
Windows Analysis Report
Section_PE32_image_PpamPlatformSmm_PpamPlatformSmm_body.efi.dll

Overview

General Information

Sample name: Section_PE32_image_PpamPlatformSmm_PpamPlatformSmm_body.efi.dll
(renamed file extension from exe to dll)
Original sample name: Section_PE32_image_PpamPlatformSmm_PpamPlatformSmm_body.efi.exe
Analysis ID: 1633798
MD5: 888edd5353d9cfe059927c1a680af93e
SHA1: c0f36980aa49b4a6cf95888e9a960a212f7d4b7b
SHA256: dce0be7af3ecf8376d9ea08d2590a3354da5ba3ed441280e414e3b198f7dc403
Tags: efi, exe, user-ihatethensa

Detection

Score: 48 (range 0 - 100)
Confidence: 100%

Signatures

Initial sample is a PE file and has a suspicious name
PE file has nameless sections
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
One or more processes crash
PE file contains sections with non-standard names
PE file does not import any functions
Sample execution stops while process was sleeping (likely an evasion)
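The static signatures in this list (no imported functions, a nameless section, the non-standard .xdata section, a "suspicious" name) are the profile of a UEFI image rather than of a Windows DLL. The file name is the naming scheme UEFITool uses for a PE32 section extracted from a firmware volume, and a UEFI driver carries an EFI subsystem value in its Optional Header and no import table, because it receives its services through the EFI system table handed to its entry point instead of through imports. Loading such an image with loaddll64.exe or rundll32.exe cannot call any meaningful export, which is consistent with the WerFault.exe crashes in the process tree. The following added example, which is not part of the Joe Sandbox report and does not use the sample's bytes (they are not on the page), shows the header check a triager would run before trusting a sandbox score for a file like this: read the Subsystem field, the import data directory and the section names, and say whether the "suspicious DLL" signatures are simply what an EFI image looks like. build_pe() constructs synthetic test images; the section layout [".text", "", ".xdata"] and subsystem 11 (EFI_BOOT_SERVICE_DRIVER, the value a DXE/SMM driver would normally carry) are assumptions chosen to mirror the report's findings, not values read from the sample.

```python
"""Static header triage for a sample a sandbox flagged as a "suspicious DLL".

Added example, not part of the Joe Sandbox report. It reads the PE Optional
Header Subsystem, the import data directory and the section table, which
is enough to tell a UEFI image from a Windows DLL. The sample's bytes are
not on the page, so build_pe() constructs synthetic images for the demo.
"""
import struct

# Subsystem values from the PE/COFF specification.
SUBSYSTEM_NAMES = {
    2: "WINDOWS_GUI", 3: "WINDOWS_CUI",
    10: "EFI_APPLICATION", 11: "EFI_BOOT_SERVICE_DRIVER",
    12: "EFI_RUNTIME_DRIVER", 13: "EFI_ROM",
}
EFI_SUBSYSTEMS = {10, 11, 12, 13}
# Section names a Windows linker normally emits. This is the example's own
# list; Joe Sandbox's "non-standard names" list is not on the page.
COMMON_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                   ".pdata", ".rsrc", ".reloc", ".tls", ".CRT"}


def parse_pe(data: bytes) -> dict:
    """Return machine, subsystem, import-table presence and section names."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                       # PE32+ (64-bit)
        n_dirs_off, dirs_off = 108, 112
    elif magic == 0x10B:                     # PE32
        n_dirs_off, dirs_off = 92, 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]   # same offset in both forms
    n_dirs = struct.unpack_from("<I", data, opt + n_dirs_off)[0]
    import_rva = import_size = 0
    if n_dirs > 1:                           # index 1 = IMAGE_DIRECTORY_ENTRY_IMPORT
        import_rva, import_size = struct.unpack_from("<II", data, opt + dirs_off + 8)
    sections = []
    table = opt + opt_size                   # section headers, 40 bytes each
    for i in range(nsections):
        raw = struct.unpack_from("<8s", data, table + 40 * i)[0]
        sections.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return {"machine": machine, "subsystem": subsystem,
            "subsystem_name": SUBSYSTEM_NAMES.get(subsystem, "OTHER(%d)" % subsystem),
            "has_import_table": import_rva != 0 and import_size != 0,
            "sections": sections}


def triage(data: bytes) -> dict:
    """Explain the sandbox's static signatures in terms of the header."""
    info = parse_pe(data)
    is_efi = info["subsystem"] in EFI_SUBSYSTEMS
    nameless = [s for s in info["sections"] if s == ""]
    nonstandard = [s for s in info["sections"] if s and s not in COMMON_SECTIONS]
    findings = []
    if not info["has_import_table"]:
        findings.append("no import table" + (
            " (expected: UEFI images get services via the EFI system table, not imports)"
            if is_efi else " (unusual for a Windows DLL)"))
    if nameless:
        findings.append("%d nameless section(s)" % len(nameless))
    if nonstandard:
        findings.append("non-standard section names: " + ", ".join(nonstandard))
    verdict = ("UEFI image, not a Windows DLL: loading it with rundll32 proves nothing"
               if is_efi else "Windows image")
    return {**info, "is_efi": is_efi, "findings": findings, "verdict": verdict}


def build_pe(subsystem, section_names, pe32plus=True, with_imports=False) -> bytes:
    """Construct a header-only PE image for testing (constructed data, not the sample)."""
    opt_size = 240 if pe32plus else 224
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, len(section_names),
                       0, 0, 0, opt_size, 0x2022)   # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE | DLL
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 68, subsystem)
    n_dirs_off, dirs_off = (108, 112) if pe32plus else (92, 96)
    struct.pack_into("<I", opt, n_dirs_off, 16)
    if with_imports:
        struct.pack_into("<II", opt, dirs_off + 8, 0x3000, 0x50)  # dummy import directory
    secs = b"".join(struct.pack("<8s", n.encode()) + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs


if __name__ == "__main__":
    # Assumed layout mirroring the report: x64, a nameless section, .xdata, no imports,
    # subsystem 11 (EFI_BOOT_SERVICE_DRIVER) as a DXE/SMM driver would carry.
    efi_like = build_pe(11, [".text", "", ".xdata"])
    dll_like = build_pe(2, [".text", ".rdata", ".data"], with_imports=True)
    for label, image in (("efi-like", efi_like), ("dll-like", dll_like)):
        t = triage(image)
        print(label, t["subsystem_name"], "|", t["verdict"], "|", "; ".join(t["findings"]))
```

On a real file the call is triage(open(path, "rb").read()). Subsystem is read at offset 68 of the Optional Header for both PE32 and PE32+; only the data-directory offsets differ, which is why the parser branches on the magic. A subsystem of 10 to 13 settles the question on its own; the import-table and section checks are there to show that the sandbox's other static signatures follow from the same fact.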

Classification

  • System is w10x64
  • loaddll64.exe (PID: 6776 cmdline: loaddll64.exe "C:\Users\user\Desktop\Section_PE32_image_PpamPlatformSmm_PpamPlatformSmm_body.efi.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 6804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6932 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Section_PE32_image_PpamPlatformSmm_PpamPlatformSmm_body.efi.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 6964 cmdline: rundll32.exe "C:\Users\user\Desktop\Section_PE32_image_PpamPlatformSmm_PpamPlatformSmm_body.efi.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
        • WerFault.exe (PID: 6176 cmdline: C:\Windows\system32\WerFault.exe -u -p 6964 -s 236 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
        • WerFault.exe (PID: 1196 cmdline: C:\Windows\system32\WerFault.exe -u -p 6964 -s 244 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • WerFault.exe (PID: 7100 cmdline: C:\Windows\system32\WerFault.exe -u -p 6776 -s 184 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.11.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: Amcache.hve.7.dr | String found in binary or memory: http://upx.sf.net

System Summary

Source: initial sample | Static PE information: Filename: Section_PE32_image_PpamPlatformSmm_PpamPlatformSmm_body.efi.dll
Source: Section_PE32_image_PpamPlatformSmm_PpamPlatformSmm_body.efi.dll | Static PE information: section name: (blank)
Source: C:\Windows\System32\WerFault.exe | File created: C:\Windows\AppCompat\Programs\Amcache.hve.tmp
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6776 -s 184
Source: Section_PE32_image_PpamPlatformSmm_PpamPlatformSmm_body.efi.dll | Static PE information: No import functions for PE file found
Source: classification engine | Classification label: mal48.winDLL@9/17@0/0
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6776
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6804:120:WilError_03
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6964
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\a06a3cef-41e4-41e8-bb40-48ae9d6633da
Source: Section_PE32_image_PpamPlatformSmm_PpamPlatformSmm_body.efi.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Section_PE32_image_PpamPlatformSmm_PpamPlatformSmm_body.efi.dll",#1
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\Section_PE32_image_PpamPlatformSmm_PpamPlatformSmm_body.efi.dll"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Section_PE32_image_PpamPlatformSmm_PpamPlatformSmm_body.efi.dll",#1
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6964 -s 236
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6964 -s 244
Source: C:\Windows\System32\loaddll64.exe | Section loaded: apphelp.dll
Source: Section_PE32_image_PpamPlatformSmm_PpamPlatformSmm_body.efi.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Section_PE32_image_PpamPlatformSmm_PpamPlatformSmm_body.efi.dll | Static PE information: section name: (blank)
Source: Section_PE32_image_PpamPlatformSmm_PpamPlatformSmm_body.efi.dll | Static PE information: section name: .xdata
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
(the two WerFault.exe error-mode settings recur many times, once per SetErrorMode call across the three WerFault.exe instances)
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00D61250 rdtsc 0_2_00D61250
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: Amcache.hve.7.dr | Binary or memory string: VMware
Source: Amcache.hve.7.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.7.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.7.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr | Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.7.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\System32\rundll32.exe | Process queried: DebugPort (3 times)
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00D61140 cpuid 0_2_00D61140
Source: Amcache.hve.7.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr, Amcache.hve.LOG1.7.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr, Amcache.hve.LOG1.7.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.7.dr, Amcache.hve.LOG1.7.dr | Binary or memory string: MsMpEng.exe
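Every "VMware", "Hyper-V" and "msmpeng.exe" string that feeds the sandbox-evasion and security-software-discovery signatures above is sourced from Amcache.hve.7.dr, the Windows application-compatibility hive, and the "File created: C:\Windows\AppCompat\Programs\Amcache.hve.tmp" row attributes that file to WerFault.exe, which wrote it while reporting the crash. Those strings describe the analysis VM and its Defender installation, not the sample. Before acting on a score like this one, the question to settle is how many evidence rows rest on the sample itself. The added example below, not part of the Joe Sandbox report, parses a handful of evidence rows copied from this report, kept in the fused form the page's extraction delivered them in (source and description run together, e.g. "Amcache.hve.7.drBinary or memory string"), and attributes each row to the sample, a sandbox loader or LOLBIN process, WER crash reporting, or a host artifact. The origin categories, the regular expression and the list of description prefixes are this example's own; the "<file>.<n>.dr" notation is read as the report uses it, a file written by process n.

```python
"""Attribute each evidence row in the report to what really produced it.

Added example, not part of the Joe Sandbox report. REPORT_ROWS are copied
from this page in the fused form the extraction delivered them in (the
column break between source and description is missing); the parser also
accepts a "Source: <src> | <kind>: <detail>" form.
"""
import re
from collections import Counter

SAMPLE = "Section_PE32_image_PpamPlatformSmm_PpamPlatformSmm_body.efi.dll"

# A subset of the report's evidence rows, copied verbatim from the page.
REPORT_ROWS = [
    "Source: " + SAMPLE + "Static PE information: No import functions for PE file found",
    "Source: initial sampleStatic PE information: Filename: " + SAMPLE,
    "Source: C:\\Windows\\System32\\WerFault.exeFile created: C:\\Windows\\AppCompat\\Programs\\Amcache.hve.tmpJump to behavior",
    "Source: Amcache.hve.7.drBinary or memory string: VMware, Inc.",
    "Source: Amcache.hve.7.drBinary or memory string: c:\\program files\\windows defender\\msmpeng.exe",
    "Source: Amcache.hve.7.dr, Amcache.hve.LOG1.7.drBinary or memory string: MsMpEng.exe",
    "Source: Amcache.hve.7.drString found in binary or memory: http://upx.sf.net",
    "Source: C:\\Windows\\System32\\rundll32.exeProcess queried: DebugPortJump to behavior",
    "Source: C:\\Windows\\System32\\loaddll64.exeCode function: 0_2_00D61250 rdtsc 0_2_00D61250",
    "Source: C:\\Windows\\System32\\conhost.exeLast function: Thread delayed",
]

# Description prefixes Joe Sandbox uses in the rows above (this example's list).
KINDS = ("Static PE information", "String found in binary or memory",
         "Binary or memory string", "File created", "Process created",
         "Process queried", "Code function", "Mutant created",
         "Process information set", "Section loaded", "Key opened",
         "Last function", "Classification label")
ROW_RE = re.compile(
    r"^Source:\s*(?P<src>.*?)\s*\|?\s*(?P<kind>" + "|".join(map(re.escape, KINDS))
    + r"):\s*(?P<detail>.*?)(?:Jump to behavior)?$")

# Processes that belong to the sandbox harness or are LOLBINs it drives.
HARNESS = {"loaddll64.exe", "rundll32.exe", "cmd.exe", "conhost.exe"}


def classify_source(src: str) -> str:
    """Map the report's Source column to the thing the evidence describes.

    '<file>.<n>.dr' is a file written by process n. Amcache.hve is the
    Windows application-compatibility hive; here WerFault.exe wrote
    Amcache.hve.tmp while reporting the crash, so strings found in it
    describe the analysis VM (VMware devices, Defender paths), not the sample.
    """
    first = src.split(",")[0].strip()
    if first in ("initial sample", SAMPLE):
        return "sample (static)"
    if first.startswith("Amcache.hve"):
        return "host artifact (Amcache.hve)"
    if first.endswith(".dr"):
        return "dropped file"
    exe = first.rsplit("\\", 1)[-1].lower()
    if exe == "werfault.exe":
        return "crash reporting (WerFault)"
    if exe in HARNESS:
        return "sandbox loader / LOLBIN process"
    return "other process"


def parse_rows(rows):
    """Split each row into source, kind, detail and the origin category."""
    parsed = []
    for row in rows:
        m = ROW_RE.match(row)
        if m is None:
            raise ValueError("unparsed row: " + row)
        parsed.append({"source": m["src"], "kind": m["kind"],
                       "detail": m["detail"], "origin": classify_source(m["src"])})
    return parsed


def attribution(rows):
    """How many evidence rows rest on each origin category."""
    return Counter(r["origin"] for r in parse_rows(rows))


def evidence_from_host_artifacts(rows):
    """The strings that came from the host hive rather than from the sample."""
    return [r["detail"] for r in parse_rows(rows)
            if r["origin"].startswith("host artifact")]


if __name__ == "__main__":
    for origin, n in attribution(REPORT_ROWS).most_common():
        print("%-32s %d" % (origin, n))
    print("host-artifact strings:", evidence_from_host_artifacts(REPORT_ROWS))
```

Run against the ten rows embedded above, four rest on Amcache.hve, three on the sandbox's own loader processes, one on WerFault and two on the sample's static header. The "Code function ... rdtsc" and "cpuid" rows are attributed to loaddll64.exe because that is the source the report names; whether that code belongs to the loaded image cannot be settled from the page, so the script does not guess.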
MITRE ATT&CK Matrix (matched techniques only; the number in parentheses is the badge value the report's matrix shows next to the technique)

Tactic               | Technique(s) matched
Persistence          | DLL Side-Loading (1)
Privilege Escalation | Process Injection (11), DLL Side-Loading (1)
Defense Evasion      | Masquerading (1), Virtualization/Sandbox Evasion (1), Rundll32 (1), Process Injection (11), DLL Side-Loading (1)
Discovery            | Security Software Discovery (31), Virtualization/Sandbox Evasion (1), System Information Discovery (11)

No technique is matched under Reconnaissance, Resource Development, Initial Access, Execution, Credential Access, Lateral Movement, Collection, Command and Control, Exfiltration or Impact; those columns of the matrix hold only the unmatched placeholder techniques.
Behavior Graph (ID 1633798; sample Section_PE32_image_PpamPlatformSmm_PpamPlatformSmm_body.efi.dll; start date 10/03/2025; architecture WINDOWS; score 48). Graph-level signatures: "Initial sample is a PE file and has a suspicious name" and "PE file has nameless sections". Edges: loaddll64.exe starts cmd.exe, WerFault.exe and conhost.exe; cmd.exe starts rundll32.exe; rundll32.exe starts two further WerFault.exe instances. The graph image itself is not reproduced here.

Antivirus results
Source | Detection | Scanner
Section_PE32_image_PpamPlatformSmm_PpamPlatformSmm_body.efi.dll | 0% | Virustotal
Section_PE32_image_PpamPlatformSmm_PpamPlatformSmm_body.efi.dll | 0% | ReversingLabs
No Antivirus matches in the report's four other result tables.

Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 217.20.57.19 | true | false | - | high

URLs
Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.7.dr | false | - | high

No contacted IP infos
      Joe Sandbox version:42.0.0 Malachite
      Analysis ID:1633798
      Start date and time:2025-03-10 16:40:13 +01:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:0h 4m 34s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
      Number of analysed new started processes analysed:22
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample name:Section_PE32_image_PpamPlatformSmm_PpamPlatformSmm_body.efi.dll
      (renamed file extension from exe to dll)
      Original Sample Name:Section_PE32_image_PpamPlatformSmm_PpamPlatformSmm_body.efi.exe
      Detection:MAL
      Classification:mal48.winDLL@9/17@0/0
      EGA Information:Failed
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 0
      • Number of non-executed functions: 2
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, WerFault.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
      • Excluded IPs from analysis (whitelisted): 40.71.93.126, 217.20.57.19, 40.71.69.253, 20.190.159.71, 172.202.163.200, 23.60.203.209
      • Excluded domains from analysis (whitelisted): onedsblobvmssprdeus02.eastus.cloudapp.azure.com, onedsblobvmssprdeus03.eastus.cloudapp.azure.com, fs.microsoft.com, login.live.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, c.pki.goog, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
      • Execution Graph export aborted for target loaddll64.exe, PID 6776 because there are no executed functions
      • Execution Graph export aborted for target rundll32.exe, PID 6964 because there are no executed functions
      • Not all processes were analyzed; the report is missing behavior information
      Time / Type / Description:
      11:41:28    API Interceptor    2x Sleep call for process: WerFault.exe modified
      No context
      Domain context (match / associated sample name / detection / threat name / contacted IP):
      edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
        221036299-043825-sanlccjavap0004-6531.xls             malicious    Unknown                               217.20.57.34
        f1215469392.dll                                        malicious    Unknown                               217.20.57.19
        DIR-A_JY4878249#U00b7pdf.vbs                           malicious    Remcos, GuLoader                      84.201.210.39
        SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe    malicious    Unknown                               217.20.57.35
        Purchase Order.xla.xlsx                                malicious    Unknown                               217.20.57.36
        Royal Mail Inland Claim Form V1.3.xlsm                 malicious    Unknown                               217.20.57.18
        kDubrmi6B5.msi                                         malicious    Metastealer                           217.20.57.19
        Damage product 3.vbs                                   malicious    AsyncRAT, Batch Injector, VenomRAT    217.20.57.34
        skf7iF4.bat                                            malicious    Unknown                               84.201.210.39
        ADFoyxP.exe                                            malicious    KeyLogger, StormKitty, VenomRAT       84.201.210.39
      Note: 217.20.57.19 is itself listed under "Excluded IPs from analysis (whitelisted)" in the general information above, and the hostname identifies a content-delivery edge (microsoft ... qwilted-cds). The overlap with the malicious samples in this table is shared CDN infrastructure that their sandbox runs also touched, not shared command-and-control, and should not be read as an indicator against this sample.
      Process:C:\Windows\System32\WerFault.exe
      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:modified
      Size (bytes):65536
      Entropy (8bit):0.7331468236108095
      Encrypted:false
      SSDEEP:96:X+QF0x8ilxyKyGwMjX4Rv1y/fYQXIDcQ7c66cE6cw3QMJXaXz+HbHgSQgJjzRc/x:OQFbi7yGR01+gEMRjPzuiFrZ24lO8cX
      MD5:B55F6D9D368346873EDCE212BAD34A1F
      SHA1:CF46B8F61DB86CAC9CE2D88A410A75A5C135AEB2
      SHA-256:1E1AFAD6034BACF6F850B5D45928614DF271487D11BD6346B867E1E66B235E45
      SHA-512:820FB722D8CFEF87BE03F0537EE9A292AFCBBBB6BECE0AB29125151C1A8F9C23D2B6A8EBFAE5D95BA13883A343750AC1E2A561A97160774EE959A6B2722C6908
      Malicious:false
      Reputation:low
      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.6.0.9.4.8.7.4.9.7.2.2.7.5.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.6.0.9.4.8.7.6.2.3.7.9.0.4.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.e.5.d.d.7.3.f.-.e.b.2.2.-.4.b.7.3.-.a.4.2.a.-.4.9.b.a.a.7.b.7.2.b.3.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.1.9.8.a.4.7.c.-.f.b.c.6.-.4.d.0.5.-.a.d.2.a.-.a.0.f.0.6.5.c.2.8.4.b.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.S.e.c.t.i.o.n._.P.E.3.2._.i.m.a.g.e._.P.p.a.m.P.l.a.t.f.o.r.m.S.m.m._.P.p.a.m.P.l.a.t.f.o.r.m.S.m.m._.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.3.4.-.0.0.0.1.-.0.0.1.8.-.e.c.8.2.-.c.3.d.a.d.2.9.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.
      Process:C:\Windows\System32\WerFault.exe
      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):65536
      Entropy (8bit):0.664990769362184
      Encrypted:false
      SSDEEP:96:xoF6ap6bsthN67JfZQXIDcQ2c6HcEucw31D2v+HbHg/5tXZAX/d5FMT2SlPkpXmQ:6g66bk0IDUVjlzuiFrZ24lO81
      MD5:F6BECBA09D77949E0F4FDE56BA89518A
      SHA1:94CDECDA858A72714FB1E3C5EA28FF52A632BB96
      SHA-256:1A6DF986AD6C4C18782D85B56F56D02A8DA9BAC706A102EDD49397A481072425
      SHA-512:B5213D5ECC3622EDFB70CBBFA38D6CA9F567ACC7A1E5F5D0F458B952264E490F2FF2CE194E3C9A98283F243BCB9DF2C36B66998147CF6A4EC99B97332D7906A5
      Malicious:false
      Reputation:low
      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.6.0.9.4.8.7.4.1.6.6.0.8.8.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.6.0.9.4.8.7.4.6.9.7.3.4.0.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.8.4.b.9.5.b.2.-.e.7.2.6.-.4.0.1.c.-.b.6.e.b.-.9.8.5.f.4.4.c.f.4.1.0.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.1.1.7.f.b.9.3.-.e.8.f.5.-.4.9.d.1.-.8.6.2.1.-.8.9.2.0.c.c.a.3.4.1.2.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.6.4...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.7.8.-.0.0.0.1.-.0.0.1.8.-.d.c.2.c.-.b.0.d.a.d.2.9.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.f.e.1.f.7.3.2.2.5.e.8.c.2.3.3.1.b.8.d.3.7.3.d.3.f.9.1.a.c.4.2.0.0.0.0.f.f.f.f.!.0.0.0.0.f.2.3.2.e.0.d.e.c.d.5.4.8.8.5.2.f.a.6.0.8.9.e.1.9.5.4.3.1.b.7.3.e.9.4.e.d.0.b.d.!.l.o.a.d.d.l.l.6.4...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.3././.0.9././.1.5.:.0.
      Process:C:\Windows\System32\WerFault.exe
      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):65536
      Entropy (8bit):0.7064708467069456
      Encrypted:false
      SSDEEP:96:v9cr8ilxyKyGsjX4Rv67JfZQXIDcQwc6wacEhcw34NXaXz+HbHgSQgJjzXZAX/dn:Vji7yGf0+jr0jazuiFyZ24lO8cX
      MD5:6CE1DF3F4520B9598511FEDF1EFCA94B
      SHA1:729B1F5F8B1A347352BEA8923ECED168C667B069
      SHA-256:DEA1F71882BF60B28340EAB1F6DA753C248D27684D0A860D1AF1532E65541141
      SHA-512:0B18CE55CEE47D57B4531354A501FF7BD0136DE3AF76522F6D4B28F7FACEBE4105C972EC711A4A537FB3730FCB5752CE3F3219C630226A31BAF69A6A489918CB
      Malicious:false
      Reputation:low
      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.6.0.9.4.8.7.4.1.6.7.5.0.9.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.9.f.1.e.3.3.c.-.3.f.d.7.-.4.8.1.f.-.8.9.7.8.-.6.4.f.d.7.0.0.0.8.1.e.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.e.5.0.d.0.2.d.-.3.e.1.0.-.4.0.a.1.-.9.2.a.c.-.d.9.1.a.5.6.5.8.f.8.d.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.S.e.c.t.i.o.n._.P.E.3.2._.i.m.a.g.e._.P.p.a.m.P.l.a.t.f.o.r.m.S.m.m._.P.p.a.m.P.l.a.t.f.o.r.m.S.m.m._.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.3.4.-.0.0.0.1.-.0.0.1.8.-.e.c.8.2.-.c.3.d.a.d.2.9.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.2.2.!.r.u.n.d.l.l.3.2...e.x.e.
      Process:C:\Windows\System32\WerFault.exe
      File Type:Mini DuMP crash report, 15 streams, Mon Mar 10 15:41:14 2025, 0x1205a4 type
      Category:dropped
      Size (bytes):49230
      Entropy (8bit):1.3983505876630722
      Encrypted:false
      SSDEEP:96:5i804SxZ0BhBSPinQsU+i7uNSzSOGHE1ItrNQ7O++eodxCWIHUI4vde:LLSKnQslOuNHOUy7v2d1vd
      MD5:05374FD4593EC816987C19F57D217773
      SHA1:BF66208308F8203B8497D024D6E1807C37CD82EB
      SHA-256:6E79CD683B10DDDC9B163030496705E18580A4D8FDA1AAC92065DE12E9D3F746
      SHA-512:6A1D58392AA7174AB1942CDBEE09C5DCB24E3D293B429A7B38C0F15B56701B03746A338C774A3E3AF6CD496FD1E4A69C51C12B93A0C71777EA9F530B53F7C8BB
      Malicious:false
      Reputation:low
      Preview:MDMP..a..... ..........g........................d...........$................"..........`.......8...........T..........................0...........................................................................................eJ..............Lw......................T.......x......g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\WerFault.exe
      File Type:Mini DuMP crash report, 14 streams, Mon Mar 10 15:41:14 2025, 0x1205a4 type
      Category:dropped
      Size (bytes):55340
      Entropy (8bit):1.6367250531001085
      Encrypted:false
      SSDEEP:96:5n8OBD2Bvv9wxZYeFhXv8Btoi7MMW6E76Zmf/d2S5vcqw5J0vVjfuHscRrdky+le:uOUN6vcaOMh6Lmf/KYiIy+lS/SJtQb
      MD5:E0F3A20536CD98ABB3BAD1FFC9AA62BA
      SHA1:745A70836207ED4E22DFB1C03B1BCA38DFA36A29
      SHA-256:601F92E09C02C7EC49270ACD75E90841CDE9D357B930A8EA98D87A3220E8C016
      SHA-512:BBDEA39EC76C87FF101550C84BEB82272DC4D5F9177D8282F66B4FDED0C5D9AF0638087A7F1F07F68CEB6F392119C3635F1C12E16F150E9926A287FC21E9D6BE
      Malicious:false
      Reputation:low
      Preview:MDMP..a..... ..........g.........................................#..........T.......8...........T...............l...........D...........0...............................................................................eJ..............Lw......................T.......4......g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\WerFault.exe
      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):8678
      Entropy (8bit):3.697239447143092
      Encrypted:false
      SSDEEP:192:R6l7wVeJYE6peI6Y9ft0gmfBLfpBOx89bJRLf5pDm:R6lXJr6gI6Y1egmfBLxJNf5A
      MD5:75A713B2F529C90997F4930AA8C12C63
      SHA1:FCBC854F3A7395687E31377D075579DA7CF8AEB5
      SHA-256:150F7DE1054A7CE032C7605B5EC6D70B9028A37E0CE4A0E25DB0F8A1F070C579
      SHA-512:728B76C0ED018D64852840796CE9F4D09C45F8E03D9AAF073AFC92433294E369FC93D96DA2E725CD2EA41B93CE5ECF52AE754D78FAFF9D0B24A40E4B81A8F21E
      Malicious:false
      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.6.4.<./.P.i.
      Process:C:\Windows\System32\WerFault.exe
      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):8596
      Entropy (8bit):3.6980520528932925
      Encrypted:false
      SSDEEP:192:R6l7wVeJZTt6Y+ueHgmfkVpDj89bJpLfMDm:R6lXJdt6YHeHgmfk0JFfV
      MD5:38692A5796F4B84B5E71622C2EBF1BE2
      SHA1:275C9038E2D0A08223C5E6A52BB3D1C6BFFCDE4A
      SHA-256:A6326F4FAF07CA45BB42728CF36C5E7FAF6CB0392697897424881B09D49B0163
      SHA-512:8ACC4191FC17C6FC68BE7FACDA122AC0476303C2E2F357788ED46EB36AAB44351FA2543811DC01057F6918B3F04C01B587F3A8B0E13A036BB8760E4E0A71B5D3
      Malicious:false
      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.7.6.<./.P.i.
      Process:C:\Windows\System32\WerFault.exe
      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):4730
      Entropy (8bit):4.480942284130292
      Encrypted:false
      SSDEEP:48:cvIwWl8zsuJg771I9fkSyWpW8VYSYm8M4J8fFgrRxjyq85PjFV1xbd:uIjfkI7/O7VSJtaF7xbd
      MD5:5FC1AC92BCB115B77E66293122EB96CE
      SHA1:06FCF564990707BE8C9D8476037DD1C2E15EFA34
      SHA-256:328363F43CCCCF0C84CC30636D7B046A6899629DCC4313813A233C710BED98DB
      SHA-512:91DD686F50711D366BC65C7CFFEF2C526D729B6276FF0FC38281FC13B9F1AECD0F0F0BD83DD04BBED4832DBE49933E56ABB43CC56666E8D545D3BA1CEFE775DC
      Malicious:false
      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="754963" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
      Process:C:\Windows\System32\WerFault.exe
      File Type:Mini DuMP crash report, 14 streams, Mon Mar 10 15:41:15 2025, 0x1205a4 type
      Category:dropped
      Size (bytes):55880
      Entropy (8bit):1.6161988988145348
      Encrypted:false
      SSDEEP:192:bUHhNNaOM+A5yU3noq5iXy+lS/tJsk/u:0NfGsU3ncXy+U/fR/
      MD5:292C59C5F502815F71730FF50C0A7F50
      SHA1:9564892789123102CE61CC2CF1B116DF1F3635B8
      SHA-256:34FE65857108363CA073E9430EF7758B903D84AFDCBCF6A350EE9E7356F74F82
      SHA-512:B5C77F6F0130100D344433586FD982B378E43153386514E99EDFE3FD3780F090C991D4BED877CD3D31352591C3C6E342AFF0BA07C28EB46ECC4C74D397DB9441
      Malicious:false
      Preview:MDMP..a..... ..........g.........................................#..........T.......8...........T...............`...........D...........0...............................................................................eJ..............Lw......................T.......4......g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\WerFault.exe
      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):8590
      Entropy (8bit):3.6973602201447204
      Encrypted:false
      SSDEEP:192:R6l7wVeJYk6KGI6Y9Pt0gmfBixNMkprT89bARLfcYAm:R6lXJz6DI6YFegmfBixNMFANfcm
      MD5:C203640082ACBF40F56EFAE4A8266063
      SHA1:F6362E2165E0EFA0259BE167A84F90713B5E420D
      SHA-256:F126255E82BAFB86774D6C0AF5BA31B4DE68E5E36F479232440A98F88F3E8D99
      SHA-512:B370D91A37A38C21B0AAA23F9FAFD535426264CD43DB6950BC2BFF7376423AB3ED68213C38EF5BCF8FB032DB1F21BF4064896660299845674DB03ADF9896D746
      Malicious:false
      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.6.4.<./.P.i.
      Process:C:\Windows\System32\WerFault.exe
      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):4870
      Entropy (8bit):4.529118529647523
      Encrypted:false
      SSDEEP:48:cvIwWl8zsuJg771I9fkSyWpW8VYDjPYm8M4JCHot6FqYyq85m/ChsptSTSNd:uIjfkI7/O7VfJtq0hspoONd
      MD5:65551073E8B3F7B91E62671E684249B9
      SHA1:B85B99497807A11AACA0B3E21AEE8776DAD2D11F
      SHA-256:09FB82870CA51FB97798C207D9FCADBC9F3386B896E2CC06418CBD5723A7C685
      SHA-512:CC6D5D5A83899FAC735E71B43D39DED54C9AFDE5061C003F37931092A23F68FB311D97E36292D6CF585D81BF197F767B87F4CC6A272BB9EDDA74BC88A018C143
      Malicious:false
      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="754963" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
      Process:C:\Windows\System32\WerFault.exe
      File Type:data
      Category:dropped
      Size (bytes):340
      Entropy (8bit):3.544866006301853
      Encrypted:false
      SSDEEP:6:kK98euEG7DNfUN+SkQlPlEGYRMY9z+s3Ql2DUeXJlOW1:FDuNLkPlE99SCQl2DUeXJlOA
      MD5:9A894D7EBF6BDA9950AB5F6892974789
      SHA1:1EF7CF495902DD64658BE23C47D7E2310543739F
      SHA-256:E36BD52BA0D54A0D189DB4CED130B7AD558B44466CFB46E1067A0F15EABC6201
      SHA-512:8D77E4D2C1C6C7C5465F2DDBD203D60C4012CFFF95AF243AF78DA3B960A15EDF1200913CB23A965FF99D0CEA85AA8573C4830E86EA35FC13B171626829A51D67
      Malicious:false
      Preview:p...... ..........`....(................................................<..... ........~..MG......&.....6.........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".0.6.c.f.c.c.5.4.d.4.7.d.b.1.:.0."...
      Process:C:\Windows\System32\WerFault.exe
      File Type:MS Windows registry file, NT/2000 or above
      Category:dropped
      Size (bytes):1835008
      Entropy (8bit):4.422063226017657
      Encrypted:false
      SSDEEP:6144:l+ifpi6ceLPL9skLmb0mGSWSPtaJG8nAgexk8tq2QqZaKqFIeC/7ocXstA:Ai58GSWIZLI2QqYwj18C
      MD5:C1EC7F9FF3325753513F1576BE4CBA39
      SHA1:8B48A173ABCCB3EE1CC33D5E306021C3ADDD4DB4
      SHA-256:E0026929F0EEDA61BC09D1089ED57BE31225534398D76EB5A1E32E793BBE0A2B
      SHA-512:8E24A4C1DBECE6EBDE0514CEFAD50F9785F6B43D3E7FCBAF3BA342465AC5D957CD27DB486F3699CBAF17F256572B14251613B8EFD73D9AF4E71DF491A65F3DB0
      Malicious:false
      Preview:regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....d...............................................................................................................................................................................................................................................................................................................................................XY..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\WerFault.exe
      File Type:MS Windows registry file, NT/2000 or above
      Category:dropped
      Size (bytes):32768
      Entropy (8bit):3.990646499382837
      Encrypted:false
      SSDEEP:768:FHBDoyAXCuSgs89MRJeesN/HVi9HlCdrz7bs9Ng+g:FHnks822NIHlIZ
      MD5:04CE2078078F12F1B8DFE2C8EB31EB26
      SHA1:2A141253A792B4D3EB33869F5BC48E70E9585C23
      SHA-256:FC8ECA6F2B8AA37203DC0FA5C6FF7971EBDD37428566F3507ED271313A5B6147
      SHA-512:ED19D83ACFCB6980F816C6B8FA47555A99E10CC375DCA1CDA982886C35C5C0DB7E31C37F2E446F8989BE68667C2890FA39330EB31466A963107F6DA5AFC557A4
      Malicious:false
      Preview:regfG...G....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....d...............................................................................................................................................................................................................................................................................................................................................^Y..HvLE.~......G............J-....B.r...j.........p...............P.......p...0..hbin.................\.Z............nk,..\.Z....................h...................................<.......&...{11517B7C-E79D-4e20-961B-75A811715ADD}..`...sk..........N...........\...l.............H.........?...................?...................?........... ... ........... ... ...................$.N..........vk..4...`...........CreatingCommand.....O.n.e.D.r.i.v.e.S.e.t.u.p...e.x.e. ./.s.i.l.e.n.t...
      Process:C:\Windows\System32\WerFault.exe
      File Type:MS Windows registry file, NT/2000 or above
      Category:dropped
      Size (bytes):16384
      Entropy (8bit):1.6173629731555446
      Encrypted:false
      SSDEEP:48:tHVXDTwTvlV9lkZbjQa0dGj3jesM7iS3eXrOMcl+pl5pl50pl7laa/57ABj/6khl:t5DTwTNLIb0aBDWTEo+L5L50LyBXs
      MD5:4465702D1B5CDE698A14905A772C28C0
      SHA1:A8A26E53871AF66607BBCF02EAA03B1339AE796C
      SHA-256:E786DA89D373831ADF59569EFF2B03981E1CC5F06BCA1823488A3B4C9C12D25F
      SHA-512:28BFBA3FB5431ED1DD00922F6AFE3857889F72F59E3B63CFE5FF66BE4F32B3F6569D7F21BC2E41718663DBBE14A47452D6CC5E5BD1D379B906D43976D70FF97F
      Malicious:false
      Preview:regf........Vb..................... .... ......C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...t.m.p....|.}X....0.......|.}X....0...........|.}X....0......rmtmVb....................................................................................................................................................................................................................................................................................................................................................s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\WerFault.exe
      File Type:MS Windows registry file, NT/2000 or above
      Category:dropped
      Size (bytes):8192
      Entropy (8bit):0.9639845816996314
      Encrypted:false
      SSDEEP:24:IuHVEKRws74Enw1T+fPTvl+fBOcP2K0Fu/Utlk:bHVJ8NTwTvl6Wlk
      MD5:8BB398A147C063F59635CEA5E0D3F1E4
      SHA1:88BD89EC00E9CE3FEEE13B6390790EB668AB30C8
      SHA-256:160BC515C7EA07FCBEAD55B4B1F2629156A2E9C808678BB65557FC5C258DFD7E
      SHA-512:DAB7873E36C0D089562C146EF0F67EC159864BC43EF775C070FBDE3C848AA0EEBA3F413E69524D9B3EF0CA6F1D368E79E5005D2795A9F51F2DE41F49BD1D3228
      Malicious:false
      Preview:regf........Vb..................... ...........C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...t.m.p....|.}X....0.......|.}X....0...........|.}X....0......rmtmVb..................................................................................................................................................................................................................................................................................................................................................-.sHvLE.....................;.G.......^..........hbin................Vb.............nk,.Vb.................................8.......................f.......&...{11517B7C-E79D-4e20-961B-75A811715ADD}..`...sk......................\...l.............H.........?...................?...................?........... ... ........... ... ...................$.N..........vk..f...`..........GCreatingCommandH....C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.W.e.r.F.a.u.l.t...e.x.e. .-.u. .-.p. .6.7.7.
      Process:C:\Windows\System32\WerFault.exe
      File Type:MS Windows registry file, NT/2000 or above
      Category:dropped
      Size (bytes):16384
      Entropy (8bit):1.6344901528790148
      Encrypted:false
      SSDEEP:48:bHVbDTwTvlV9lkZbjQa0dGj3jesM7iS3eXrOMcl+pl5pl50pl7laa/57ABj/6khl:btDTwTNLIb0aBDWTEo+L5L50LyBXs
      MD5:37751A6260BB16F8C63C5AC091A6DBCB
      SHA1:CFCE8E38D76B098968B9043199EEDA98D0341AAB
      SHA-256:72ED08402C40FAA28237B4BC1769274D738C7094C8AB6D4FB86E8CECEE985212
      SHA-512:B0BEC5B6B9DA7E8F27A27B5D0DE5A527865605EB669A78FF90C6181DB2FB2EEA93500D50259B5D646B15DB99257C30F6980422CA3B61E2F222976BD921E67AD8
      Malicious:false
      Preview:regf........Vb..................... .... ......C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...t.m.p....|.}X....0.......|.}X....0...........|.}X....0......rmtmVb....................................................................................................................................................................................................................................................................................................................................................sHvLE............. .............J.?2........ ..hbin................Vb.............nk,.Vb.................................8.......................f.......&...{11517B7C-E79D-4e20-961B-75A811715ADD}..`...sk......................\...l.............H.........?...................?...................?........... ... ........... ... ...................$.N..........vk..f...`..........GCreatingCommandH....C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.W.e.r.F.a.u.l.t...e.x.e. .-.u. .-.p. .6.7.7.
      File type:MS-DOS executable PE32+ executable (DLL) (EFI boot service driver) x86-64, for MS Windows
      Entropy (8bit):4.310692378560271
      TrID:
      • Win64 Dynamic Link Library (generic) (102004/3) 84.94%
      • Win64 Executable (generic) (12005/4) 10.00%
      • DOS Executable Borland Pascal 7.0x (2037/25) 1.70%
      • Generic Win/DOS Executable (2004/3) 1.67%
      • DOS Executable Generic (2002/1) 1.67%
      File name:Section_PE32_image_PpamPlatformSmm_PpamPlatformSmm_body.efi.dll
      File size:8'704 bytes
      MD5:888edd5353d9cfe059927c1a680af93e
      SHA1:c0f36980aa49b4a6cf95888e9a960a212f7d4b7b
      SHA256:dce0be7af3ecf8376d9ea08d2590a3354da5ba3ed441280e414e3b198f7dc403
      SHA512:faf1fc48c64014b5bd25c7eefb077f4892a06e5c15b82767fbb1edea92fe4b9f8339767a2f7c27eba200bd8bf346573dd8fdf71926b8909ff308c85acb9c03f3
      SSDEEP:96:z64mroazjQf+OaVUk5bOp93qpXTCZHZLFZjKV5mi9kEp2VvJc:z6kQA+OaVz5baq5TCZHZZZjAp2c
      TLSH:F102D74B56C510E8D7FAC2398AC17A2977B6B431576547CF1B601A0F2B33AE4A23E701
      File Content Preview:MZ..............................................................................................................................................................................................PE..d................." .......................................
      Icon Hash:7ae282899bbab082
      Entrypoint:0x1318
      Entrypoint Section:.text
      Digitally signed:false
      Imagebase:0x0
      Subsystem:efi boot service driver
      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
      DLL Characteristics:
      Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:0
      OS Version Minor:0
      File Version Major:0
      File Version Minor:0
      Subsystem Version Major:0
      Subsystem Version Minor:0
      Import Hash:
      Instruction
      dec eax
      mov dword ptr [esp+08h], ebx
      dec eax
      mov dword ptr [esp+10h], esi
      push edi
      dec eax
      sub esp, 20h
      mov eax, dword ptr [00001DDBh]
      dec eax
      mov ebx, edx
      dec eax
      mov edi, ecx
      test eax, eax
      je 00007FDAE4C68503h
      cmp dword ptr [edx+08h], eax
      jnc 00007FDAE4C684FEh
      dec eax
      mov eax, 00000019h
      add byte ptr [eax], al
      add byte ptr [eax-5C17A415h], al
      pop es
      add byte ptr [eax], al
      cmp byte ptr [00001DB8h], 00000000h
      je 00007FDAE4C6851Eh
      dec eax
      mov eax, dword ptr [000020ABh]
      dec esp
      lea eax, dword ptr [esp+40h]
      dec eax
      lea edx, dword ptr [00001D17h]
      dec eax
      mov ecx, edi
      call dword ptr [eax+00000098h]
      dec eax
      mov eax, dword ptr [esp+40h]
      dec eax
      lea ecx, dword ptr [FFFFFF62h]
      dec eax
      mov dword ptr [eax+58h], ecx
      dec eax
      mov edx, ebx
      dec eax
      mov ecx, edi
      call 00007FDAE4C68D48h
      dec eax
      mov esi, eax
      dec eax
      test eax, eax
      jns 00007FDAE4C684FDh
      dec eax
      mov edx, ebx
      dec eax
      mov ecx, edi
      call 00007FDAE4C68D05h
      dec eax
      mov eax, esi
      dec eax
      mov ebx, dword ptr [esp+30h]
      dec eax
      mov esi, dword ptr [esp+38h]
      dec eax
      add esp, 20h
      pop edi
      ret
      int3
      dec eax
      mov eax, dword ptr [edx+60h]
      dec eax
      mov dword ptr [00002049h], eax
      xor eax, eax
      dec eax
      mov dword ptr [00002048h], ecx
      dec eax
      mov dword ptr [00002031h], edx
      ret
      xor eax, eax
      ret
      int3
      dec eax
      sub esp, 28h
      dec eax
      mov eax, dword ptr [edx+60h]
      dec esp
      lea eax, dword ptr [esp+00h]
Name | Virtual Address | Virtual Size | Is in Section
---- | --------------- | ------------ | -------------
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x32d0 | 0x1c | .data
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
---- | --------------- | ------------ | -------- | --- | -------- | --------------- | --------- | ------- | ---------------
.text | 0x1000 | 0x11b0 | 0x1200 | b9d28a08accc02643a0f1d7d9cdb3c75 | False | 0.546875 | data | 5.90861597128108 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x3000 | 0x4d8 | 0x600 | 05848e60616df05bdc1dd20495f8f2b6 | False | 0.30859375 | data | 2.444172782874819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(nameless) | 0x4000 | 0x138 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.xdata | 0x5000 | 0xb0 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.reloc | 0x6000 | 0xc | 0x200 | 0d0051f3219e43345b83f489d0cbfe98 | False | 0.044921875 | data | 0.07763316234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
--------- | --------- | ------- | -------- | ---------- | ---- | ----- | ------- | ---- | ----- | --------------
Mar 10, 2025 16:41:27.970633030 CET | 1.1.1.1 | 192.168.2.7 | 0xd9aa | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.19 | A (IP address) | IN (0x0001) | false
Mar 10, 2025 16:41:27.970633030 CET | 1.1.1.1 | 192.168.2.7 | 0xd9aa | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.18 | A (IP address) | IN (0x0001) | false
Mar 10, 2025 16:41:27.970633030 CET | 1.1.1.1 | 192.168.2.7 | 0xd9aa | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 84.201.210.39 | A (IP address) | IN (0x0001) | false
Mar 10, 2025 16:41:27.970633030 CET | 1.1.1.1 | 192.168.2.7 | 0xd9aa | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.36 | A (IP address) | IN (0x0001) | false
Mar 10, 2025 16:41:27.970633030 CET | 1.1.1.1 | 192.168.2.7 | 0xd9aa | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.35 | A (IP address) | IN (0x0001) | false
Mar 10, 2025 16:41:27.970633030 CET | 1.1.1.1 | 192.168.2.7 | 0xd9aa | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.20 | A (IP address) | IN (0x0001) | false
Mar 10, 2025 16:41:27.970633030 CET | 1.1.1.1 | 192.168.2.7 | 0xd9aa | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 84.201.210.23 | A (IP address) | IN (0x0001) | false
Mar 10, 2025 16:41:27.970633030 CET | 1.1.1.1 | 192.168.2.7 | 0xd9aa | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.34 | A (IP address) | IN (0x0001) | false

      Target ID:0
      Start time:11:41:13
      Start date:10/03/2025
      Path:C:\Windows\System32\loaddll64.exe
      Wow64 process (32bit):false
      Commandline:loaddll64.exe "C:\Users\user\Desktop\Section_PE32_image_PpamPlatformSmm_PpamPlatformSmm_body.efi.dll"
      Imagebase:0x7ff67c3e0000
      File size:165'888 bytes
      MD5 hash:763455F9DCB24DFEECC2B9D9F8D46D52
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:1
      Start time:11:41:13
      Start date:10/03/2025
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff642da0000
      File size:862'208 bytes
      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:2
      Start time:11:41:13
      Start date:10/03/2025
      Path:C:\Windows\System32\cmd.exe
      Wow64 process (32bit):false
      Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Section_PE32_image_PpamPlatformSmm_PpamPlatformSmm_body.efi.dll",#1
      Imagebase:0x7ff6ce640000
      File size:289'792 bytes
      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:4
      Start time:11:41:13
      Start date:10/03/2025
      Path:C:\Windows\System32\rundll32.exe
      Wow64 process (32bit):false
      Commandline:rundll32.exe "C:\Users\user\Desktop\Section_PE32_image_PpamPlatformSmm_PpamPlatformSmm_body.efi.dll",#1
      Imagebase:0x7ff778630000
      File size:71'680 bytes
      MD5 hash:EF3179D498793BF4234F708D3BE28633
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:7
      Start time:11:41:13
      Start date:10/03/2025
      Path:C:\Windows\System32\WerFault.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\WerFault.exe -u -p 6776 -s 184
      Imagebase:0x7ff79a730000
      File size:570'736 bytes
      MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:8
      Start time:11:41:13
      Start date:10/03/2025
      Path:C:\Windows\System32\WerFault.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\WerFault.exe -u -p 6964 -s 236
      Imagebase:0x7ff79a730000
      File size:570'736 bytes
      MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:11
      Start time:11:41:14
      Start date:10/03/2025
      Path:C:\Windows\System32\WerFault.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\WerFault.exe -u -p 6964 -s 244
      Imagebase:0x7ff79a730000
      File size:570'736 bytes
      MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

        Memory Dump Source
        • Source File: 00000000.00000002.1125085636.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
        • Associated: 00000000.00000002.1125029439.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1125115418.0000000000D63000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d60000_loaddll64.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 83129312bc2a4d2a692c2173f9ef2908ec5b37fb0caac11a698c29c987d0a743
        • Instruction ID: 6a2b3e9a087770bdf399e9760558be184d3d960363561abc234b58723bfc5420
        • Opcode Fuzzy Hash: 83129312bc2a4d2a692c2173f9ef2908ec5b37fb0caac11a698c29c987d0a743
        • Instruction Fuzzy Hash: 6ED017FA21A7408F8B06CE1D98909397AA1E282F54B9C8034AF0E87300D63E44818720
        Memory Dump Source
        • Source File: 00000000.00000002.1125085636.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
        • Associated: 00000000.00000002.1125029439.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1125115418.0000000000D63000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d60000_loaddll64.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 65642f6ac5f80987d77bc9ca947e98ce9271ef434a71309184ece8f00ad157cd
        • Instruction ID: f988002b6f32405c9862b9e46c886e4dfb8d3f2078c4d670929f3849cad84152
        • Opcode Fuzzy Hash: 65642f6ac5f80987d77bc9ca947e98ce9271ef434a71309184ece8f00ad157cd
        • Instruction Fuzzy Hash: