Edit tour

Windows Analysis Report
Section_PE32_image_Aint13_Aint13_body.efi.dll

Overview

General Information

Sample name:	Section_PE32_image_Aint13_Aint13_body.efi.dll (renamed file extension from exe to dll)
Original sample name:	Section_PE32_image_Aint13_Aint13_body.efi.exe
Analysis ID:	1634219
MD5:	74c3ef670d2eb28612ac533e499a0f07
SHA1:	83e90e25c70e8eae811ef3464811448b1c06a181
SHA256:	e999d4ddd349c69bead173461504e78734ab33d5890cc3835249ae79c0743247
Tags:	efiexeuser-ihatethensa
Infos:

Detection

Score:	48
Range:	0 - 100
Confidence:	100%

Signatures

Initial sample is a PE file and has a suspicious name

PE file has nameless sections

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to query CPU information (cpuid)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

One or more processes crash

PE file contains sections with non-standard names

PE file does not import any functions

Sample execution stops while process was sleeping (likely an evasion)

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 5876 cmdline: loaddll64.exe "C:\Users\user\Desktop\Section_PE32_image_Aint13_Aint13_body.efi.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)

conhost.exe (PID: 1420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6824 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Section_PE32_image_Aint13_Aint13_body.efi.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

rundll32.exe (PID: 472 cmdline: rundll32.exe "C:\Users\user\Desktop\Section_PE32_image_Aint13_Aint13_body.efi.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 3200 cmdline: C:\Windows\system32\WerFault.exe -u -p 472 -s 232 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

WerFault.exe (PID: 1688 cmdline: C:\Windows\system32\WerFault.exe -u -p 472 -s 248 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

WerFault.exe (PID: 924 cmdline: C:\Windows\system32\WerFault.exe -u -p 5876 -s 200 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: global traffic

TCP traffic: 192.168.2.8:60019 -> 162.159.36.2:53

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: c.pki.goog

Source: Amcache.hve.10.dr

String found in binary or memory: http://upx.sf.net

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Section_PE32_image_Aint13_Aint13_body.efi.dll

PE file has nameless sections

Source: Section_PE32_image_Aint13_Aint13_body.efi.dll

Static PE information: section name:

Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00960F14		1_2_00960F14
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00AF0F14		5_2_00AF0F14

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5876 -s 200

Source: Section_PE32_image_Aint13_Aint13_body.efi.dll

Static PE information: No import functions for PE file found

Source: Section_PE32_image_Aint13_Aint13_body.efi.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal48.winDLL@9/14@1/0

Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess472
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5876
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1420:120:WilError_03

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\09472cb2-4ac1-4260-948c-b837e8c24a81

Jump to behavior

Source: Section_PE32_image_Aint13_Aint13_body.efi.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Section_PE32_image_Aint13_Aint13_body.efi.dll",#1

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\Section_PE32_image_Aint13_Aint13_body.efi.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Section_PE32_image_Aint13_Aint13_body.efi.dll",#1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Section_PE32_image_Aint13_Aint13_body.efi.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5876 -s 200
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 472 -s 232
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 472 -s 248
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Section_PE32_image_Aint13_Aint13_body.efi.dll",#1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Section_PE32_image_Aint13_Aint13_body.efi.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Section loaded: apphelp.dll

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Section_PE32_image_Aint13_Aint13_body.efi.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: Section_PE32_image_Aint13_Aint13_body.efi.dll	Static PE information: section name:
Source: Section_PE32_image_Aint13_Aint13_body.efi.dll	Static PE information: section name: .xdata

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_009602D0 rdtsc

1_2_009602D0

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: Amcache.hve.10.dr	Binary or memory string: VMware
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.10.dr	Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.10.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.10.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.10.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.10.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.10.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.10.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.10.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.10.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.10.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.10.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_009602D0 rdtsc

1_2_009602D0

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Section_PE32_image_Aint13_Aint13_body.efi.dll",#1

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_009613C0 cpuid

1_2_009613C0

Source: Amcache.hve.10.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.LOG1.10.dr, Amcache.hve.10.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.LOG1.10.dr, Amcache.hve.10.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.LOG1.10.dr, Amcache.hve.10.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	31 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Rundll32	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Software Packing	Security Account Manager	11 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Section_PE32_image_Aint13_Aint13_body.efi.dll	0%	Virustotal		Browse
Section_PE32_image_Aint13_Aint13_body.efi.dll	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	high
pki-goog.l.google.com	172.217.18.3	true	false	high
c.pki.goog	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.10.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1634219
Start date and time:	2025-03-10 20:55:37 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Section_PE32_image_Aint13_Aint13_body.efi.dll (renamed file extension from exe to dll)
Original Sample Name:	Section_PE32_image_Aint13_Aint13_body.efi.exe
Detection:	MAL
Classification:	mal48.winDLL@9/14@1/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 5

