Windows Analysis Report
SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll

Overview

General Information

Sample name:	SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll
Analysis ID:	1447256
MD5:	dd321c6e3355ce11073719c59ea45c6d
SHA1:	20b7d647f6d2da9ad9e7ab840f2fd48fc1b18d02
SHA256:	ac77fdbd4566518302879e9709f20c9436a3c5007bb4b94c328975390476c676
Tags:	dll
Infos:

Detection

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Hides threads from debuggers

Machine Learning detection for sample

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Tries to evade analysis by execution special instruction (VM detection)

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Entry point lies outside standard sections

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains more sections than normal

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Classification

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll

Avira: detected

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll

ReversingLabs: Detection: 39%

Machine Learning detection for sample

Source: SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll

Joe Sandbox ML: detected

Uses 32bit PE files

Source: SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI

Source: unknown

HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.7:49707 version: TLS 1.2

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 34.117.186.192 443			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 173.255.201.196 9091			Jump to behavior

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.7:65485 -> 173.255.201.196:9091

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: GOOGLE-AS-APGoogleAsiaPacificPteLtdSG GOOGLE-AS-APGoogleAsiaPacificPteLtdSG
Source: Joe Sandbox View	ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

May check the online IP address of the machine

Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /json HTTP/1.1Accept: */*Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ipinfo.ioConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.201.196
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.201.196
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.201.196
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.201.196
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.201.196
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: ipinfo.io

