Windows Analysis Report
decrypt-main.dll.dll

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic

HTTP traffic detected: GET /bucketPc.zip HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: bucreate203920233.s3.sa-east-1.amazonaws.comConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_00815B40 Sleep,SleepEx,URLDownloadToFileW,Sleep,

5_2_00815B40

Source: global traffic

Source: unknown

DNS traffic detected: queries for: bucreate203920233.s3.sa-east-1.amazonaws.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not Foundx-amz-request-id: KGMPNF9Q2A4G276Ax-amz-id-2: oUwOBGcXcRaJOfg9RDvUMM390Opwe1X0G+WIoo1w9G6BKuiw2Othw5sAOuPb4cT9/PXSnCglEcE=Content-Type: application/xmlTransfer-Encoding: chunkedDate: Wed, 13 Mar 2024 16:01:21 GMTServer: AmazonS3Connection: close

Source: rundll32.exe, 00000005.00000003.2205682217.000001FA1F332000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: Amcache.hve.10.dr	String found in binary or memory: http://upx.sf.net
Source: rundll32.exe, rundll32.exe, 00000014.00000002.2596173277.0000000000428000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000015.00000002.2277081579.0000000000428000.00000020.00000001.01000000.00000003.sdmp, decrypt-main.dll.dll	String found in binary or memory: http://www.delphiforfun.org/
Source: rundll32.exe, 00000005.00000002.2533961841.000001FA1D377000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bucreate203920233.s3.sa-east-1.amazonaws.com/
Source: rundll32.exe, 00000005.00000002.2533961841.000001FA1D377000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bucreate203920233.s3.sa-east-1.amazonaws.com/2
Source: rundll32.exe, 00000005.00000002.2533961841.000001FA1D38C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bucreate203920233.s3.sa-east-1.amazonaws.com/bucketPc.zip
Source: rundll32.exe, 00000005.00000002.2533961841.000001FA1D350000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bucreate203920233.s3.sa-east-1.amazonaws.com/bucketPc.zip)c
Source: rundll32.exe, 00000005.00000002.2533961841.000001FA1D38C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com

Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown

HTTPS traffic detected: 52.95.163.36:443 -> 192.168.2.6:49723 version: TLS 1.2

Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00414B50	5_2_00414B50
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00438220	5_2_00438220
Source: C:\Windows\System32\rundll32.exe	Code function: 14_2_00414B50	14_2_00414B50
Source: C:\Windows\System32\rundll32.exe	Code function: 14_2_00438220	14_2_00438220
Source: C:\Windows\System32\rundll32.exe	Code function: 18_2_00414B50	18_2_00414B50
Source: C:\Windows\System32\rundll32.exe	Code function: 18_2_00438220	18_2_00438220
Source: C:\Windows\System32\rundll32.exe	Code function: 19_2_00414B50	19_2_00414B50
Source: C:\Windows\System32\rundll32.exe	Code function: 19_2_00438220	19_2_00438220

Source: C:\Windows\System32\rundll32.exe

Code function: String function: 004208C0 appears 96 times

Source: C:\Windows\System32\rundll32.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 948 -s 484

Source: C:\Windows\System32\loaddll64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: classification engine

Classification label: mal56.evad.winDLL@26/17@1/1

Source: C:\Windows\System32\rundll32.exe

File created: C:\Program Files\Classic Shell

Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4072
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2016:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1756
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7028
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess948

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\0d6c8920-a6c5-4adf-abdf-9453bbcaf51a

Source: decrypt-main.dll.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\decrypt-main.dll.dll,HackCheck

Source: decrypt-main.dll.dll

ReversingLabs: Detection: 44%

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\decrypt-main.dll.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\decrypt-main.dll.dll,HackCheck
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",#1
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 948 -s 484
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1756 -s 2000
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\decrypt-main.dll.dll,ServiceCrtMain
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\decrypt-main.dll.dll,TMethodImplementationIntercept
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4072 -s 468
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",HackCheck
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",ServiceCrtMain
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",TMethodImplementationIntercept
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",dbkFCallWrapperAddr
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",__dbk_fcall_wrapper
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7028 -s 468
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\decrypt-main.dll.dll,HackCheck	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\decrypt-main.dll.dll,ServiceCrtMain	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\decrypt-main.dll.dll,TMethodImplementationIntercept	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",HackCheck	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",ServiceCrtMain	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",TMethodImplementationIntercept	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",dbkFCallWrapperAddr	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",__dbk_fcall_wrapper	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",#1	Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\rundll32.exe	Directory created: C:\Program Files\Classic Shell			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Directory created: C:\Program Files\Classic Shell\cache			Jump to behavior

Source: decrypt-main.dll.dll

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: decrypt-main.dll.dll

Static file information: File size 5330944 > 1048576

Source: decrypt-main.dll.dll

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x424000

Source: decrypt-main.dll.dll

Static PE information: section name: .didata

Source: C:\Windows\System32\loaddll64.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\rundll32.exe

File opened / queried: C:\Users\user\Desktop\VMware Workstation.lnk

Source: C:\Windows\System32\loaddll64.exe TID: 5328

Thread sleep time: -120000s >= -30000s

Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00415080 FindFirstFileW,FindClose,	5_2_00415080
Source: C:\Windows\System32\rundll32.exe	Code function: 5_1_00415080 FindFirstFileW,	5_1_00415080
Source: C:\Windows\System32\rundll32.exe	Code function: 6_1_00415080 FindFirstFileW,	6_1_00415080
Source: C:\Windows\System32\rundll32.exe	Code function: 14_2_00415080 FindFirstFileW,FindClose,	14_2_00415080
Source: C:\Windows\System32\rundll32.exe	Code function: 18_2_00415080 FindFirstFileW,FindClose,	18_2_00415080
Source: C:\Windows\System32\rundll32.exe	Code function: 19_2_00415080 FindFirstFileW,FindClose,	19_2_00415080

Source: C:\Windows\System32\rundll32.exe

Code function: 5_1_00417CD0 GetSystemInfo,

5_1_00417CD0

Source: C:\Windows\System32\loaddll64.exe

Thread delayed: delay time: 120000

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_dec_e26d2cbdf0ab1647723bb3a38bd2737c2e0af57_b4dfb63c_b9ef1030-2491-4365-a391-35e17ec755ab\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_dec_27d8c3fe9e4ce467db0e38d9cdded62657c28_b4dfb63c_07fe291b-769a-411f-9cce-c267542d2e67\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue	Jump to behavior

Source: Amcache.hve.10.dr	Binary or memory string: VMware
Source: decrypt-main.dll.dll	Binary or memory string: \VMware Workstation.lnk
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.10.dr	Binary or memory string: VMware, Inc.
Source: rundll32.exe, 00000012.00000002.4039185577.000001C24023E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sers\user\Desktop\VMware Workstation.lnk
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.10.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: rundll32.exe, 00000005.00000002.2533961841.000001FA1D377000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2533961841.000001FA1D38C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.10.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: rundll32.exe, 00000013.00000002.4038907820.000001D5FC72C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sers\user\Desktop\VMware Workstation.lnkp
Source: Amcache.hve.10.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: rundll32.exe, 00000005.00000002.2533961841.000001FA1D38C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.10.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.10.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.10.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: rundll32.exe, 00000013.00000002.4039085865.000001D5FE0A4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 0C:\Users\user\Desktop\VMware Workstation.lnk
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.10.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.10.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.10.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.10.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.10.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\rundll32.exe

Network Connect: 52.95.163.36 443

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",#1

Source: C:\Windows\System32\rundll32.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	5_2_00415230
Source: C:\Windows\System32\rundll32.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	5_2_004142E0
Source: C:\Windows\System32\rundll32.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	14_2_00415230
Source: C:\Windows\System32\rundll32.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	14_2_004142E0
Source: C:\Windows\System32\rundll32.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	18_2_00415230
Source: C:\Windows\System32\rundll32.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	18_2_004142E0
Source: C:\Windows\System32\rundll32.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	19_2_00415230
Source: C:\Windows\System32\rundll32.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	19_2_004142E0

Source: Amcache.hve.10.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	2 Masquerading	OS Credential Dumping	31 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	111 Process Injection	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	22 System Information Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Rundll32	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
decrypt-main.dll.dll	45%	ReversingLabs	Win64.Adware.RedCap

Source	Detection	Scanner	Label	Link
http://crl.micro	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s3-r-w.sa-east-1.amazonaws.com	52.95.163.36	true	false		high
bucreate203920233.s3.sa-east-1.amazonaws.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://bucreate203920233.s3.sa-east-1.amazonaws.com/bucketPc.zip	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://bucreate203920233.s3.sa-east-1.amazonaws.com/bucketPc.zip)c	rundll32.exe, 00000005.00000002.2533961841.000001FA1D350000.00000004.00000020.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.10.dr	false		high
http://crl.micro	rundll32.exe, 00000005.00000003.2205682217.000001FA1F332000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.delphiforfun.org/	rundll32.exe, rundll32.exe, 00000014.00000002.2596173277.0000000000428000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000015.00000002.2277081579.0000000000428000.00000020.00000001.01000000.00000003.sdmp, decrypt-main.dll.dll	false		high
https://bucreate203920233.s3.sa-east-1.amazonaws.com/	rundll32.exe, 00000005.00000002.2533961841.000001FA1D377000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bucreate203920233.s3.sa-east-1.amazonaws.com/2	rundll32.exe, 00000005.00000002.2533961841.000001FA1D377000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
52.95.163.36	s3-r-w.sa-east-1.amazonaws.com	United States		16509	AMAZON-02US	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1408464
Start date and time:	2024-03-13 17:00:19 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	decrypt-main.dll.dll renamed because original name is a hash value
Original Sample Name:	decrypt-main.dll.exe
Detection:	MAL
Classification:	mal56.evad.winDLL@26/17@1/1
EGA Information:	Successful, ratio: 57.1%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92, 52.182.143.212
Excluded domains from analysis (whitelisted): client.wns.windows.com, onedsblobprdeus17.eastus.cloudapp.azure.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target rundll32.exe, PID 4072 because it is empty
Execution Graph export aborted for target rundll32.exe, PID 7028 because it is empty
Execution Graph export aborted for target rundll32.exe, PID 948 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: decrypt-main.dll.dll

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s3-r-w.sa-east-1.amazonaws.com	appdata -MpSvc.dll	Get hash	malicious	Unknown	Browse	3.5.234.32
	appdata -MpSvc.dll	Get hash	malicious	Unknown	Browse	3.5.233.174
	00023948209303294#U00ac320302282349843984903.exe	Get hash	malicious	Unknown	Browse	3.5.232.137
	00023948209303294#U00ac320302282349843984903.exe	Get hash	malicious	Unknown	Browse	16.12.1.14
	0219830219301290321012notas.exe	Get hash	malicious	Unknown	Browse	3.5.232.21
	0219830219301290321012notas.exe	Get hash	malicious	Unknown	Browse	3.5.234.1
	0923840932020004-3-0.exe	Get hash	malicious	Unknown	Browse	3.5.232.185
	WKYC506_2389030007-00901003007010_777380775_#U00b2.exe	Get hash	malicious	Unknown	Browse	52.95.163.114
	WKYC506_2389030007-00901003007010_777380775_#U00b2.exe	Get hash	malicious	Unknown	Browse	16.12.0.34

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	K1Zy8G0qc9.elf	Get hash	malicious	Gafgyt	Browse	34.243.160.129
	http://www.appliedchip.sa.com/ujgcbwgpip/nnwt2533uesekxt/aGgsGAM1rJDuWVBdVh1dKJWAZCvQCU2pDgRa7zmgHJ0/7sv5N0n1ZnaIRYSVbZ2ydPYUo8nqg1WkfjRfcseTbBNZvzw2ZIkMjyEARIwtw95I	Get hash	malicious	Unknown	Browse	18.238.49.28
	YYh2P0kLYU.elf	Get hash	malicious	Gafgyt	Browse	54.217.10.153
	u2tYT9wtaT.elf	Get hash	malicious	Gafgyt	Browse	54.171.230.55
	Zimbra Web Client Sign In13.htm	Get hash	malicious	Unknown	Browse	18.238.49.126
	KbmRPY5t1V.elf	Get hash	malicious	Gafgyt	Browse	34.243.160.129
	linux_arm7.elf	Get hash	malicious	Chaos	Browse	34.254.182.186
	jqytEdh6Gw.elf	Get hash	malicious	Gafgyt	Browse	34.249.145.219
	na.elf	Get hash	malicious	Mirai	Browse	65.0.213.204
	na.elf	Get hash	malicious	Mirai	Browse	18.152.28.104

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	E-dekont.exe	Get hash	malicious	AgentTesla	Browse	52.95.163.36
	MT103.exe	Get hash	malicious	AgentTesla	Browse	52.95.163.36
	BL copy.exe	Get hash	malicious	FormBook, GuLoader	Browse	52.95.163.36
	2257HVL2300001691.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	52.95.163.36
	Bibeskftigelserne221.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	52.95.163.36
	https://us02web.zoom.us/j/81580289193?pwd=VjdCRUE1bjQ4dEpWUkpOR0poRm12dz09	Get hash	malicious	Unknown	Browse	52.95.163.36
	Interviewed.exe	Get hash	malicious	FormBook, GuLoader	Browse	52.95.163.36
	Scanned PO Copy.vbs	Get hash	malicious	FormBook, GuLoader	Browse	52.95.163.36
	EandP_approval_0311202401266.vbs	Get hash	malicious	XWorm	Browse	52.95.163.36

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_dec_2270e996a4650153f925c744fbbf6c68415b9_b4dfb63c_09e72ab3-6283-447a-8caf-2530b1926e5b\Report.wer

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8483375234553934
Encrypted:	false
SSDEEP:	96:vmFjk6EuiCyKynsjZ4RvSCppfxPQXIDcQtZc6t1ZcEmcw3HXaXz+HbHgSQgJjy+s:u7iCynJ4097Z8jjaWwzuiFvZ24lO8J
MD5:	B60AC78A03E76A14A229B35C584EBB11
SHA1:	497663699930AA1D7848CA3BD192A217FCF17E11
SHA-256:	4F006979B75F107471EDC79A8C1B009BBB36C44EF69526B3013CF7545C89CDD3
SHA-512:	E4B282F6A9F1BC677829DF56EAF125CD6447C963B52E3355FE4B4EDF6CD0401EF62710A122748423CA4D49DB734C10CBDEA1BB010EAB1FF72E02D9BBB6993784
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.4.8.1.9.2.8.8.4.0.1.2.4.4.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.4.8.1.9.2.8.8.9.4.8.1.2.9.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.9.e.7.2.a.b.3.-.6.2.8.3.-.4.4.7.a.-.8.c.a.f.-.2.5.3.0.b.1.9.2.6.e.5.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.6.9.e.3.e.1.6.-.d.a.8.e.-.4.5.5.8.-.b.f.3.6.-.0.c.c.b.f.3.c.2.4.f.f.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.d.e.c.r.y.p.t.-.m.a.i.n...d.l.l...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.7.4.-.0.0.0.1.-.0.0.1.5.-.3.5.1.d.-.f.6.b.4.5.f.7.5.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_dec_2270e996a4650153f925c744fbbf6c68415b9_b4dfb63c_5726b548-f0b8-44b7-8e4c-0a50bf69bd56\Report.wer

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8484596487229368
Encrypted:	false
SSDEEP:	96:KAVFlguixyKy4sjZ4RvSCppfxPQXIDcQtZc6t1ZcEmcw3HXaXz+HbHgSQgJjy+Um:XFixy4J4097Z8jjKuwzuiFvZ24lO8J
MD5:	79909763CBF12F206BF63ECF43B1FB11
SHA1:	C92CE75905489B4BFF4C237B8463988E62580BAB
SHA-256:	742601A0F4D65897EEBB1886D0A46C2BCA813C12B02BEC6067C725AF30C9D4EF
SHA-512:	6A4792CB4374BD06285D286783A09A960D34D8E478E4455B320A30BD6933CDC718700634A65120501ED0915787CC1C1A74BE56B0E29AC511E53B05AE93EA7EAA
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.4.8.1.9.2.8.5.1.4.1.4.1.1.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.4.8.1.9.2.8.5.6.2.5.7.6.8.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.7.2.6.b.5.4.8.-.f.0.b.8.-.4.4.b.7.-.8.e.4.c.-.0.a.5.0.b.f.6.9.b.d.5.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.3.b.1.e.1.f.4.-.0.d.8.7.-.4.6.8.c.-.9.b.c.8.-.1.2.a.1.e.b.0.1.1.a.7.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.d.e.c.r.y.p.t.-.m.a.i.n...d.l.l...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.e.8.-.0.0.0.1.-.0.0.1.5.-.9.e.b.6.-.1.5.b.3.5.f.7.5.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_dec_27d8c3fe9e4ce467db0e38d9cdded62657c28_b4dfb63c_07fe291b-769a-411f-9cce-c267542d2e67\Report.wer

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.85223844785682
Encrypted:	false
SSDEEP:	96:NbFcPui7yKyRsjZ4RvSCpxL6tQXIDcQkc6wZcEGcw3OsUZXaXz+HbHgSQgJjy+UQ:phi7yRD06UZMKFBjauwzuiFvZ24lO8W
MD5:	098DBCF2F81F6DBE0FED3342DCC607C2
SHA1:	FB669304A0FC72250BFBED5F06AE2C51A4DBD0FE
SHA-256:	3045B5E1D97EDD97C1F229FFC555EA6577B52BAF68A654B1B5849BF264835D35
SHA-512:	9524BD7B95F9FA8D4A70019C0AA529539C89AFF51F3EE597445B70A7F1D5E1DE8099CA5647E6E067AD3F9488840AD982458105219C7F8B82F2C89B5026664A0A
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.4.8.1.9.2.7.9.3.0.4.9.9.4.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.4.8.1.9.2.8.0.1.1.7.4.9.0.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.7.f.e.2.9.1.b.-.7.6.9.a.-.4.1.1.f.-.9.c.c.e.-.c.2.6.7.5.4.2.d.2.e.6.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.5.a.f.9.2.1.b.-.8.b.6.c.-.4.4.0.9.-.b.e.3.1.-.c.9.c.8.6.6.5.d.8.0.1.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.d.e.c.r.y.p.t.-.m.a.i.n...d.l.l...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.3.b.4.-.0.0.0.1.-.0.0.1.5.-.9.b.a.b.-.7.9.a.f.5.f.7.5.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_dec_e26d2cbdf0ab1647723bb3a38bd2737c2e0af57_b4dfb63c_b9ef1030-2491-4365-a391-35e17ec755ab\Report.wer

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1056140293456171
Encrypted:	false
SSDEEP:	192:KOKizyXDI03+3h6jaun1jfNzuiFvZ24lO8J:9KiGXDj3+3ojNNzuiFvY4lO8J
MD5:	17AEEB550D2C297189F741778D996C72
SHA1:	646F9DB8B5F3526AC0406AA3B7FB4A45447A8383
SHA-256:	F9345968C01B0271CB3D520A63E8ED10B175905040E732612C01A2151CB12233
SHA-512:	F23CCA4B3B12FDA0D2CD052672653E956E27BA3C5B35CD3B698A8C117C7B438E34C2C5D3AA9E6BDCE39520FB8F045F61B703DA6DF8921C04B29E9290036F3A57
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.4.8.1.9.2.8.1.7.1.8.9.0.9.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.4.8.1.9.2.8.2.5.4.7.0.4.0.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.9.e.f.1.0.3.0.-.2.4.9.1.-.4.3.6.5.-.a.3.9.1.-.3.5.e.1.7.e.c.7.5.5.a.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.c.a.5.d.9.5.1.-.3.8.5.c.-.4.8.e.d.-.9.a.e.b.-.9.2.d.5.e.0.5.2.b.9.b.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.d.e.c.r.y.p.t.-.m.a.i.n...d.l.l...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.d.c.-.0.0.0.1.-.0.0.1.5.-.e.c.b.f.-.7.7.a.f.5.f.7.5.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER811A.tmp.dmp

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Mar 13 16:01:19 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	58416
Entropy (8bit):	1.6978597331169087
Encrypted:	false
SSDEEP:	192:ACJ7XqkUu9jgOMNMBKOtj6S5s9aer8uIKVMMEZvuT:fXNUu9kMBK0880+Myvi
MD5:	74F49ABF11E187DD6AD61AF8C87B299E
SHA1:	282F639186C50783AB5ABD564C13CC5A03E044FC
SHA-256:	82BAFB0F67FE74A52BEF8C0119B1151362F89C4A0A40738A89DF813118FD1C4E
SHA-512:	D31531B01205BF4B6C1F902F6CA3013B990976431BBAB5E4792C9CEFEC6D44FAF48D29015A2D94191957F4F29B150EF7FBDFDEA7D8901E2C0C2909EB34BA8AB2
Malicious:	false
Preview:	MDMP..a..... ..........e........................................~...........T.......8...........T........... ............... ...........................................................................................eJ..............Lw......................T..............e.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8206.tmp.WERInternalMetadata.xml

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8828
Entropy (8bit):	3.693836017561133
Encrypted:	false
SSDEEP:	192:R6l7wVeJIlBCui6YBB+fgmf2INmFJTprO89bBe9fZLm:R6lXJ6Qui6YnOgmf2Iu3BUfo
MD5:	46DE451CB5999E8EFB852980329FA17E
SHA1:	AA56940B4D7DDC4ABEF364F0BFFF595AB931A8A6
SHA-256:	F63B5B49262B43745AB27D591ADAF0B908C3CD28C225AECDBA3480BD5FF1F371
SHA-512:	ECB448FEA6371CFC433EA35E484ED6415281CBE32888D869509BBFA359DA4C0BCD10A0BAAC34867418F5FF74DB6313A9CBC3C06D117B06DF47E6D7615B7A4198
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.9.4.8.<./.P.i.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8235.tmp.xml

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4902
Entropy (8bit):	4.471607699568587
Encrypted:	false
SSDEEP:	48:cvIwWl8zsXJg771I98nWpW8VYnYm8M4JC2CU/FzHyq8vhUJptSTSAd:uIjf5I73W7V3JdHWmpoOAd
MD5:	D29537DE1C7795CCC732F4FF62504B61
SHA1:	9CCE56500279AB5376655C2795028D990C9847D0
SHA-256:	9F10953F83CA135BB2A3D145B8C8A4C2C5A1D68FBB2C0550A2ED2A448041D5E9
SHA-512:	4D2C79F81335090378F1ECF40F49125C569CEA4029F893251B050EB226B76727578953DD9AADBC7DB3288212AB567E0CC5AF06E766E9F1EE2921EA124E4BD951
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="233704" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8A80.tmp.dmp

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Mar 13 16:01:22 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	163588
Entropy (8bit):	1.6184346238812257
Encrypted:	false
SSDEEP:	384:ZWLOkMsWB5RXru2dNnEsMZMaICFZJYtehoJgJoCXenV4IBd5GlHyMrSY:COHsWBrS2dY4ehoJgJoCIxBnwGY
MD5:	F832A489AE7765676B2BD98A3C134C20
SHA1:	A3CB6C65F2920DAA2498FB0F82767F58B1B63840
SHA-256:	99570DC45147AD45D4AF6149AB0C81E5E555C92EA4EE559A585869733566B690
SHA-512:	71A62E1CAF7CF4E32D0757C3AF6CB9ED0C74B9758F28CAF620418E6268D3599763B5E5E7A30B72A2045C405628314257E681AE4739020A5162639615A971397E
Malicious:	false
Preview:	MDMP..a..... ..........e....................................4...._..........T.......8...........T............L...2..........p%..........\'..............................................................................eJ.......'......Lw......................T..............e.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8C95.tmp.WERInternalMetadata.xml

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	9004
Entropy (8bit):	3.70717518240535
Encrypted:	false
SSDEEP:	192:R6l7wVeJQGQ6Yj5Hgmf3R4l00ETprH89bh/CfMLm:R6lXJ5Q6YdHgmf3R4lHhKft
MD5:	22E35C2335E5C40D1529A3B7919257C4
SHA1:	A357F8961D2D63D11100E3F2BCE5F8F23E054A2F
SHA-256:	A1EFF4B56D97802E31CB95A67ADC8BACA350FB7C0E5771AA738368FAD292D8B7
SHA-512:	CC22D4A41FA788E6C9FCDF9C4E70E5E5D7DC051B213977CFEC9A2EA33882D1C5BF7657CFE8D63B8E0DDF3CA6B42F3913F5320FE78A7309EB5DD5A9C721DA7667
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.7.5.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8CC5.tmp.xml

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4788
Entropy (8bit):	4.50536706303624
Encrypted:	false
SSDEEP:	48:cvIwWl8zsXJg771I98nWpW8VYZYm8M4JC2CU6Fhcyq85mcxWptSTSsd:uIjf5I73W7VJJ5sWpoOsd
MD5:	21AA7917931AFA014E3553A5455D49C2
SHA1:	AE00E3F1032701317BF4E43A0F85A4786458FEF3
SHA-256:	B6ADE658C07F63295A5BBFFE21518CF3702BB8DDDA72C7C581BF12135309E0AD
SHA-512:	A134863F99CC4B301B155C680629C7B7D4BDDA99073193E7EC96220248141EC663622EF155FE2C0C7A9B75BDCBB9A510682FDABE5465160E2AD4FBE4A55CE71C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="233704" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER97DE.tmp.dmp

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Mar 13 16:01:25 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	70812
Entropy (8bit):	1.5692295042160604
Encrypted:	false
SSDEEP:	192:G8/3G5NPQQtXOM6MHlE6ss1t4hm2y56bEvw3ZfmOPFHg5PQt5b8d:D25lQQonMHlE6ss/eVmOPa5PO4
MD5:	C43A2CC32EBEE32B578A2A821875327C
SHA1:	F237A11EBE05C0BEA4FC5CA42F1B62E2C1F56737
SHA-256:	1E170FA9881962697DA90D3BB6570C347D60F4E323E39F8D098A90DF75A984D9
SHA-512:	0F4919B6327EC5FB937D7CD891A595A07900175B2F40495D5C9A8C87C5207C2E23315A7DE8D03906459A23A03B97313062BD8AC62CD4457D68E5F2065D56843E
Malicious:	false
Preview:	MDMP..a..... ..........e....................................$...~3..........T.......8...........T...........................P...........<...............................................................................eJ..............Lw......................T..............e.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER989B.tmp.WERInternalMetadata.xml

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8986
Entropy (8bit):	3.7027868828474215
Encrypted:	false
SSDEEP:	192:R6l7wVeJclaPe6YjvmHgmf3rWFvTprO89buECf36m:R6lXJuaPe6YjmHgmf3rWFBupfb
MD5:	1800297F9C73CA0EA1ABE0843F926951
SHA1:	50DE789B56AB3CC66269F7DDA54DA277A61C92E3
SHA-256:	88AB867B617604B34862CF1551B48DFCC17F96985CF883934FA497F6E97F347F
SHA-512:	58F4432C0C13397788A3DFEA8A8EC7F184EF9331147B2E7DD8C3C70D1F0F278706FD12C1C9839E65A3E2A729E53DDBB91DD99E43838CCBFC433A430D948E26AE
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.0.7.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER98DA.tmp.xml

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4784
Entropy (8bit):	4.482119788685306
Encrypted:	false
SSDEEP:	48:cvIwWl8zsXJg771I98nWpW8VYiYm8M4JC2CUKFtyq85mQexptSTSxd:uIjf5I73W7VyJy9xpoOxd
MD5:	1E73CDF4B2014414B98D87159C136466
SHA1:	BE515FF804A463832779C7B8FFE4AA53779AFEE3
SHA-256:	F1E02908BC88E9B32BF6DBCB240A1B14DC264CBC1C264CBE9A2382BB348BED52
SHA-512:	6A69C055C3FC29045FF8D1534E2955FF4DDFAE98659F79CF2BBA316060CC064D78B5C9C12D6031E946F5F421BFDE9447C9F5D666CBF5BDF5117A7CBEB8A95EE9
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="233704" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA4B0.tmp.dmp

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Mar 13 16:01:28 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	61372
Entropy (8bit):	1.6756530960994802
Encrypted:	false
SSDEEP:	192:Hq4CXqkUup/4OMdM499HSddfGduA0ENksckYHismDaHiFMEqz5OC/:KPXNUupgM69ATmDatBVOW
MD5:	00CAE3143F69C76F94BBF8D7DEA44FCC
SHA1:	AE52379B006B8F8864525735DE52720165836E18
SHA-256:	2F12CF8949E6CBA0A38EFDBBE61D5FF660635AC22008FFAF46AF98681202EC2A
SHA-512:	9816F04003CA21F1B23E6D6BA443F69FF2BBAADEC8175DF7656319AF4013852382DAC14A87D8EEC60DD3DE3FC1D525184E792CB6A898A3B1497135DB5FA7FD76
Malicious:	false
Preview:	MDMP..a..... ..........e........................................~...........T.......8...........T........................... ...........................................................................................eJ..............Lw......................T.......t......e.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA58B.tmp.WERInternalMetadata.xml

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	9006
Entropy (8bit):	3.702694951219571
Encrypted:	false
SSDEEP:	192:R6l7wVeJwD9u3g6YjDl+MNgmf3rWFvTprB89bbnCfnJm:R6lXJU9u3g6Yvl+MNgmf3rWFIbCfk
MD5:	3C2A36D680AB34330AF96A1F977469F1
SHA1:	40C3E6F3845161F1BC81898FC2604D0BEA352324
SHA-256:	95F7AEE090A233A67320BCC3DC40D295259557947758D0D1F426ED7583373FBF
SHA-512:	D87E8992817FC5B2B24FD9CEBFF532B686BCEBCE07C38CD56873DDB837710423FF48623EF63FAC1EA519239757D96A2BCFABC149ACB24D7483D61E9D740A3F0F
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.2.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA5CB.tmp.xml

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4784
Entropy (8bit):	4.485551881260071
Encrypted:	false
SSDEEP:	48:cvIwWl8zsXJg771I98nWpW8VYpYm8M4JC2CUKFJ7yq85mQNptSTSQd:uIjf5I73W7V9JO+poOQd
MD5:	1FA5F96464C95C1B89419DD8C6DC4613
SHA1:	9B0ACE800C8A3F6557C6A5C8DEAF14DFF991ABE5
SHA-256:	7B9577F8C6829676AF0561636074F79A998460C809E0E5C004681F2F48BD787E
SHA-512:	2831545F38427D43A61DD2EC7EE4B38636FBC119A0BBE142FB0ED895519945D58720760F981C1D56071C7D56086E7DD139D21895976C0E5F4F9D87B270D09147
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="233704" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.469524156333331
Encrypted:	false
SSDEEP:	6144:UzZfpi6ceLPx9skLmb0fYZWSP3aJG8nAgeiJRMMhA2zX4WABluuNMjDH5S:aZHtYZWOKnMM6bFpaj4
MD5:	6ACFB84F3F9E763CC9A22DEA3DCE603C
SHA1:	62AED76D34EAA0E5CF43C888753E6F7EF82BEB2B
SHA-256:	8042A5C3B3E6FAA6EC04D1014FBC4B3A49E6095F8E68A0AE13BE9430025B3566
SHA-512:	A3E96F0238569F824B3CBA0A79673618E1FC8B4F0FB4E09E958833DCF0DF377EB638FE021DE3EE16A65FB6D444F0888340DDD4C393F5C2A6726EE93CA58F3EFD
Malicious:	false
Preview:	regfK...K....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm&.._u........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):	5.979646090579889
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	decrypt-main.dll.dll
File size:	5'330'944 bytes
MD5:	1715ba4aa4ff4c70e66943076f3236ac
SHA1:	f57bfbe116f915e5525c5eff36b5eb5969282171
SHA256:	faebf87c3ff1345bbd5910fe4633b2b49dc83fe62b400ecaa102594d5edb39f0
SHA512:	ad06e05a1cdc6a92af67c8b96ff708bb92e25e5b021478c7e7f1df13eca9223d107f1de9467d1d24efcf831602ab816d491e68d37b98883b8410642583f7ef48
SSDEEP:	49152:5DEhDXc+rWZtaJ8CifXdpbnaSl+lcOFo66bJeaE3g6XGTkN6h:5WUaJri/zfTsRq
TLSH:	233639BB76A482A9C16EC13ED0E38F00D933B1B61733C6E7629143652E469D46F3F661
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win64..$7.......................................................................................................................................

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x8167d0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:
Time Stamp:	0x65E92BED [Thu Mar 7 02:52:29 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	e015ba11e1ddaa5380318c50a8051d1f

Entrypoint Preview

Instruction
push ebp
dec eax
sub esp, 00000180h
dec eax
mov ebp, esp
dec eax
mov dword ptr [ebp+30h], ecx
mov dword ptr [ebp+3Ch], edx
dec esp
mov dword ptr [ebp+40h], eax
nop
dec eax
lea ecx, dword ptr [ebp+48h]
call 00007FDD90EB2F65h
cmp eax, 01h
setle cl
dec eax
movzx ecx, cl
mov dword ptr [ebp+0000017Ch], ecx
test eax, eax
jne 00007FDD912B9FA2h
dec eax
lea ecx, dword ptr [ebp+48h]
dec eax
lea edx, dword ptr [00000051h]
dec esp
mov eax, dword ptr [ebp+30h]
inc esp
mov ecx, dword ptr [ebp+3Ch]
dec eax
mov eax, dword ptr [ebp+40h]
dec eax
mov dword ptr [esp+20h], eax
call 00007FDD90EBD580h
jmp 00007FDD912B9F7Ah
nop
nop
call 00007FDD90EB2787h
nop
call 00007FDD90EB3081h
mov eax, dword ptr [ebp+0000017Ch]
dec eax
lea esp, dword ptr [ebp+00000180h]
pop ebp
ret
dec eax
lea eax, dword ptr [eax+00h]
dec eax
lea eax, dword ptr [00000000h+eax]
dec eax
sub esp, 28h
call 00007FDD90EB268Ch
dec eax
add esp, 28h
ret
add byte ptr [eax], al
enter 0000h, 00h
add byte ptr [eax], al
add byte ptr [eax], al
nop
push 00000081h
add byte ptr [eax], al
jnc 00007FDD912B9F8Ch
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [ebp-7Fh], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx+00h], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
test al, 48h
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax-54h], ah
inc ecx
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x49b000	0xcc	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x494000	0x5134	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x513000	0x13400	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x4d4000	0x3e160	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x49d000	0x36e34	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x495500	0x1308	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x49a000	0xf2a	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x423f70	0x424000	b7f27458062548a6937770656e7e3fc1	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x425000	0x62620	0x62800	9a2bac6930b172b6685b28ba442630cd	False	0.26204344463832485	data	4.902591015474462	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x488000	0xbf9c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x494000	0x5134	0x5200	703a5e532c59ee1f8016d0490c2480cd	False	0.2421875	data	4.251729395494642	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0x49a000	0xf2a	0x1000	c373d4d2586c9b286933e221aadd59bc	False	0.253662109375	data	3.24473098416006	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x49b000	0xcc	0x200	09500bfbbf513ed005e4bb6dff2efa39	False	0.345703125	data	2.4492227742982298	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rdata	0x49c000	0x44	0x200	c8956fe83c39059a06fbaa227b86bb22	False	0.15625	data	1.1709274092963795	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x49d000	0x36e34	0x37000	099680a7bdd7617d15c3ab408e1cbd03	False	0.46367631392045455	data	6.45364680864244	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.pdata	0x4d4000	0x3e160	0x3e200	fb0adaccc8febc7d9f0cb5f536122620	False	0.4902186556841046	data	6.396233810440188	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x513000	0x13400	0x13400	bb501744d3457770d2c2e99247451795	False	0.24665178571428573	data	5.0560496894268265	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x51432c	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x514460	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x514594	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x5146c8	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x5147fc	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x514930	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x514a64	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_BITMAP	0x514b98	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x514d68	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380	English	United States	0.46487603305785125
RT_BITMAP	0x514f4c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x51511c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39870689655172414
RT_BITMAP	0x5152ec	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.4245689655172414
RT_BITMAP	0x5154bc	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5021551724137931
RT_BITMAP	0x51568c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5064655172413793
RT_BITMAP	0x51585c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x515a2c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5344827586206896
RT_BITMAP	0x515bfc	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x515dcc	0x5c	Device independent bitmap graphic, 6 x 11 x 1, image size 44	English	United States	0.391304347826087
RT_BITMAP	0x515e28	0x5c	Device independent bitmap graphic, 6 x 11 x 1, image size 44	English	United States	0.532608695652174
RT_BITMAP	0x515e84	0x5c	Device independent bitmap graphic, 6 x 11 x 1, image size 44	English	United States	0.4782608695652174
RT_BITMAP	0x515ee0	0x5c	Device independent bitmap graphic, 6 x 11 x 1, image size 44	English	United States	0.5543478260869565
RT_BITMAP	0x515f3c	0x5c	Device independent bitmap graphic, 6 x 11 x 1, image size 44	English	United States	0.4673913043478261
RT_BITMAP	0x515f98	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.328042328042328
RT_BITMAP	0x516408	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.3289241622574956
RT_BITMAP	0x516878	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.40476190476190477
RT_BITMAP	0x516ce8	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.09435626102292768
RT_BITMAP	0x517158	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.23721340388007053
RT_BITMAP	0x5175c8	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.29188712522045857
RT_BITMAP	0x517a38	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.1675485008818342
RT_BITMAP	0x517ea8	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.2892416225749559
RT_BITMAP	0x518318	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.2751322751322751
RT_BITMAP	0x518788	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.30776014109347444
RT_BITMAP	0x518bf8	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.2777777777777778
RT_BITMAP	0x519068	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.41887125220458554
RT_STRING	0x5194d8	0x624	data			0.3333333333333333
RT_STRING	0x519afc	0xb3c	data			0.2437413073713491
RT_STRING	0x51a638	0x22c	data			0.4172661870503597
RT_STRING	0x51a864	0x33c	data			0.43719806763285024
RT_STRING	0x51aba0	0x488	data			0.32413793103448274
RT_STRING	0x51b028	0x508	data			0.2694099378881988
RT_STRING	0x51b530	0x494	data			0.40017064846416384
RT_STRING	0x51b9c4	0x3dc	data			0.3248987854251012
RT_STRING	0x51bda0	0x358	data			0.4485981308411215
RT_STRING	0x51c0f8	0x404	StarOffice Gallery theme l, 1677731072 objects, 1st l			0.41245136186770426
RT_STRING	0x51c4fc	0xa0	data			0.7125
RT_STRING	0x51c59c	0xe4	data			0.6359649122807017
RT_STRING	0x51c680	0x2c4	data			0.4138418079096045
RT_STRING	0x51c944	0x254	data			0.4865771812080537
RT_STRING	0x51cb98	0x3d0	data			0.3698770491803279
RT_STRING	0x51cf68	0x3b8	data			0.3760504201680672
RT_STRING	0x51d320	0x47c	data			0.3423344947735192
RT_STRING	0x51d79c	0x38c	data			0.3634361233480176
RT_STRING	0x51db28	0x2c4	data			0.3559322033898305
RT_STRING	0x51ddec	0x3f8	data			0.39173228346456695
RT_STRING	0x51e1e4	0x524	data			0.3844984802431611
RT_STRING	0x51e708	0x4ac	data			0.31605351170568563
RT_STRING	0x51ebb4	0x3b0	data			0.3707627118644068
RT_STRING	0x51ef64	0x39c	data			0.32142857142857145
RT_STRING	0x51f300	0x40c	data			0.3735521235521235
RT_STRING	0x51f70c	0xf4	data			0.5491803278688525
RT_STRING	0x51f800	0xc4	data			0.6275510204081632
RT_STRING	0x51f8c4	0x268	data			0.48863636363636365
RT_STRING	0x51fb2c	0x434	data			0.3308550185873606
RT_STRING	0x51ff60	0x360	data			0.38425925925925924
RT_STRING	0x5202c0	0x2ec	data			0.37566844919786097
RT_STRING	0x5205ac	0x31c	data			0.34296482412060303
RT_RCDATA	0x5208c8	0x10	data			1.5
RT_RCDATA	0x5208d8	0x7c8	data			0.5281124497991968
RT_RCDATA	0x5210a0	0x2	data	English	United States	5.0
RT_RCDATA	0x5210a4	0xc45	Delphi compiled form 'TFJustificativa'			0.3081821076090417
RT_RCDATA	0x521cec	0x2291	Delphi compiled form 'TFReceber'			0.15323765397220024
RT_RCDATA	0x523f80	0xb75	Delphi compiled form 'TF_Abundant'			0.4302761677463348
RT_RCDATA	0x524af8	0xcc9	Delphi compiled form 'TF_FlatLandPianoMovers'			0.43568591506263366
RT_RCDATA	0x5257c4	0x494	Delphi compiled form 'TLoginDialog'			0.48976109215017066
RT_RCDATA	0x525c58	0x3c4	Delphi compiled form 'TPasswordDialog'			0.4678423236514523
RT_GROUP_CURSOR	0x52601c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x526030	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x526044	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x526058	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x52606c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x526080	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x526094	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_VERSION	0x5260a8	0x218	data	English	United States	0.48134328358208955

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll	CharNextW, LoadStringW
kernel32.dll	Sleep, VirtualFree, VirtualAlloc, lstrlenW, VirtualQuery, QueryPerformanceCounter, GetTickCount, GetSystemInfo, GetVersion, CompareStringW, IsValidLocale, SetThreadLocale, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetLocaleInfoW, WideCharToMultiByte, MultiByteToWideChar, GetACP, LoadLibraryExW, GetStartupInfoW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetCommandLineW, FreeLibrary, GetLastError, UnhandledExceptionFilter, RtlUnwindEx, RtlUnwind, RaiseException, ExitProcess, ExitThread, SwitchToThread, GetCurrentThreadId, CreateThread, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, FindFirstFileW, FindClose, WriteFile, GetStdHandle, CloseHandle
kernel32.dll	GetProcAddress, RaiseException, LoadLibraryA, GetLastError, TlsSetValue, TlsGetValue, TlsFree, TlsAlloc, LocalFree, LocalAlloc, FreeLibrary
user32.dll	SetClassLongPtrW, GetClassLongPtrW, SetWindowLongPtrW, GetWindowLongPtrW, CreateWindowExW, WindowFromPoint, WaitMessage, ValidateRect, UpdateWindow, UnregisterClassW, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoW, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCaret, SetWindowRgn, SetWindowsHookExW, SetWindowTextW, SetWindowPos, SetWindowPlacement, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetKeyboardState, SetForegroundWindow, SetFocus, SetCursorPos, SetCursor, SetClipboardData, SetCaretPos, SetCapture, SetActiveWindow, SendMessageA, SendMessageW, ScrollWindowEx, ScrollWindow, ScreenToClient, RemovePropW, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageW, RegisterClipboardFormatW, RegisterClassW, RedrawWindow, PostQuitMessage, PostMessageW, PeekMessageA, PeekMessageW, OpenClipboard, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MoveWindow, MessageBoxW, MessageBeep, MapWindowPoints, MapVirtualKeyW, LoadStringW, LoadKeyboardLayoutW, LoadImageW, LoadIconW, LoadCursorW, LoadBitmapW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsIconic, IsDialogMessageA, IsDialogMessageW, IsClipboardFormatAvailable, IsChild, IsCharAlphaNumericW, IsCharAlphaW, InvalidateRect, InsertMenuItemW, InsertMenuW, HideCaret, GetWindowThreadProcessId, GetWindowTextW, GetWindowRect, GetWindowPlacement, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetScrollBarInfo, GetPropW, GetParent, GetWindow, GetMessageTime, GetMessagePos, GetMessageExtraInfo, GetMessageW, GetMenuStringW, GetMenuState, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetIconInfo, GetForegroundWindow, GetFocus, GetDoubleClickTime, GetDlgCtrlID, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameW, GetClassInfoExW, GetClassInfoW, GetCaretPos, GetCapture, GetActiveWindow, FrameRect, FindWindowExW, FindWindowW, FillRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EnumChildWindows, EndPaint, EndMenu, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextExW, DrawTextW, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DispatchMessageW, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DestroyCaret, DeleteMenu, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreatePopupMenu, CreateMenu, CreateIcon, CreateCaret, CreateAcceleratorTableW, CountClipboardFormats, CopyImage, CopyIcon, CloseClipboard, ClientToScreen, ChildWindowFromPoint, CheckMenuItem, CharUpperBuffW, CharUpperW, CharNextW, CharLowerBuffW, CharLowerW, CallWindowProcW, CallNextHookEx, BeginPaint, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll	UnrealizeObject, StretchDIBits, StretchBlt, StartPage, StartDocW, SetWindowOrgEx, SetWindowExtEx, SetWinMetaFileBits, SetViewportOrgEx, SetViewportExtEx, SetTextColor, SetStretchBltMode, SetRectRgn, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SetAbortProc, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RoundRect, RestoreDC, ResizePalette, Rectangle, RectVisible, RealizePalette, Polyline, Polygon, PolyPolyline, PolyBezierTo, PolyBezier, PlayEnhMetaFile, Pie, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsW, GetTextExtentPointW, GetTextExtentPoint32W, GetSystemPaletteEntries, GetStretchBltMode, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectW, GetNearestPaletteIndex, GetNearestColor, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionW, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, FrameRgn, ExtTextOutW, ExtFloodFill, ExtCreatePen, ExcludeClipRect, EnumFontsW, EnumFontFamiliesExW, EndPage, EndDoc, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateICW, CreateHalftonePalette, CreateFontIndirectW, CreateDIBitmap, CreateDIBSection, CreateDCW, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileW, Chord, BitBlt, ArcTo, Arc, AngleArc, AbortDoc
version.dll	VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
kernel32.dll	lstrcmpW, WriteFile, WinExec, WideCharToMultiByte, WaitForSingleObject, WaitForMultipleObjectsEx, VirtualQueryEx, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, VerSetConditionMask, VerifyVersionInfoW, UnmapViewOfFile, TryEnterCriticalSection, TerminateProcess, SystemTimeToFileTime, SwitchToThread, SuspendThread, Sleep, SizeofResource, SetThreadPriority, SetThreadLocale, SetLastError, SetFileTime, SetFilePointer, SetFileAttributesW, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, RemoveDirectoryW, ReadFile, RaiseException, QueryPerformanceFrequency, QueryPerformanceCounter, QueryDosDeviceW, IsDebuggerPresent, OpenProcess, MulDiv, MapViewOfFile, LockResource, LocalFree, LocalFileTimeToFileTime, LoadResource, LoadLibraryW, LeaveCriticalSection, IsValidLocale, InitializeCriticalSection, HeapSize, HeapFree, HeapDestroy, HeapCreate, HeapAlloc, GlobalUnlock, GlobalSize, GlobalLock, GlobalFree, GlobalFindAtomW, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomW, GetVolumeInformationW, GetVersionExW, GetVersion, GetTimeZoneInformation, GetTickCount, GetThreadPriority, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLogicalDrives, GetLogicalDriveStringsW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesExW, GetFileAttributesW, GetExitCodeThread, GetExitCodeProcess, GetDriveTypeW, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCPInfoExW, GetCPInfo, GetACP, FreeResource, FreeLibrary, FormatMessageW, FindResourceW, FindNextFileW, FindFirstFileW, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumSystemLocalesW, EnumResourceNamesW, EnumCalendarInfoW, EnterCriticalSection, DeleteFileW, DeleteCriticalSection, CreateThread, CreateFileMappingW, CreateFileW, CreateEventW, CreateDirectoryW, CompareStringW, CloseHandle
advapi32.dll	RegUnLoadKeyW, RegSetValueExW, RegSaveKeyW, RegRestoreKeyW, RegReplaceKeyW, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExW, RegLoadKeyW, RegFlushKey, RegEnumValueW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegConnectRegistryW, RegCloseKey
kernel32.dll	Sleep
netapi32.dll	NetApiBufferFree, NetWkstaGetInfo
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
oleaut32.dll	GetErrorInfo, SysFreeString
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoTaskMemAlloc, CoCreateInstance, CoUninitialize, CoInitialize, IsEqualGUID
comctl32.dll	InitializeFlatSB, FlatSB_SetScrollProp, FlatSB_SetScrollPos, FlatSB_SetScrollInfo, FlatSB_GetScrollPos, FlatSB_GetScrollInfo, _TrackMouseEvent, ImageList_GetImageInfo, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Copy, ImageList_LoadImageW, ImageList_GetIcon, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_SetOverlayImage, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
user32.dll	EnumDisplayMonitors, GetMonitorInfoW, MonitorFromPoint, MonitorFromRect, MonitorFromWindow
msvcrt.dll	memset, memcpy
shell32.dll	ShellExecuteExW, ShellExecuteW, Shell_NotifyIconW
URLMON.DLL	URLDownloadToFileW
shell32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW
winspool.drv	OpenPrinterW, EnumPrintersW, DocumentPropertiesW, ClosePrinter
winspool.drv	GetDefaultPrinterW
kernel32.dll	MulDiv

Exports

Name	Ordinal	Address
HackCheck	5	0x816700
ServiceCrtMain	4	0x816700
TMethodImplementationIntercept	3	0x498cf0
__dbk_fcall_wrapper	2	0x419ae0
dbkFCallWrapperAddr	1	0x88e290

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 13, 2024 17:01:21.588476896 CET	49723	443	192.168.2.6	52.95.163.36
Mar 13, 2024 17:01:21.588501930 CET	443	49723	52.95.163.36	192.168.2.6
Mar 13, 2024 17:01:21.588551998 CET	49723	443	192.168.2.6	52.95.163.36
Mar 13, 2024 17:01:21.602117062 CET	49723	443	192.168.2.6	52.95.163.36
Mar 13, 2024 17:01:21.602127075 CET	443	49723	52.95.163.36	192.168.2.6
Mar 13, 2024 17:01:22.214008093 CET	443	49723	52.95.163.36	192.168.2.6
Mar 13, 2024 17:01:22.214097023 CET	49723	443	192.168.2.6	52.95.163.36
Mar 13, 2024 17:01:22.338424921 CET	49723	443	192.168.2.6	52.95.163.36
Mar 13, 2024 17:01:22.338453054 CET	443	49723	52.95.163.36	192.168.2.6
Mar 13, 2024 17:01:22.338777065 CET	443	49723	52.95.163.36	192.168.2.6
Mar 13, 2024 17:01:22.338825941 CET	49723	443	192.168.2.6	52.95.163.36
Mar 13, 2024 17:01:22.356600046 CET	49723	443	192.168.2.6	52.95.163.36
Mar 13, 2024 17:01:22.404232979 CET	443	49723	52.95.163.36	192.168.2.6
Mar 13, 2024 17:01:22.562319040 CET	443	49723	52.95.163.36	192.168.2.6
Mar 13, 2024 17:01:22.562382936 CET	49723	443	192.168.2.6	52.95.163.36
Mar 13, 2024 17:01:22.562407017 CET	443	49723	52.95.163.36	192.168.2.6
Mar 13, 2024 17:01:22.562437057 CET	443	49723	52.95.163.36	192.168.2.6
Mar 13, 2024 17:01:22.562485933 CET	49723	443	192.168.2.6	52.95.163.36
Mar 13, 2024 17:01:22.575414896 CET	49723	443	192.168.2.6	52.95.163.36
Mar 13, 2024 17:01:22.575432062 CET	443	49723	52.95.163.36	192.168.2.6
Mar 13, 2024 17:01:22.575443029 CET	49723	443	192.168.2.6	52.95.163.36
Mar 13, 2024 17:01:22.575481892 CET	49723	443	192.168.2.6	52.95.163.36

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 13, 2024 17:01:21.449564934 CET	50556	53	192.168.2.6	1.1.1.1
Mar 13, 2024 17:01:21.575541019 CET	53	50556	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 13, 2024 17:01:21.449564934 CET	192.168.2.6	1.1.1.1	0xc3fc	Standard query (0)	bucreate203920233.s3.sa-east-1.amazonaws.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 13, 2024 17:01:21.575541019 CET	1.1.1.1	192.168.2.6	0xc3fc	No error (0)	bucreate203920233.s3.sa-east-1.amazonaws.com	s3-r-w.sa-east-1.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 13, 2024 17:01:21.575541019 CET	1.1.1.1	192.168.2.6	0xc3fc	No error (0)	s3-r-w.sa-east-1.amazonaws.com		52.95.163.36	A (IP address)	IN (0x0001)	false
Mar 13, 2024 17:01:21.575541019 CET	1.1.1.1	192.168.2.6	0xc3fc	No error (0)	s3-r-w.sa-east-1.amazonaws.com		16.12.1.50	A (IP address)	IN (0x0001)	false
Mar 13, 2024 17:01:21.575541019 CET	1.1.1.1	192.168.2.6	0xc3fc	No error (0)	s3-r-w.sa-east-1.amazonaws.com		52.95.165.122	A (IP address)	IN (0x0001)	false
Mar 13, 2024 17:01:21.575541019 CET	1.1.1.1	192.168.2.6	0xc3fc	No error (0)	s3-r-w.sa-east-1.amazonaws.com		52.95.165.11	A (IP address)	IN (0x0001)	false
Mar 13, 2024 17:01:21.575541019 CET	1.1.1.1	192.168.2.6	0xc3fc	No error (0)	s3-r-w.sa-east-1.amazonaws.com		16.12.1.54	A (IP address)	IN (0x0001)	false
Mar 13, 2024 17:01:21.575541019 CET	1.1.1.1	192.168.2.6	0xc3fc	No error (0)	s3-r-w.sa-east-1.amazonaws.com		16.12.2.54	A (IP address)	IN (0x0001)	false
Mar 13, 2024 17:01:21.575541019 CET	1.1.1.1	192.168.2.6	0xc3fc	No error (0)	s3-r-w.sa-east-1.amazonaws.com		16.12.2.50	A (IP address)	IN (0x0001)	false
Mar 13, 2024 17:01:21.575541019 CET	1.1.1.1	192.168.2.6	0xc3fc	No error (0)	s3-r-w.sa-east-1.amazonaws.com		52.95.164.27	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

bucreate203920233.s3.sa-east-1.amazonaws.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49723	52.95.163.36	443	1756	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-13 16:01:22 UTC	336	OUT	GET /bucketPc.zip HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: bucreate203920233.s3.sa-east-1.amazonaws.com Connection: Keep-Alive
2024-03-13 16:01:22 UTC	285	IN	HTTP/1.1 404 Not Found x-amz-request-id: KGMPNF9Q2A4G276A x-amz-id-2: oUwOBGcXcRaJOfg9RDvUMM390Opwe1X0G+WIoo1w9G6BKuiw2Othw5sAOuPb4cT9/PXSnCglEcE= Content-Type: application/xml Transfer-Encoding: chunked Date: Wed, 13 Mar 2024 16:01:21 GMT Server: AmazonS3 Connection: close
2024-03-13 16:01:22 UTC	319	IN	Data Raw: 31 33 33 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 3c 4d 65 73 73 61 67 65 3e 54 68 65 20 73 70 65 63 69 66 69 65 64 20 62 75 63 6b 65 74 20 64 6f 65 73 20 6e 6f 74 20 65 78 69 73 74 3c 2f 4d 65 73 73 61 67 65 3e 3c 42 75 63 6b 65 74 4e 61 6d 65 3e 62 75 63 72 65 61 74 65 32 30 33 39 32 30 32 33 33 3c 2f 42 75 63 6b 65 74 4e 61 6d 65 3e 3c 52 65 71 75 65 73 74 49 64 3e 4b 47 4d 50 4e 46 39 51 32 41 34 47 32 37 36 41 3c 2f 52 65 71 75 65 73 74 49 64 3e 3c 48 6f 73 74 49 64 3e 6f 55 77 4f 42 47 63 58 63 52 61 4a 4f 66 67 39 52 44 76 55 4d 4d 33 39 30 4f 70 77 65 31 58 30 47 2b 57 49 Data Ascii: 133<?xml version="1.0" encoding="UTF-8"?><Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message><BucketName>bucreate203920233</BucketName><RequestId>KGMPNF9Q2A4G276A</RequestId><HostId>oUwOBGcXcRaJOfg9RDvUMM390Opwe1X0G+WI

Target ID:	1
Start time:	17:01:18
Start date:	13/03/2024
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\decrypt-main.dll.dll"
Imagebase:	0x7ff7768a0000
File size:	165'888 bytes
MD5 hash:	763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	moderate
Has exited:	true

Target ID:	2
Start time:	17:01:18
Start date:	13/03/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	17:01:18
Start date:	13/03/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",#1
Imagebase:	0x7ff7d1d90000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	5
Start time:	17:01:18
Start date:	13/03/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\decrypt-main.dll.dll,HackCheck
Imagebase:	0x7ff7b8b10000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	true

Target ID:	6
Start time:	17:01:18
Start date:	13/03/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",#1
Imagebase:	0x7ff7b8b10000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	true

Target ID:	10
Start time:	17:01:19
Start date:	13/03/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 948 -s 484
Imagebase:	0x7ff774430000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	13
Start time:	17:01:21
Start date:	13/03/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 1756 -s 2000
Imagebase:	0x7ff774430000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	14
Start time:	17:01:21
Start date:	13/03/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\decrypt-main.dll.dll,ServiceCrtMain
Imagebase:	0x7ff7b8b10000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	false

Target ID:	15
Start time:	17:01:24
Start date:	13/03/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\decrypt-main.dll.dll,TMethodImplementationIntercept
Imagebase:	0x7ff7b8b10000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	true

Target ID:	17
Start time:	17:01:25
Start date:	13/03/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 4072 -s 468
Imagebase:	0x7ff774430000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	18
Start time:	17:01:27
Start date:	13/03/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",HackCheck
Imagebase:	0x7ff7b8b10000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	false

Target ID:	19
Start time:	17:01:27
Start date:	13/03/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",ServiceCrtMain
Imagebase:	0x7ff7b8b10000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	false

Target ID:	20
Start time:	17:01:27
Start date:	13/03/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",TMethodImplementationIntercept
Imagebase:	0x7ff7b8b10000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	true

Target ID:	21
Start time:	17:01:27
Start date:	13/03/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",dbkFCallWrapperAddr
Imagebase:	0x7ff7b8b10000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Target ID:	23
Start time:	17:01:28
Start date:	13/03/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\decrypt-main.dll.dll",__dbk_fcall_wrapper
Imagebase:	0x7ff7b8b10000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Target ID:	25
Start time:	17:01:28
Start date:	13/03/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7028 -s 468
Imagebase:	0x7ff774430000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true