Edit tour

Windows Analysis Report
u9R1HA4M7B.dll

Overview

General Information

Sample name:	u9R1HA4M7B.dll (renamed file extension from exe to dll, renamed because original name is a hash value)
Original sample name:	f5cb3234eff0dbbd653d5cdce1d4b1026fa9574ebeaf16aaae3d4e921b6a7f9d.exe
Analysis ID:	1431871
MD5:	180669dd53e9169c7775d5acc4b79a9f
SHA1:	faf9e7a6bfd0e766230f6c615693829c86fa7ff3
SHA256:	f5cb3234eff0dbbd653d5cdce1d4b1026fa9574ebeaf16aaae3d4e921b6a7f9d
Tags:	exewineloader
Infos:

Detection

WineLoader

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected WineLoader

PE file has a writeable .text section

AV process strings found (often used to terminate AV products)

Binary contains a suspicious time stamp

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found large amount of non-executed APIs

One or more processes crash

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 6716 cmdline: loaddll64.exe "C:\Users\user\Desktop\u9R1HA4M7B.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)

conhost.exe (PID: 6740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5596 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\u9R1HA4M7B.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

rundll32.exe (PID: 2336 cmdline: rundll32.exe "C:\Users\user\Desktop\u9R1HA4M7B.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 7140 cmdline: C:\Windows\system32\WerFault.exe -u -p 2336 -s 140 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

rundll32.exe (PID: 6432 cmdline: rundll32.exe C:\Users\user\Desktop\u9R1HA4M7B.dll,_CreateFrameInfo MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 6648 cmdline: C:\Windows\system32\WerFault.exe -u -p 6432 -s 232 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

rundll32.exe (PID: 7296 cmdline: rundll32.exe C:\Users\user\Desktop\u9R1HA4M7B.dll,_CxxThrowException MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 7332 cmdline: C:\Windows\system32\WerFault.exe -u -p 7296 -s 128 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

rundll32.exe (PID: 7424 cmdline: rundll32.exe C:\Users\user\Desktop\u9R1HA4M7B.dll,_FindAndUnlinkFrame MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 7460 cmdline: C:\Windows\system32\WerFault.exe -u -p 7424 -s 236 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
WINELOADER		APT29	https://twitter.com/SinghSoodeep/status/1763808104221737156 https://twitter.com/greglesnewich/status/1762549311294804145 https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader	https://malpedia.caad.fkie.fraunhofer.de/details/win.wineloader

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
u9R1HA4M7B.dll	JoeSecurity_WineLoader	Yara detected WineLoader	Joe Security

Unpacked PEs

Source	Rule	Description	Author
10.2.rundll32.exe.7ffe14630000.0.unpack	JoeSecurity_WineLoader	Yara detected WineLoader	Joe Security
4.2.rundll32.exe.7ffe14630000.0.unpack	JoeSecurity_WineLoader	Yara detected WineLoader	Joe Security
3.2.rundll32.exe.7ffe14630000.0.unpack	JoeSecurity_WineLoader	Yara detected WineLoader	Joe Security
13.2.rundll32.exe.7ffe14630000.0.unpack	JoeSecurity_WineLoader	Yara detected WineLoader	Joe Security
0.2.loaddll64.exe.7ffe14630000.0.unpack	JoeSecurity_WineLoader	Yara detected WineLoader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: u9R1HA4M7B.dll

ReversingLabs: Detection: 39%

Source: u9R1HA4M7B.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF

Source:

Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: loaddll64.exe, 00000000.00000002.2912594295.00007FFE14641000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1758875603.00007FFE14641000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1752634781.00007FFE14641000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.1766577814.00007FFE14641000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.1773955469.00007FFE14641000.00000004.00000001.01000000.00000003.sdmp, u9R1HA4M7B.dll

Source: Amcache.hve.8.dr

String found in binary or memory: http://upx.sf.net

System Summary

PE file has a writeable .text section

Source: u9R1HA4M7B.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE1463A45A	0_2_00007FFE1463A45A
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE146394D4	0_2_00007FFE146394D4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE146385AC	0_2_00007FFE146385AC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE14637957	0_2_00007FFE14637957

Source: C:\Windows\System32\rundll32.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2336 -s 140

Source: u9R1HA4M7B.dll

Static PE information: invalid certificate

Source: u9R1HA4M7B.dll

Binary or memory string: OriginalFilenamevcruntime140.dllT vs u9R1HA4M7B.dll

Source: classification engine

Classification label: mal60.troj.winDLL@16/17@0/0

Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7296
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6740:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7424
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6432
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2336

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\ac83b3e1-bd1a-4e32-b8f5-9b4f523c2fce

Jump to behavior

Source: u9R1HA4M7B.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\u9R1HA4M7B.dll,_CreateFrameInfo

Source: u9R1HA4M7B.dll

ReversingLabs: Detection: 39%

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\u9R1HA4M7B.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\u9R1HA4M7B.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\u9R1HA4M7B.dll,_CreateFrameInfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\u9R1HA4M7B.dll",#1
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2336 -s 140
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6432 -s 232
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\u9R1HA4M7B.dll,_CxxThrowException
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7296 -s 128
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\u9R1HA4M7B.dll,_FindAndUnlinkFrame
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7424 -s 236
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\u9R1HA4M7B.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\u9R1HA4M7B.dll,_CreateFrameInfo	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\u9R1HA4M7B.dll,_CxxThrowException	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\u9R1HA4M7B.dll,_FindAndUnlinkFrame	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\u9R1HA4M7B.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: u9R1HA4M7B.dll

Static PE information: Image base 0x7fffe43c0000 > 0x60000000

Source: u9R1HA4M7B.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF

Source: u9R1HA4M7B.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Data Obfuscation

Yara detected WineLoader

Source: Yara match	File source: u9R1HA4M7B.dll, type: SAMPLE
Source: Yara match	File source: 10.2.rundll32.exe.7ffe14630000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.7ffe14630000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.7ffe14630000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.7ffe14630000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll64.exe.7ffe14630000.0.unpack, type: UNPACKEDPE

Source: u9R1HA4M7B.dll

Static PE information: 0xEFFF39AD [Sun Aug 4 18:57:49 2097 UTC]

Source: u9R1HA4M7B.dll

Static PE information: real checksum: 0x1d3b4 should be: 0x187ce

Source: u9R1HA4M7B.dll

Static PE information: section name: _RDATA

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

API coverage: 8.5 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: Amcache.hve.8.dr	Binary or memory string: VMware
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.8.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.8.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFE14640338 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00007FFE14640338

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\u9R1HA4M7B.dll",#1

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFE1464028C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FFE1464028C

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFE1463AC8A GetUserNameW,

0_2_00007FFE1463AC8A

Source: Amcache.hve.8.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Rundll32	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Process Injection	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Timestomp	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 System Owner/User Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	2 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
u9R1HA4M7B.dll	39%	ReversingLabs	Win64.Trojan.Generic

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.8.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431871
Start date and time:	2024-04-25 22:12:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	u9R1HA4M7B.dll (renamed file extension from exe to dll, renamed because original name is a hash value)
Original Sample Name:	f5cb3234eff0dbbd653d5cdce1d4b1026fa9574ebeaf16aaae3d4e921b6a7f9d.exe
Detection:	MAL
Classification:	mal60.troj.winDLL@16/17@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 6 Number of non-executed functions: 15

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: u9R1HA4M7B.dll

Simulations

Behavior and APIs

Time	Type	Description
22:13:02	API Interceptor	4x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_u9R_ce3539d85b1c5ec68c954104cf626e03175e8a_93eaf31b_315cf41d-180d-42fe-9df9-a19be070e75b\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.691507820725168
Encrypted:	false
SSDEEP:	96:YMpeF5V7iEyKyQsjC4Rv1yHpSsQXIDcQZc6McEPcw3m/XaXz+HbHgSQgJjNZAX/F:YtFiEyQU03IFiXjMzuiFt+Z24lO8S
MD5:	8A3A2203271203DB330AE235CD9C2780
SHA1:	798FD9639100DFF358338774EB6B2343D718EC62
SHA-256:	7EEC08F070B28CB54416DFE842FE9093C419EDB1F306D76A7D437C3668FD4D79
SHA-512:	A189F7E6A2AF5C9844373707EBCFC9C03B2CE704D080B52089F4CED935B08E35B3CBBB1773AEB5344FD46385FD624494BE49ECDBD4F4124AF7EFD60E7CB8ECCE
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.5.4.9.5.7.7.7.3.8.9.5.7.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.5.4.9.5.7.8.0.2.0.2.0.4.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.1.5.c.f.4.1.d.-.1.8.0.d.-.4.2.f.e.-.9.d.f.9.-.a.1.9.b.e.0.7.0.e.7.5.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.3.6.7.6.6.5.7.-.6.d.3.7.-.4.8.b.0.-.b.c.f.5.-.4.8.a.7.f.e.c.c.c.2.4.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.u.9.R.1.H.A.4.M.7.B...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.0.0.-.0.0.0.1.-.0.0.1.4.-.6.c.3.8.-.d.5.f.6.4.c.9.7.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.2.2.!.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_u9R_ce3539d85b1c5ec68c954104cf626e03175e8a_93eaf31b_4d33789e-b009-45d7-956c-442afac19bec\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.69145670916839
Encrypted:	false
SSDEEP:	96:cfgFQ4G7iX3yKyOsjC4Rv1yHpSsQXIDcQZc6McEPcw3m/XaXz+HbHgSQgJjNZAX9:xuTiX3yOU03IFiXjMzuiFt+Z24lO8S
MD5:	47CA43A527FAB44968E7BCFFC3E686D9
SHA1:	F793A344B6B3C08DCA83ADDA6395C3A4FB53DB26
SHA-256:	7B1C00B8E9977C7AF71D5C803C303AC157BBBF383FDF23D20C1515305BCE166A
SHA-512:	F92B08388227F27E5B8DF685CFEECFEC6E13316A70A4F8DA80EF69F66E35EB06BE56E1D5FBEAFD2BDD1C695CD4240044427DF64EF12E6054972BC8F704ABE14E
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.5.4.9.5.7.1.9.3.7.4.8.8.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.5.4.9.5.7.2.4.9.9.9.8.2.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.d.3.3.7.8.9.e.-.b.0.0.9.-.4.5.d.7.-.9.5.6.c.-.4.4.2.a.f.a.c.1.9.b.e.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.e.e.f.9.8.3.8.-.9.6.3.d.-.4.e.d.b.-.8.f.6.c.-.3.4.f.9.0.5.8.7.c.5.7.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.u.9.R.1.H.A.4.M.7.B...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.2.0.-.0.0.0.1.-.0.0.1.4.-.e.6.e.0.-.3.c.f.3.4.c.9.7.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.2.2.!.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_u9R_ce3539d85b1c5ec68c954104cf626e03175e8a_93eaf31b_ab11d3bd-b6ac-4ab3-b71a-426236c34122\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6915812318575917
Encrypted:	false
SSDEEP:	96:EJ0FkRF7iIyKyUsjC4Rv1yHpSsQXIDcQZc6McEPcw3m/XaXz+HbHgSQgJjNZAX/F:q0CRZiIyUU03IFiXjMzuiFt+Z24lO8S
MD5:	8BEA8537656AC778C06A92E0DAD1BC18
SHA1:	228A1EA00B56ACBDD9089CDF06DACDE68B1501D8
SHA-256:	72EE33AFF0DCAF01CB3FB66D74D064EF35294FC30F5DC60693BE526A6E8D72DB
SHA-512:	336BE3AF55177E90D14882587BE3E42B5539B29DECE651D0661B58ACCA3A2A24F1EFDD330482F4E9BE5DF01F4261357F061B92C135C53F7F71E012E100E6E886
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.5.4.9.5.7.4.6.4.3.1.0.1.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.5.4.9.5.7.4.9.5.5.5.8.5.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.b.1.1.d.3.b.d.-.b.6.a.c.-.4.a.b.3.-.b.7.1.a.-.4.2.6.2.3.6.c.3.4.1.2.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.8.2.0.1.4.7.4.-.0.f.b.7.-.4.8.8.0.-.a.b.1.d.-.2.6.b.4.b.5.d.6.d.4.3.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.u.9.R.1.H.A.4.M.7.B...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.8.0.-.0.0.0.1.-.0.0.1.4.-.c.3.0.f.-.0.9.f.5.4.c.9.7.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.2.2.!.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_u9R_ce3539d85b1c5ec68c954104cf626e03175e8a_93eaf31b_b8be7178-c123-40e8-8433-717dd469d09c\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6913971916977464
Encrypted:	false
SSDEEP:	96:Q0FRyr7i6yKydsjC4Rv1yHpSsQXIDcQZc6McEPcw3m/XaXz+HbHgSQgJjNZAX/df:ZGi6ydU03IFiXjMzuiFt+Z24lO8S
MD5:	8933077FD0D2AD3EA2A9077E3385F1B9
SHA1:	121781D6D8E6933B254EFAD919053EC36232D639
SHA-256:	E8F9436E32E277A23A68F68EB1284749216C149A997A85E2BFB7FD538907D7BB
SHA-512:	9B37D2153B3B27D56DE2AEC75DD1BE01E3DB991A2CBA3181E08985D5718F8F28BF00E43853CFC429C1FF4D8D682D3825DC96C96BFD4B2B6C52F18ED133F351D4
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.5.4.9.5.7.1.9.3.1.9.0.9.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.5.4.9.5.7.2.4.9.4.4.0.0.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.8.b.e.7.1.7.8.-.c.1.2.3.-.4.0.e.8.-.8.4.3.3.-.7.1.7.d.d.4.6.9.d.0.9.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.e.1.e.5.a.2.9.-.8.4.7.6.-.4.4.d.6.-.b.b.e.5.-.0.2.1.a.5.7.0.f.f.d.5.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.u.9.R.1.H.A.4.M.7.B...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.9.2.0.-.0.0.0.1.-.0.0.1.4.-.b.e.6.e.-.3.e.f.3.4.c.9.7.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.2.2.!.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB829.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Apr 25 20:12:52 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	49298
Entropy (8bit):	1.4305543567010404
Encrypted:	false
SSDEEP:	96:508RE3noYFvmtUFVzzGVoi7MTZW3l+2VFw7w0WIOnIpgYrvnnW:1+LJOMT92L3YDnW
MD5:	3C0C952B0F3CE49F3485708BCA29679C
SHA1:	C7C077B05CD6FFBFFB46369A310B2555792DCE12
SHA-256:	EB85B071341B1C1A21CADAFA50847DA6D7D6F6D1A1857E4FFF442A32B983574E
SHA-512:	B939FD445335A21AE282EA9AA73DF1A84CA4976EC2C44D5D79A09A095E81DDFA0FEE4BA8F13D07FBD664D0B28CCFF5DEE64D5822D7C9FB31E237765CDB64B4A0
Malicious:	false
Preview:	MDMP..a..... .......D.f........................................L#..........T.......8...........T...........H...J...........D...........0...............................................................................eJ..............Lw......................T....... ...C.f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB82A.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Apr 25 20:12:52 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	49006
Entropy (8bit):	1.4446868138846818
Encrypted:	false
SSDEEP:	96:508nE3O9dYFvmtUFVm9VRoi7MjIq5sK/uiVZVVQnf+ftBH0cAvA6LLQRooo+fWIC:1Np9wOMjT/uiVZVVQnGf/A
MD5:	D318BDAA4287A58C5D335EDC7C42AB51
SHA1:	2822B9C34CFB1FEB46531233A90C8B3BE69853D5
SHA-256:	60B288116C9410E08536908CC8343FE92931BC1ABE4C3CC10127416025123975
SHA-512:	85A422F1E754E1A871AD6DCE459883D7B027EC0806B0321C290582C783B7F022C887331CD732D682453800C7B02A760CBD0D5529A0E9402E4488EAF091142134
Malicious:	false
Preview:	MDMP..a..... .......D.f........................................L#..........T.......8...........T..........................D...........0...............................................................................eJ..............Lw......................T....... ...C.f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB8D6.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8600
Entropy (8bit):	3.694221789035244
Encrypted:	false
SSDEEP:	192:R6l7wVeJBVyIj9s6Y0HLD80gmfDiNa/pD+89bLj0fdZm:R6lXJzyd6YIzgmfDiNeLwfq
MD5:	399F7C22B5FBF82A1497F8750D68E549
SHA1:	4C1D61EFDC5C7B68F8FF08C2427A905E185CD496
SHA-256:	7AE622F09E795D9B45D4CF4A8D191453BCBE996C39EDAF3F91BADCF0F5CB8F67
SHA-512:	4B767542314E7AD43619A685DFBFF91F014036E03A01F6FE9E411BAB0393E9E1BAD0D603F11E3A2AEE7233C24F9840B5161A72A3DAB9AC53D86BE5CCF927CAEA
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.3.3.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB904.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8592
Entropy (8bit):	3.692518340943735
Encrypted:	false
SSDEEP:	192:R6l7wVeJeqyO9I6YPEmgmfDiNa/pDy89bL/0fxFZm:R6lXJzyb6YsmgmfDiNSLMfxC
MD5:	661BEBB211BF8C149958FA50CC4AC0BE
SHA1:	1998505010E5B30504B715BF242553DCF224836C
SHA-256:	35FD8F87DEB0C70A1C33FFB850C5723E09AA5B6DCCB83340317BF85F5EE2AF18
SHA-512:	C1BF005C2026BB4406A0894351CE3D251B1758774CB0254B0D7ED419752EA7FAF80D521997BF47553000E7D515C475A0D3F9C6E08B4E7A835341B9C4510938F4
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.3.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB915.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4878
Entropy (8bit):	4.4745465336272705
Encrypted:	false
SSDEEP:	48:cvIwWl8zsaJg771I9QzWpW8VYIYm8M4JCJChYgFVyq8vhhYlptSTSmd:uIjfoI7XC7VMJHW0poOmd
MD5:	9F854996CCA1AEA2C513E1593B2E17FA
SHA1:	5888BF02473EE4E29EAAFD2C92BC09999F19EC2D
SHA-256:	C38F9884E6808791C18F306D5F7889D9A1C8DD8BEC98EBC59619F5705972737D
SHA-512:	DC6AFD63B73F42A7D755F2FAE3DAC4CD690B24603F7E02FB158D24781ECE3F645B93376F7972712D82A3F2472679056C71DBD21F301ADEBB8CA7339A5266D21D
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="295875" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB963.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4878
Entropy (8bit):	4.476671377387129
Encrypted:	false
SSDEEP:	48:cvIwWl8zsaJg771I9QzWpW8VY3Ym8M4JCJChYgFdyq8vhhY92ptSTSDd:uIjfoI7XC7V3JTWK2poODd
MD5:	B0B4A6445D4614F69B180861F1EF0557
SHA1:	CC2D4756E93415B32B57234D6F4DA2F07898B925
SHA-256:	2DC7646ECC73A8EF7C9717C2ED6F9C4D718185FE2BB4FE4CEA0E74A84F90C8C5
SHA-512:	F7A47A74FEB7AF879E6AD7D00026C16490DB387FBD243A6BCD2FCA20358021012C92A695DBAFCC4D95E9182319FB65B87C0CED8DD58FADFDAD8B56917AA006EA
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="295875" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC2B8.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Apr 25 20:12:54 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	49954
Entropy (8bit):	1.4161045119296658
Encrypted:	false
SSDEEP:	96:57S8VE3lMwhCYFvmtUFVpKDdoi7MTLh4W+jC/ViuPU0HYuYWI1zGI5gVvx:Fhovhu2OMTwGpzAgj
MD5:	3EF44344739E09B50E7B0BC371D814E8
SHA1:	81ADCA826E2D835D6B80189D7665058AC10449BD
SHA-256:	71C4105DE28805D4C1186CC076529FAFEE1951C1CB5EC6EE0D1412679E99B2F7
SHA-512:	3A8D60F2C19A847144DF206DAB7E0B6BFF974C20205B04BE2387A3B6FEF0F2D58893E91560E0449D59063E03E0F2C573CA241EC43FD96C4FF507DD5138FBB002
Malicious:	false
Preview:	MDMP..a..... .......F.f........................................L#..........T.......8...........T...........H..............D...........0...............................................................................eJ..............Lw......................T...........F.f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC2F7.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8590
Entropy (8bit):	3.6926324025637376
Encrypted:	false
SSDEEP:	192:R6l7wVeJHtuy49u6YPWmgmfDiNa/pDl89b9Ecf0c8/m:R6lXJkyL6YOmgmfDiNj9Xfj
MD5:	239D3584078842354ACECA5ED2026EB3
SHA1:	11C96A9C4795F9854264A65A6C55BE1CFC879910
SHA-256:	5D978513B12FB320F76117BA8D0B92AEABF0A5D27CF1F589B42D1F3DC42801A3
SHA-512:	EC979E551EF24E0A99D6179D916785A66FB941F46CC91124B670ADE156F0618FB0D25CA010BFA3F1FA23DED3DC9B3FD5C1B3B85260DCBD9B86E885CDB6334E59
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.2.9.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC337.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4878
Entropy (8bit):	4.474782354737111
Encrypted:	false
SSDEEP:	48:cvIwWl8zsaJg771I9QzWpW8VYqYm8M4JCJChYgFaAyyq8vhhYNptSTShhd:uIjfoI7XC7V6JGW8poOhhd
MD5:	56F62AFEDF619D829397221D1DB45761
SHA1:	BBC0C7824E44A3635CE4F32DC528CEF6606822A9
SHA-256:	AEAD2B780CFCA1D88457E1A81CA836D9863AA9E9EE4C906ADFE138E2FCC8291F
SHA-512:	6BE1E7175CB186BC9621A58FAF9B0F9845EE81621A402E7ED1D04A6A5E933A89104488F1AB629BD83526CA7D7FEE60207A3F40C0C735FC716623CFC6763BD2EF
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="295875" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCEDD.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Apr 25 20:12:57 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	50338
Entropy (8bit):	1.3941467383715735
Encrypted:	false
SSDEEP:	192:UVzNSOMf5Nl7UHkowVFLhLaQDudKnzHqH+:anEVIHkowVFLRaQydKnzKe
MD5:	DDD663A0176BCB6357D1D93C8FC299E3
SHA1:	4176B2C1208340E5F3C9293870E46685754A20E0
SHA-256:	4C05ECF502625038D5859E2D8CAD26863B574DFEA8789912B79CAACA8575F312
SHA-512:	C1DA62825BC2AA8C03C3F276EE9A828AFB273781F74318E9E848D93F4C7AE90326D3CD949E3EF6DD862319F8C65409700FC970FEBF4C506AEDFD6CBD78FAC61C
Malicious:	false
Preview:	MDMP..a..... .......I.f........................................L#..........T.......8...........T...........H...Z...........D...........0...............................................................................eJ..............Lw......................T...........I.f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCF1D.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8592
Entropy (8bit):	3.692121538124629
Encrypted:	false
SSDEEP:	192:R6l7wVeJY9BX9HZ6YP5mgmfDiNa/pDP89bmXNf0im:R6lXJyBVZ6YxmgmfDiN5m9fQ
MD5:	A9FC48A7F4469AAF4597781D052C31C2
SHA1:	6449996442DB3FD57720646750A8468C80B4BD73
SHA-256:	98A8208FF6CAA3F48C371F2E67A0236E6396AB98334E22C1EFFB3D355C6F7E22
SHA-512:	C5EFC8C077DE27AFF823D9C64CC4E99E10807C6E185671737A5D736116D22D25AC1C99D5820D824F78856B2FBCD35A994CF5693DE0AA8D9A9D7E913FC6B2630A
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.2.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCF5C.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4878
Entropy (8bit):	4.477570678344253
Encrypted:	false
SSDEEP:	48:cvIwWl8zsaJg771I9QzWpW8VY4Ym8M4JCJChYgFhyq8vhhYJzptSTSvd:uIjfoI7XC7VcJPWYpoOvd
MD5:	D5F2562CD3CDE7EF958BE7090239F038
SHA1:	8001EE7044F02E27D9434DB2C59E027E4E1D0CA3
SHA-256:	53CCBE6DA668C56BE2CF0178B6D6CA3ED038677046C0C400E67CB7795FCA4115
SHA-512:	3098D38457197A7688022747B7BF1A3395343815538DF860416AF8B8F758B6D9F1BA31C5173CC235B89E0FE67E220733C3BA8F6597AC001FCC4597CB9572B50A
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="295875" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.46638485134926
Encrypted:	false
SSDEEP:	6144:AIXfpi67eLPU9skLmb0b4zWSPKaJG8nAgejZMMhA2gX4WABl0uNcdwBCswSb9:FXD94zWlLZMM6YFHa+9
MD5:	77C80B1F231AF4272027EF8B96C953EC
SHA1:	14630FA9BF17B9359A5B20D77190E2843A8CB220
SHA-256:	CB12DE3570333B9AA5BED6CA5AB49B3FEBF7B47E51DF379A4D87AD98106A8772
SHA-512:	E95913C1991D9B6DC88F8C9C33A57F08C0259672BFAB3D9B285863FB3279A0A74FCD73EEA7F29516167CD07B8F609686560C4923304CB9BD15421236366D81DA
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmr.s.L.................................................................................................................................................................................................................................................................................................................................................e.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Entropy (8bit):	6.4592932953759785
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	u9R1HA4M7B.dll
File size:	98'736 bytes
MD5:	180669dd53e9169c7775d5acc4b79a9f
SHA1:	faf9e7a6bfd0e766230f6c615693829c86fa7ff3
SHA256:	f5cb3234eff0dbbd653d5cdce1d4b1026fa9574ebeaf16aaae3d4e921b6a7f9d
SHA512:	f77036135f9dde670b56d9ba3ae644c0232adadf657583e17ec45274dc619d0f31a5b2c96b9cf1729251361942c65f62a8cf97cddced472d48e3b0e53d3bce5c
SSDEEP:	1536:zxhUIePlHhRUzXyNC6+iv7u0/7eAD4AALuXvycecbni10DWZz:zvcUzXyNbhS0/7vD4Ax3ecbnG1
TLSH:	C4A33802F2A940B9D09EC2B48396E727B7B074089B6077CF17A54B251E97F909F3935B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.&k..H8..H8..H8..I9..H8...8..H8..I8(.H8e.K9..H8e.L9..H8e.M9..H8e.H9..H8e..8..H8e.J9..H8Rich..H8................PE..d....9.....

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x7fffe43ccf2a
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x7fffe43c0000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF
Time Stamp:	0xEFFF39AD [Sun Aug 4 18:57:49 2097 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	7f07fd94e5bb907093556781cc464017

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	02/09/2021 19:33:02 01/09/2022 19:33:02
Subject Chain	CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	550C27BE6F1184B6CC93B4B4E2EA9D58
Thumbprint SHA-1:	C9CAEDC2CECF953E812C6446D41927B9864BB880
Thumbprint SHA-256:	63E8D95BCEE4522E6380E7F9305A676C0880AD93AD3BA9CB53FE43D6081A1025
Serial:	3300000255181DA42EE086FC15000000000255

Entrypoint Preview

Instruction
inc ecx
push edi
inc ecx
push esi
inc ecx
push ebp
inc ecx
push esp
push esi
push edi
push ebp
push ebx
dec eax
sub esp, 00000158h
movaps esp+00000140h, dqword ptr [xmm7]
movaps esp+00000130h, dqword ptr [xmm6]
dec eax
mov esi, ecx
dec eax
lea edi, dword ptr [esp+000000C0h]
dec eax
mov dword ptr [edi-08h], 0000000Ch
dec eax
mov eax, 00F7D404h
in eax, dx
js 00007FD858BB780Ch
outsd
dec eax
mov dword ptr [edi], eax
mov dword ptr [edi+08h], FCF1BF11h
inc ecx
mov esi, 00000001h
dec esp
mov dword ptr [edi+0Ch], esi
mov edx, 0000000Ch
dec eax
mov ecx, edi
call 00007FD858BB1960h
xor ebp, ebp
mov dword ptr [edi+0Ch], ebp
dec eax
lea ebx, dword ptr [esp+78h]
dec eax
mov dword ptr [ebx-08h], 0000001Ah
movups xmm6, dqword ptr [FFFF9EF2h]
movups dqword ptr [ebx], xmm6
movups xmm7, dqword ptr [FFFF9EF2h]
movups dqword ptr [ebx+0Ah], xmm7
dec esp
mov dword ptr [ebx+1Ch], esi
mov edx, 0000001Ah
dec eax
mov ecx, ebx
call 00007FD858BB1928h
mov dword ptr [ebx+1Ch], ebp
dec eax
mov ecx, ebx
call 00007FD858BB1AE7h
dec eax
mov ecx, eax
dec eax
mov edx, edi
call 00007FD858BB1B4Dh
call eax
dec eax
cmp dword ptr [esi], 00000000h
je 00007FD858BB78EEh
dec esp
lea esi, dword ptr [esp+70h]
dec ecx
mov dword ptr [esi+08h], 00000000h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x14330	0x834	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x14b64	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x19000	0x3d0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x17000	0xb70	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x15a00	0x27b0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1a000	0x1a0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x12df0	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x12cb0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x10000	0xfc00	04eb33aa9e6b038b535164fd05125e11	False	0.5051773313492064	data	6.435321041244554	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x11000	0x5000	0x4200	8fcb1166becbcee82e5ade4c005ba659	False	0.3974313446969697	SysEx File - ADA	4.843091866116115	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.data	0x16000	0x1000	0x400	317b92eb9b8980fbb7e3d768cb5131e1	False	0.1953125	DOS executable (block device driver =\344\377\177)	2.6154988641607586	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x17000	0x1000	0xc00	fc0281b543ce69732b9e511c59978715	False	0.4811197916666667	PEX Binary Archive	4.6976656411659	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x18000	0x1000	0x200	16cc8eb01a68a62dea3ee2c7c598cd9f	False	0.390625	data	2.7869372198389426	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x19000	0x1000	0x400	d461d102eb9f793e52452eca0d0f2a5c	False	0.412109375	data	3.195335377178025	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1a000	0x1000	0x200	e2c21ce14270df72445259f3b4a18a3b	False	0.642578125	data	4.614856328897942	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x19060	0x36c	data	English	United States	0.4406392694063927

Imports

DLL	Import
api-ms-win-crt-runtime-l1-1-0.dll	terminate, abort
api-ms-win-crt-heap-l1-1-0.dll	calloc, malloc, free
api-ms-win-crt-string-l1-1-0.dll	strcpy_s, strncmp, wcsncmp
api-ms-win-crt-stdio-l1-1-0.dll	__stdio_common_vsprintf, __stdio_common_vsprintf_s
api-ms-win-crt-convert-l1-1-0.dll	atol
KERNEL32.dll	GetLastError, IsProcessorFeaturePresent, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlVirtualUnwind, RtlCaptureContext, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, RtlLookupFunctionEntry, RtlUnwindEx, GetModuleHandleW, GetModuleFileNameW, RtlUnwind, EncodePointer, RaiseException, RtlPcToFileHeader, InterlockedPushEntrySList, InterlockedFlushSList, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, GetProcAddress, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW

Exports

Name	Ordinal	Address
_CreateFrameInfo	1	0x7fffe43cfba0
_CxxThrowException	2	0x7fffe43c6630
_FindAndUnlinkFrame	3	0x7fffe43cfbe0
_IsExceptionObjectToBeDestroyed	4	0x7fffe43c25a0
_SetWinRTOutOfMemoryExceptionCallback	5	0x7fffe43c25d0
__AdjustPointer	6	0x7fffe43c25e0
__BuildCatchObject	7	0x7fffe43c56e0
__BuildCatchObjectHelper	8	0x7fffe43c56f0
__C_specific_handler	9	0x7fffe43cef20
__C_specific_handler_noexcept	10	0x7fffe43cecd0
__CxxDetectRethrow	11	0x7fffe43c5710
__CxxExceptionFilter	12	0x7fffe43c5760
__CxxFrameHandler	13	0x7fffe43cfc90
__CxxFrameHandler2	14	0x7fffe43cfc90
__CxxFrameHandler3	15	0x7fffe43cfca0
__CxxQueryExceptionSize	16	0x7fffe43c5950
__CxxRegisterExceptionObject	17	0x7fffe43c5960
__CxxUnregisterExceptionObject	18	0x7fffe43c5a10
__DestructExceptionObject	19	0x7fffe43c2520
__FrameUnwindFilter	20	0x7fffe43c2610
__GetPlatformExceptionInfo	21	0x7fffe43c2680
__NLG_Dispatch2	22	0x7fffe43c1140
__NLG_Return2	23	0x7fffe43c1150
__RTCastToVoid	24	0x7fffe43c6110
__RTDynamicCast	25	0x7fffe43c6170
__RTtypeid	26	0x7fffe43c62e0
__TypeMatch	27	0x7fffe43c5700
__current_exception	28	0x7fffe43c26e0
__current_exception_context	29	0x7fffe43c2700
__intrinsic_setjmp	30	0x7fffe43d05f0
__intrinsic_setjmpex	31	0x7fffe43d06b0
__processing_throw	32	0x7fffe43c2720
__report_gsfailure	33	0x7fffe43d0370
__std_exception_copy	34	0x7fffe43c6390
__std_exception_destroy	35	0x7fffe43c6420
__std_terminate	36	0x7fffe43c2740
__std_type_info_compare	37	0x7fffe43c6470
__std_type_info_destroy_list	38	0x7fffe43c64a0
__std_type_info_hash	39	0x7fffe43c64d0
__std_type_info_name	40	0x7fffe43c6510
__telemetry_main_invoke_trigger	41	0x7fffe43c1d30
__telemetry_main_return_trigger	42	0x7fffe43c1d30
__unDName	43	0x7fffe43ceac0
__unDNameEx	44	0x7fffe43ceaf0
__uncaught_exception	45	0x7fffe43c66d0
__uncaught_exceptions	46	0x7fffe43c66f0
__vcrt_GetModuleFileNameW	47	0x7fffe43c6df0
__vcrt_GetModuleHandleW	48	0x7fffe43c6e00
__vcrt_InitializeCriticalSectionEx	49	0x7fffe43c6d80
__vcrt_LoadLibraryExW	50	0x7fffe43c6e10
_get_purecall_handler	51	0x7fffe43c6e20
_get_unexpected	52	0x7fffe43c6710
_is_exception_typeof	53	0x7fffe43c2750
_local_unwind	54	0x7fffe43c1de0
_purecall	55	0x7fffe43c6e30
_set_purecall_handler	56	0x7fffe43c6e50
_set_se_translator	57	0x7fffe43c5652
longjmp	58	0x7fffe43c1db0
memchr	59	0x7fffe43c1170
memcmp	60	0x7fffe43c11f0
memcpy	61	0x7fffe43c12f0
memmove	62	0x7fffe43c12f0
memset	63	0x7fffe43c19a0
set_unexpected	64	0x7fffe43c6740
strchr	65	0x7fffe43c1e10
strrchr	66	0x7fffe43c1e90
strstr	67	0x7fffe43c1fd0
unexpected	68	0x7fffe43c6770
wcschr	69	0x7fffe43c21d0
wcsrchr	70	0x7fffe43c2250
wcsstr	71	0x7fffe43c2300

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	22:12:51
Start date:	25/04/2024
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\u9R1HA4M7B.dll"
Imagebase:	0x7ff7db9a0000
File size:	165'888 bytes
MD5 hash:	763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	22:12:51
Start date:	25/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	22:12:51
Start date:	25/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\u9R1HA4M7B.dll",#1
Imagebase:	0x7ff73f970000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	22:12:51
Start date:	25/04/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\u9R1HA4M7B.dll,_CreateFrameInfo
Imagebase:	0x7ff6696e0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	22:12:51
Start date:	25/04/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\u9R1HA4M7B.dll",#1
Imagebase:	0x7ff6696e0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	22:12:51
Start date:	25/04/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 2336 -s 140
Imagebase:	0x7ff799a50000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	22:12:51
Start date:	25/04/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6432 -s 232
Imagebase:	0x7ff799a50000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	22:12:54
Start date:	25/04/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\u9R1HA4M7B.dll,_CxxThrowException
Imagebase:	0x7ff6696e0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	22:12:54
Start date:	25/04/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7296 -s 128
Imagebase:	0x7ff799a50000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	22:12:57
Start date:	25/04/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\u9R1HA4M7B.dll,_FindAndUnlinkFrame
Imagebase:	0x7ff6696e0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	22:12:57
Start date:	25/04/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7424 -s 236
Imagebase:	0x7ff799a50000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	6.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	14.6%
Total number of Nodes:	492
Total number of Limit Nodes:	3

Executed Functions

Function 00007FFE146394D4 Relevance: 2.2, APIs: 1, Instructions: 706
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFE1463D8FE: LoadLibraryW.KERNELBASE ref: 00007FFE1463D9B4

InternetOpenW.WININET ref: 00007FFE14639612

Memory Dump Source

Source File: 00000000.00000002.2912578002.00007FFE14631000.00000080.00000001.01000000.00000003.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000000.00000002.2912565734.00007FFE14630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912594295.00007FFE14641000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912610133.00007FFE14646000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912622905.00007FFE14647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe14630000_loaddll64.jbxd

Similarity

API ID: InternetLibraryLoadOpen
String ID:
API String ID: 2559873147-0
Opcode ID: 20e1dbdd09d5958d660017d8841a168a689d9bdb755f05f00955baf37fa87c1d
Instruction ID: 432961c44121245b7795ef65f5fda845cfb7cf231637d1f190ccc6bfb3a73df5
Opcode Fuzzy Hash: 20e1dbdd09d5958d660017d8841a168a689d9bdb755f05f00955baf37fa87c1d
Instruction Fuzzy Hash: 9C62C132A18B8186E320DF16E68079E77A8FB95788F418125DF8C07B65DF3CD2A5D780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1463AC8A Relevance: 1.8, APIs: 1, Instructions: 342
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFE1463D8FE: LoadLibraryW.KERNELBASE ref: 00007FFE1463D9B4

GetUserNameW.ADVAPI32 ref: 00007FFE1463AF5F

Memory Dump Source

Source File: 00000000.00000002.2912578002.00007FFE14631000.00000080.00000001.01000000.00000003.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000000.00000002.2912565734.00007FFE14630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912594295.00007FFE14641000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912610133.00007FFE14646000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912622905.00007FFE14647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe14630000_loaddll64.jbxd

Similarity

API ID: LibraryLoadNameUser
String ID:
API String ID: 1809832340-0
Opcode ID: a880c3d595419ac887476e80232836b4afde2090bcb5e42b3edf12b565c1e7f8
Instruction ID: 969c8563623716b7175af25b76b0915377f5f4d5ab8726602c7a8e8c63183a5a
Opcode Fuzzy Hash: a880c3d595419ac887476e80232836b4afde2090bcb5e42b3edf12b565c1e7f8
Instruction Fuzzy Hash: 36F19162A08BC182E614DF27E4853BDB764FB96B98F018171DE9D07762CF7CE2468744

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1463A45A Relevance: 1.8, APIs: 1, Instructions: 276
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFE1463D8FE: LoadLibraryW.KERNELBASE ref: 00007FFE1463D9B4