Source: rundll32.exe, 0000000A.00000002.1625493649.00000000070F4000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.1614720484.00000000065F4000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000002.2530376792.00000000063C4000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001A.00000002.1682156876.00000000064A4000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001D.00000002.1673820589.00000000064C4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://fontawesome.io
Source: rundll32.exe, 0000000A.00000002.1625493649.00000000070F4000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.1614720484.00000000065F4000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000002.2530376792.00000000063C4000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001A.00000002.1682156876.00000000064A4000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001D.00000002.1673820589.00000000064C4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://fontawesome.io/license/
Source: rundll32.exe, 0000000A.00000002.1625493649.00000000070F4000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.1614720484.00000000065F4000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000002.2530376792.00000000063C4000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001A.00000002.1682156876.00000000064A4000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001D.00000002.1673820589.00000000064C4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://fontawesome.iohttp://fontawesome.iohttp://fontawesome.io/license/http://fontawesome.io/licens
Source: rundll32.exe, 0000000A.00000002.1626243662.0000000007413000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.1583698935.0000000004EFC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.1616546406.0000000006A63000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1540160647.00000000043FC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000C.00000003.1369834301.0000000006A23000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.2524492723.00000000041CC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001A.00000002.1682430760.00000000067E3000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001A.00000002.1678404184.00000000042AC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001B.00000003.1629543510.0000000007203000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.1671213431.0000000006763000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000002.1665887158.00000000042CC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001D.00000002.1674285395.0000000006833000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: rundll32.exe, 00000010.00000002.2530681866.0000000006703000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/03p
Source: rundll32.exe, 0000000A.00000002.1583698935.0000000004EFC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.1540160647.00000000043FC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000002.2524492723.00000000041CC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001A.00000002.1678404184.00000000042AC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001D.00000002.1665887158.00000000042CC000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: rundll32.exe, 0000000A.00000002.1583698935.0000000004EFC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.1540160647.00000000043FC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000002.2524492723.00000000041CC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001A.00000002.1678404184.00000000042AC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001D.00000002.1665887158.00000000042CC000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: rundll32.exe, 0000000A.00000002.1583698935.0000000004EFC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.1540160647.00000000043FC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000002.2524492723.00000000041CC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001A.00000002.1678404184.00000000042AC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001D.00000002.1665887158.00000000042CC000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/http/
Source: rundll32.exe, 0000000A.00000002.1583698935.0000000004EFC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.1540160647.00000000043FC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000002.2524492723.00000000041CC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001A.00000002.1678404184.00000000042AC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001D.00000002.1665887158.00000000042CC000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap/
Source: rundll32.exe, 0000000A.00000002.1583698935.0000000004EFC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.1540160647.00000000043FC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000002.2524492723.00000000041CC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001A.00000002.1678404184.00000000042AC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001D.00000002.1665887158.00000000042CC000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/SV
Source: Amcache.hve.21.dr	String found in binary or memory: http://upx.sf.net
Source: rundll32.exe, 0000001C.00000003.1671213431.000000000674D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000002.1674285395.000000000681D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000002.1665887158.00000000042CC000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.borland.com/namespaces/Types
Source: rundll32.exe, 0000000C.00000003.1369834301.0000000006A0D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001B.00000003.1629543510.00000000071ED000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.1671213431.000000000674D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.borland.com/namespaces/TypesA
Source: rundll32.exe, 0000000C.00000003.1369834301.0000000006A0D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001B.00000003.1629543510.00000000071ED000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.1671213431.000000000674D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.borland.com/namespaces/Typesa
Source: rundll32.exe, 0000000A.00000002.1583698935.0000000004EFC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.1540160647.00000000043FC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000002.2524492723.00000000041CC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001A.00000002.1678404184.00000000042AC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001D.00000002.1665887158.00000000042CC000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.borland.com/rootpart.xml
Source: rundll32.exe, 0000001D.00000002.1665887158.00000000042CC000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.componentace.com
Source: rundll32.exe, 0000000A.00000002.1583698935.0000000004EFC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000A.00000002.1626243662.0000000007380000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1616546406.00000000069D0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1540160647.00000000043FC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000C.00000003.1369834301.0000000006990000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.2524492723.00000000041CC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000002.2530681866.0000000006670000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001A.00000002.1682430760.0000000006750000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001A.00000002.1678404184.00000000042AC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001B.00000003.1629543510.0000000007170000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.1671213431.00000000066D0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000002.1674285395.00000000067A0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000002.1665887158.00000000042CC000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.indyproject.org/
Source: rundll32.exe, 00000010.00000002.2521309487.00000000028B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: rundll32.exe, 00000010.00000002.2533994178.0000000008DD3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.2521309487.00000000028DF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.2521309487.000000000290C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/json
Source: rundll32.exe, 00000010.00000002.2521309487.00000000028B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/json4
Source: rundll32.exe, 00000010.00000002.2521309487.00000000028DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/jsonK1
Source: rundll32.exe, 00000010.00000002.2521309487.00000000028B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/jsona
Source: rundll32.exe, 00000010.00000002.2530681866.000000000670A000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.2533559098.00000000086C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.2530681866.0000000006622000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.2533994178.0000000008DD3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.2519664521.000000000267A000.00000004.00000010.00020000.00000000.sdmp, json[1].json.16.dr	String found in binary or memory: https://ipinfo.io/missingauth
Source: rundll32.exe, 00000010.00000002.2521309487.00000000028DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com

Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707

Source: unknown

HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.7:49707 version: TLS 1.2

One or more processes crash

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5456 -s 936

PE file contains more sections than normal

Source: SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll

Static PE information: Number of sections : 13 > 10

Uses 32bit PE files

Source: SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI

Source: classification engine

Classification label: mal80.evad.winDLL@24/18@1/2

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Users\user\AppData\Roaming\2402024

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6636:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7916
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess564
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7952
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5456

Source: Yara match	File source: 0000001D.00000002.1665887158.00000000042B1000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2524492723.00000000041B1000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1540160647.00000000043E1000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1583698935.0000000004EE1000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1678404184.0000000004291000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY

Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi	Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll,TMethodImplementationIntercept
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll,__dbk_fcall_wrapper
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll,agzxqlovcrhc
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5456 -s 936
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 924
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll",TMethodImplementationIntercept
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll",__dbk_fcall_wrapper
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll",agzxqlovcrhc
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll",dbkFCallWrapperAddr
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7952 -s 928
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7916 -s 928
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll,TMethodImplementationIntercept	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll,__dbk_fcall_wrapper	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll,agzxqlovcrhc	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll",TMethodImplementationIntercept	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll",__dbk_fcall_wrapper	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll",agzxqlovcrhc	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll",dbkFCallWrapperAddr	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: colorui.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: compstui.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: inetres.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll	Static PE information: section name: .didata
Source: SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll	Static PE information: section name: .awiodnn
Source: SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll	Static PE information: section name: .awiodnn
Source: SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll	Static PE information: section name: .awiodnn

Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 5732 base: A90007 value: E9 EB DF D0 76	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 5732 base: 7779DFF0 value: E9 1E 20 2F 89	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 564 base: 3430007 value: E9 EB DF 36 74	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 564 base: 7779DFF0 value: E9 1E 20 C9 8B	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 5456 base: 2960007 value: E9 EB DF E3 74	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 5456 base: 7779DFF0 value: E9 1E 20 1C 8B	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7092 base: 27F0007 value: E9 EB DF FA 74	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7092 base: 7779DFF0 value: E9 1E 20 05 8B	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7196 base: 2790007 value: E9 EB DF 00 75	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7196 base: 7779DFF0 value: E9 1E 20 FF 8A	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7916 base: 2790007 value: E9 EB DF 00 75	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7916 base: 7779DFF0 value: E9 1E 20 FF 8A	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7928 base: 31D0007 value: E9 EB DF 5C 74	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7928 base: 7779DFF0 value: E9 1E 20 A3 8B	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7936 base: 29B0007 value: E9 EB DF DE 74	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7936 base: 7779DFF0 value: E9 1E 20 21 8B	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7952 base: 28D0007 value: E9 EB DF EC 74	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7952 base: 7779DFF0 value: E9 1E 20 13 8B	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe TID: 7524	Thread sleep count: 84 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7524	Thread sleep time: -74592s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7524	Thread sleep count: 95 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7524	Thread sleep time: -84455s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: Amcache.hve.21.dr	Binary or memory string: VMware
Source: loaddll32.exe, 00000006.00000002.1588023503.0000000000D06000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}o
Source: SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll	Binary or memory string: vMCIA
Source: Amcache.hve.21.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: rundll32.exe, 0000001A.00000002.1677781104.00000000028AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\j
Source: rundll32.exe, 00000010.00000002.2521309487.00000000028B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.2521309487.000000000288B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.2521309487.00000000028F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 0000001D.00000002.1665417776.00000000029DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: rundll32.exe, 0000000B.00000002.1539719633.00000000029BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\o
Source: rundll32.exe, 0000000A.00000002.1583116938.000000000346A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}X
Source: Amcache.hve.21.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: rundll32.exe, 0000001C.00000002.1674372330.000000000283B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\!
Source: Amcache.hve.21.dr	Binary or memory string: vmci.sys
Source: rundll32.exe, 0000001B.00000002.1639924792.00000000033EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\C
Source: loaddll32.exe, 00000006.00000002.1588023503.0000000000D06000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: rundll32.exe, 0000001B.00000002.1639924792.00000000033DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}jb0!
Source: Amcache.hve.21.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.21.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.21.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.21.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.21.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.21.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.21.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: rundll32.exe, 0000001D.00000002.1665417776.00000000029DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: Amcache.hve.21.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.21.dr	Binary or memory string: VMware Virtual RAM
Source: rundll32.exe, 0000001D.00000002.1665417776.00000000029EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}7
Source: Amcache.hve.21.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: rundll32.exe, 0000001C.00000002.1674372330.000000000283B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.21.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.21.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.21.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.21.dr	Binary or memory string: vmci.syshbin
Source: rundll32.exe, 0000000C.00000002.1383215472.0000000002BFC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.21.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.21.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.21.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.21.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: rundll32.exe, 0000001B.00000002.1639924792.00000000033EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.21.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.21.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.21.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: rundll32.exe, 0000001C.00000002.1674372330.000000000283B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\;
Source: rundll32.exe, 0000001A.00000002.1677781104.000000000286A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.21.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.21.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.21.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.21.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: rundll32.exe, 0000001C.00000002.1674372330.000000000283B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9

Source: C:\Windows\System32\loaddll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior

Source: rundll32.exe, 0000000A.00000002.1583698935.0000000004EFC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.1540160647.00000000043FC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000002.2524492723.00000000041CC000.00000020.00000001.01000000.00000004.sdmp	Binary or memory string: Shell_TrayWndSVW
Source: rundll32.exe, 0000000A.00000002.1583698935.0000000004EFC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.1540160647.00000000043FC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000002.2524492723.00000000041CC000.00000020.00000001.01000000.00000004.sdmp	Binary or memory string: Shell_TrayWndReBarWindow32MSTaskSwWClassToolbarWindow32SV

Source: Amcache.hve.21.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.21.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.21.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.21.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.21.dr	Binary or memory string: MsMpEng.exe

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
34.117.186.192	ipinfo.io	United States		139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	true
173.255.201.196	unknown	United States		63949	LINODE-APLinodeLLCUS	true

ID:	1447256
Product:	CloudBasic
Start time:	17:38:13
Start date:	24.05.2024
Sample:	SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	dd321c6e3355ce11073719c59ea45c6d
SHA1:	20b7d647f6d2da9ad9e7ab840f2fd48fc1b18d02
SHA256:	ac77fdbd4566518302879e9709f20c9436a3c5007bb4b94c328975390476c676
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 99.40%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_5846ff3f27e0cd291f852844950cb54b87e166d_7522e4b5_3fb1a37c-5458-4b52-bdcc-4892ac26b3a2\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	DE1818675E034D151A4C7F4A2D5BEDA9	D18B1CD70530EF53A626B29CA3032FD771DC70D6	8AD08F54952BE72561E7C22A6676E120628E3EE435C871D07D0FDF0C7640572F
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_5846ff3f27e0cd291f852844950cb54b87e166d_7522e4b5_c78fdc5a-8f48-48bd-8bd7-6ade83bfbcf6\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	448306750E5522EA9F9B332DCD410D96	95CDDEC6795F69E219862F2DE2DA2A08BFA4A068	7C73C779E23636B0B3F29B42F12600A056372A7FA4F153679926380F2F01F61E
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_94a81f56e41f80eabdc4f62591f2f87b03014a3_7522e4b5_727f85bd-9bfd-4ad9-bee0-d83a42000635\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	99E016D8C814BEE9E6FCB0A04F7EE162	9F817A19288E9A1058C2DBFC69D8F9EF11E75A69	3ADC200932C8FEADBEF588B7982CA999970928F2C558ADBB7EE0AC8FF9B474B5
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_94a81f56e41f80eabdc4f62591f2f87b03014a3_7522e4b5_ab76d196-46d2-43ab-b3e8-5db75a2b7a3d\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	DC062027A296D88A8F24742749A04A3C	6BFEC2A725BE323316C8BD85D988A1CEFC5F5265	AAB5C5675B838F8632504C22F04DA1FE8555BCF9398D3F9B004EAE917193C2BB
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7230.tmp.dmp	Mini DuMP crash report, 15 streams, Fri May 24 15:39:18 2024, 0x1205a4 type	D5AFCB05812BA6BAE3DC9186FD1FA7CD	EE6637A3F61BCD2875748A1B92DAD1AD3DAF61F0	090B2E62EAA2B91137A4870441726F2052A999881C2EE4314597049720DA0656
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7240.tmp.dmp	Mini DuMP crash report, 15 streams, Fri May 24 15:39:18 2024, 0x1205a4 type	DD6584C920647E9DB0DF9288D03332F0	DBC0BC304264719C80EEAA99ABDD05ED77EDC75C	589B8F7FF7429B2F87A9778DF1213E402C6B54A297F642728085D35B7B548BD7
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7379.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	C2DFF03EDCCDCE5D83A9556FF014A509	507FB842521F6AD03F7650AE9F79CC512BACE9BD	4FF5E14939010EC7BBC5B5A234F945F146F5E1FF82BFC24FE15A21BE4260F6AF
C:\ProgramData\Microsoft\Windows\WER\Temp\WER73B9.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	C213BDBCE1AC221D9EFA37C4BC358B6B	A2653B773CE985BC825E84DCBD969F78FE885930	222463B172591CE60FB5BA886FF552E010A6D268DB156E4E862829A8C7D591F3
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7425.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	D8E8221C43475270F95AAB0923FD064A	087B0FD6E9090B1422FF512FAC8C4DDB917086A3	FD844E6A4BD86B83ED5159F43BCF9851519CEA29C5B3126831F1DDA0A0250159
C:\ProgramData\Microsoft\Windows\WER\Temp\WER759D.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	ABF1159138DBD4782A7D10E77C99EFE8	99FB23926BB1FE51A60C15D49A371A0BBDB94374	82BC8FA14F843FD81F82E6B45EDBBB3ADA36893E8F5DA2DA348DCDAEBC00EA3E
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE0C9.tmp.dmp	Mini DuMP crash report, 15 streams, Fri May 24 17:01:01 2024, 0x1205a4 type	2439F125B962D03817700F4E7A364591	E96EEDFCA856A45F5D8E24424DA9191C455D594B	FF6923FF38F8B320FF2CD666DD47FD8FF752B0F75C23BA34DBC9C740C8799FE8
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE1A5.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	4B1D0AB42F0A4D35DC9F04A949E72735	29F8B8E06F9A7F7DF29FCA6054FCF905344D9DD7	91DC97013233C33E7A8EF309D43A0D5C33D467D44BFA654D895EA14C28BB9588
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE1C5.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	D443A81637BCF9DF341F696D43631968	D4E97D9DFD44BB512AFA49AAABCFAE5C0C0371AB	B71E3682CC7D2553CE8CE429CAF0FAD23E75632E97ABFE74ACCB22C853320D26
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE230.tmp.dmp	Mini DuMP crash report, 15 streams, Fri May 24 17:01:02 2024, 0x1205a4 type	17868FF80DFFEB38ACD482470CFEB8F3	592B85F94E40FD4383B7AA160588D09DE5177973	3867218BFAFA31068D44DBD74AF155D879A758A36BED4CC7A811485F9F0BB2D1
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE2FC.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	F66E124E39B9534E1FC7690DAEAFBF7F	2EC7F3C228249D757EBE57BF6A2011E9D12067F8	EC3426E134AA0689B3CB8B98C996898967B0FA213EEF6565BDDB44F20B567E28
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE34B.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	9C041BE1069D305D533A851A36D5D449	8F5FC85DB36CBB827DF61B56A1D196D654A7E742	E13879CAF90134216212ECBF185896B222C419CBD3D796F1FBE6C365851316BC
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\json[1].json	JSON data	C8B5480265AA24848B266AB720648A09	4440EDB7429D588DE5A1A0D00D8D82FD6DE41A47	A15CE3E76A7C7592E79A8C78E240F012E59E68F3D60179D54F8603B0660CA5D0
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	D1090C391DAA8CAEB09A1B3DBD84AA86	08595225795AF6239F26121E0DD66A0818FBD7D9	44DC9BD54978B0CE7741FE096CDC02979D78693942040AC3D31B6E226D6A18DA

Windows Analysis Report SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll