Edit tour

Windows Analysis Report
6sg60cSBIQ.dll

Overview

General Information

Sample name:	6sg60cSBIQ.dll (renamed file extension from exe to dll, renamed because original name is a hash value)
Original sample name:	85b1a980eb8ced59f87cb5dd7702e15d6ca38441c4848698d140ffd37d2b55e6.exe
Analysis ID:	1417122
MD5:	f477f5fbc95bbde03a24cf42f6751afa
SHA1:	ae5a1b7a21fecf571d037baf85069d5b58b107ba
SHA256:	85b1a980eb8ced59f87cb5dd7702e15d6ca38441c4848698d140ffd37d2b55e6
Tags:	exesilentnight
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 5360 cmdline: loaddll64.exe "C:\Users\user\Desktop\6sg60cSBIQ.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)

conhost.exe (PID: 7016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7212 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6sg60cSBIQ.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

rundll32.exe (PID: 7264 cmdline: rundll32.exe "C:\Users\user\Desktop\6sg60cSBIQ.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7244 cmdline: rundll32.exe C:\Users\user\Desktop\6sg60cSBIQ.dll,Hdooie MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7460 cmdline: rundll32.exe C:\Users\user\Desktop\6sg60cSBIQ.dll,_invalid_parameter_noinfo_noreturn MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 7532 cmdline: C:\Windows\system32\WerFault.exe -u -p 7460 -s 336 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

rundll32.exe (PID: 7636 cmdline: rundll32.exe C:\Users\user\Desktop\6sg60cSBIQ.dll,abort MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 7676 cmdline: C:\Windows\system32\WerFault.exe -u -p 7636 -s 328 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

rundll32.exe (PID: 7748 cmdline: rundll32.exe "C:\Users\user\Desktop\6sg60cSBIQ.dll",Hdooie MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7756 cmdline: rundll32.exe "C:\Users\user\Desktop\6sg60cSBIQ.dll",_invalid_parameter_noinfo_noreturn MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 7840 cmdline: C:\Windows\system32\WerFault.exe -u -p 7756 -s 340 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

rundll32.exe (PID: 7772 cmdline: rundll32.exe "C:\Users\user\Desktop\6sg60cSBIQ.dll",abort MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 7848 cmdline: C:\Windows\system32\WerFault.exe -u -p 7772 -s 336 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 6sg60cSBIQ.dll	ReversingLabs: Detection: 39%
Source: 6sg60cSBIQ.dll	Virustotal: Detection: 29%			Perma Link

Source: 6sg60cSBIQ.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: Amcache.hve.16.dr

String found in binary or memory: http://upx.sf.net

Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_00007FF8E7BA94C0	13_2_00007FF8E7BA94C0
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_00007FF8E7BB5880	13_2_00007FF8E7BB5880
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_00007FF8E7BABC90	13_2_00007FF8E7BABC90
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_00007FF8E7BB7C50	13_2_00007FF8E7BB7C50
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_00007FF8E7BA3C00	13_2_00007FF8E7BA3C00
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_00007FF8E7BB1800	13_2_00007FF8E7BB1800
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_00007FF8E7BB26D0	13_2_00007FF8E7BB26D0
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_00007FF8E7BA7EE0	13_2_00007FF8E7BA7EE0
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_00007FF8E7BA7260	13_2_00007FF8E7BA7260
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_00007FF8E7BAC200	13_2_00007FF8E7BAC200
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_00007FF8E7BB2230	13_2_00007FF8E7BB2230
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_00007FF8E7BB11C0	13_2_00007FF8E7BB11C0
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_00007FF8E7BAD9F0	13_2_00007FF8E7BAD9F0
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_00007FF8E7BB91B0	13_2_00007FF8E7BB91B0
Source: C:\Windows\System32\rundll32.exe	Code function: 22_2_00007FF8F7143C00	22_2_00007FF8F7143C00
Source: C:\Windows\System32\rundll32.exe	Code function: 22_2_00007FF8F7151800	22_2_00007FF8F7151800
Source: C:\Windows\System32\rundll32.exe	Code function: 22_2_00007FF8F7157C50	22_2_00007FF8F7157C50
Source: C:\Windows\System32\rundll32.exe	Code function: 22_2_00007FF8F7155880	22_2_00007FF8F7155880
Source: C:\Windows\System32\rundll32.exe	Code function: 22_2_00007FF8F714BC90	22_2_00007FF8F714BC90
Source: C:\Windows\System32\rundll32.exe	Code function: 22_2_00007FF8F71494C0	22_2_00007FF8F71494C0
Source: C:\Windows\System32\rundll32.exe	Code function: 22_2_00007FF8F7152230	22_2_00007FF8F7152230
Source: C:\Windows\System32\rundll32.exe	Code function: 22_2_00007FF8F714C200	22_2_00007FF8F714C200
Source: C:\Windows\System32\rundll32.exe	Code function: 22_2_00007FF8F7147260	22_2_00007FF8F7147260
Source: C:\Windows\System32\rundll32.exe	Code function: 22_2_00007FF8F7147EE0	22_2_00007FF8F7147EE0
Source: C:\Windows\System32\rundll32.exe	Code function: 22_2_00007FF8F71526D0	22_2_00007FF8F71526D0
Source: C:\Windows\System32\rundll32.exe	Code function: 22_2_00007FF8F71591B0	22_2_00007FF8F71591B0
Source: C:\Windows\System32\rundll32.exe	Code function: 22_2_00007FF8F714D9F0	22_2_00007FF8F714D9F0
Source: C:\Windows\System32\rundll32.exe	Code function: 22_2_00007FF8F71511C0	22_2_00007FF8F71511C0

Source: C:\Windows\System32\rundll32.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7460 -s 336

Source: 6sg60cSBIQ.dll

Binary or memory string: OriginalFilenameSoftSpeed.dll0 vs 6sg60cSBIQ.dll

Source: C:\Windows\System32\loaddll64.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: kernel.appcore.dll			Jump to behavior

Source: classification engine

Classification label: mal48.winDLL@22/17@0/0

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7016:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7460
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7772
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7756
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7636

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\f6adbc06-f78d-453c-8740-7ece992b191f

Jump to behavior

Source: 6sg60cSBIQ.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\6sg60cSBIQ.dll,Hdooie

Source: 6sg60cSBIQ.dll	ReversingLabs: Detection: 39%
Source: 6sg60cSBIQ.dll	Virustotal: Detection: 29%

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\6sg60cSBIQ.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6sg60cSBIQ.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\6sg60cSBIQ.dll,Hdooie
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6sg60cSBIQ.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\6sg60cSBIQ.dll,_invalid_parameter_noinfo_noreturn
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7460 -s 336
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\6sg60cSBIQ.dll,abort
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7636 -s 328
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6sg60cSBIQ.dll",Hdooie
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6sg60cSBIQ.dll",_invalid_parameter_noinfo_noreturn
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6sg60cSBIQ.dll",abort
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7756 -s 340
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7772 -s 336
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6sg60cSBIQ.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\6sg60cSBIQ.dll,Hdooie	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\6sg60cSBIQ.dll,_invalid_parameter_noinfo_noreturn	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\6sg60cSBIQ.dll,abort	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6sg60cSBIQ.dll",Hdooie	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6sg60cSBIQ.dll",_invalid_parameter_noinfo_noreturn	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6sg60cSBIQ.dll",abort	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6sg60cSBIQ.dll",#1	Jump to behavior

Source: 6sg60cSBIQ.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: 6sg60cSBIQ.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_00007FF8E7BC4E70 push rax; ret		13_2_00007FF8E7BC4E7D
Source: C:\Windows\System32\rundll32.exe	Code function: 22_2_00007FF8F7164E70 push rax; ret		22_2_00007FF8F7164E7D

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe TID: 5412

Thread sleep time: -120000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll64.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: Amcache.hve.16.dr	Binary or memory string: VMware
Source: Amcache.hve.16.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.16.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.16.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.16.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.16.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.16.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.16.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.16.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.16.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.16.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.16.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.16.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.16.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.16.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.16.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.16.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.16.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.16.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.16.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.16.dr	Binary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
Source: Amcache.hve.16.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.16.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.16.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.16.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.16.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.16.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.16.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.16.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6sg60cSBIQ.dll",#1

Jump to behavior

Source: Amcache.hve.16.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.16.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.16.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.16.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.16.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Rundll32	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	LSASS Memory	21 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
6sg60cSBIQ.dll	39%	ReversingLabs	Win64.Trojan.SpywareX
6sg60cSBIQ.dll	30%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
windowsupdatebg.s.llnwi.net	0%	Virustotal		Browse

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
windowsupdatebg.s.llnwi.net	69.164.0.128	true	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.16.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1417122
Start date and time:	2024-03-28 16:18:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	6sg60cSBIQ.dll (renamed file extension from exe to dll, renamed because original name is a hash value)
Original Sample Name:	85b1a980eb8ced59f87cb5dd7702e15d6ca38441c4848698d140ffd37d2b55e6.exe
Detection:	MAL
Classification:	mal48.winDLL@22/17@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 2 Number of non-executed functions: 14

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.89.179.12
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, wu-bg-shim.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
16:18:59	API Interceptor	4x Sleep call for process: WerFault.exe modified
16:18:59	API Interceptor	1x Sleep call for process: loaddll64.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
windowsupdatebg.s.llnwi.net	https://www.rewardgateway.com/	Get hash	malicious	HTMLPhisher	Browse	69.164.0.0
	rU6YAgkoAw.exe	Get hash	malicious	AsyncRAT	Browse	69.164.0.128
	https://www.attemplate.com/gcc/24f1e58b-b088-4195-ba46-839e73aec371/406eb232-0f42-45b3-8f82-5ddbf95d3c28/4526622a-5e47-4913-897d-b139c3f50e94/attachment?id=T3JlSlFGWnFzWFRVUk1mQzVwN1d5V3BvT0lIMGd1MmFSTncyMDRDRXRKY1dLWnk0bmZKanUwWkxaU0JRa1VvOGZhTkloMFNSY24vUTU3cFB2eGJmY090ZVc1ZUc0MHdldWRuVFdSWEtLem5UV3VXTlozS0kwTGpGTDNTT0d0SHAveERBQjJFUUNPTUhqWDY3MVJlZzhiSG14ZjVqMmdjNlVUMjh1NXpwazZLblFjeHdDQlBxblJwaVNKY1R6WUp6YnlhaHo5dTRpRFZUY2w2SGQwRW9oNzNXTFJ5MjdQN090UzNtWHIwZDVVK21OV095NHRLT0plZ29TT3EweVdZaDlhUW9lK2lmOWtpOUlmTFRYL3pDSVZzRCt2WEFBbjQyNVRQTDBoRE9IK1NXbmM3UndCdjk2dUg5QVF3MnRodGN3V2NjSCt1ZXZVbzR4VUt5dnEzcFhzOGRkRGUvYWROemJ4NDNHRkJLejRtU01ISmpOYVpEbi9GdUlJUFliMGQ1MHFBaHJCYnQzWWhMTExQcUtUU0RzQT09	Get hash	malicious	Unknown	Browse	69.164.0.128
	FindAll.xla	Get hash	malicious	Unknown	Browse	69.164.0.128
	SecuriteInfo.com.Trojan.Siggen27.33484.28759.31674.exe	Get hash	malicious	Unknown	Browse	69.164.0.0
	8tUCycu3Wq.exe	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	69.164.0.0
	7294042_PDF.vbs	Get hash	malicious	GuLoader	Browse	69.164.0.0
	https://mail.profil.aktualisieren.87-121-52-217.cprapid.com/	Get hash	malicious	PayPal Phisher	Browse	69.164.0.128
	https://main.d3ugl75lhwl13s.amplifyapp.com/?serious-windows-defender-security-detection	Get hash	malicious	TechSupportScam	Browse	69.164.0.0
	https://attmailingselserviceupdate-4326763.ubpages.com/9448ff0e-ec5b-11ee-b33f/	Get hash	malicious	Unknown	Browse	69.164.0.0

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_6sg_3152e4b3bd5a32c92a13e818e4165ed38ed22690_24c13995_187d3e90-249f-4e4d-9a2a-3747a8ce9b7f\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7593944367378386
Encrypted:	false
SSDEEP:	192:1vASgzPiCyd70b5FUoZjVEazuiFJZ24lO8W:lcifdIb5FUcjLzuiFJY4lO8W
MD5:	423BC8B45116FE90A12A507F7C684FA3
SHA1:	44F788C385EF23FBB08F68AA8837FEE624836825
SHA-256:	5D30676CF46C108B23495F7F84B19D649D4EFA51F2963E2D516A911B8563D04E
SHA-512:	0EF953171F72234A02F71D8DA715557B001AC89F7129C4078E859C5025D0EE6EC6A5FDF2BC6FC167E16462834BBC9E6C20954B4B3FE03B119BF1EEE2104C39D7
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.6.1.1.2.7.3.7.1.4.1.2.7.7.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.6.1.1.2.7.3.7.5.1.6.2.9.5.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.8.7.d.3.e.9.0.-.2.4.9.f.-.4.e.4.d.-.9.a.2.a.-.3.7.4.7.a.8.c.e.9.b.7.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.e.2.f.4.4.a.1.-.1.a.a.f.-.4.2.0.f.-.a.e.1.9.-.e.a.f.6.c.8.f.7.e.4.d.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.6.s.g.6.0.c.S.B.I.Q...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.d.4.-.0.0.0.1.-.0.0.1.4.-.9.8.a.0.-.a.5.4.0.2.3.8.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_6sg_3152e4b3bd5a32c92a13e818e4165ed38ed22690_24c13995_f6cd8a97-c47f-4df6-9340-375c5d76d18a\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7626432773857632
Encrypted:	false
SSDEEP:	192:iBVmisy470b5FUoZjVEazuiFJZ24lO8W:QmiB4Ib5FUcjLzuiFJY4lO8W
MD5:	4E4693EF185E5CD2C60004A7EC2AD8F2
SHA1:	BE5A1D959D1CBE42925902190571558D44997E34
SHA-256:	D4C66C9CEFC472FB79AF9C5C3F368F0136DC17353B6B2C0452C8C7B68E02513E
SHA-512:	C75D1AF48FEB6576A950E457CBB98066DB357348D6B0B5F1E8DB17798229CA947AB10DD208E0D7AA052536F4E0E61947ED926754B9D87313DC19CEAEF6272BFD
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.6.1.1.2.7.4.0.3.1.3.1.6.2.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.6.1.1.2.7.4.0.9.2.2.5.4.4.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.6.c.d.8.a.9.7.-.c.4.7.f.-.4.d.f.6.-.9.3.4.0.-.3.7.5.c.5.d.7.6.d.1.8.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.c.b.f.7.5.5.2.-.3.6.5.b.-.4.f.9.0.-.a.5.b.b.-.a.7.a.6.e.8.f.9.2.c.4.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.6.s.g.6.0.c.S.B.I.Q...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.5.c.-.0.0.0.1.-.0.0.1.4.-.f.1.6.5.-.7.4.4.2.2.3.8.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_6sg_3784abb0c760c4a0da83b9de70b0523f3255b47_24c13995_0470cc9b-4e1b-4912-a759-6b38fad3ff74\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7622134549747919
Encrypted:	false
SSDEEP:	96:whFdVu/iSyKy/sj+4Rv1y/fUQXIDcQKc6PcEY6cw3EXaXz+HbHgSQgJj9Eo8FXq7:cFmiSy/b0kL/ejVEazuiFJZ24lO8W
MD5:	FF71FF7CCBD13B8F8463307B6BD99F3E
SHA1:	4B8CC27464030D76E7A7E6501694423F904DDADE
SHA-256:	B58EC6AABCA75B082F657C09955BC42D53851E9772B308DF2B8E5FC83EE6FD94
SHA-512:	3602168DEDBC45527C90872D3E5BEA2F515C9F468942669077E09F3D1D9C1F37AB0D22F38E1C709A806A8E299E0A44A9259809B0E46D300F5F858C305EB8D087
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.6.1.1.2.7.4.0.2.8.2.6.7.7.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.6.1.1.2.7.4.0.7.5.1.4.2.3.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.4.7.0.c.c.9.b.-.4.e.1.b.-.4.9.1.2.-.a.7.5.9.-.6.b.3.8.f.a.d.3.f.f.7.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.e.c.8.a.9.7.7.-.b.4.7.5.-.4.c.6.b.-.8.0.0.2.-.9.9.c.0.5.5.f.7.9.0.c.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.6.s.g.6.0.c.S.B.I.Q...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.4.c.-.0.0.0.1.-.0.0.1.4.-.f.2.6.6.-.7.3.4.2.2.3.8.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_6sg_3784abb0c760c4a0da83b9de70b0523f3255b47_24c13995_a04d76f8-d874-47c2-a198-cd97fde122a0\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7588491479804744
Encrypted:	false
SSDEEP:	192:1vIITEviGygb0kL/ejVEazuiFJZ24lO8W:mMKi7gokL/ejLzuiFJY4lO8W
MD5:	D20C86AE12848A724325111A4C8C515A
SHA1:	D3B83A5F7461412E63C1BE3DC426A174424DCD26
SHA-256:	24C39B9B56AECF31D9B142E034FD63EFEBEB96C6903F41A6B3DAD61E890AFA92
SHA-512:	586068477791A8EBCA4932F22272C3E7271EC1FC438C6289C41B4A84ED7000AFF8AABBC549A6164CB5A26799D1153178117F38417D89A9C5657B5DBEA7376DE1
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.6.1.1.2.7.3.4.2.8.8.7.0.5.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.6.1.1.2.7.3.4.6.3.2.4.6.4.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.0.4.d.7.6.f.8.-.d.8.7.4.-.4.7.c.2.-.a.1.9.8.-.c.d.9.7.f.d.e.1.2.2.a.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.5.a.0.8.e.1.c.-.4.f.2.7.-.4.9.7.9.-.b.d.d.4.-.1.f.3.9.0.f.1.e.b.d.a.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.6.s.g.6.0.c.S.B.I.Q...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.2.4.-.0.0.0.1.-.0.0.1.4.-.1.4.0.b.-.d.7.3.e.2.3.8.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DAF.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Mar 28 15:18:54 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	58438
Entropy (8bit):	1.6345199609504042
Encrypted:	false
SSDEEP:	192:NX3g6c8OMyMnMZSCNn7oBSv+UVixIM5PGd7qSyy+Ltm:R+zuMwCl7oIv+4KI0PGd7Tyy+Jm
MD5:	EA58BA454F40845AB63074E78307EAAE
SHA1:	369239072D0B3714BA510D6B31CE74CC56FFED62
SHA-256:	230F22D6E223AEA70104C78940923DCFB0193289658823369F2FEE66477ED431
SHA-512:	2BE0CE6816BE8A3C63F8437EAF0CE83052F2736644D24A5C8C2EC4181754EE34E4D2C3E8714291C8273AAED8A81618B3D9C91BC86C9038585881898C02E74FD2
Malicious:	false
Preview:	MDMP..a..... .......^..f........................L............... )..........T.......8...........T...........X...........................................................................................................eJ......l.......Lw......................T.......$...]..f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8E2D.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8520
Entropy (8bit):	3.6924724568045466
Encrypted:	false
SSDEEP:	192:R6l7wVeJ4UDAFKJ6YJU5ggmfWiFuOprH89b7Xyf0pEZpm:R6lXJ7DAkJ6YaOgmfWiFK7CfQj
MD5:	E56B135D4648CFABC2A4E2448B52542A
SHA1:	7DC738EBFA7C26962E3DB6B53FA35CF06C2EA3F3
SHA-256:	207572D1FF0727C152B486A329925DD500F53E1DB04DC2D4C5B34C81CD27D6A3
SHA-512:	A41DCE0DE8F59DCB046CBC96C98444955972D345CA4BF27C0C0196E0B51229A287B97D44332C5303BA531313611067250098AE275D73FF28E14C5E3DB7EB4923
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.6.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8E5D.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4759
Entropy (8bit):	4.48213422072856
Encrypted:	false
SSDEEP:	48:cvIwWl8zsBJg771I9IbWpW8VYc5Ym8M4JCHCPJ6F9yq85maKvptSTSLd:uIjfTI7nq7VIJLaDvpoOLd
MD5:	986598451E2A250715949718C3823F07
SHA1:	BE6058FE8B70F07697F548CB07994CFD35F79F4D
SHA-256:	1BADEEECC42A090791DFA3307DF4D0AE034180BA6568ED8D6AC14C8F00420058
SHA-512:	9A342611809FE2004A834774C78BFD43681FCDFB47E2D8CF6713DB5E83DF9B1DA22A82242DADC70E861E131B3472D67A21DE02F5F0CEBE9C3DAC6A0E5E289D4C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="255261" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER98CB.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Mar 28 15:18:57 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	55838
Entropy (8bit):	1.6739227971964972
Encrypted:	false
SSDEEP:	384:1qI+H3QglqA/F8B0Wm8sQ8f9kj04zlKsGf+:Qf9qA/sWQ8f9kj04xKbf+
MD5:	7F970963D2773EE942EA9C8414636C1B
SHA1:	26754EC210BC8642CD7BCD5780BFAFF12A346774
SHA-256:	0EAC6ADFD925A933D6047562AFC5A886DE1E80C93076998EA3D3EA58CB543B00
SHA-512:	BA36E17DE8AEE3115F8FF585437C29A8221C19E2AC0433D26728AD0BE0F9EC99E56A7FEDD61550E5766C0733ECB73D40A2F8BE9EA17C67B8E224DAA572F6FFE6
Malicious:	false
Preview:	MDMP..a..... .......a..f........................L............... )..........T.......8...........T...........X...........................................................................................................eJ......l.......Lw......................T...........`..f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER992A.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8520
Entropy (8bit):	3.696819296109918
Encrypted:	false
SSDEEP:	192:R6l7wVeJptIARB6YJ45ggmfWc7oUpr089bALGfnAm:R6lXJDIAX6YmOgmfWc7XAKfl
MD5:	40A191D2017FDB7EFAC5B4D88DC7FE6F
SHA1:	B7E8A33FAF8A0D4C139C4B512CEF8F241AD53694
SHA-256:	DE253F4C44AD224C06D4DA1AC5F11240A042408EDD1CBFD41F856E27E328530F
SHA-512:	F28ADD94C28F92D69855F3CDA29A6D7E78C86E8F5DB1C72FC29ED159C242CD87C55770B93B11CBB7A91B52D43ADDF4240E52EA386BA99B821ADF02E8A5328171
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.6.3.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9969.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4761
Entropy (8bit):	4.493566597439049
Encrypted:	false
SSDEEP:	48:cvIwWl8zsBJg771I9IbWpW8VYsYm8M4JCHCPTMFcfyq85m5SQptSTSmd:uIjfTI7nq7VYJtZfPDpoOmd
MD5:	4A59008C9F2245F4F4620C1ADAFB7335
SHA1:	4044B5FFE9F308063186A783AF4300EA57DAD4EC
SHA-256:	B5EDE1DEEAAF9A503EE3DCBF9626ACB4EC31AF211F11C673C02ED151F67B555F
SHA-512:	234313B48C7EE208C48FCCAC0F456B06C1E3836F159AA5F7A65546D5003ACE24AE4F116696E8271DEA417A50B54049E11EB5BA79223FC279B5768E7173918073
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="255261" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA510.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Mar 28 15:19:00 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	55734
Entropy (8bit):	1.7009909293318368
Encrypted:	false
SSDEEP:	192:Lb369mkEOMbM4XFLCvj309MvJRe7FcSUSTSq9XVzEha0+:ffkLyM4XVCY9a7e7FpxuqZVzEhaf
MD5:	9A27FAD19AEB423AD5302F0B576E48C3
SHA1:	3C5670567837F480348EE9C53B76C681CD45EDD2
SHA-256:	BEC174CE7FC80738157E8883D712332ADC346A655D880D40EBDD04A68036D447
SHA-512:	BFF7DF5569F8DA853FBC1A81CAA87D0D4A8B6A4ACF08A1C7D5EB25ED99CE9D58810613ED6F3DFA8E80A8BA8368C517FA48054CAEEC389FC8C53FFD36F23780AA
Malicious:	false
Preview:	MDMP..a..... .......d..f........................L............... )..........T.......8...........T...........X...^.......................................................................................................eJ......l.......Lw......................T.......L...c..f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA52F.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Mar 28 15:19:00 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	55926
Entropy (8bit):	1.6641368183067295
Encrypted:	false
SSDEEP:	192:LBg36DUOMf5Unr0NcPR2zRwS4Vzz5SB0WCUS9PthnbnGu6h:1Y+q5Ur0AwR94VzzQB0WCxXhnbnGu6h
MD5:	98A081D731E1C0FFAE1FB829E3F234CA
SHA1:	7F2C854DA496398F3B4DEFD1F5914CA9443F93A6
SHA-256:	75A61B78EFB3225AE66415E37019F8E9FC290144D921B324223833B747AD2BAE
SHA-512:	E48D7B67E76E629E2F0AAF55CCF8F34ACE285E39C190A4BF16ECD9FB3D3218C89C62270419F33C40C60F7E7E2D2C36753ACC26DCFCD5CB40D2D01B4F6C77F277
Malicious:	false
Preview:	MDMP..a..... .......d..f........................L............... )..........T.......8...........T...........X...........................................................................................................eJ......l.......Lw......................T.......\...c..f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA5BC.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8752
Entropy (8bit):	3.698371807356849
Encrypted:	false
SSDEEP:	192:R6l7wVeJWbqAzj6YyzhMgmfWiFuOprO89bbxrfRJm:R6lXJaqAX6YuhMgmfWiFVbNfu
MD5:	1D1A38ECE48D932A6E61891BBA6DD0CF
SHA1:	10A4CAE449EDAB3C8D301A6B21AB0398E9D1AEDB
SHA-256:	5A6502591C656C520328BED104FD50A1B741F9B1D3AFB3FB4ED9E3D0EEB5E348
SHA-512:	09D2E55A639FEF4F2A2DE36B568AE8EF1389F66BC92198B083163E9EBC98CBFB3526E6016FBDBCF11E90DF8D55395956F00C3EEDDB766E83825AFE5A64718A02
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.7.5.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA5DC.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8754
Entropy (8bit):	3.701399476857601
Encrypted:	false
SSDEEP:	192:R6l7wVeJQFNAgB6Yy8hMgmfWc7oUprH89bbgrfdJm:R6lXJCNAW6YBhMgmfWc7eb0f6
MD5:	CF58E79FFE5E07AFD6868B9CD17F1A63
SHA1:	7AA97C5523BB542E1CAD0FEFD83ABB474BE1DEAA
SHA-256:	C93010300EAE6F8C19457CF721C4D1598B72450D539A6E692E0688636124488D
SHA-512:	D956D74835F04EDD2C8A288A206FD0CDAC9C1BFF764CA3551904B7468BC6AC9FBE8A34B5B34F330A2A3840435133FDA8275E3852253DAB5AA1CCEC2ACED56822
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.7.7.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA5EC.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4760
Entropy (8bit):	4.484640778979459
Encrypted:	false
SSDEEP:	48:cvIwWl8zsBJg771I9IbWpW8VYw0Ym8M4JCHCPJ6F+kyq85maKDptSTS2d:uIjfTI7nq7VBBJLuDDpoO2d
MD5:	48EF8F47589FA51F15EAF88010EF10C3
SHA1:	8235DB5F96D4DF6DE085D4B1B35E73C9CC0B16B4
SHA-256:	ED9F2A7ACB1640002889390D940963C009D0FACFAC82666FF5EAF44381851C6D
SHA-512:	9CC69EDBA0B4A0249CA857605C7EEE1CAD847719DD8D01662D88ED1EC9FBD06574FD18B7A7A768243A41A4BAF075B4057AF6C5A22BFB0184568691E0C4288604
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="255261" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA63A.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4762
Entropy (8bit):	4.498558607486867
Encrypted:	false
SSDEEP:	48:cvIwWl8zsBJg771I9IbWpW8VY2Ym8M4JCHCPTMFhJyq85m5S0ptSTSxd:uIjfTI7nq7VaJtePXpoOxd
MD5:	03F12F54E8281FD7A66DD870DB76D372
SHA1:	CE98595CFC4E3DE0283B81ED42E02B9D9A1A531B
SHA-256:	60406D161C0CD15751EC815892565B26D808DC8D527952D4D997665FCE390BE1
SHA-512:	8E3CA440C610E614FD46B2363EB80B2298D966873817558449BAD0D1DE55AAA0371212C2F11329FACBD294D1D75C3DF24FF38D2EA8D545074FB7B04E5FCBDE1F
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="255261" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.3947309566525234
Encrypted:	false
SSDEEP:	6144:Hl4fiJoH0ncNXiUjt10qCG/gaocYGBoaUMMhA2NX4WABlBuNAfOBSqa:F4vFCMYQUMM6VFYSfU
MD5:	560E8CC688E73A615647339F9F4860A4
SHA1:	8315F7A1A95254C6BC0289A21271239918C9BE75
SHA-256:	BDE5CAFC7EB9C8CB579D1155B8A182F0C996196B949E954942B10C25D27B4BB1
SHA-512:	7D967054D1CCAA6F9D9BD14CDF6F7CD976B32D88D1B87F83C1A2187C674248FEBAE070EBE3BC3B0611466D380C4D90FAD335B75FF6FDF09F1D512822ED5A7890
Malicious:	false
Preview:	regfH...H....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.\|.>#...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Entropy (8bit):	5.9998946208769794
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	6sg60cSBIQ.dll
File size:	171'008 bytes
MD5:	f477f5fbc95bbde03a24cf42f6751afa
SHA1:	ae5a1b7a21fecf571d037baf85069d5b58b107ba
SHA256:	85b1a980eb8ced59f87cb5dd7702e15d6ca38441c4848698d140ffd37d2b55e6
SHA512:	a53e25979a723914e348c1efe09f28467af54fb17aa1763bfb0fed61eb3d3726e89dc7e7a5e80da75172a10527598d3c3c823f35b2ed5dc721f24e2bd964477b
SSDEEP:	3072:M3sTSNgdIE4jneWJjxzRTLwlCTYhoDWmdUD2LH0kQhHMzJ+2ZedIcgQ7exgwt:M/e46AvTkmioH0kSwOb2
TLSH:	2AF3B547A16760F9D6BFD07996933626F9A134504334AF6B86408E231A33F70F63E729
File Content Preview:	MZ......................@..........................T....................!..L.!This program cannot be run in DOS mode....$........{...............q.......q..............-o..............-o......-o......Rich............................PE..d...x?.e.........."

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x18000f2f0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x180000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x65EF3F78 [Mon Mar 11 17:29:28 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	18ecba85a4db5cb9282cb4f36e09b31d

Entrypoint Preview

Instruction
dec eax
sub esp, 38h
dec esp
mov dword ptr [esp+30h], eax
mov dword ptr [esp+24h], edx
dec eax
mov dword ptr [esp+28h], ecx
cmp dword ptr [esp+24h], 01h
jne 00007F17ADCB7997h
call 00007F17ADCC52B7h
mov eax, 00000001h
dec eax
add esp, 38h
ret
nop dword ptr [eax+eax+00000000h]
push esi
dec eax
sub esp, 000001C0h
dec eax
mov dword ptr [esp+000000B0h], ecx
dec eax
lea ecx, dword ptr [esp+68h]
call 00007F17ADCCA4BBh
dec eax
lea ecx, dword ptr [esp+50h]
call 00007F17ADCCA4B1h
dec eax
lea edx, dword ptr [esp+68h]
dec esp
lea eax, dword ptr [esp+50h]
xor ecx, ecx
call 00007F17ADCB3F80h
test al, 01h
jne 00007F17ADCB79A8h
dec eax
mov dword ptr [esp+38h], 00000000h
mov dword ptr [esp+28h], 00000001h
jmp 00007F17ADCB7AB8h
call 00007F17ADCB4D51h
dec eax
mov ecx, 80000001h
dec eax
mov edx, 80000002h
test al, 01h
dec eax
cmovne ecx, edx
dec eax
mov dword ptr [esp+48h], ecx
mov dword ptr [esp+44h], 00000000h
dec eax
mov dword ptr [esp+30h], 00000000h
dec eax
lea ecx, dword ptr [esp+50h]
dec eax
lea edx, dword ptr [esp+00000098h]
call 00007F17ADCCC395h
dec eax
lea ecx, dword ptr [esp+00000098h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x27740	0x84	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x277c4	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x30000	0x4be	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x2c000	0x22d4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2f000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x25000	0x30	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x23e7e	0x24000	926d82e674cf6ca9a1828583461fd805	False	0.4482218424479167	data	5.932744776119157	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x25000	0x2884	0x2a00	c15e937d9b2c0dd3e6f1020a7b43f241	False	0.44419642857142855	data	5.602639422845107	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x28000	0x354c	0x200	e0d111e3c2ecb20c06b8e94025777cf3	False	0.0703125	data	0.3911774675255742	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x2c000	0x22d4	0x2400	70cd2713f641b70f83c8ccd1006c041f	False	0.4742838541666667	data	5.186010432208239	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2f000	0xc	0x200	9c0d2fd8c1db82fd32404a48578bf055	False	0.048828125	data	0.13872951814887827	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x30000	0x4be	0x600	9d3239eca80b03ce1878ad0ea944f137	False	0.3697916666666667	data	3.4708182985183704	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x300a0	0x2dc	data	English	United States	0.4726775956284153
RT_MANIFEST	0x3037c	0x142	ASCII text, with CRLF line terminators	English	United States	0.5745341614906833

Imports

DLL	Import
KERNEL32.dll	GetLastError, LocalFree, CloseHandle
ADVAPI32.dll	RegCloseKey

Exports

Name	Ordinal	Address
Hdooie	1	0x18001c4d0
_invalid_parameter_noinfo_noreturn	2	0x18001ab00
abort	3	0x18001e430

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 28, 2024 16:18:49.241309881 CET	1.1.1.1	192.168.2.9	0xb9ab	No error (0)	windowsupdatebg.s.llnwi.net		69.164.0.128	A (IP address)	IN (0x0001)	false
Mar 28, 2024 16:18:49.241309881 CET	1.1.1.1	192.168.2.9	0xb9ab	No error (0)	windowsupdatebg.s.llnwi.net		69.164.0.0	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll64.exePID: 5360, Parent PID: 3504

General

Target ID:	5
Start time:	16:18:50
Start date:	28/03/2024
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\6sg60cSBIQ.dll"
Imagebase:	0x7ff77afb0000
File size:	165'888 bytes
MD5 hash:	763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7016, Parent PID: 5360

General

Target ID:	6
Start time:	16:18:50
Start date:	28/03/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 7212, Parent PID: 5360

General

Target ID:	8
Start time:	16:18:50
Start date:	28/03/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6sg60cSBIQ.dll",#1
Imagebase:	0x7ff623470000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 7244, Parent PID: 5360

General

Target ID:	9
Start time:	16:18:50
Start date:	28/03/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\6sg60cSBIQ.dll,Hdooie
Imagebase:	0x7ff7b1a70000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 7264, Parent PID: 7212

General

Target ID:	11
Start time:	16:18:50
Start date:	28/03/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\6sg60cSBIQ.dll",#1
Imagebase:	0x7ff7b1a70000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 7460, Parent PID: 5360

General

Target ID:	13
Start time:	16:18:53
Start date:	28/03/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\6sg60cSBIQ.dll,_invalid_parameter_noinfo_noreturn
Imagebase:	0x7ff7b1a70000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 7532, Parent PID: 7460

General

Target ID:	16
Start time:	16:18:54
Start date:	28/03/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7460 -s 336
Imagebase:	0x7ff7edf90000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 7636, Parent PID: 5360

General

Target ID:	18
Start time:	16:18:56
Start date:	28/03/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\6sg60cSBIQ.dll,abort
Imagebase:	0x7ff7b1a70000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 7676, Parent PID: 7636

General

Target ID:	20
Start time:	16:18:57
Start date:	28/03/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7636 -s 328
Imagebase:	0x7ff7edf90000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 7748, Parent PID: 5360

General

Target ID:	21
Start time:	16:18:59
Start date:	28/03/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\6sg60cSBIQ.dll",Hdooie
Imagebase:	0x7ff7b1a70000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 7756, Parent PID: 5360

General

Target ID:	22
Start time:	16:18:59
Start date:	28/03/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\6sg60cSBIQ.dll",_invalid_parameter_noinfo_noreturn
Imagebase:	0x7ff7b1a70000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 7772, Parent PID: 5360

General

Target ID:	23
Start time:	16:18:59
Start date:	28/03/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\6sg60cSBIQ.dll",abort
Imagebase:	0x7ff7b1a70000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 7840, Parent PID: 7756

General

Target ID:	26
Start time:	16:19:00
Start date:	28/03/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7756 -s 340
Imagebase:	0x7ff7edf90000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 7848, Parent PID: 7772

General

Target ID:	27
Start time:	16:19:00
Start date:	28/03/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7772 -s 336
Imagebase:	0x7ff7edf90000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: rundll32.exePID: 7460, Parent PID: 5360COMMON

Execution Graph

Execution Coverage:	0.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.8%
Total number of Nodes:	1635
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF8E7BBC790 Relevance: 1.5, APIs: 1, Instructions: 19
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,?,?,?,?,?,00007FF8E7BB8055,?,?,?,?,00007FF8E7BC1E79), ref: 00007FF8E7BBC7C2

Memory Dump Source

Source File: 0000000D.00000002.1373899668.00007FF8E7BA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7BA0000, based on PE: true

Associated: 0000000D.00000002.1373878708.00007FF8E7BA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373930358.00007FF8E7BC5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373949411.00007FF8E7BCC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373949411.00007FF8E7BD0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff8e7ba0000_rundll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 30b4a6cf627e4c54fad3becd84435e4abdb3b242b081ad92acdaacf49d9325b3
Instruction ID: 9c87d1f5cd381b255ef936b33c1a909ee4325d9f803558cfa3963cfb1d85ebc7
Opcode Fuzzy Hash: 30b4a6cf627e4c54fad3becd84435e4abdb3b242b081ad92acdaacf49d9325b3
Instruction Fuzzy Hash: 9FD0C236A1C64481E6106B62BA0115E6B609FD9BD4F54C135EE5D57768CE2CC9438B00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF8E7BA3C00 Relevance: 1.5, APIs: 1, Instructions: 221
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.1373899668.00007FF8E7BA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7BA0000, based on PE: true

Associated: 0000000D.00000002.1373878708.00007FF8E7BA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373930358.00007FF8E7BC5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373949411.00007FF8E7BCC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373949411.00007FF8E7BD0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff8e7ba0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88eb65be87c309a40b61fb06c8d2aeba07844c8f7848fb34c20d3f5b2ff1161d
Instruction ID: 8d14849b2d290c21a60046947fffe9b7ced7301ce4fc02163c3f4714ce0786f6
Opcode Fuzzy Hash: 88eb65be87c309a40b61fb06c8d2aeba07844c8f7848fb34c20d3f5b2ff1161d
Instruction Fuzzy Hash: 10A17B32A1C68586E760ABA1F0107AFB7A1EBC47C4F144035EAED47B8ACF7DD4458B41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8E7BB91B0 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

+Ty, xrefs: 00007FF8E7BB9228

Memory Dump Source

Source File: 0000000D.00000002.1373899668.00007FF8E7BA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7BA0000, based on PE: true

Associated: 0000000D.00000002.1373878708.00007FF8E7BA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373930358.00007FF8E7BC5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373949411.00007FF8E7BCC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373949411.00007FF8E7BD0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff8e7ba0000_rundll32.jbxd

Similarity

API ID:
String ID: +Ty
API String ID: 0-3135441748
Opcode ID: 31bb0eebdc54fb6114c17da7d0c1c187cd07aec1cc3cb0d921dc1097fb5c6ff6
Instruction ID: fe75f13a0975202c30c55b274985649674d012ce7266764de8566dbbfbe7de0d
Opcode Fuzzy Hash: 31bb0eebdc54fb6114c17da7d0c1c187cd07aec1cc3cb0d921dc1097fb5c6ff6
Instruction Fuzzy Hash: 75513936A0CA9585E7609BA5F00136FB7A0FBC5784F144036EBAD87B89CF7CD4458B02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8E7BB5880 Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1373899668.00007FF8E7BA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7BA0000, based on PE: true

Associated: 0000000D.00000002.1373878708.00007FF8E7BA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373930358.00007FF8E7BC5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373949411.00007FF8E7BCC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373949411.00007FF8E7BD0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff8e7ba0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d52488465e13fb98ba57eb3db2aa74ede2f6f023e70f08ee45b1bede1d23aee
Instruction ID: 05baa90784829413c0de4a2935ce75374dc213da1f7997a32fd80ff1ce37acbf
Opcode Fuzzy Hash: 6d52488465e13fb98ba57eb3db2aa74ede2f6f023e70f08ee45b1bede1d23aee
Instruction Fuzzy Hash: 2BF1323662C6418AD664CB68E09072FB7A1FBC8794F145126FFAE87795CA3CD501DB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8E7BAD9F0 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1373899668.00007FF8E7BA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7BA0000, based on PE: true

Associated: 0000000D.00000002.1373878708.00007FF8E7BA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373930358.00007FF8E7BC5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373949411.00007FF8E7BCC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373949411.00007FF8E7BD0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff8e7ba0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f824a089d3ba7ed0fb8e6aee3a358ccf87f94a8e01a480d477a6eefc736e909e
Instruction ID: 2f9d55983cf09c7eaac15b276a060dcc72ddfd4163e40a2b7852457385a3e2f3
Opcode Fuzzy Hash: f824a089d3ba7ed0fb8e6aee3a358ccf87f94a8e01a480d477a6eefc736e909e
Instruction Fuzzy Hash: 74C16D31A2C54292EA60B7B4E4513FE7351AFD03E0F900631F6BE866DBDE6DE9058742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8E7BB11C0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1373899668.00007FF8E7BA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7BA0000, based on PE: true

Associated: 0000000D.00000002.1373878708.00007FF8E7BA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373930358.00007FF8E7BC5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373949411.00007FF8E7BCC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373949411.00007FF8E7BD0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff8e7ba0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28d2e3a8d22c21247c66c8e072c68ea2962f5d25343e74a34322c1792b93109a
Instruction ID: f664078531215e25754169f8f3b57141eee99023b73877be4e1f1ec6a43ba3dc
Opcode Fuzzy Hash: 28d2e3a8d22c21247c66c8e072c68ea2962f5d25343e74a34322c1792b93109a
Instruction Fuzzy Hash: 78B1A132A1C58691EA20D7A5E4403FE7351EFD43D4F504232EABE879DADE2CD945CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8E7BB1800 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1373899668.00007FF8E7BA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7BA0000, based on PE: true

Associated: 0000000D.00000002.1373878708.00007FF8E7BA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373930358.00007FF8E7BC5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373949411.00007FF8E7BCC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373949411.00007FF8E7BD0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff8e7ba0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed76e3804282a12e7830e3c2831e9c1e0729c86e5c87e91717acd2a9defd6f7e
Instruction ID: ebc70a99785b8546b4c8fd241500bc87da8cfb1a90401589dba6776f26f8399e
Opcode Fuzzy Hash: ed76e3804282a12e7830e3c2831e9c1e0729c86e5c87e91717acd2a9defd6f7e
Instruction Fuzzy Hash: A691B232A1C58656E220ABB8E4513BFB791EBC0390F144635F7BE476DACE3CE5018B12

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8E7BA94C0 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1373899668.00007FF8E7BA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7BA0000, based on PE: true

Associated: 0000000D.00000002.1373878708.00007FF8E7BA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373930358.00007FF8E7BC5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373949411.00007FF8E7BCC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373949411.00007FF8E7BD0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff8e7ba0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fde3f32d49a88e6af8858bee52a5595f0163212ddf8c05d4d00c06b985025830
Instruction ID: fa8baa5c09c08a8c23b942ab5b0284971e5a0d0468c93d6e0be65ba07d41ce93
Opcode Fuzzy Hash: fde3f32d49a88e6af8858bee52a5595f0163212ddf8c05d4d00c06b985025830
Instruction Fuzzy Hash: 0191943291C6C185E760AAA8E4503BFB791EFC57E0F144231E6B987BD9CF6CD8419B02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8E7BABC90 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1373899668.00007FF8E7BA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7BA0000, based on PE: true

Associated: 0000000D.00000002.1373878708.00007FF8E7BA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373930358.00007FF8E7BC5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373949411.00007FF8E7BCC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373949411.00007FF8E7BD0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff8e7ba0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb0779e80f5cac2bc7f72d670610a64edcc5e3e1c0915bb3cd0c44f106fa7847
Instruction ID: 79bf27eeefd62c381a8044a6bfbad0ae8f44643e6ed566a5a58c1b7061b303de
Opcode Fuzzy Hash: fb0779e80f5cac2bc7f72d670610a64edcc5e3e1c0915bb3cd0c44f106fa7847
Instruction Fuzzy Hash: B7917872A185018BD728DB7CD89022E7791EBC83B4B184739EA7EC76E4DE3CE5018B45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8E7BAC200 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1373899668.00007FF8E7BA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7BA0000, based on PE: true

Associated: 0000000D.00000002.1373878708.00007FF8E7BA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373930358.00007FF8E7BC5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373949411.00007FF8E7BCC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373949411.00007FF8E7BD0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff8e7ba0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92f31f0e63b8774943e5d634440e085fac9df005199340233334e03a10e7fe3e
Instruction ID: 14c15ac320368c41c2f6244af761eed503fff7870677f0780d0d17c1fcc1b31a
Opcode Fuzzy Hash: 92f31f0e63b8774943e5d634440e085fac9df005199340233334e03a10e7fe3e
Instruction Fuzzy Hash: D1718136A1D69486D7649BB8E45137EBBA1EBC53A4F140236FBAE477D5CE3CD8008B01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8E7BA7260 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1373899668.00007FF8E7BA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7BA0000, based on PE: true

Associated: 0000000D.00000002.1373878708.00007FF8E7BA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373930358.00007FF8E7BC5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373949411.00007FF8E7BCC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373949411.00007FF8E7BD0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff8e7ba0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c899599762e676fcbfefe5def2e268b7a33ffca36d1b53d31627db8e6aeaa00
Instruction ID: 26f731db6fc8e98f3c671baa1e2eb04f23009d07e51c5fdd6b78433d7f10afd3
Opcode Fuzzy Hash: 0c899599762e676fcbfefe5def2e268b7a33ffca36d1b53d31627db8e6aeaa00
Instruction Fuzzy Hash: EF61AF32A1D64586E794ABA9E04036F7BA1EBC47C0F101035FBAE877D9DE3DD8418B52

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8E7BA7EE0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1373899668.00007FF8E7BA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7BA0000, based on PE: true

Associated: 0000000D.00000002.1373878708.00007FF8E7BA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373930358.00007FF8E7BC5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373949411.00007FF8E7BCC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373949411.00007FF8E7BD0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff8e7ba0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 321f91c93e60edc90b93814640802c4c3f265b86f50a1ad8742056d9a19057c8
Instruction ID: 059d42581ba44d99b67ff42f69eb6ae8da0b6b7534a5b36a94b9a09014a84b16
Opcode Fuzzy Hash: 321f91c93e60edc90b93814640802c4c3f265b86f50a1ad8742056d9a19057c8
Instruction Fuzzy Hash: DD51C53662865486DA60EBA9E44076EB7A0EBC5BE0F100231FFBE47BD5CE3DD4418701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8E7BB26D0 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1373899668.00007FF8E7BA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7BA0000, based on PE: true

Associated: 0000000D.00000002.1373878708.00007FF8E7BA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373930358.00007FF8E7BC5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373949411.00007FF8E7BCC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373949411.00007FF8E7BD0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff8e7ba0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d28395219f43796104e61c328d02a2d423d772ad2f31e95420d5d8c4e906ecc
Instruction ID: 61051c4b945e169025d374e010d9aceac365875b93a25ead2d75251d27eb5330
Opcode Fuzzy Hash: 5d28395219f43796104e61c328d02a2d423d772ad2f31e95420d5d8c4e906ecc
Instruction Fuzzy Hash: CF41D23392861047D3649AB9E84036EB6A1EBC43B4F154339FF79976D5DE3CD8018B41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8E7BB7C50 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1373899668.00007FF8E7BA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7BA0000, based on PE: true

Associated: 0000000D.00000002.1373878708.00007FF8E7BA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373930358.00007FF8E7BC5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373949411.00007FF8E7BCC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373949411.00007FF8E7BD0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff8e7ba0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 696dbf2c24fe3d4679110dd74613963ce26456b4dcf47fd6a679d971f4c0f365
Instruction ID: 7a7aefc7aadbb5a2c1b7dbaa8002d640ad2dab657deee91455bd8cb017253423
Opcode Fuzzy Hash: 696dbf2c24fe3d4679110dd74613963ce26456b4dcf47fd6a679d971f4c0f365
Instruction Fuzzy Hash: 22419372A1C1914FE368DA79E45036EBBD1EBC5354F044235FAA987BCACA3CD5018F05

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8E7BB2230 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1373899668.00007FF8E7BA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8E7BA0000, based on PE: true

Associated: 0000000D.00000002.1373878708.00007FF8E7BA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373930358.00007FF8E7BC5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373949411.00007FF8E7BCC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1373949411.00007FF8E7BD0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff8e7ba0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 971cfb8789d30850329cc70881e0e26c8e025b26850859a31780c7c39fff3ab8
Instruction ID: 3cf0b7fe45f61f6548bb1351ea795f40286d8828e5a3d5fae5104aa1363906ff
Opcode Fuzzy Hash: 971cfb8789d30850329cc70881e0e26c8e025b26850859a31780c7c39fff3ab8
Instruction Fuzzy Hash: EE513A36A0CA8585E7609BA5F0117AFBBA0EBC47D4F144035EBAD87B99CF7CD4458B02

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 7756, Parent PID: 5360COMMON

Execution Graph

Execution Coverage:	0.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1644
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF8F715C790 Relevance: 1.5, APIs: 1, Instructions: 19
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,?,?,?,?,?,00007FF8F7158055,?,?,?,?,00007FF8F7161E79), ref: 00007FF8F715C7C2

Memory Dump Source

Source File: 00000016.00000002.1389725279.00007FF8F7141000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF8F7140000, based on PE: true

Associated: 00000016.00000002.1389704538.00007FF8F7140000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1389755289.00007FF8F7165000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1389776048.00007FF8F716C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1389776048.00007FF8F7170000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff8f7140000_rundll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 30b4a6cf627e4c54fad3becd84435e4abdb3b242b081ad92acdaacf49d9325b3
Instruction ID: e03a11d19d777b85be7488d2914608128c3c83944cf1263819091a52dd807769
Opcode Fuzzy Hash: 30b4a6cf627e4c54fad3becd84435e4abdb3b242b081ad92acdaacf49d9325b3
Instruction Fuzzy Hash: 9BD0C22AA1C64482E7206B32B90105E5A509FEABD4F588039EE5D1BBA8CD28C5838B04

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 6sg60cSBIQ.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_6sg_3152e4b3bd5a32c92a13e818e4165ed38ed22690_24c13995_187d3e90-249f-4e4d-9a2a-3747a8ce9b7f\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_6sg_3152e4b3bd5a32c92a13e818e4165ed38ed22690_24c13995_f6cd8a97-c47f-4df6-9340-375c5d76d18a\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_6sg_3784abb0c760c4a0da83b9de70b0523f3255b47_24c13995_0470cc9b-4e1b-4912-a759-6b38fad3ff74\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_6sg_3784abb0c760c4a0da83b9de70b0523f3255b47_24c13995_a04d76f8-d874-47c2-a198-cd97fde122a0\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DAF.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8E2D.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8E5D.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER98CB.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER992A.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9969.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA510.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA52F.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA5BC.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA5DC.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA5EC.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA63A.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
6sg60cSBIQ.dll

Function 00007FF8E7BBC790 Relevance: 1.5, APIs: 1, Instructions: 19
memoryCOMMON

Function 00007FF8E7BA3C00 Relevance: 1.5, APIs: 1, Instructions: 221
COMMON