GetAdaptersAddresses.IPHLPAPI ref: 00007FFE1463A57F

Memory Dump Source

Source File: 00000000.00000002.2912578002.00007FFE14631000.00000080.00000001.01000000.00000003.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000000.00000002.2912565734.00007FFE14630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912594295.00007FFE14641000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912610133.00007FFE14646000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912622905.00007FFE14647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe14630000_loaddll64.jbxd

Similarity

API ID: AdaptersAddressesLibraryLoad
String ID:
API String ID: 4060335641-0
Opcode ID: a43e441109bf4a2ecd04f2ee3ae635f63c087266646d45fc499c719ac9f09aed
Instruction ID: d0116771c82dcbdba3bb8046d023ec9e2586bd9d19c791bcd113246981676ed6
Opcode Fuzzy Hash: a43e441109bf4a2ecd04f2ee3ae635f63c087266646d45fc499c719ac9f09aed
Instruction Fuzzy Hash: B0D1C222A08BC585E7209F26E9403EE73A4FB96B88F01D135EE8D07766DF7DE1958740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1463CF2A Relevance: 2.0, APIs: 1, Instructions: 489
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeConsole.KERNELBASE ref: 00007FFE1463CFD9

Memory Dump Source

Source File: 00000000.00000002.2912578002.00007FFE14631000.00000080.00000001.01000000.00000003.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000000.00000002.2912565734.00007FFE14630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912594295.00007FFE14641000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912610133.00007FFE14646000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912622905.00007FFE14647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe14630000_loaddll64.jbxd

Similarity

API ID: ConsoleFree
String ID:
API String ID: 771614528-0
Opcode ID: dc5e86d56edf007e984261fbdb4b8a74f16dfc301d523a74dd2a77c9adc3fda7
Instruction ID: a56fed3c08a8dd3f4d456959d5fc0783bdb1888c07b0a56114a86d536e335474
Opcode Fuzzy Hash: dc5e86d56edf007e984261fbdb4b8a74f16dfc301d523a74dd2a77c9adc3fda7
Instruction Fuzzy Hash: 78328A32A09BC586E750DF12E4487AE77A4FB5AB98F01C164EA8C07762DF7DD189C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1463A9A7 Relevance: 1.7, APIs: 1, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFE1463D8FE: LoadLibraryW.KERNELBASE ref: 00007FFE1463D9B4

GetTokenInformation.KERNELBASE ref: 00007FFE1463ABCF

Memory Dump Source

Source File: 00000000.00000002.2912578002.00007FFE14631000.00000080.00000001.01000000.00000003.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000000.00000002.2912565734.00007FFE14630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912594295.00007FFE14641000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912610133.00007FFE14646000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912622905.00007FFE14647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe14630000_loaddll64.jbxd

Similarity

API ID: InformationLibraryLoadToken
String ID:
API String ID: 481147872-0
Opcode ID: d2fd2b693f489a54c8af0f09588d58e6d05490fe3dc4d717ac8ec058ad0d7189
Instruction ID: a5f180e9c7807f4f9aef4ad371782568521cc81826c632e9190e64bd7d97833f
Opcode Fuzzy Hash: d2fd2b693f489a54c8af0f09588d58e6d05490fe3dc4d717ac8ec058ad0d7189
Instruction Fuzzy Hash: B7718E22A08BC582E3218F16E9407ED7364FB96788F019125DF8D17765DF3DE2A6D740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1463D8FE Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE ref: 00007FFE1463D9B4

Memory Dump Source

Source File: 00000000.00000002.2912578002.00007FFE14631000.00000080.00000001.01000000.00000003.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000000.00000002.2912565734.00007FFE14630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912594295.00007FFE14641000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912610133.00007FFE14646000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912622905.00007FFE14647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe14630000_loaddll64.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 836eacf668b753031e2e9b49169b404bd7541c116ac9aa742d299fba7097d187
Instruction ID: 783bbe68c1131eda8f3a28cf9bb7fd97737ca3486ae1ba1ff6a8a98135de9c80
Opcode Fuzzy Hash: 836eacf668b753031e2e9b49169b404bd7541c116ac9aa742d299fba7097d187
Instruction Fuzzy Hash: 4C11EF22A09B8A41FA00DF63E8447A82390AB56B98F45C075DE4C07796EF7CE28A8340

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFE146385AC Relevance: 4.6, Strings: 3, Instructions: 900COMMON

Download Yara Rule

Strings

\, xrefs: 00007FFE146389E2
*, xrefs: 00007FFE14638535
@, xrefs: 00007FFE1463889C

Memory Dump Source

Source File: 00000000.00000002.2912578002.00007FFE14631000.00000080.00000001.01000000.00000003.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000000.00000002.2912565734.00007FFE14630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912594295.00007FFE14641000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912610133.00007FFE14646000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912622905.00007FFE14647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe14630000_loaddll64.jbxd

Similarity

API ID:
String ID: *$@$\
API String ID: 0-2175568232
Opcode ID: 2507e6a3e91a4b5ec23ab95b040854a254022b3116a714520888954853478800
Instruction ID: f3e26c2c1d6560b9389e19d414256e1ac427ebc7bdc8077e3a4bc9b371f80c3f
Opcode Fuzzy Hash: 2507e6a3e91a4b5ec23ab95b040854a254022b3116a714520888954853478800
Instruction Fuzzy Hash: 34A2A132A0CBC686E7308B12E5407FE73A0FB96758F408125DA8D06BA5DF7DE599DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE14637957 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2912578002.00007FFE14631000.00000080.00000001.01000000.00000003.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000000.00000002.2912565734.00007FFE14630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912594295.00007FFE14641000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912610133.00007FFE14646000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912622905.00007FFE14647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe14630000_loaddll64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4ffcb6afab2a6f5a4f5130fad7f999fff8b8ea4eac12307599803bcf57c3d3a
Instruction ID: 1cb08f7cda3ab6d40bf87b7fb76bb92c5f0d443a81a938652f57646310d7b491
Opcode Fuzzy Hash: b4ffcb6afab2a6f5a4f5130fad7f999fff8b8ea4eac12307599803bcf57c3d3a
Instruction Fuzzy Hash: 8CB1BF32A08B8982E710DF52E5443AE73A4FB96B98F01C125DF8D07BA5DF7DD2958740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE14632EF4 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 314
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FFE14632F51

Part of subcall function 00007FFE14635250: __GetUnwindTryBlock.LIBCMT ref: 00007FFE14635293
Part of subcall function 00007FFE14635250: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FFE146352B8

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFE14633029
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE14633036
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FFE14633280
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE146332AE
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE14633374
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFE146333A9

Strings

csm, xrefs: 00007FFE14632FD2
csm, xrefs: 00007FFE14632F6B
csm, xrefs: 00007FFE1463304E

Memory Dump Source

Source File: 00000000.00000002.2912578002.00007FFE14631000.00000080.00000001.01000000.00000003.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000000.00000002.2912565734.00007FFE14630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912594295.00007FFE14641000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912610133.00007FFE14646000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912622905.00007FFE14647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe14630000_loaddll64.jbxd

Similarity

API ID: BlockFrameHandler3::Unwindterminate$CatchExecutionHandlerIs_bad_exception_allowedSearchStateabortstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 9366333-393685449
Opcode ID: d10aa1818771547dcfcda5e4828c70a9f24c76e86896b178365febc376a0b24e
Instruction ID: f0ba42a0d6643ad03aa6ce24af99d7f6638737764a6beed1e33ec6eacc448443
Opcode Fuzzy Hash: d10aa1818771547dcfcda5e4828c70a9f24c76e86896b178365febc376a0b24e
Instruction Fuzzy Hash: 76E17372A08B8186EB20DF66D4C02AD77A4FB46BACF104175DE8D57B65CF38E598C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE146333C0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 314
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFE1463355E
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1463356B
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE14633819
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE14633864
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFE14633899

Strings

csm, xrefs: 00007FFE14633587
csm, xrefs: 00007FFE14633507
csm, xrefs: 00007FFE146334A5

Memory Dump Source

Source File: 00000000.00000002.2912578002.00007FFE14631000.00000080.00000001.01000000.00000003.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000000.00000002.2912565734.00007FFE14630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912594295.00007FFE14641000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912610133.00007FFE14646000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912622905.00007FFE14647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe14630000_loaddll64.jbxd

Similarity

API ID: terminate$Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 695522112-393685449
Opcode ID: 2d10f2b28d114e1b6bfb5ba4fbbc98b2e296e6a2ab0bc5ae6fc59eb7ee0c4e0f
Instruction ID: ad60c4b4a17f996477c2ea9d6b471558a66eeb6093141f08b89b0c9b9b7e7e8b
Opcode Fuzzy Hash: 2d10f2b28d114e1b6bfb5ba4fbbc98b2e296e6a2ab0bc5ae6fc59eb7ee0c4e0f
Instruction Fuzzy Hash: 57E19472A08BC28AE7119F36D4C02AD77A0FB46B6CF154175DA8D577A5CF38E489C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE146327F8 Relevance: 12.1, APIs: 8, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE146328B0
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE146328CE
__AdjustPointer.LIBCMT ref: 00007FFE1463290F
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1463291C
__AdjustPointer.LIBCMT ref: 00007FFE14632958
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1463296D
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE146329B2
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE146329B9

Memory Dump Source

Source File: 00000000.00000002.2912578002.00007FFE14631000.00000080.00000001.01000000.00000003.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000000.00000002.2912565734.00007FFE14630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912594295.00007FFE14641000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912610133.00007FFE14646000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912622905.00007FFE14647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe14630000_loaddll64.jbxd

Similarity

API ID: abort$AdjustPointer
String ID:
API String ID: 1501936508-0
Opcode ID: b88db04e0c6b6a7fd0ecd5e4de718b47766377f5fcd0859342ed9c2ffefca775
Instruction ID: 832d2868bfba72fb70d7383e6294321d3371641e03aee4037cea8ea858944b19
Opcode Fuzzy Hash: b88db04e0c6b6a7fd0ecd5e4de718b47766377f5fcd0859342ed9c2ffefca775
Instruction Fuzzy Hash: 8A518E21E09ED681EF658B13A4C46786390EF46FACF0940B5CA8D067E5DE3CE44EC391

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE146329DC Relevance: 12.1, APIs: 8, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE14632A96
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE14632AB5
__AdjustPointer.LIBCMT ref: 00007FFE14632AF6
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE14632B03
__AdjustPointer.LIBCMT ref: 00007FFE14632B3F
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE14632B54
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE14632B99
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE14632BA0

Memory Dump Source

Source File: 00000000.00000002.2912578002.00007FFE14631000.00000080.00000001.01000000.00000003.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000000.00000002.2912565734.00007FFE14630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912594295.00007FFE14641000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912610133.00007FFE14646000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912622905.00007FFE14647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe14630000_loaddll64.jbxd

Similarity

API ID: abort$AdjustPointer
String ID:
API String ID: 1501936508-0
Opcode ID: 4262ea040b79b22edfa10952e5ae927a693a25cf4043396a56cb8bfdb1d73783
Instruction ID: 241344451581d96d88d5244c64fcda05b3cc8694fc526c0d675a6c0d95c294a5
Opcode Fuzzy Hash: 4262ea040b79b22edfa10952e5ae927a693a25cf4043396a56cb8bfdb1d73783
Instruction Fuzzy Hash: 6C518121A09EC682EE65CF1795C46796394AF46FACF0984F5CA4E077A5DF3CE44AC380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1463E600 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`generic-type-, xrefs: 00007FFE1463E741
`template-parameter-, xrefs: 00007FFE1463E6FA
template-parameter-, xrefs: 00007FFE1463E6C7
generic-type-, xrefs: 00007FFE1463E70E

Memory Dump Source

Source File: 00000000.00000002.2912578002.00007FFE14631000.00000080.00000001.01000000.00000003.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000000.00000002.2912565734.00007FFE14630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912594295.00007FFE14641000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912610133.00007FFE14646000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912622905.00007FFE14647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe14630000_loaddll64.jbxd

Similarity

API ID:
String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
API String ID: 0-3207858774
Opcode ID: eed936bc1d4da6c0b8828b8f4035d54f265a4246433b67a75581729e220e8d8e
Instruction ID: ece7f52279d6cf6f28bec55da11d4729e0c2b639e357e9cc8c1cf1fb372ba8c4
Opcode Fuzzy Hash: eed936bc1d4da6c0b8828b8f4035d54f265a4246433b67a75581729e220e8d8e
Instruction Fuzzy Hash: 22915F32E08E8A95FB119F26D8D01B837A0EB5676CF4851B1DA4D037A5DF3CE949C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE14633ACC Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 189
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EncodePointer.KERNEL32 ref: 00007FFE14633B3C
_CallSETranslator.LIBVCRUNTIME ref: 00007FFE14633B87
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE14633DB5

Strings

RCC, xrefs: 00007FFE14633B58
MOC, xrefs: 00007FFE14633B50

Memory Dump Source

Source File: 00000000.00000002.2912578002.00007FFE14631000.00000080.00000001.01000000.00000003.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000000.00000002.2912565734.00007FFE14630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912594295.00007FFE14641000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912610133.00007FFE14646000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912622905.00007FFE14647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe14630000_loaddll64.jbxd

Similarity

API ID: CallEncodePointerTranslatorabort
String ID: MOC$RCC
API String ID: 292945357-2084237596
Opcode ID: fb1528fe5dcd96ae34c479703bf4cb42f91cf8fcc48aced62f74f6c53f905353
Instruction ID: 220e758ee37c0cab87e23a48fc37342d73f2ed3aa2cf592f5966ad5687efb761
Opcode Fuzzy Hash: fb1528fe5dcd96ae34c479703bf4cb42f91cf8fcc48aced62f74f6c53f905353
Instruction Fuzzy Hash: 0C91A073A08B858AE710CF66E8802AD77A0F705BACF14417AEE8D17764DF38D199CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE146338B0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EncodePointer.KERNEL32 ref: 00007FFE146338FC
_CallSETranslator.LIBVCRUNTIME ref: 00007FFE1463394B
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE14633AC3

Strings

RCC, xrefs: 00007FFE14633919
MOC, xrefs: 00007FFE14633910

Memory Dump Source

Source File: 00000000.00000002.2912578002.00007FFE14631000.00000080.00000001.01000000.00000003.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000000.00000002.2912565734.00007FFE14630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912594295.00007FFE14641000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912610133.00007FFE14646000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912622905.00007FFE14647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe14630000_loaddll64.jbxd

Similarity

API ID: CallEncodePointerTranslatorabort
String ID: MOC$RCC
API String ID: 292945357-2084237596
Opcode ID: 1b2764a8b34a61b78cb93bf783d995c710cf9a0488163cb67a3aa6f00ec1cb9a
Instruction ID: 9c30be3972ebf94c16477148c76edac059cce649b4d86c5419c7c5c90646a4f8
Opcode Fuzzy Hash: 1b2764a8b34a61b78cb93bf783d995c710cf9a0488163cb67a3aa6f00ec1cb9a
Instruction Fuzzy Hash: 59612B33A08B85CAE7148F66D4803AD77A0F745BACF044265DE4D17BA8DF78E599C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE14634268 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 163
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE146343E7

Strings

, xrefs: 00007FFE14634338
csm, xrefs: 00007FFE146342B7
csm, xrefs: 00007FFE14634421

Memory Dump Source

Source File: 00000000.00000002.2912578002.00007FFE14631000.00000080.00000001.01000000.00000003.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000000.00000002.2912565734.00007FFE14630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912594295.00007FFE14641000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912610133.00007FFE14646000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912622905.00007FFE14647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe14630000_loaddll64.jbxd

Similarity

API ID: abort
String ID: $csm$csm
API String ID: 4206212132-1512788406
Opcode ID: bb1235440ca836f75756ab82136ebef4cbca7055a8801f356a81cb2fbc572e69
Instruction ID: 2e75c1f4e0491318a598d54abfda1cc926c9e8c2120b5ad5dd09bd5361f512ec
Opcode Fuzzy Hash: bb1235440ca836f75756ab82136ebef4cbca7055a8801f356a81cb2fbc572e69
Instruction Fuzzy Hash: A971A276909AD186D7208F26D0C067DBBA0FB06BACF148175DA4D47BA9CF3CD499C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE14634040 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE14634137
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FFE14634147

Strings

csm, xrefs: 00007FFE1463408A
csm, xrefs: 00007FFE14634199

Memory Dump Source

Source File: 00000000.00000002.2912578002.00007FFE14631000.00000080.00000001.01000000.00000003.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000000.00000002.2912565734.00007FFE14630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912594295.00007FFE14641000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912610133.00007FFE14646000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912622905.00007FFE14647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe14630000_loaddll64.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwindabort
String ID: csm$csm
API String ID: 300979864-3733052814
Opcode ID: 11c4ce4d55e2cf51e2b9c0d4075d348971100c6bb06491b44300c400f97ac44e
Instruction ID: 3f73e96598363af4709798170caeb2d928cedbb198b1c6e68d4f4d237be25f9d
Opcode Fuzzy Hash: 11c4ce4d55e2cf51e2b9c0d4075d348971100c6bb06491b44300c400f97ac44e
Instruction Fuzzy Hash: 2751873A908BC286EB648F129484378B790FB52BACF144275DA9C57BE5CF3CE858C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1463EF20 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 144COMMONLIBRARYCODE

Download Yara Rule

APIs

_IsNonwritableInCurrentImage.LIBCMT ref: 00007FFE1463EFE0
RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FFE1463ECE5), ref: 00007FFE1463F02F

Strings

f, xrefs: 00007FFE1463EF5E
csm, xrefs: 00007FFE1463EFC6

Memory Dump Source

Source File: 00000000.00000002.2912578002.00007FFE14631000.00000080.00000001.01000000.00000003.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000000.00000002.2912565734.00007FFE14630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912594295.00007FFE14641000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912610133.00007FFE14646000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912622905.00007FFE14647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe14630000_loaddll64.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind
String ID: csm$f
API String ID: 451473138-629598281
Opcode ID: 3c182f2a73cf73eb0fd9e76035c4ca511a55fdd1c88c4ba15caaff3faffd7406
Instruction ID: 23cda5e668ff43e6fece06ee86a5c6b65b8fc1cb7efbfc5e113a2b5971b782fd
Opcode Fuzzy Hash: 3c182f2a73cf73eb0fd9e76035c4ca511a55fdd1c88c4ba15caaff3faffd7406
Instruction Fuzzy Hash: 9A51FA32B09A82C6DB18CF1AD4A4A693795FB42BACF108074DF4E43758DF79E849C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE14632610 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 28COMMON

Download Yara Rule

APIs

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1463264E

Strings

MOC, xrefs: 00007FFE14632628
RCC, xrefs: 00007FFE14632620
csm, xrefs: 00007FFE14632630

Memory Dump Source

Source File: 00000000.00000002.2912578002.00007FFE14631000.00000080.00000001.01000000.00000003.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000000.00000002.2912565734.00007FFE14630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912594295.00007FFE14641000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912610133.00007FFE14646000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912622905.00007FFE14647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe14630000_loaddll64.jbxd

Similarity

API ID: terminate
String ID: MOC$RCC$csm
API String ID: 1821763600-2671469338
Opcode ID: 7565ead2df15cda5b943c79179a3e7111ba46512fcdc4fe07fd8da32d148abe8
Instruction ID: eb0a6ed466591c36afa5f3b9e519fdecfa211e586aa8795861ac7389ca720e6b
Opcode Fuzzy Hash: 7565ead2df15cda5b943c79179a3e7111ba46512fcdc4fe07fd8da32d148abe8
Instruction Fuzzy Hash: 44F04431A14A87C2D7605B62E2C50683674EF4AB6CF1950B1D74C063A2CF3CD898CAC1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE14634930 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

_CreateFrameInfo.LIBVCRUNTIME ref: 00007FFE14634A06
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE14634A64

Strings

csm, xrefs: 00007FFE14634B0A

Memory Dump Source

Source File: 00000000.00000002.2912578002.00007FFE14631000.00000080.00000001.01000000.00000003.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000000.00000002.2912565734.00007FFE14630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912594295.00007FFE14641000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912610133.00007FFE14646000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912622905.00007FFE14647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe14630000_loaddll64.jbxd

Similarity

API ID: CreateFrameInfoabort
String ID: csm
API String ID: 4073398722-1018135373
Opcode ID: eefe240a7fab66cb33b389892f171675d2c3754d40d927b59bda2d4bfb984a61
Instruction ID: a2e1ba1d4acabdc1ad418c5b90a5e9dec21f16557d7ed6786a4d704cb4a2901a
Opcode Fuzzy Hash: eefe240a7fab66cb33b389892f171675d2c3754d40d927b59bda2d4bfb984a61
Instruction Fuzzy Hash: F4516E37619B8686D6209B16E58026E77B4FB8ABB8F100174DB8D07BA5CF3CE455CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1463ECD0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1463EF20: _IsNonwritableInCurrentImage.LIBCMT ref: 00007FFE1463EFE0
Part of subcall function 00007FFE1463EF20: RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FFE1463ECE5), ref: 00007FFE1463F02F

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1463ED0A

Strings

csm, xrefs: 00007FFE1463ECEB
f, xrefs: 00007FFE1463ECE5

Memory Dump Source

Source File: 00000000.00000002.2912578002.00007FFE14631000.00000080.00000001.01000000.00000003.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000000.00000002.2912565734.00007FFE14630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912594295.00007FFE14641000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912610133.00007FFE14646000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912622905.00007FFE14647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe14630000_loaddll64.jbxd

Similarity

API ID: CurrentImageNonwritableUnwindterminate
String ID: csm$f
API String ID: 3503160786-629598281
Opcode ID: 4324f3b8dec270d7fe627d3bc1aa05acc39fc06cb4de1d1a3df777bc5be6cc49
Instruction ID: c9c2c629d9b7517cfc1f60316fe6e83d1d32cbf1074552de2124e2fa3f2b0f68
Opcode Fuzzy Hash: 4324f3b8dec270d7fe627d3bc1aa05acc39fc06cb4de1d1a3df777bc5be6cc49
Instruction Fuzzy Hash: 61E06C31D08FC681DB605B52F5C017D6754EF16B7CF154075D64C06796CF3CE8948691

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report u9R1HA4M7B.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_u9R_ce3539d85b1c5ec68c954104cf626e03175e8a_93eaf31b_315cf41d-180d-42fe-9df9-a19be070e75b\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_u9R_ce3539d85b1c5ec68c954104cf626e03175e8a_93eaf31b_4d33789e-b009-45d7-956c-442afac19bec\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_u9R_ce3539d85b1c5ec68c954104cf626e03175e8a_93eaf31b_ab11d3bd-b6ac-4ab3-b71a-426236c34122\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_u9R_ce3539d85b1c5ec68c954104cf626e03175e8a_93eaf31b_b8be7178-c123-40e8-8433-717dd469d09c\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB829.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB82A.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB8D6.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB904.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB915.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB963.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC2B8.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC2F7.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC337.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCEDD.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCF1D.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCF5C.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
u9R1HA4M7B.dll

Function 00007FFE146394D4 Relevance: 2.2, APIs: 1, Instructions: 706
networkCOMMON

Function 00007FFE1463AC8A Relevance: 1.8, APIs: 1, Instructions: 342
COMMON

Function 00007FFE1463A45A Relevance: 1.8, APIs: 1, Instructions: 276
COMMON

Function 00007FFE1463CF2A Relevance: 2.0, APIs: 1, Instructions: 489
COMMON

Function 00007FFE1463A9A7 Relevance: 1.7, APIs: 1, Instructions: 162
COMMON

Function 00007FFE1463D8FE Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON