likely an evasion)

Terminates after testing mutex exists (may check infected machine status)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 7000 cmdline: loaddll32.exe "C:\Users\user\Desktop\rMA7e8O8iY.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 7020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7160 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\rMA7e8O8iY.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 6348 cmdline: rundll32.exe "C:\Users\user\Desktop\rMA7e8O8iY.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 4268 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6348 -s 608 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 5984 cmdline: rundll32.exe C:\Users\user\Desktop\rMA7e8O8iY.dll,GzDHLPTXbfjnZdGY MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 3608 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5984 -s 600 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 6160 cmdline: rundll32.exe C:\Users\user\Desktop\rMA7e8O8iY.dll,bnihrxnmrpio MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 3752 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6160 -s 600 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 560 cmdline: rundll32.exe C:\Users\user\Desktop\rMA7e8O8iY.dll,bnpghteyxrum MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 6372 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 592 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 2496 cmdline: rundll32.exe "C:\Users\user\Desktop\rMA7e8O8iY.dll",GzDHLPTXbfjnZdGY MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 4476 cmdline: rundll32.exe "C:\Users\user\Desktop\rMA7e8O8iY.dll",bnihrxnmrpio MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 1732 cmdline: rundll32.exe "C:\Users\user\Desktop\rMA7e8O8iY.dll",bnpghteyxrum MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 1072 cmdline: rundll32.exe "C:\Users\user\Desktop\rMA7e8O8iY.dll",snozacqpuormqulw MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6092 cmdline: rundll32.exe "C:\Users\user\Desktop\rMA7e8O8iY.dll",rbfyvzbrlz MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 3488 cmdline: rundll32.exe "C:\Users\user\Desktop\rMA7e8O8iY.dll",fnyxctjuscq MD5: 889B99C52A60DD49227C5E485A016679)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: rMA7e8O8iY.dll

Avira: detected

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 96.6% probability

Machine Learning detection for sample

Source: rMA7e8O8iY.dll

Joe Sandbox ML: detected

Source: rMA7e8O8iY.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: rMA7e8O8iY.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: C:\oilers\bolfyhh.pdb source: rundll32.exe, 00000003.00000002.1917727365.000000006C7A1000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1941763460.000000006C7A1000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.1928837550.000000006C7A1000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.1954199934.000000006C7A1000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1795790030.000000006C7A1000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000002.1795272935.000000006C7A1000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000002.1797445036.000000006C7A1000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1797881910.000000006C7A1000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.1795854277.000000006C7A1000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000015.00000002.1796507740.000000006C7A1000.00000002.00000001.01000000.00000003.sdmp, rMA7e8O8iY.dll

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6C791360 snozacqpuormqulw,GetFileAttributesA,lstrlenA,lstrcpyA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcpyA,snozacqpuormqulw,FindNextFileA,FindClose,	3_2_6C791360
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6C791130 FindFirstFileA,FindNextFileA,FindNextFileA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose,	3_2_6C791130
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6C791360 snozacqpuormqulw,GetFileAttributesA,lstrlenA,lstrcpyA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcpyA,snozacqpuormqulw,FindNextFileA,FindClose,	10_2_6C791360

Source: Amcache.hve.8.dr

String found in binary or memory: http://upx.sf.net

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6C793640	3_2_6C793640
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6C79DAD0	3_2_6C79DAD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6C793640	10_2_6C793640

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5984 -s 600

Source: rMA7e8O8iY.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: classification engine

Classification label: mal56.winDLL@28/17@0/0

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Users\user\Desktop\IndexerVolumeGuid

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6160
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7020:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess560
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5984
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6348

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\c28384c9-b5f5-48c7-bf6e-018ed4caa0b3

Jump to behavior

Source: rMA7e8O8iY.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\rMA7e8O8iY.dll,GzDHLPTXbfjnZdGY

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\rMA7e8O8iY.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\rMA7e8O8iY.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\rMA7e8O8iY.dll,GzDHLPTXbfjnZdGY
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\rMA7e8O8iY.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5984 -s 600
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6348 -s 608
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\rMA7e8O8iY.dll,bnihrxnmrpio
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6160 -s 600
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\rMA7e8O8iY.dll,bnpghteyxrum
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 592
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\rMA7e8O8iY.dll",GzDHLPTXbfjnZdGY
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\rMA7e8O8iY.dll",bnihrxnmrpio
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\rMA7e8O8iY.dll",bnpghteyxrum
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\rMA7e8O8iY.dll",snozacqpuormqulw
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\rMA7e8O8iY.dll",rbfyvzbrlz
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\rMA7e8O8iY.dll",fnyxctjuscq
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\rMA7e8O8iY.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\rMA7e8O8iY.dll,GzDHLPTXbfjnZdGY	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\rMA7e8O8iY.dll,bnihrxnmrpio	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\rMA7e8O8iY.dll,bnpghteyxrum	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\rMA7e8O8iY.dll",GzDHLPTXbfjnZdGY	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\rMA7e8O8iY.dll",bnihrxnmrpio	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\rMA7e8O8iY.dll",bnpghteyxrum	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\rMA7e8O8iY.dll",snozacqpuormqulw	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\rMA7e8O8iY.dll",rbfyvzbrlz	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\rMA7e8O8iY.dll",fnyxctjuscq	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\rMA7e8O8iY.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: rMA7e8O8iY.dll

Static file information: File size 6599680 > 1048576

Source: rMA7e8O8iY.dll

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x631400

Source: rMA7e8O8iY.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: rMA7e8O8iY.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6C798A3C LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

3_2_6C798A3C

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6C796805 push ecx; ret	3_2_6C796818
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6C7978B5 push ecx; ret	3_2_6C7978C8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6C796805 push ecx; ret	10_2_6C796818

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6C792080 rbfyvzbrlz,GetModuleFileNameW,OpenMutexA,ExitProcess,FindFirstChangeNotificationA,GetLastError,__cftoe,PathRemoveFileSpecW,lstrcatW,lstrcatW,lstrcatW,_memset,PathStripPathA,GetFileAttributesA,SetFileAttributesA,fnyxctjuscq,GetFileSizeEx,LdrInitializeThunk,

3_2_6C792080

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_3-3995

Source: C:\Windows\SysWOW64\rundll32.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_3-3399

Source: C:\Windows\SysWOW64\rundll32.exe

API coverage: 0.0 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6C791360 snozacqpuormqulw,GetFileAttributesA,lstrlenA,lstrcpyA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcpyA,snozacqpuormqulw,FindNextFileA,FindClose,	3_2_6C791360
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6C791130 FindFirstFileA,FindNextFileA,FindNextFileA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose,	3_2_6C791130
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6C791360 snozacqpuormqulw,GetFileAttributesA,lstrlenA,lstrcpyA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcpyA,snozacqpuormqulw,FindNextFileA,FindClose,	10_2_6C791360

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: Amcache.hve.8.dr	Binary or memory string: VMware
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.8.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.8.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node			graph_3-3400
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node			graph_3-3911

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

3_2_6C792080

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6C792D14 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

3_2_6C792D14

Source: C:\Windows\SysWOW64\rundll32.exe

3_2_6C798A3C

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6C792D14 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_6C792D14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6C7955B4 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6C7955B4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_6C792D14 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_6C792D14

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\rMA7e8O8iY.dll",#1

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6C791CC0 lstrcatW,GetCurrentProcess,_memset,CreateFileW,LoadCursorFromFileW,SetCursor,GetFileSizeEx,ReadFile,GetSystemTimeAsFileTime,WideCharToMultiByte,_strpbrk,lstrlenA,FindWindowA,VirtualProtect,

3_2_6C791CC0

Source: Amcache.hve.8.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	3 Native API	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Rundll32	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Virtualization/Sandbox Evasion	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
rMA7e8O8iY.dll	100%	Avira	WORM/Lodbak.Gen
rMA7e8O8iY.dll	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.8.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1532504
Start date and time:	2024-10-13 14:04:21 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	33
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	rMA7e8O8iY.dll (renamed file extension from none to dll, renamed because original name is a hash value)
Original Sample Name:	c151a3024a0f056b00bdf3910f71b7e22370438e19aceb3a418cf7b212b2e75b
Detection:	MAL
Classification:	mal56.winDLL@28/17@0/0
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 71% Number of executed functions: 5 Number of non-executed functions: 14

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.208.16.94
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
Execution Graph export aborted for target rundll32.exe, PID 1072 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.