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WerFault.exe, RuntimeBroker.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.16.185.191, 131.107.255.255, 23.60.203.209, 104.40.69.76, 172.202.163.200, 4.245.163.56, 20.190.160.67
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, onedsblobvmssprdwus03.westus.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com, d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, login.live.com, e16604.f.akamaiedge.net, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net
Execution Graph export aborted for target loaddll64.exe, PID 5876 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 472 because there are no executed function
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
15:57:51	API Interceptor	2x Sleep call for process: WerFault.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
pki-goog.l.google.com	x3xqeKOaAd.exe	Get hash	malicious	AsyncRAT, VenomRAT	Browse	142.250.186.163
	fg.exe	Get hash	malicious	XWorm	Browse	172.217.18.3
	zabwpkovl0.exe	Get hash	malicious	Unknown	Browse	142.250.184.195
	Legjong.exe	Get hash	malicious	Unknown	Browse	172.217.16.195
	sWr3wJ0SuB.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	142.250.184.195
	cexqIzhyvM.exe	Get hash	malicious	GuLoader	Browse	172.217.18.3
	KMSpico.exe	Get hash	malicious	LummaC Stealer	Browse	172.217.18.3
	KMSpico.exe	Get hash	malicious	LummaC Stealer	Browse	142.250.185.163
	uolmaTGkHh.exe	Get hash	malicious	AgentTesla	Browse	142.250.186.67
	VoaY6Clwfh.exe	Get hash	malicious	AgentTesla	Browse	142.250.185.163
bg.microsoft.map.fastly.net	Fd-Employee-Handbook(1).pdf	Get hash	malicious	Unknown	Browse	199.232.214.172
	PEDIDO DE OR#U00c7AMENTO (Universidade NOVA de Lisboa) 03-10-2025#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	199.232.214.172
	ANGEBOTSANFRAGE (Universit#U00e4t Klagenfurt) 10-03-2025#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	199.232.210.172
	Online Notification.pdf	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	FW 188355..msg	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	x3xqeKOaAd.exe	Get hash	malicious	AsyncRAT, VenomRAT	Browse	199.232.210.172
	PastePictures 1.xla	Get hash	malicious	Unknown	Browse	199.232.214.172
	POETDB24-25771.xla.xlsx	Get hash	malicious	Unknown	Browse	199.232.210.172
	CO894GOV2O25.vbs	Get hash	malicious	Remcos, GuLoader	Browse	199.232.210.172
	DIR-A_JY4878249#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	199.232.214.172

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll64.exe_ab5ddeb6cd5546b85a9ea025cb2fba93c2de51d_606702e6_436f37c2-65a6-4b72-b2cd-2812efad0661\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6589388349883617
Encrypted:	false
SSDEEP:	96:3qF9ap6ksthNy7JfuQXIDcQ8c6scEZcw3B2v+HbHg/5BZAX/d5FMT2SlPkpXmTA5:aX66kz0Coj9jJzuiFRZ24lO81
MD5:	80B03727865B9EFD5F1AAC89F29B52A7
SHA1:	425B679B467E8DC550429B0886CC344B7961B2AA
SHA-256:	B30B030E2E31764DD66650EEB2FDCB5400419B90D64DDD1509C8BA44F7D576CA
SHA-512:	1155FE114879C4C7DA5C7AEA0644E1F0624D979196341DE40955C780E64E9C75CDEBAB1383E28F52AE1E701346273C4C1761EEDAFA0692488EF0D4644A020FFB
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.6.1.1.0.2.6.0.7.1.0.7.3.6.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.6.1.1.0.2.6.2.8.6.6.9.6.0.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.3.6.f.3.7.c.2.-.6.5.a.6.-.4.b.7.2.-.b.2.c.d.-.2.8.1.2.e.f.a.d.0.6.6.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.b.9.8.8.3.2.3.-.a.a.1.d.-.4.e.d.5.-.a.a.3.c.-.4.7.5.0.7.7.6.d.0.8.2.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.6.4...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.f.4.-.0.0.0.1.-.0.0.1.8.-.2.8.9.5.-.b.3.a.c.f.6.9.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.f.e.1.f.7.3.2.2.5.e.8.c.2.3.3.1.b.8.d.3.7.3.d.3.f.9.1.a.c.4.2.0.0.0.0.f.f.f.f.!.0.0.0.0.f.2.3.2.e.0.d.e.c.d.5.4.8.8.5.2.f.a.6.0.8.9.e.1.9.5.4.3.1.b.7.3.e.9.4.e.d.0.b.d.!.l.o.a.d.d.l.l.6.4...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.3././.0.9././.1.5.:.0.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_Sec_bd9a9f2527cbdb4bd82640a14bcbeecf44a8e8a2_ee61a992_d1f62f74-60e6-4086-b8b9-c5f7261b7b97\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6959877784356832
Encrypted:	false
SSDEEP:	96:zpxi2iWyKygsjh4Rvy7JfuQXIDcQcc6dbcE9cw3uD/XaXz+HbHgSQgJjPZAX/d55:HiWygu0SZb3sj+zuiFRZ24lO8E
MD5:	16FC94F7CB0A28956B0133ED82E5E56E
SHA1:	37CD87ECCCD472B62809B30D5658F23D3FF00F7A
SHA-256:	BBF89164C5E3CAC9B52CF21487BDA191DF1392B1CFB4ECBAA93B135E8A79DAD9
SHA-512:	9C64E2472EC500936AB6C3646A082691FBFA30850B21CF339657161FC6DD60ED7FA5F7EC903AD029747563DCFA2E3D9526335516E0ADE6EF3064B67A592DB4CD
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.6.1.1.0.2.6.0.6.7.2.1.0.5.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.1.f.6.2.f.7.4.-.6.0.e.6.-.4.0.8.6.-.b.8.b.9.-.c.5.f.7.2.6.1.b.7.b.9.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.7.e.0.7.b.b.a.-.e.1.2.c.-.4.8.e.8.-.8.f.9.1.-.f.0.c.8.a.b.a.2.0.f.b.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.S.e.c.t.i.o.n._.P.E.3.2._.i.m.a.g.e._.A.i.n.t.1.3._.A.i.n.t.1.3._.b.o.d.y...e.f.i...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.1.d.8.-.0.0.0.1.-.0.0.1.8.-.9.c.d.b.-.2.0.a.d.f.6.9.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.2.2.!.r.u.n.d.l.l.3.2...e.x.e.....T.a.r.g.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_Sec_e15a93ebc0909c5ad68642ebeeb88be86ae8ecb5_ee61a992_f603aa77-d393-48c3-ab9b-a9dd5dfcd5cf\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6999825282712056
Encrypted:	false
SSDEEP:	96:2cFgWG2iWyKygsjh4Rv1y/fYQXIDcQ7c66cE6cw3QMJXaXz+HbHgSQgJjPZAX/d6:H+EiWygg01+gEMRj+zuiFRZ24lO8E
MD5:	3DDBBAB0D398821BB99E8FE965535917
SHA1:	6EA5863F4CBD9B8650A02A3F14E0A5CECDE2FD86
SHA-256:	3F5D8ECAE03E5AA58C8E8C29B2ABF0D41ACE2EA2E31477CFBF50403CCC6D5A4D
SHA-512:	1FD6CD0438F3E475B640C05D310DC5D2585D334881FB602717889DF6634C05AB3943171319DB038BADC88138967D5CAEF96672E9164C510E9534AFA7C6F082E5
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.6.1.1.0.2.6.3.1.8.4.9.6.2.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.6.1.1.0.2.6.3.6.2.2.4.6.7.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.6.0.3.a.a.7.7.-.d.3.9.3.-.4.8.c.3.-.a.b.9.b.-.a.9.d.d.5.d.f.c.d.5.c.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.b.9.1.b.d.5.2.-.8.a.d.4.-.4.f.f.3.-.b.3.6.1.-.a.6.0.d.f.4.8.3.5.b.5.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.S.e.c.t.i.o.n._.P.E.3.2._.i.m.a.g.e._.A.i.n.t.1.3._.A.i.n.t.1.3._.b.o.d.y...e.f.i...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.1.d.8.-.0.0.0.1.-.0.0.1.8.-.9.c.d.b.-.2.0.a.d.f.6.9.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8E79.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Mar 10 19:57:41 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	56920
Entropy (8bit):	1.5671175611109107
Encrypted:	false
SSDEEP:	96:5o8ub/Obv9wEiFVCspbtoi7Mtu7vXuZV7EtX/QcS0DLLP2rDjzcewH/O9yq9/aW3:RrCpbaOMtqXu8tXFNfeEwZP
MD5:	4ECC87651CE88720AE7E262FFFA03D47
SHA1:	C2B83F70545C086FA0FB41FF1E08368813E04CB5
SHA-256:	3206368E8F911E9C5B56A8F4E33BAF418AE205E48CA85C813FE56A2CB7EA248E
SHA-512:	CCE4C683619E079FEA7EEF38C6E4DFECCD863F381B0C6BF33FEA0B275C1CCE7BC2F8D138102803C8E250BD0D6FF93BC67C0762715D95619892A47348F941BDE9
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......5D.g.........................................#..........T.......8...........T...........................D...........0...............................................................................eJ..............Lw......................T...........3D.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8E98.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Mar 10 19:57:41 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	50850
Entropy (8bit):	1.35568383151671
Encrypted:	false
SSDEEP:	96:598iNyK4MMkwwcajUi7KgbjOQcSHWIHJ24R5g3K/bNN8b:8i44jUOKg/icR5gKbNOb
MD5:	AC2B1D0D2FE59D50958A02840B6B7C99
SHA1:	8190958C235FE193E1347274D449D5599E8C1A67
SHA-256:	C0A5D092E86F9E4E3EE3F90AA3D10386CDAF606943C4A0C0B8BFDDAD13301B0D
SHA-512:	E03D78F2FF520111CAA0F8D2B4446A279B189A05312E949AFCEDAAAD122F6453E62DA5E55811C9DC9EB73F39DC877A2CBBF87065742A5DFC10B269CFB41ECC1A
Malicious:	false
Preview:	MDMP..a..... .......5D.g........................d...........$...............h"..........`.......8...........T...........................0...........................................................................................eJ..............Lw......................T...........2D.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER91C6.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8634
Entropy (8bit):	3.7008429003697128
Encrypted:	false
SSDEEP:	192:R6l7wVeJ0SytJ46YzFZ0gmf36LSypBr89biT7faWm:R6lXJpys6YRKgmf36wiPfi
MD5:	3A213AB483E4830E75A22A6BAADE6915
SHA1:	E93B970D2005DE6BDC0BF78FC9E8289A19F30ED5
SHA-256:	8EF61E1D5A731D9102448938545DD4483F02CAAACB6BC4C5CD303B613E1DB219
SHA-512:	6BB5179A840A8ADCACD4D450B92A7B4AD27C1D0AA78B0E7B527AA21520EF6C73E4B2FC2A127D54670252E14886A051BA8605E17DA622FD838E810621A0CFC3DA
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.7.2.<./.P.i.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9281.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8758
Entropy (8bit):	3.70049847378338
Encrypted:	false
SSDEEP:	192:R6l7wVeJtyV6YNO7hWgmfhKJypDO89biq0fPWm:R6lXJYV6Yk7AgmfhKJIiBfn
MD5:	A0A132E0628EB8DC91485D9E3B34189F
SHA1:	C5C068286D2B73D628FC07F2A05098C3D032B52B
SHA-256:	B4B2B34B4EBBA99F3BA9ACE3E9D028CAA85E0487D8B4EC46EC8B1E990A0A6853
SHA-512:	98A3A5B210F5F9FBBBEA47CFDC3D2DF85EA76C65210AA6E2B3AEA5527277DF157D3E9AD5704314BFFCEC2AC58A0F5BBCCB7CCC461C4FC1F31C1D2FAF0AE59A91
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.8.7.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9551.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4908
Entropy (8bit):	4.546425864682787
Encrypted:	false
SSDEEP:	48:cvIwWl8zszJg771I9lyWpW8VYvPYm8M4JCeCswFpyq85mHEptSTSDd:uIjfNI7aT7VSSJQGpoODd
MD5:	5A9D4C122AFF2D67A64AFC1831268590
SHA1:	ADBE58034DE8F11DDCDE0C5BA5F95A5575962618
SHA-256:	B612A58D491D5E1878466D205E737345188DFA03804176B84B5220C2D3913637
SHA-512:	400CB79973C6CA15A98901F014C9D6FB8BE9F606F247649FC5B408BF58C6909EEFD500D0065A1CA757008E8CC6D2C9CA9629CF87942C86C9801F15CB6823D3C1
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="755220" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER95CF.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4694
Entropy (8bit):	4.465760340437216
Encrypted:	false
SSDEEP:	48:cvIwWl8zszJg771I9lyWpW8VY3Ym8M4J8wF2yq851UFFV1xid:uIjfNI7aT7VfJkvF7xid
MD5:	538860FEDE71CFF7FF151C1FACF81CF9
SHA1:	81AFD1722A9742B7450A589E3645F1F85B90EA52
SHA-256:	404DCE00BD8354B0F3A67212DF254D8F5EAE7CC04059ECA0563B124F01EEC564
SHA-512:	6862DC136C4314FBBB12711DB4EBC8FDA00855E5561F2D937479812BE193330FEE5C463F18AC321759ADF51BA498AF377927D186F516C3E51A29E4A7F90F2A82
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="755220" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER983D.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Mar 10 19:57:43 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	57524
Entropy (8bit):	1.5497701611655574
Encrypted:	false
SSDEEP:	96:5K8IL/Obv9wEiFVR0i5toi7MJ/etXUqU41OklRDjzce7MH/O9cq9/GkGWIO7IBdG:jFYH5aOMJ/etXU4X2w+aH
MD5:	16DAD2A89088485C0DB03635A7F12C09
SHA1:	0E46DF66B58B2BD7490BB9CFF30F6E1B5212FE6E
SHA-256:	048B1F27B4644452E09DFEFEA8589CE0F3286E697C891538D63AF8A305600ABC
SHA-512:	58BB2855740572599406CA25589CADF2C72D2091BB169D8FCD8E7416942CA83F89B2331D8114C54279FB634513B950505FFBEF59173E9A11E9DFCF2A7152AB93
Malicious:	false
Preview:	MDMP..a..... .......7D.g.........................................#..........T.......8...........T...........................D...........0...............................................................................eJ..............Lw......................T...........3D.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER988C.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8580
Entropy (8bit):	3.6978020413077695
Encrypted:	false
SSDEEP:	192:R6l7wVeJ0Ty9H46YzeZ0gmf3ixNM2pr189bwTyfp3wm:R6lXJIyy6YqKgmf3ixNMBwGfr
MD5:	6E15C5110DD438D4FF6AE1DB2CD75BA8
SHA1:	260038A94717915F7EA2F37A2B05F0586C19A140
SHA-256:	3F2FE6C8FF83D7572ACC39C95084FEFC4FF9E160EF797D22E6E1AD31121B9C9B
SHA-512:	77487416DB9E8F07A2B20AA551D30A2401E2F693FFABD5375D7B7033733CF06EB7C125A14C3C967610556A4F3A86A33E66D5C5B18EA5445A34C027F47CF6CD66
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.7.2.<./.P.i.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER98EB.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4852
Entropy (8bit):	4.525871731419069
Encrypted:	false
SSDEEP:	48:cvIwWl8zszJg771I9lyWpW8VYFYm8M4JCeCst6FVyq85mLChptSTSDd:uIjfNI7aT7VtJFykhpoODd
MD5:	190DCA8E9D0ABBD2A1ECC57C5890C911
SHA1:	ACDE16D29572EC8191860387F0DE58029613068F
SHA-256:	796F0A50857BAAF5380A1CC6411551A8135916C8BC5CE8E6A28D6DD7838D82BB
SHA-512:	18F8AF729CB44E2DEDBA398DEA1722AD3308AC78CD263CD71A437D6B947146557626AC85E47A130D48C97F955708AA42ED6C0EFD3A96CAD8774D10DE3F98B2FC
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="755220" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.380123848749643
Encrypted:	false
SSDEEP:	6144:IjVfpi6ceLP/9skLmb0hyWWSPtaJG8nAge3nONQqZaK2FIeC/7ZcXtOZ:6V1LyWWI/ONQqYMjydE
MD5:	BD271E6DDA2567B6C2A4B7992D65CAC4
SHA1:	494E2C9F278FE66F0D12D5BE182BB8A584BE765F
SHA-256:	53E2DC677D99423BBE368CDD2413D7F3D6B3FB7D10C3D208664EAA7540470A9E
SHA-512:	AB5D686FA25E553C80BBA5CBC1225B582CA98D74BE1D1DE82F872B91B47CEBDFBF7B63A4615BC82A369A61254D9C86B824824AE155531FF789035AD50D75A3CC
Malicious:	false
Preview:	regfE...E....\.Z.................... ....@......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmNW..e.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	4.222611444481694
Encrypted:	false
SSDEEP:	768:VQcADoyUX5AUpawR9DvI8DC1ysk8oPg94f:VQc1AkXTpd
MD5:	130CED4B68D5446BDBF96A02209AF410
SHA1:	56530414B698BBC4A925500140C49B16A03C94FE
SHA-256:	DF2A7101703C672BD16997BC0C2F78A48259A6A7B6D25288D95264214BAA5DEB
SHA-512:	CBD811440A7D9296692FA00820EE84CC84A9776E17C1243620EC12382AFBD7A296B0831798E5B720E919BE12B6F304526E3AB49E64945036D34B8C66314A9D33
Malicious:	false
Preview:	regfD...D....\.Z.................... ....@......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmNW..e.................................................................................................................................................................................................................................................................................................................................................HvLE.n......D....@.......!.....7.M.............@...................0..hbin.................\.Z............nk,..\.Z....................h...................................<.......&...{11517B7C-E79D-4e20-961B-75A811715ADD}..`...sk..........C...........\...l.............H.........?...................?...................?........... ... ........... ... ...................$.N..........vk..4...`...........CreatingCommand.....O.n.e.D.r.i.v.e.S.e.t.u.p...e.x.e. ./.s.i.l.e.n.t.......vk..

Static File Info

General

File type:	MS-DOS executable PE32+ executable (DLL) (EFI boot service driver) x86-64, for MS Windows
Entropy (8bit):	5.627952660291064
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 84.94% Win64 Executable (generic) (12005/4) 10.00% DOS Executable Borland Pascal 7.0x (2037/25) 1.70% Generic Win/DOS Executable (2004/3) 1.67% DOS Executable Generic (2002/1) 1.67%
File name:	Section_PE32_image_Aint13_Aint13_body.efi.dll
File size:	6'272 bytes
MD5:	74c3ef670d2eb28612ac533e499a0f07
SHA1:	83e90e25c70e8eae811ef3464811448b1c06a181
SHA256:	e999d4ddd349c69bead173461504e78734ab33d5890cc3835249ae79c0743247
SHA512:	b86a587041026b4ba1815597e8748eb35da7265008050b52f0043c145e16fb5a211f403458fb1b553d258e5a1214a668db5bfbb7fba8c3fb8e46af52fe717ebe
SSDEEP:	96:JiIyQcSiy+lQiSHpsviZzxzE98EQVgcLKnI2osnRA2rEFO/dNZNlnhhzuhMqf:JiIWnywnSHWvSZG2KnVRAMSOlNZNc
TLSH:	12D15D8826249BA9C51B803DCB4FA895EFF930490311A5EF5BE409D47FA3AD1373D340
File Content Preview:	MZ......................................................................................................................................................................................PE..d................." ........`...........`........... ... ..........

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x310
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x0
Subsystem:	efi boot service driver
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	0
OS Version Minor:	0
File Version Major:	0
File Version Minor:	0
Subsystem Version Major:	0
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec eax
mov dword ptr [esp+10h], ebx
push edi
dec eax
sub esp, 20h
dec eax
mov edi, edx
dec eax
mov ebx, ecx
call 00007FD54D4D96C0h
dec eax
cmp dword ptr [000012DBh], 00000000h
dec eax
mov dword ptr [esp+30h], ebx
jne 00007FD54D4D9671h
dec eax
mov dword ptr [000012CDh], edi
dec esp
mov edx, dword ptr [edi+60h]
dec eax
mov eax, dword ptr [edi+58h]
dec esp
mov dword ptr [000012AEh], edx
dec eax
mov dword ptr [000012AFh], eax
jmp 00007FD54D4D9659h
dec esp
mov edx, dword ptr [0000129Eh]
dec eax
lea eax, dword ptr [000001A3h]
inc ebp
xor eax, eax
dec esp
lea ecx, dword ptr [000012A5h]
dec eax
mov dword ptr [0000129Eh], eax
dec eax
lea edx, dword ptr [000011B7h]
dec eax
lea ecx, dword ptr [esp+30h]
inc ecx
call dword ptr [edx+00000080h]
dec eax
mov ebx, dword ptr [esp+38h]
dec eax
add esp, 20h
pop edi
ret
dec eax
mov dword ptr [esp+08h], ebx
push edi
dec eax
sub esp, 20h
dec eax
mov eax, dword ptr [edx+60h]
dec eax
mov dword ptr [00001243h], eax
dec eax
mov dword ptr [00001234h], edx
call 00007FD54D4DA5E4h
call 00007FD54D4DA5DFh
dec eax
mov edx, dword ptr [000011BBh]
inc ecx
mov ecx, 0000FFFFh
dec esp
mov eax, dword ptr [000011A6h]
jmp 00007FD54D4D965Fh
cmp cx, 0004h
je 00007FD54D4D9664h
movzx ecx, word ptr [eax+02h]
dec eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1590	0x1c	.data
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x260	0x12b0	0x12c0	6ec25811e2899bd27bb5f92db7502c31	False	0.7179166666666666	data	6.391732365504973	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x1520	0x1c8	0x1e0	2e70b7def055da7c0ccc5f0e54b122bb	False	0.24375	data	2.0181868199634048	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x1700	0x90	0xa0	cb415e05b85be31494ae1bc233beb58b	False	0.075	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.xdata	0x17a0	0xd4	0xe0	59763dea4943fa0a7ec51296d5f2c7b3	False	0.05357142857142857	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 10, 2025 20:57:36.565864086 CET	60019	53	192.168.2.8	162.159.36.2
Mar 10, 2025 20:57:36.570688009 CET	53	60019	162.159.36.2	192.168.2.8
Mar 10, 2025 20:57:36.570779085 CET	60019	53	192.168.2.8	162.159.36.2
Mar 10, 2025 20:57:36.575639963 CET	53	60019	162.159.36.2	192.168.2.8
Mar 10, 2025 20:57:37.143471956 CET	60019	53	192.168.2.8	162.159.36.2
Mar 10, 2025 20:57:37.148807049 CET	53	60019	162.159.36.2	192.168.2.8
Mar 10, 2025 20:57:37.148916960 CET	60019	53	192.168.2.8	162.159.36.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 10, 2025 20:57:10.487943888 CET	61916	53	192.168.2.8	1.1.1.1
Mar 10, 2025 20:57:10.495505095 CET	53	61916	1.1.1.1	192.168.2.8
Mar 10, 2025 20:57:36.565309048 CET	53	63867	162.159.36.2	192.168.2.8
Mar 10, 2025 20:57:37.428683043 CET	53	56961	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 10, 2025 20:57:10.487943888 CET	192.168.2.8	1.1.1.1	0x59b8	Standard query (0)	c.pki.goog	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 10, 2025 20:57:08.520780087 CET	1.1.1.1	192.168.2.8	0xdaab	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Mar 10, 2025 20:57:08.520780087 CET	1.1.1.1	192.168.2.8	0xdaab	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Mar 10, 2025 20:57:10.495505095 CET	1.1.1.1	192.168.2.8	0x59b8	No error (0)	c.pki.goog	pki-goog.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 10, 2025 20:57:10.495505095 CET	1.1.1.1	192.168.2.8	0x59b8	No error (0)	pki-goog.l.google.com		172.217.18.3	A (IP address)	IN (0x0001)	false

Target ID:	1
Start time:	15:57:38
Start date:	10/03/2025
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\Section_PE32_image_Aint13_Aint13_body.efi.dll"
Imagebase:	0x7ff748510000
File size:	165'888 bytes
MD5 hash:	763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:57:38
Start date:	10/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6e60e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:57:38
Start date:	10/03/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Section_PE32_image_Aint13_Aint13_body.efi.dll",#1
Imagebase:	0x7ff677ae0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:57:39
Start date:	10/03/2025
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\Section_PE32_image_Aint13_Aint13_body.efi.dll",#1
Imagebase:	0x7ff7bc420000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:57:40
Start date:	10/03/2025
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 5876 -s 200
Imagebase:	0x7ff64b0b0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:57:40
Start date:	10/03/2025
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 472 -s 232
Imagebase:	0x7ff64b0b0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	15:57:43
Start date:	10/03/2025
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 472 -s 248
Imagebase:	0x7ff64b0b0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00960F14 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1680726629.0000000000960000.00000080.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_960000_loaddll64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f5c80ec179ca41ad808e4c8e72d8bc9e4276eb584ae1d9c401b20456e4fb9a2
Instruction ID: 779b22ebcf451e8fa2834d43e40b04fc2d197e910bbb50e53dac832bd6e96d3d
Opcode Fuzzy Hash: 4f5c80ec179ca41ad808e4c8e72d8bc9e4276eb584ae1d9c401b20456e4fb9a2
Instruction Fuzzy Hash: 76C14736701B898AEB14CF6AE84079D77B1F788B88F494126DE4E53B29DF39E049D740

Function 009613C0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1680726629.0000000000960000.00000080.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_960000_loaddll64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f2986eb292e7b94bfe77c9d9b8189d8bde8b947c7a976c7289107ac6cd9e70
Instruction ID: 06192bb0fed88f6066db508b34147762a810a132e3069f15c792ad1d760d0232
Opcode Fuzzy Hash: f5f2986eb292e7b94bfe77c9d9b8189d8bde8b947c7a976c7289107ac6cd9e70
Instruction Fuzzy Hash: E3E012F27057908B9358CFAA8950C6E77A4F29578074EA035AE0AD7705E2324D40CB10

Function 009602D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1680726629.0000000000960000.00000080.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_960000_loaddll64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65642f6ac5f80987d77bc9ca947e98ce9271ef434a71309184ece8f00ad157cd
Instruction ID: f988002b6f32405c9862b9e46c886e4dfb8d3f2078c4d670929f3849cad84152
Opcode Fuzzy Hash: 65642f6ac5f80987d77bc9ca947e98ce9271ef434a71309184ece8f00ad157cd
Instruction Fuzzy Hash:

Function 0096069C Relevance: 6.4, Strings: 5, Instructions: 122COMMON

Download Yara Rule

Strings

FAT3, xrefs: 009607B6
FAT , xrefs: 009607AA
MSDO, xrefs: 00960784
NTFS, xrefs: 00960794
MSWI, xrefs: 0096078C

Memory Dump Source

Source File: 00000001.00000002.1680726629.0000000000960000.00000080.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_960000_loaddll64.jbxd

Similarity

API ID:
String ID: FAT $FAT3$MSDO$MSWI$NTFS
API String ID: 0-158003111
Opcode ID: a6db3b3e1516305a276709573db8c2d34c57341ee005fb19ccfefd0632bde21d
Instruction ID: f78e321c74c6f7b90bb20fac13fbaf37b415172c4b14709d159486cd0f21493d
Opcode Fuzzy Hash: a6db3b3e1516305a276709573db8c2d34c57341ee005fb19ccfefd0632bde21d
Instruction Fuzzy Hash: 9A4106237057D485DB29CF2AD48076ABFA5E3D5F84F0C8026DAC507B65DB39C492CB90

Analysis Process: rundll32.exePID: 472, Parent PID: 6824COMMON

Non-executed Functions

Function 00AF069C Relevance: 6.4, Strings: 5, Instructions: 122COMMON

Download Yara Rule

Strings

NTFS, xrefs: 00AF0794
MSWI, xrefs: 00AF078C
FAT , xrefs: 00AF07AA
FAT3, xrefs: 00AF07B6
MSDO, xrefs: 00AF0784

Memory Dump Source

Source File: 00000005.00000002.1671795647.0000000000AF0000.00000080.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_af0000_rundll32.jbxd

Similarity

API ID:
String ID: FAT $FAT3$MSDO$MSWI$NTFS
API String ID: 0-158003111
Opcode ID: a6db3b3e1516305a276709573db8c2d34c57341ee005fb19ccfefd0632bde21d
Instruction ID: 0062c69f695f896a96c9448b4292755c67171d9f7b3c9002b36ac13ed120b542
Opcode Fuzzy Hash: a6db3b3e1516305a276709573db8c2d34c57341ee005fb19ccfefd0632bde21d
Instruction Fuzzy Hash: 5A41F5237057D885DB258FAA9400B79BFA5E395F84F0DC066EBC447B66DB38C482CB91

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Section_PE32_image_Aint13_Aint13_body.efi.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll64.exe_ab5ddeb6cd5546b85a9ea025cb2fba93c2de51d_606702e6_436f37c2-65a6-4b72-b2cd-2812efad0661\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_Sec_bd9a9f2527cbdb4bd82640a14bcbeecf44a8e8a2_ee61a992_d1f62f74-60e6-4086-b8b9-c5f7261b7b97\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_Sec_e15a93ebc0909c5ad68642ebeeb88be86ae8ecb5_ee61a992_f603aa77-d393-48c3-ab9b-a9dd5dfcd5cf\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8E79.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8E98.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER91C6.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9281.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9551.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER95CF.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER983D.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER988C.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER98EB.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
Section_PE32_image_Aint13_Aint13_body.efi.dll