Simulations

Behavior and APIs

Time	Type	Description
08:05:25	API Interceptor	1x Sleep call for process: loaddll32.exe modified
08:05:37	API Interceptor	4x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_326eb6a19cfdf346a5bd562595d48d974b8521d_7522e4b5_3279ce3c-6d9e-42cd-8c2d-460228f7ae03\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.829471987280309
Encrypted:	false
SSDEEP:	192:zp1iOOvOK0BU/wjeTHzuiFE5PZ24IO8dci:t1iPvIBU/wjezzuiF4Y4IO8dci
MD5:	CE19E11EE6251E230642803CD1B8454C
SHA1:	4398C675895E1EF41C1D6FDF0ACE654C3D87360A
SHA-256:	BB00E197EE14D5BCC3804D10BF09ECA1C77FE02642B28A6C4BAC99B18C0FBB22
SHA-512:	D6C45FAAA08222B6B2031FC432AD02C66A9A7B9BC86C5CB168491587A57093693B5F41D4D21DB542ED4F35E0123DE0B1EEDD936D8A7A01AFA76CD86BFF4E42FB
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.2.9.4.7.1.9.1.8.5.9.9.8.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.2.9.4.7.1.9.5.7.6.6.2.6.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.2.7.9.c.e.3.c.-.6.d.9.e.-.4.2.c.d.-.8.c.2.d.-.4.6.0.2.2.8.f.7.a.e.0.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.1.e.b.f.2.1.7.-.d.3.e.c.-.4.0.2.b.-.b.8.a.8.-.f.3.0.f.3.9.5.2.1.9.2.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.1.0.-.0.0.0.1.-.0.0.1.4.-.c.d.8.6.-.0.1.2.c.6.8.1.d.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_33482b87b0d8e03f47394b2e9a0604dbf93164_7522e4b5_0ba2ff45-be23-4a4a-b704-a8553d49b4a2\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8385464546109099
Encrypted:	false
SSDEEP:	192:94iaOQ60BU/wjeTHzuiFE5PZ24IO84ci:Oi7QBBU/wjezzuiF4Y4IO84ci
MD5:	06DBAB7BFBC1779D31178E48E33151BF
SHA1:	CD019C59452C7C7A3128C21360DB0645BE7D8904
SHA-256:	9181F67DA7EAAF27AC416263E580584DF4E84A1A0CF0365D7E0363DB53C775EC
SHA-512:	9C8C7777F76A9D90D5514EE6D83AAB5351F45ABE8AD94872A3E91D18477ABAB865429E0BF414F8B249959F0D86052BCD0010AF0BAAC77C48B1435A44D89FA0C3
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.2.9.4.7.1.6.3.9.5.3.0.1.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.2.9.4.7.1.7.0.4.9.4.7.2.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.b.a.2.f.f.4.5.-.b.e.2.3.-.4.a.4.a.-.b.7.0.4.-.a.8.5.5.3.d.4.9.b.4.a.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.7.f.f.a.a.e.a.-.5.b.f.7.-.4.3.a.3.-.8.d.9.9.-.d.5.3.5.e.d.4.c.f.7.a.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.6.0.-.0.0.0.1.-.0.0.1.4.-.c.2.8.0.-.2.e.2.a.6.8.1.d.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.r.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_33482b87b0d8e03f47394b2e9a0604dbf93164_7522e4b5_296a96e6-a1fd-4510-b036-067b4db15b33\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8383811406633447
Encrypted:	false
SSDEEP:	192:Lli7O2H60BU/wjeTHzuiFE5PZ24IO84ci:piC2HBBU/wjezzuiF4Y4IO84ci
MD5:	0F0B4A06A1DF5B77ACD27E21EDE124B0
SHA1:	8AE2D55B144808F4721212EA6E0BBD0BA0D94440
SHA-256:	38FDC57864DF7361D9FFACE9017A711F37375F0991E1A5C32CA5B1CAB22D2248
SHA-512:	88832339D6B2A258E31F470C631F32693F4F2EE071E4830A99ECD1D83599F9873337735F42980CFB19A0853D4FB25D45FAAF6CAE43E9C87B45DA287A58D704F4
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.2.9.4.7.1.6.4.0.4.6.6.1.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.2.9.4.7.1.7.0.5.8.8.3.2.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.9.6.a.9.6.e.6.-.a.1.f.d.-.4.5.1.0.-.b.0.3.6.-.0.6.7.b.4.d.b.1.5.b.3.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.f.3.a.4.b.e.f.-.b.b.7.e.-.4.1.7.e.-.b.5.2.3.-.4.a.2.3.6.b.8.9.4.8.f.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.c.c.-.0.0.0.1.-.0.0.1.4.-.0.2.6.d.-.3.5.2.a.6.8.1.d.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.r.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_c018787967c562f75385d7bd4d3f68f02869ef4c_7522e4b5_ac1e9f39-e6d8-48d1-88ca-21009397ff1b\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8289506529421105
Encrypted:	false
SSDEEP:	192:7VviUOAKOu0BU/wjeTHzuiFE5PZ24IO8dci:pil1MBU/wjezzuiF4Y4IO8dci
MD5:	A87A1907107E7422BD8A27327B63DB76
SHA1:	4AB6BB3644AA6977FAD5402D3734F9F67D2CE789
SHA-256:	3EB3E090BEDA2238292EF5D0C71AB9D42F5D721C10C3E80F8528DC27E7E36F40
SHA-512:	297A1538897644204EC5D4E4D71F211729846693512D2A6CF41C0A7C7C8A0E2AC7216762662623A3C32A67524BD11142C70E0E1054D79A569AC4B78EBA662F36
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.2.9.4.7.2.2.2.7.5.0.1.4.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.2.9.4.7.2.2.7.2.8.1.4.5.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.c.1.e.9.f.3.9.-.e.6.d.8.-.4.8.d.1.-.8.8.c.a.-.2.1.0.0.9.3.9.7.f.f.1.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.a.c.9.b.c.6.a.-.c.9.f.5.-.4.b.b.e.-.9.3.5.5.-.f.e.8.2.1.5.e.8.7.6.1.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.2.3.0.-.0.0.0.1.-.0.0.1.4.-.0.c.b.2.-.c.d.2.d.6.8.1.d.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER529D.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sun Oct 13 12:05:16 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	41430
Entropy (8bit):	2.0164042884954627
Encrypted:	false
SSDEEP:	192:F/95LCLkwCO5H4CislMdxwALc1yto07kNxAe:dnLeZd5HRlAYBA
MD5:	93D29E1A8F97E63B5EA9D0EDEBD89424
SHA1:	11768BBB5B98ACDB83A6D2EB1C45BE9EC423C978
SHA-256:	1E3A87AC1FBE94451FFAEAC2A5A5988D84714653164465BDEAC8C8F45B0F2360
SHA-512:	89F0B26440E81776CE4DB786B6CA98A4D13998503C98AE16174C0984A038A6F58395B7759EAB2DE9AC30B6FB603B5012837112A1CCE6EA071AAC5647728B4F1B
Malicious:	false
Preview:	MDMP..a..... .......\|..g.........................................&..........T.......8...........T......................................x...............................................................................eJ..............GenuineIntel............T.......`...{..g.............................0..=...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER52BC.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sun Oct 13 12:05:16 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	42106
Entropy (8bit):	1.9846802195345297
Encrypted:	false
SSDEEP:	192:FX9pLCLNwhmO5H4xjB6FdvuLf7SfBsGhfrbElc:N3LeNwf5Hm6Fd0SfBnr
MD5:	3750352F7FE9E226C507458A19DA3833
SHA1:	2155CA1878A4F6CA035C833CF50697D2F1F31796
SHA-256:	CF96F8A11D140BAD4728E65DD288E59D977F6CD4C0D672FCA4C1CFB1F0BDD1A6
SHA-512:	F687CE60D9E99705D8D14E8778B022679BB11AD70E80189450338A42F39AD2B2FFC66D8E2E421C1F306CFAC48C5FC79B02139B9C7D170F8F0B268A7D41078800
Malicious:	false
Preview:	MDMP..a..... .......\|..g.........................................&..........T.......8...........T...........H...2.......................x...............................................................................eJ..............GenuineIntel............T...........{..g.............................0..=...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5398.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8364
Entropy (8bit):	3.694104983801508
Encrypted:	false
SSDEEP:	192:R6l7wVeJpbI6ISV6YVG6jgmf8fMprO89bsUsfoEm:R6lXJp06ISV6YE6jgmf8fOsHfK
MD5:	C985C1FEEB39C4667771A3D3C2C40F06
SHA1:	348E1682F4BF09C2940E9576781A84277ED4F30B
SHA-256:	18C36B6D04543FA0255A7E60F8CBE5AEEA63C594D51490A5571D3116C5DE9871
SHA-512:	ACFBDDC3F86869E96E7141175D6F777A4A902984D5C5BC990F63A0E32CBDE6A0E8B5F9FF077CCC62A00311C38908F9127F79D22D6082C33E56B26CF742BCA7D5
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.9.8.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER53A8.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8358
Entropy (8bit):	3.6945362525848497
Encrypted:	false
SSDEEP:	192:R6l7wVeJMl6ISB6YjX6Xgmf8fMprO89bsnsfxEm:R6lXJG6ISB6Yz6Xgmf8fOssfn
MD5:	2565A790EB7FEB0B54232E5425B526E5
SHA1:	6B9C68F3A13DAB9DA92C452C2B670CADAF119687
SHA-256:	2736164BD07A380C252313D27BA1375E97905CB793E8CB5E16019FA55D4F2F1A
SHA-512:	80269227E531F873BB4914CC7ED727DAD312BC9C8082DC46B2C75510ACB880E580FA406CB595C13B99E70EC4C84387A94ED72EBDDD9392C36C54E4A3D7E79421
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.3.4.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER53C8.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4791
Entropy (8bit):	4.484170668589483
Encrypted:	false
SSDEEP:	48:cvIwWl8zsQiJg77aI90fWpW8VYzYm8M4JCdPHFtDE+q8vjPiGScSrd:uIjfQwI7aO7V3JwAKOJ3rd
MD5:	D6164AD1EDDE44E908BA0A5578A418B2
SHA1:	2893D19CAAF5F8E95FFE529EC128A6CBE816C72B
SHA-256:	CEA52AF2E1156D583AC141DF1C8D64328252138F2C55EFA0995F60C0B76B5A4D
SHA-512:	3E5A870D3C9F8F3177FAE242290F78108CC7845D4B0A8282380BE71FC1350574722BC52C9DBE3675C0FE14BC069C9564E1BC264C14071BA8FEF7B410BD134400
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="541627" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER53D7.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4791
Entropy (8bit):	4.485547689532079
Encrypted:	false
SSDEEP:	48:cvIwWl8zsQiJg77aI90fWpW8VYYYm8M4JCdPHF3Q+q8vjPqmGScShhd:uIjfQwI7aO7VcJZKumJ3hhd
MD5:	401CAC13E5787FF2FDB2C8E7CBECACDF
SHA1:	896F4C3E5559979247DA4ECDE722E72914A471C6
SHA-256:	8A1140F6ACA4AC35F21441DA10F74D9C5D511834EF85A11E2A7162B58E4FB85B
SHA-512:	6C0766D8D0E78BA5180327836880CFEC5984C0E91CBC90DF45A9C49E15FFFAE7451C289B74C138BDD42B2B7470460F2D7E2E493321E781E3AE5A4DBFD01E3BA2
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="541627" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D6B.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sun Oct 13 12:05:19 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	41464
Entropy (8bit):	1.9536464049070739
Encrypted:	false
SSDEEP:	96:5D8wQU64L8ev/Mue88ksRLCkhUZH/Doi75I4v45zph2NGqn68ex8ulpwLquSehoE:uJ9NLCLSO5H40p68exyeCOgSt3/
MD5:	1090888F5B0CB2BF54278050161AE0D1
SHA1:	99BD02AAE9AFD8209B4ABD9DC72046256501E1F6
SHA-256:	0AF9AB917300AED5E2902CB2F0DA12DE381C0A7F3C1A279CE3F37F27CB285048
SHA-512:	E70D7BF4670DBA2431C19DE9CEC467E5B167BC553B55DDFB949C3EA67F064D11E60480B45F5ED060CC9C0FD422D2C5235C49AB10DC5D7A5CA65A83E909FE49C4
Malicious:	false
Preview:	MDMP..a..... ..........g.........................................&..........T.......8...........T...............P.......................x...............................................................................eJ..............GenuineIntel............T...........~..g.............................0..=...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5DAA.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8262
Entropy (8bit):	3.692529725557234
Encrypted:	false
SSDEEP:	192:R6l7wVeJUE6IpmiCh6YVB6KgmfTdMpra89bLm2sf+z5m:R6lXJf6IpY6Yz6KgmfTdqLmVf+A
MD5:	5304B6FDE97494046B44A8E4EEADCA19
SHA1:	DB7232F28EF619FA405335025962657023FC61C9
SHA-256:	0CB236956D0C9A44893AC0ABF632503D38563B93275D3C84C191D589E054D294
SHA-512:	6A2F9C4319367EC714A1AF70D8271D6FF1A677DB96468C2BC30EF15FEB0BC22CF9ADFCB28D114E733F9FFAEB85BA590D720AE73EF12FD08A4541369B34F3973B
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.1.6.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5E09.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4650
Entropy (8bit):	4.467840559949726
Encrypted:	false
SSDEEP:	48:cvIwWl8zsCJg77aI90fWpW8VYvYm8M4JCdPuzPFR+q8/wzcL95GScSDd:uIjfQI7aO7VjJNo95J3Dd
MD5:	2CAB450F36A089531F21B2CFC5883F6C
SHA1:	BE5FB50BB065930A521E107EE4D217950AE30E90
SHA-256:	5E0DB2CCCD82804FC81844309BFAEF97CC7C1F55B0AE65469ECDDBCAC4955335
SHA-512:	272C74FB10B1F52C265E36281A05312AEE9B3FD40DD119BAA9E2F11B6E07DDDA1037B424001D538506F34B3031948F7AF15CADA9343FA9330EBDE1EACEF7A190
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="541628" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6961.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sun Oct 13 12:05:22 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	43128
Entropy (8bit):	1.9026839172113963
Encrypted:	false
SSDEEP:	192:XAwz9eLCLdt0joO5H4Kd5LNKt8vEzmqpfLHMX5By+L:/zMLedGjv5H9FNKDBLkzy6
MD5:	F225B18C3B158D7A7A156ED197796982
SHA1:	B19C5F73D79D2B6BDC84A94404B02A7F1AB4912B
SHA-256:	23BD7CC14AAB38DBD7EC806EF45C821714BE30839C3D3EEC7C5BD2816BCBCAB3
SHA-512:	3E83DBFF0D83CF714555AE862F03C9D27486AB4321EF015AF676B5776DB24BACAF1F555AE823EE6C45676E73EB22B9A93DBBF01F02BC353C47CDBAB7677D1DD8
Malicious:	false
Preview:	MDMP..a..... ..........g.........................................&..........T.......8...........T......................................x...............................................................................eJ..............GenuineIntel............T.......0......g.............................0..=...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6A2D.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8258
Entropy (8bit):	3.692537091815225
Encrypted:	false
SSDEEP:	192:R6l7wVeJuM6Ipn6YVz62gmfTxMprB89b7usf07pm:R6lXJN6Ipn6YB62gmfTxn7tfB
MD5:	E5BC2A7F911C4A3E3D2EA029B6EA4762
SHA1:	A6A5014612486D4DCC1CFDA0743E3623461C2420
SHA-256:	DCF3B1E9F6053BC6FCA12ACF5C920E3F30E0D797B334E776538565B0AF8DB4D1
SHA-512:	905F2E7E98C36B50AC6E8F81E73475750CE6191ECF91EE79CA3008CD4509A076F1A9848DA53E967AAFC78DDE6C7AC3EE155D8D4923DBA78988696F0EE2A13B35
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.6.0.<./.P.i.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6A6D.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4650
Entropy (8bit):	4.46638656063785
Encrypted:	false
SSDEEP:	48:cvIwWl8zsCJg77aI90fWpW8VY3Ym8M4JCdPuzTF5+q8/wzcTGScSwd:uIjfQI7aO7VPJRcJ3wd
MD5:	361E7D53D2B0DCF44441404F64DA759B
SHA1:	EE56CADDAF585E818C5E1307CA963C45D100BAB3
SHA-256:	E9980B019B6AC1A476D505ADF5CD44B031DDDED15F946424BC08AE7FCAEC7598
SHA-512:	81C3C4022E370C4F106648A3E6C8C0679AF342A482FF2DCBCB354AC527ABCD42C393839B48D31E895CCE63C71DD552ECF3916C30F33694BC1A36A2F41F6B97AC
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="541628" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.46624320753057
Encrypted:	false
SSDEEP:	6144:EIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNxdwBCswSbG:5XD94+WlLZMM6YFHT+G
MD5:	6EC10A690F088B16F892315F06445BA8
SHA1:	E4C39A8DC4C6D5F9F598A9D635CE4426BF38E9C0
SHA-256:	6CB3BDCCA8BB8296A127620B275980C02BC2D968276EC29CC09403AB92C9DFB1
SHA-512:	B10966050B7C39D3AADB60531A788E49113EF2C1B638C89065DF8C04887EC092D51453C1414A0246C33C56815FE121E78580C27ECE0439037A7BD7BB097D03E2
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmF)`*h.................................................................................................................................................................................................................................................................................................................................................w.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.810145354922082
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	rMA7e8O8iY.dll
File size:	6'599'680 bytes
MD5:	78c32c40a80d47d1e39926781ea4d992
SHA1:	77300e74d31bcfa2043cc4c4971f7ea2cdc3d231
SHA256:	c151a3024a0f056b00bdf3910f71b7e22370438e19aceb3a418cf7b212b2e75b
SHA512:	d502b2a7212fc57466ae4c204794d9ded4d164ccd6f61d02069b60aab3ec718ca27e490b0c1d73c706ec0705fad859c006d17d9e03a996522f02386be6f17ab0
SSDEEP:	98304:L093FSbu5+0SIA7d2LxzyrM/M+SEL42/SYqCYcj6JtP+XlAu6mBg:uFE50EZ2LxzjU+xL42KcjIt+yu6F
TLSH:	4B663301E82A49F0CBCC307DAD74D330BA5470296B251BFAF7B85C8B5D562F01ABD5A2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........./...A...A...A..b....A..b....A..b....A.......A...@...A..b....A..b....A..b....A.Rich..A.................PE..L......Y...........

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x1000409b
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x591E1A16 [Thu May 18 22:03:02 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	a0206f6891f2c05e6d3e84ee463160e0

Entrypoint Preview

Instruction
mov edi, edi
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F753CD49697h
call 00007F753CD4C9E2h
push dword ptr [ebp+08h]
mov ecx, dword ptr [ebp+10h]
mov edx, dword ptr [ebp+0Ch]
call 00007F753CD49581h
pop ecx
pop ebp
retn 000Ch
mov edi, edi
push ebp
mov ebp, esp
sub esp, 20h
mov eax, dword ptr [ebp+08h]
push esi
push edi
push 00000008h
pop ecx
mov esi, 10011248h
lea edi, dword ptr [ebp-20h]
rep movsd
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
mov dword ptr [ebp-04h], eax
pop esi
test eax, eax
je 00007F753CD4969Eh
test byte ptr [eax], 00000008h
je 00007F753CD49699h
mov dword ptr [ebp-0Ch], 01994000h
lea eax, dword ptr [ebp-0Ch]
push eax
push dword ptr [ebp-10h]
push dword ptr [ebp-1Ch]
push dword ptr [ebp-20h]
call dword ptr [100110A0h]
leave
retn 0008h
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [1001A1F0h], eax
mov dword ptr [1001A1ECh], ecx
mov dword ptr [1001A1E8h], edx
mov dword ptr [1001A1E4h], ebx
mov dword ptr [1001A1E0h], esi
mov dword ptr [1001A1DCh], edi
mov word ptr [1001A208h], ss
mov word ptr [1001A1FCh], cs
mov word ptr [1001A1D8h], ds
mov word ptr [1001A1D4h], es
mov word ptr [1001A1D0h], fs
mov word ptr [1001A1CCh], gs

Rich Headers

Programming Language:

[ASM] VS2010 SP1 build 40219
[ C ] VS2010 SP1 build 40219
[C++] VS2010 SP1 build 40219
[IMP] VS2008 SP1 build 30729
[EXP] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x18790	0xc3	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x17edc	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1c000	0xe30	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x111c0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x17648	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x11000	0x188	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xf594	0xf600	ac11eb61c408c96d73dee32b7b57d93c	False	0.5930513211382114	data	6.73225533995724	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x11000	0x7853	0x7a00	da6644db11154152d8cd5405cd2f994c	False	0.4815893954918033	data	6.16857398365695	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x19000	0x263c	0x1200	bf415ed8634332622a0595304655d994	False	0.3708767361111111	data	3.937792920066365	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x1c000	0x18aa	0x1a00	ada87df48d63a76359eb7b29d5940b5d	False	0.466796875	data	4.503417224823786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x1e000	0x631220	0x631400	c3c007570172619d5e97b50591e789b3	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	lstrlenA, VerSetConditionMask, GetCurrentProcess, GetSystemTimeAsFileTime, WideCharToMultiByte, GetFileAttributesA, VerifyVersionInfoA, ReadFile, GetModuleFileNameW, CreateFileW, lstrlenW, GetFileSizeEx, FindFirstFileA, GetLastError, SetFileAttributesA, FindClose, OpenMutexA, lstrcmpA, FindFirstChangeNotificationA, lstrcatW, VirtualProtect, lstrcpyA, HeapSize, HeapReAlloc, LoadLibraryW, GetStringTypeW, MultiByteToWideChar, FindNextFileA, ExitProcess, LCMapStringW, RtlUnwind, GetCurrentProcessId, GetTickCount, QueryPerformanceCounter, HeapAlloc, GetCurrentThreadId, DecodePointer, GetCommandLineA, RaiseException, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapFree, IsProcessorFeaturePresent, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, SetLastError, GetProcAddress, WriteFile, GetStdHandle, HeapCreate, HeapDestroy, SetEnvironmentVariableA, SetEnvironmentVariableW, Sleep, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, SetHandleCount, GetFileType, GetStartupInfoW, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, CompareStringW
USER32.dll	SetCursor, IsMenu, GetTopWindow, LoadBitmapA, wsprintfW, GetMenu, RegisterClipboardFormatA, LoadCursorFromFileW, LoadImageA, FindWindowA, GetShellWindow, LoadStringA
GDI32.dll	DeleteObject
SHELL32.dll
SHLWAPI.dll	PathRemoveFileSpecW, PathStripPathA

Exports

Name	Ordinal	Address
GzDHLPTXbfjnZdGY	1	0x10002360
bnihrxnmrpio	2	0x10001210
bnpghteyxrum	3	0x10001220
fnyxctjuscq	4	0x100014b0
rbfyvzbrlz	5	0x10002080
snozacqpuormqulw	6	0x10001360

Target ID:	0
Start time:	08:05:15
Start date:	13/10/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\rMA7e8O8iY.dll"
Imagebase:	0x170000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:05:15
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:05:15
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\rMA7e8O8iY.dll",#1
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:05:15
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\rMA7e8O8iY.dll,GzDHLPTXbfjnZdGY
Imagebase:	0x2f0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:05:15
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\rMA7e8O8iY.dll",#1
Imagebase:	0x2f0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:05:16
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5984 -s 600
Imagebase:	0x470000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	08:05:16
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6348 -s 608
Imagebase:	0x470000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:05:18
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\rMA7e8O8iY.dll,bnihrxnmrpio
Imagebase:	0x2f0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	08:05:19
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6160 -s 600
Imagebase:	0x470000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	08:05:21
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\rMA7e8O8iY.dll,bnpghteyxrum
Imagebase:	0x2f0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	08:05:22
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 592
Imagebase:	0x470000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	08:05:24
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\rMA7e8O8iY.dll",GzDHLPTXbfjnZdGY
Imagebase:	0x2f0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	08:05:25
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\rMA7e8O8iY.dll",bnihrxnmrpio
Imagebase:	0x2f0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	08:05:25
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\rMA7e8O8iY.dll",bnpghteyxrum
Imagebase:	0x2f0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	08:05:25
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\rMA7e8O8iY.dll",snozacqpuormqulw
Imagebase:	0x2f0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	08:05:25
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\rMA7e8O8iY.dll",rbfyvzbrlz
Imagebase:	0x2f0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	08:05:25
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\rMA7e8O8iY.dll",fnyxctjuscq
Imagebase:	0x2f0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	12.7%
Total number of Nodes:	898
Total number of Limit Nodes:	7

Executed Functions

Function 6C791CC0 Relevance: 35.3, APIs: 13, Strings: 7, Instructions: 261
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(0000DD4D,74E2F770), ref: 6C791CDE
_memset.LIBCMT ref: 6C791D06
CreateFileW.KERNELBASE(C:\Users\user\Desktop\IndexerVolumeGuid,80000000,00000003,00000000,00000004,00000080,00000000), ref: 6C791DB2
LoadCursorFromFileW.USER32(fNobvJLcACQdSq), ref: 6C791E19
SetCursor.USER32(00000000), ref: 6C791E20
GetFileSizeEx.KERNEL32(00000000,?), ref: 6C791F05
ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 6C791F54

Strings

s4W>, xrefs: 6C791FF7
qfkclalqqi, xrefs: 6C791E2B
1zl, xrefs: 6C791E91
asnfpwrqc, xrefs: 6C79202C
dsqdadoehhkwcgyogrpvxayvwolz, xrefs: 6C791CE9
C:\Users\user\Desktop\IndexerVolumeGuid, xrefs: 6C791DA8
fNobvJLcACQdSq, xrefs: 6C791E14

Memory Dump Source

Source File: 00000003.00000002.1917700358.000000006C791000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C790000, based on PE: true

Associated: 00000003.00000002.1917677637.000000006C790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917727365.000000006C7A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917750595.000000006C7A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917773342.000000006C7AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917773342.000000006C7AE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c790000_rundll32.jbxd

Similarity

API ID: File$Cursor$CreateCurrentFromLoadProcessReadSize_memset
String ID: C:\Users\user\Desktop\IndexerVolumeGuid$asnfpwrqc$dsqdadoehhkwcgyogrpvxayvwolz$fNobvJLcACQdSq$qfkclalqqi$s4W>$1zl
API String ID: 1010611447-3706999952
Opcode ID: 84e722112169ca278c463fbb8be9622f1be5caf21b1433bc3299191c56870529
Instruction ID: 044f2b6e754b22b675b151b19d1c304e82feb393aba375cec5f3906ea8607d2a
Opcode Fuzzy Hash: 84e722112169ca278c463fbb8be9622f1be5caf21b1433bc3299191c56870529
Instruction Fuzzy Hash: BEA1E0B1B00208DFDF14CFE4E949BAE7BB4FB4A315F1042A8E546AB680D7719959CF50

Function 6C792080 Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 196
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6C793514: __FF_MSGBANNER.LIBCMT ref: 6C79352D
Part of subcall function 6C793514: __NMSG_WRITE.LIBCMT ref: 6C793534
Part of subcall function 6C793514: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,6C793DE0,?,00000004), ref: 6C793559

GetModuleFileNameW.KERNEL32(6C790000,C:\Users\user\Desktop\IndexerVolumeGuid,00000104), ref: 6C7920D9
OpenMutexA.KERNEL32(001F0001,00000000,bbodihmykbbodihmyk), ref: 6C7920EA
ExitProcess.KERNEL32 ref: 6C7920F5
FindFirstChangeNotificationA.KERNELBASE(hlczjuikox,0000000F,0000DD4D), ref: 6C7921B7
GetLastError.KERNEL32 ref: 6C7921C7
__cftoe.LIBCMT ref: 6C7921EC
PathRemoveFileSpecW.SHLWAPI(C:\Users\user\Desktop\IndexerVolumeGuid), ref: 6C7921F9
lstrcatW.KERNEL32(C:\Users\user\Desktop\IndexerVolumeGuid,6C7A32D0), ref: 6C79220F
lstrcatW.KERNEL32(C:\Users\user\Desktop\IndexerVolumeGuid,IndexerVolumeGuid), ref: 6C79221B
_memset.LIBCMT ref: 6C792229
PathStripPathA.KERNELBASE(?), ref: 6C792236

Strings

IndexerVolumeGuid, xrefs: 6C792211
hlczjuikox, xrefs: 6C7921A8, 6C7921AD
bbodihmykbbodihmyk, xrefs: 6C7920DF
C:\Users\user\Desktop\IndexerVolumeGuid, xrefs: 6C7920BB, 6C7921D3, 6C7921F4, 6C79220A, 6C792216

Memory Dump Source

Source File: 00000003.00000002.1917700358.000000006C791000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C790000, based on PE: true

Associated: 00000003.00000002.1917677637.000000006C790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917727365.000000006C7A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917750595.000000006C7A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917773342.000000006C7AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917773342.000000006C7AE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c790000_rundll32.jbxd

Similarity

API ID: Path$Filelstrcat$AllocateChangeErrorExitFindFirstHeapLastModuleMutexNameNotificationOpenProcessRemoveSpecStrip__cftoe_memset
String ID: C:\Users\user\Desktop\IndexerVolumeGuid$IndexerVolumeGuid$bbodihmykbbodihmyk$hlczjuikox
API String ID: 1133227495-1474762970
Opcode ID: fb9cdd06e65ea58d9d6bdd2ac413fd50b887ea51d77c62d2b4283a047f31c056
Instruction ID: ca78085657a62475c1448427a6fac70a80435c94e35f88008f166943e4cb206f
Opcode Fuzzy Hash: fb9cdd06e65ea58d9d6bdd2ac413fd50b887ea51d77c62d2b4283a047f31c056
Instruction Fuzzy Hash: 1271C1B1608341DFD700DFA4E94DA9F7BB4BB8A354F414928F59997690EB30D128CF92

Function 6C792360 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 139
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

rbfyvzbrlz.RMA7E8O8IY ref: 6C79240C
LoadStringA.USER32(00000000,0000008D,6C7AAD90,00000104), ref: 6C792427
RegisterClipboardFormatA.USER32(6C7AAD90), ref: 6C792432
snozacqpuormqulw.RMA7E8O8IY(6C7AAD90), ref: 6C79243D
LoadBitmapA.USER32(00000000,0000000F), ref: 6C79244E
__floor_pentium4.LIBCMT ref: 6C7924CA
RealDriveType.SHELL32(00000000,00000000), ref: 6C7924F9
_calloc.LIBCMT ref: 6C79250E
_memset.LIBCMT ref: 6C792559

Strings

^, xrefs: 6C792397
uFRxZVMGSbqgaxkbizaofdgu, xrefs: 6C792462
lyklbyetstmygefupednncwmkzipppjjfymgy, xrefs: 6C79253F

Memory Dump Source

Source File: 00000003.00000002.1917700358.000000006C791000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C790000, based on PE: true

Associated: 00000003.00000002.1917677637.000000006C790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917727365.000000006C7A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917750595.000000006C7A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917773342.000000006C7AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917773342.000000006C7AE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c790000_rundll32.jbxd

Similarity

API ID: Load$BitmapClipboardDriveFormatRealRegisterStringType__floor_pentium4_calloc_memsetrbfyvzbrlzsnozacqpuormqulw
String ID: ^$lyklbyetstmygefupednncwmkzipppjjfymgy$uFRxZVMGSbqgaxkbizaofdgu
API String ID: 1740096499-1716715573
Opcode ID: f12298a3a81d2dfb68051f0c0a91fa8ec61a2bf01a205f10154584601895819f
Instruction ID: a7545854882f963ac3523d0c1774e7cb2f2f3bb6770477467a10a1aa13a45402
Opcode Fuzzy Hash: f12298a3a81d2dfb68051f0c0a91fa8ec61a2bf01a205f10154584601895819f
Instruction Fuzzy Hash: 625127B07083019BDB21EFA4F94A7DE3BF4AB86718F004538E8D49B684EB719519CB81

Function 6C793514 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FF_MSGBANNER.LIBCMT ref: 6C79352D

Part of subcall function 6C795BDA: __NMSG_WRITE.LIBCMT ref: 6C795C01
Part of subcall function 6C795BDA: __NMSG_WRITE.LIBCMT ref: 6C795C0B

__NMSG_WRITE.LIBCMT ref: 6C793534

Part of subcall function 6C795A2B: GetModuleFileNameW.KERNEL32(00000000,6C7AA4AA,00000104,?,?,=yl), ref: 6C795AC7
Part of subcall function 6C795A2B: __invoke_watson.LIBCMT ref: 6C795AF0
Part of subcall function 6C795A2B: _wcslen.LIBCMT ref: 6C795AF6
Part of subcall function 6C795A2B: _wcslen.LIBCMT ref: 6C795B03

Part of subcall function 6C79576A: ___crtCorExitProcess.LIBCMT ref: 6C795772
Part of subcall function 6C79576A: ExitProcess.KERNEL32 ref: 6C79577B

RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,6C793DE0,?,00000004), ref: 6C793559

Strings

=yl, xrefs: 6C79351A, 6C793550, 6C793570, 6C793591

Memory Dump Source

Source File: 00000003.00000002.1917700358.000000006C791000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C790000, based on PE: true

Associated: 00000003.00000002.1917677637.000000006C790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917727365.000000006C7A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917750595.000000006C7A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917773342.000000006C7AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917773342.000000006C7AE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c790000_rundll32.jbxd

Similarity

API ID: ExitProcess_wcslen$AllocateFileHeapModuleName___crt__invoke_watson
String ID: =yl
API String ID: 2361220029-3172309113
Opcode ID: 8a439a23aa81f27e50c9122934221f844a07153baf9be52c0762abe74852997c
Instruction ID: 1b08621e51e16506aa3826a213ace0e75d6c981f89c7fba920d4b564ce766662
Opcode Fuzzy Hash: 8a439a23aa81f27e50c9122934221f844a07153baf9be52c0762abe74852997c
Instruction Fuzzy Hash: 7801B5B1244311AEF78117B5BF8CB7B37E8AB4A76EF500235E51C8BE90DB7088448660

Function 6C793DC1 Relevance: 4.5, APIs: 3, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6C793514: __FF_MSGBANNER.LIBCMT ref: 6C79352D
Part of subcall function 6C793514: __NMSG_WRITE.LIBCMT ref: 6C793534
Part of subcall function 6C793514: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,6C793DE0,?,00000004), ref: 6C793559

std::exception::exception.LIBCMT ref: 6C793E10
std::exception::exception.LIBCMT ref: 6C793E2A
__CxxThrowException@8.LIBCMT ref: 6C793E3B

Memory Dump Source

Source File: 00000003.00000002.1917700358.000000006C791000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C790000, based on PE: true

Associated: 00000003.00000002.1917677637.000000006C790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917727365.000000006C7A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917750595.000000006C7A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917773342.000000006C7AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917773342.000000006C7AE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c790000_rundll32.jbxd

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow
String ID:
API String ID: 877034779-0
Opcode ID: f5e8bad0f9be49e4392fde6b8598ce1b5698c7ffd8b3fdcf895792cdc0cb55c8
Instruction ID: 8f42737860e049c264b41963567eab12050df72fcac4eb8e95e7eca3996aa475
Opcode Fuzzy Hash: f5e8bad0f9be49e4392fde6b8598ce1b5698c7ffd8b3fdcf895792cdc0cb55c8
Instruction Fuzzy Hash: 2DF0F935500105AADF44DB95FB0EAEE7AB8AF41318F100659D41497DD0DB71C70A8780

Non-executed Functions

Function 6C791130 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 74
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNEL32(c:\*.*,?,?,lyklbyetstmygefupednncwmkzipppjjfymgy), ref: 6C79115B
FindNextFileA.KERNEL32(00000000,?), ref: 6C791189
lstrcmpA.KERNEL32(?,qstkuikagi), ref: 6C7911AC
FindNextFileA.KERNEL32(00000000,?), ref: 6C7911BA
FindClose.KERNEL32(00000000), ref: 6C7911C1

Strings

c:\*.*, xrefs: 6C791150
qstkuikagi, xrefs: 6C7911A0
k%yl, xrefs: 6C791143
k%yl, xrefs: 6C7911CC, 6C7911E7, 6C79116D
lyklbyetstmygefupednncwmkzipppjjfymgy, xrefs: 6C791147

Memory Dump Source

Source File: 00000003.00000002.1917700358.000000006C791000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C790000, based on PE: true

Associated: 00000003.00000002.1917677637.000000006C790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917727365.000000006C7A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917750595.000000006C7A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917773342.000000006C7AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917773342.000000006C7AE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c790000_rundll32.jbxd

Similarity

API ID: Find$File$Next$CloseFirstlstrcmp
String ID: c:\*.*$k%yl$k%yl$lyklbyetstmygefupednncwmkzipppjjfymgy$qstkuikagi
API String ID: 2327987229-1098256769
Opcode ID: 847865e824824e59375ec6d5358ff886cfbc2f431c10730aed859827243e1112
Instruction ID: f2cb8e0931d21afb0770e7d9af07c7a6ddd7cebd6d745d60182f90f92cc49277
Opcode Fuzzy Hash: 847865e824824e59375ec6d5358ff886cfbc2f431c10730aed859827243e1112
Instruction Fuzzy Hash: 08219372B001189BDB14DBB9FD849EE77B8EF493A0F0002B5E90DD7640EB31D9598BA0

Function 6C791360 Relevance: 15.1, APIs: 10, Instructions: 72
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNEL32(?), ref: 6C79137A
lstrlenA.KERNEL32(?), ref: 6C791389
lstrcpyA.KERNEL32(?,6C7A2EB8), ref: 6C7913A8
FindFirstFileA.KERNEL32(?,?,?,6C7A2EB8), ref: 6C7913B6
lstrcmpA.KERNEL32(6C7A3174,?,?,6C7A2EB8), ref: 6C7913CF
lstrcmpA.KERNEL32(6C7A3178,?,?,6C7A2EB8), ref: 6C7913E5
lstrcpyA.KERNEL32(?,?,?,6C7A2EB8), ref: 6C7913F7
snozacqpuormqulw.RMA7E8O8IY(?,?,?,?,6C7A2EB8), ref: 6C7913FE
FindNextFileA.KERNEL32(00000000,?,?,6C7A2EB8), ref: 6C791412
FindClose.KERNEL32(00000000,?,6C7A2EB8), ref: 6C79141D

Memory Dump Source

Source File: 00000003.00000002.1917700358.000000006C791000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C790000, based on PE: true

Associated: 00000003.00000002.1917677637.000000006C790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917727365.000000006C7A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917750595.000000006C7A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917773342.000000006C7AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917773342.000000006C7AE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c790000_rundll32.jbxd

Similarity

API ID: FileFind$lstrcmplstrcpy$AttributesCloseFirstNextlstrlensnozacqpuormqulw
String ID:
API String ID: 1590718337-0
Opcode ID: 360d8e749a1755787f86d9d4065ac79481ae7ae293ffd661fdc27201804fbfa2
Instruction ID: 630860252f9e0a717dae2e25abb3945ac91b5af16af6a64f6391d65c355b3893
Opcode Fuzzy Hash: 360d8e749a1755787f86d9d4065ac79481ae7ae293ffd661fdc27201804fbfa2
Instruction Fuzzy Hash: DD21D131300644EBFB119BB2ED48AFF77BCAB0A355F000678E816C2540DB34DA558B60

Function 6C792D14 Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsDebuggerPresent.KERNEL32 ref: 6C7941C5
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6C7941DA
UnhandledExceptionFilter.KERNEL32(6C7A1268), ref: 6C7941E5
GetCurrentProcess.KERNEL32(C0000409), ref: 6C794201
TerminateProcess.KERNEL32(00000000), ref: 6C794208

Memory Dump Source

Source File: 00000003.00000002.1917700358.000000006C791000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C790000, based on PE: true

Associated: 00000003.00000002.1917677637.000000006C790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917727365.000000006C7A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917750595.000000006C7A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917773342.000000006C7AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917773342.000000006C7AE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c790000_rundll32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 2a26fdd8b3ab03edb596f45766087008facd294e025510a02cdc31ef2a77c735
Instruction ID: ad30a314975442328c4156e81a6353c62cd6730d9d45aaf774c3ccc714603728
Opcode Fuzzy Hash: 2a26fdd8b3ab03edb596f45766087008facd294e025510a02cdc31ef2a77c735
Instruction Fuzzy Hash: FD2122B8B00201EFDF00CFA6F188A6D3BB0FB1A3A4F10803AE91987240E37589819F11

Function 6C793640 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1917700358.000000006C791000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C790000, based on PE: true

Associated: 00000003.00000002.1917677637.000000006C790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917727365.000000006C7A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917750595.000000006C7A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917773342.000000006C7AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917773342.000000006C7AE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c790000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: b3b10b98c9805b390b35bd573d99e22c01d66edbccc80e70fb1db44b4ecec106
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: C411EB7724618143D600892EFBB86A7A7D5EBC533D73943BAD0694BF58D223A1559600

Function 6C7951FB Relevance: 38.6, APIs: 17, Strings: 5, Instructions: 109
libraryloadermemoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,6C7AA0C4,6C793E6A,6C7A79D0,00000008,00000004,6C7A7D98,6C7AA0C4,00000004), ref: 6C795203
__mtterm.LIBCMT ref: 6C79520F

Part of subcall function 6C794EDA: DecodePointer.KERNEL32(00000005,6C793F2D,6C793F13,6C7A79D0,00000008,00000004,6C7A7D98,6C7AA0C4,00000004), ref: 6C794EEB
Part of subcall function 6C794EDA: TlsFree.KERNEL32(00000013,6C793F2D,6C793F13,6C7A79D0,00000008,00000004,6C7A7D98,6C7AA0C4,00000004), ref: 6C794F05
Part of subcall function 6C794EDA: DeleteCriticalSection.KERNEL32(00000000,00000000,6C7A122C,?,6C793F2D,6C793F13,6C7A79D0,00000008,00000004,6C7A7D98,6C7AA0C4,00000004), ref: 6C79666B
Part of subcall function 6C794EDA: _free.LIBCMT ref: 6C79666E
Part of subcall function 6C794EDA: DeleteCriticalSection.KERNEL32(00000013,6C7A122C,?,6C793F2D,6C793F13,6C7A79D0,00000008,00000004,6C7A7D98,6C7AA0C4,00000004), ref: 6C796695

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 6C795225
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 6C795232
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 6C79523F
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 6C79524C
TlsAlloc.KERNEL32 ref: 6C79529C
TlsSetValue.KERNEL32(00000000), ref: 6C7952B7
__init_pointers.LIBCMT ref: 6C7952C1
EncodePointer.KERNEL32 ref: 6C7952D2
EncodePointer.KERNEL32 ref: 6C7952DF
EncodePointer.KERNEL32 ref: 6C7952EC
EncodePointer.KERNEL32 ref: 6C7952F9
DecodePointer.KERNEL32(Function_0000505E), ref: 6C79531A
DecodePointer.KERNEL32(00000000), ref: 6C795349
GetCurrentThreadId.KERNEL32 ref: 6C79535B

Strings

KERNEL32.DLL, xrefs: 6C7951FE
FlsSetValue, xrefs: 6C795234
FlsGetValue, xrefs: 6C795227
FlsAlloc, xrefs: 6C79521F
FlsFree, xrefs: 6C795241

Memory Dump Source

Source File: 00000003.00000002.1917700358.000000006C791000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C790000, based on PE: true

Associated: 00000003.00000002.1917677637.000000006C790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917727365.000000006C7A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917750595.000000006C7A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917773342.000000006C7AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917773342.000000006C7AE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c790000_rundll32.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3821259317-3819984048
Opcode ID: 889a74feabc74feb8fa1a57113454886614d28b558ab857e058fa526be9c4ef2
Instruction ID: 0f45f76e74701728c01ace0f6735c0cb4569680c40046caf745a3111c5b8fe2f
Opcode Fuzzy Hash: 889a74feabc74feb8fa1a57113454886614d28b558ab857e058fa526be9c4ef2
Instruction Fuzzy Hash: 20314A35A01225DFEF51AFFABA4C65E3FB4AB462B9710473AF42493690DB348005DF60

Function 6C794F17 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,6C7A7AC8,00000008,6C793F72,00000000,00000000), ref: 6C794F28
__lock.LIBCMT ref: 6C794F5C

Part of subcall function 6C79677E: __mtinitlocknum.LIBCMT ref: 6C796794
Part of subcall function 6C79677E: __amsg_exit.LIBCMT ref: 6C7967A0
Part of subcall function 6C79677E: EnterCriticalSection.KERNEL32(00000000,00000000,?,6C7950EF,0000000D,6C7A7AF0,00000008,6C7951E6,00000000,?,6C793F99,00000000,6C7A79D0,00000008,00000004), ref: 6C7967A8

InterlockedIncrement.KERNEL32(6C7A9080), ref: 6C794F69
__lock.LIBCMT ref: 6C794F7D
___addlocaleref.LIBCMT ref: 6C794F9B

Strings

KERNEL32.DLL, xrefs: 6C794F23

Memory Dump Source

Source File: 00000003.00000002.1917700358.000000006C791000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C790000, based on PE: true

Associated: 00000003.00000002.1917677637.000000006C790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917727365.000000006C7A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917750595.000000006C7A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917773342.000000006C7AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917773342.000000006C7AE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c790000_rundll32.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: 416049f7d82784b28e624b2b2ab1dd5dfbca1d3f59b353efd0a5879540cecf3d
Instruction ID: f4e3f15a1a99f44b057735a0f4a128b00252dba1d512b13e8f878bd93460da9f
Opcode Fuzzy Hash: 416049f7d82784b28e624b2b2ab1dd5dfbca1d3f59b353efd0a5879540cecf3d
Instruction Fuzzy Hash: 9C01A171500B00DFE7209FB6E60C78AFBF0AF01325F108A0ED49A97BA0CB70A648DB50

Function 6C79469A Relevance: 9.0, APIs: 6, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__getptd.LIBCMT ref: 6C7946A6

Part of subcall function 6C795044: __amsg_exit.LIBCMT ref: 6C795054

__amsg_exit.LIBCMT ref: 6C7946C6
__lock.LIBCMT ref: 6C7946D6
InterlockedDecrement.KERNEL32(?), ref: 6C7946F3
_free.LIBCMT ref: 6C794706
InterlockedIncrement.KERNEL32(02A51658), ref: 6C79471E

Memory Dump Source

Source File: 00000003.00000002.1917700358.000000006C791000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C790000, based on PE: true

Associated: 00000003.00000002.1917677637.000000006C790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917727365.000000006C7A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917750595.000000006C7A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917773342.000000006C7AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917773342.000000006C7AE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c790000_rundll32.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__lock_free
String ID:
API String ID: 2396328878-0
Opcode ID: 790608fde69610e79d47b2ee3c2123ea3aeafba80fe4bb8e1537588dcac63588
Instruction ID: 47ef57ab6ad61f502a9266ef3e73b18776b3796d05105cf0bf0a2f9ac6917da3
Opcode Fuzzy Hash: 790608fde69610e79d47b2ee3c2123ea3aeafba80fe4bb8e1537588dcac63588
Instruction Fuzzy Hash: 0D016131A02615AFDB109BA5BA0D78E77B0BF02729F100225D430A7F80C7359955EFD5

Function 6C794E1B Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6C794E27

Part of subcall function 6C795044: __amsg_exit.LIBCMT ref: 6C795054

__getptd.LIBCMT ref: 6C794E3E
__amsg_exit.LIBCMT ref: 6C794E4C
__lock.LIBCMT ref: 6C794E5C
__updatetlocinfoEx_nolock.LIBCMT ref: 6C794E70

Memory Dump Source

Source File: 00000003.00000002.1917700358.000000006C791000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C790000, based on PE: true

Associated: 00000003.00000002.1917677637.000000006C790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917727365.000000006C7A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917750595.000000006C7A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917773342.000000006C7AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917773342.000000006C7AE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c790000_rundll32.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__lock__updatetlocinfo
String ID:
API String ID: 613284903-0
Opcode ID: 9a719986c119a104f700e9ed354828183285976d89b2fb35986647b6ff05ae8d
Instruction ID: e1809ccbf91e9f3650191b59ec06ab8a3a7fde50bbb772ecc6eb7a5816917edb
Opcode Fuzzy Hash: 9a719986c119a104f700e9ed354828183285976d89b2fb35986647b6ff05ae8d
Instruction Fuzzy Hash: D7F09032904710DADF51AFB8B70D7CD33A06F00B29F118319D520ABBC0CB694A48EA9A

Function 6C7993BB Relevance: 6.1, APIs: 4, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 6C7993DC

Part of subcall function 6C793514: __FF_MSGBANNER.LIBCMT ref: 6C79352D
Part of subcall function 6C793514: __NMSG_WRITE.LIBCMT ref: 6C793534
Part of subcall function 6C793514: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,6C793DE0,?,00000004), ref: 6C793559

Memory Dump Source

Source File: 00000003.00000002.1917700358.000000006C791000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C790000, based on PE: true

Associated: 00000003.00000002.1917677637.000000006C790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917727365.000000006C7A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917750595.000000006C7A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917773342.000000006C7AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917773342.000000006C7AE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c790000_rundll32.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: e8046d94f0205bec077ae7e909052dc691297f7fb0ce00b12fc316bbbbef57fb
Instruction ID: b8953115aeae5969b552193700c561dacc413298d0e3860cf7ae2315129768ac
Opcode Fuzzy Hash: e8046d94f0205bec077ae7e909052dc691297f7fb0ce00b12fc316bbbbef57fb
Instruction Fuzzy Hash: 4E11C832509221AFEF521FB5BB0C68F37A4AB513EAB144235E46C8AE60DB30C8409790

Function 6C795702 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,6C79573B,00000000,00000000,00000000,00000000,00000000,6C798D24,?,6C795BE1,00000003,6C793532), ref: 6C79570D
__invoke_watson.LIBCMT ref: 6C795729

Strings

=yl, xrefs: 6C795726

Memory Dump Source

Source File: 00000003.00000002.1917700358.000000006C791000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C790000, based on PE: true

Associated: 00000003.00000002.1917677637.000000006C790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917727365.000000006C7A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917750595.000000006C7A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917773342.000000006C7AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917773342.000000006C7AE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c790000_rundll32.jbxd

Similarity

API ID: DecodePointer__invoke_watson
String ID: =yl
API String ID: 4034010525-3172309113
Opcode ID: a1026041ab2eb575e221364ab1d76da2885023b714054f87c032d3ee74ca87eb
Instruction ID: 5477248bdfdaa3c41174e47873197a9234ea0b4bae28812ee5fcef1274bcfa8b
Opcode Fuzzy Hash: a1026041ab2eb575e221364ab1d76da2885023b714054f87c032d3ee74ca87eb
Instruction Fuzzy Hash: 22E0B672500119EBDF465EB1ED099AA3B66AB44651B944420F91881520D736C974AB90

Function 6C79576A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCorExitProcess.LIBCMT ref: 6C795772

Part of subcall function 6C79573F: GetModuleHandleW.KERNEL32(mscoree.dll,=yl,6C795777,=yl,?,6C793543,000000FF,0000001E,?,?,?,?,6C793DE0,?,00000004), ref: 6C795749
Part of subcall function 6C79573F: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C795759

ExitProcess.KERNEL32 ref: 6C79577B

Strings

=yl, xrefs: 6C79576F

Memory Dump Source

Source File: 00000003.00000002.1917700358.000000006C791000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C790000, based on PE: true

Associated: 00000003.00000002.1917677637.000000006C790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917727365.000000006C7A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917750595.000000006C7A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917773342.000000006C7AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1917773342.000000006C7AE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c790000_rundll32.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID: =yl
API String ID: 2427264223-3172309113
Opcode ID: a817b5203e31eb418dd0b60e6e53f9fed4c4ce58bd6950410ff6a31037a02756
Instruction ID: 61f2d34fce38185efbf97c9dc055959f4963b75916dd85c34bc433236f25ce28
Opcode Fuzzy Hash: a817b5203e31eb418dd0b60e6e53f9fed4c4ce58bd6950410ff6a31037a02756
Instruction Fuzzy Hash: 45B09231000158FBEF012F62FC0D89E3F2AEB812A1B104021F8090A120DF72EE96AA80

Analysis Process: rundll32.exePID: 6160, Parent PID: 7000COMMON

Execution Graph

Execution Coverage:	1.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	50
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Non-executed Functions

Function 6C791360 Relevance: 15.1, APIs: 10, Instructions: 72
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNEL32(?), ref: 6C79137A
lstrlenA.KERNEL32(?), ref: 6C791389
lstrcpyA.KERNEL32(?,6C7A2EB8), ref: 6C7913A8
FindFirstFileA.KERNEL32(?,?,?,6C7A2EB8), ref: 6C7913B6
lstrcmpA.KERNEL32(6C7A3174,?,?,6C7A2EB8), ref: 6C7913CF
lstrcmpA.KERNEL32(6C7A3178,?,?,6C7A2EB8), ref: 6C7913E5
lstrcpyA.KERNEL32(?,?,?,6C7A2EB8), ref: 6C7913F7
snozacqpuormqulw.RMA7E8O8IY(?,?,?,?,6C7A2EB8), ref: 6C7913FE
FindNextFileA.KERNEL32(00000000,?,?,6C7A2EB8), ref: 6C791412
FindClose.KERNEL32(00000000,?,6C7A2EB8), ref: 6C79141D

Memory Dump Source

Source File: 0000000A.00000002.1928810142.000000006C791000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C790000, based on PE: true

Associated: 0000000A.00000002.1928786287.000000006C790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.1928837550.000000006C7A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.1928860695.000000006C7A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.1928885370.000000006C7AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.1928885370.000000006C7AE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c790000_rundll32.jbxd

Similarity

API ID: FileFind$lstrcmplstrcpy$AttributesCloseFirstNextlstrlensnozacqpuormqulw
String ID:
API String ID: 1590718337-0
Opcode ID: 360d8e749a1755787f86d9d4065ac79481ae7ae293ffd661fdc27201804fbfa2
Instruction ID: 630860252f9e0a717dae2e25abb3945ac91b5af16af6a64f6391d65c355b3893
Opcode Fuzzy Hash: 360d8e749a1755787f86d9d4065ac79481ae7ae293ffd661fdc27201804fbfa2
Instruction Fuzzy Hash: DD21D131300644EBFB119BB2ED48AFF77BCAB0A355F000678E816C2540DB34DA558B60

Function 6C792D14 Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsDebuggerPresent.KERNEL32 ref: 6C7941C5
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6C7941DA
UnhandledExceptionFilter.KERNEL32(6C7A1268), ref: 6C7941E5
GetCurrentProcess.KERNEL32(C0000409), ref: 6C794201
TerminateProcess.KERNEL32(00000000), ref: 6C794208

Memory Dump Source

Source File: 0000000A.00000002.1928810142.000000006C791000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C790000, based on PE: true

Associated: 0000000A.00000002.1928786287.000000006C790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.1928837550.000000006C7A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.1928860695.000000006C7A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.1928885370.000000006C7AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.1928885370.000000006C7AE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c790000_rundll32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 2a26fdd8b3ab03edb596f45766087008facd294e025510a02cdc31ef2a77c735
Instruction ID: ad30a314975442328c4156e81a6353c62cd6730d9d45aaf774c3ccc714603728
Opcode Fuzzy Hash: 2a26fdd8b3ab03edb596f45766087008facd294e025510a02cdc31ef2a77c735
Instruction Fuzzy Hash: FD2122B8B00201EFDF00CFA6F188A6D3BB0FB1A3A4F10803AE91987240E37589819F11

Function 6C792360 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

rbfyvzbrlz.RMA7E8O8IY ref: 6C79240C
LoadStringA.USER32(00000000,0000008D,6C7AAD90,00000104), ref: 6C792427
RegisterClipboardFormatA.USER32(6C7AAD90), ref: 6C792432
snozacqpuormqulw.RMA7E8O8IY(6C7AAD90), ref: 6C79243D
LoadBitmapA.USER32(00000000,0000000F), ref: 6C79244E

Strings

uFRxZVMGSbqgaxkbizaofdgu, xrefs: 6C792462

Memory Dump Source

Source File: 0000000A.00000002.1928810142.000000006C791000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C790000, based on PE: true

Associated: 0000000A.00000002.1928786287.000000006C790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.1928837550.000000006C7A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.1928860695.000000006C7A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.1928885370.000000006C7AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.1928885370.000000006C7AE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c790000_rundll32.jbxd

Similarity

API ID: Load$BitmapClipboardFormatRegisterStringrbfyvzbrlzsnozacqpuormqulw
String ID: uFRxZVMGSbqgaxkbizaofdgu
API String ID: 2482714681-1815986579
Opcode ID: e3bce024c539109483c592d7ab4aa0dce28265d6cd157fdc0c3cb6bd425097ec
Instruction ID: 889374d3450cf95cdb29cec0f2430c59427b61a3d7d82a329f080db6bfdd8d16
Opcode Fuzzy Hash: e3bce024c539109483c592d7ab4aa0dce28265d6cd157fdc0c3cb6bd425097ec
Instruction Fuzzy Hash: EA110470604305ABD711AFA4F94EBAF3BB8AB86759F004634E8D05B984DB72D119CB82

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rMA7e8O8iY.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_326eb6a19cfdf346a5bd562595d48d974b8521d_7522e4b5_3279ce3c-6d9e-42cd-8c2d-460228f7ae03\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_33482b87b0d8e03f47394b2e9a0604dbf93164_7522e4b5_0ba2ff45-be23-4a4a-b704-a8553d49b4a2\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_33482b87b0d8e03f47394b2e9a0604dbf93164_7522e4b5_296a96e6-a1fd-4510-b036-067b4db15b33\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_c018787967c562f75385d7bd4d3f68f02869ef4c_7522e4b5_ac1e9f39-e6d8-48d1-88ca-21009397ff1b\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER529D.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER52BC.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5398.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER53A8.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER53C8.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER53D7.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D6B.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5DAA.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5E09.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6961.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6A2D.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6A6D.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
rMA7e8O8iY.dll

Function 6C791CC0 Relevance: 35.3, APIs: 13, Strings: 7, Instructions: 261
fileCOMMON