Edit tour

Windows Analysis Report
SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll

Overview

General Information

Sample name:	SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll
Analysis ID:	1447256
MD5:	dd321c6e3355ce11073719c59ea45c6d
SHA1:	20b7d647f6d2da9ad9e7ab840f2fd48fc1b18d02
SHA256:	ac77fdbd4566518302879e9709f20c9436a3c5007bb4b94c328975390476c676
Tags:	dll
Infos:

Detection

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Hides threads from debuggers

Machine Learning detection for sample

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Tries to evade analysis by execution special instruction (VM detection)

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Entry point lies outside standard sections

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains more sections than normal

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 5732 cmdline: loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 6636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6160 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 5456 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 7328 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5456 -s 936 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 564 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll,TMethodImplementationIntercept MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 7336 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 924 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 7092 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll,__dbk_fcall_wrapper MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7196 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll,agzxqlovcrhc MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7916 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll",TMethodImplementationIntercept MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 7296 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7916 -s 928 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 7928 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll",__dbk_fcall_wrapper MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7936 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll",agzxqlovcrhc MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7952 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll",dbkFCallWrapperAddr MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 8160 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7952 -s 928 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000001D.00000002.1665887158.00000000042B1000.00000020.00000001.01000000.00000004.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000010.00000002.2524492723.00000000041B1000.00000020.00000001.01000000.00000004.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
0000000B.00000002.1540160647.00000000043E1000.00000020.00000001.01000000.00000004.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
0000000A.00000002.1583698935.0000000004EE1000.00000020.00000001.01000000.00000004.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
0000001A.00000002.1678404184.0000000004291000.00000020.00000001.01000000.00000004.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

HTTP traffic detected: GET /json HTTP/1.1Accept: */*Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ipinfo.ioConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.201.196
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.201.196
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.201.196
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.201.196
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.201.196
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: ipinfo.io

Source: rundll32.exe, 0000000A.00000002.1625493649.00000000070F4000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.1614720484.00000000065F4000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000002.2530376792.00000000063C4000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001A.00000002.1682156876.00000000064A4000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001D.00000002.1673820589.00000000064C4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://fontawesome.io
Source: rundll32.exe, 0000000A.00000002.1625493649.00000000070F4000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.1614720484.00000000065F4000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000002.2530376792.00000000063C4000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001A.00000002.1682156876.00000000064A4000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001D.00000002.1673820589.00000000064C4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://fontawesome.io/license/
Source: rundll32.exe, 0000000A.00000002.1625493649.00000000070F4000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.1614720484.00000000065F4000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000002.2530376792.00000000063C4000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001A.00000002.1682156876.00000000064A4000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001D.00000002.1673820589.00000000064C4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://fontawesome.iohttp://fontawesome.iohttp://fontawesome.io/license/http://fontawesome.io/licens
Source: rundll32.exe, 0000000A.00000002.1626243662.0000000007413000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.1583698935.0000000004EFC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.1616546406.0000000006A63000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1540160647.00000000043FC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000C.00000003.1369834301.0000000006A23000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.2524492723.00000000041CC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001A.00000002.1682430760.00000000067E3000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001A.00000002.1678404184.00000000042AC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001B.00000003.1629543510.0000000007203000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.1671213431.0000000006763000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000002.1665887158.00000000042CC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001D.00000002.1674285395.0000000006833000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: rundll32.exe, 00000010.00000002.2530681866.0000000006703000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/03p
Source: rundll32.exe, 0000000A.00000002.1583698935.0000000004EFC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.1540160647.00000000043FC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000002.2524492723.00000000041CC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001A.00000002.1678404184.00000000042AC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001D.00000002.1665887158.00000000042CC000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: rundll32.exe, 0000000A.00000002.1583698935.0000000004EFC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.1540160647.00000000043FC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000002.2524492723.00000000041CC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001A.00000002.1678404184.00000000042AC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001D.00000002.1665887158.00000000042CC000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: rundll32.exe, 0000000A.00000002.1583698935.0000000004EFC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.1540160647.00000000043FC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000002.2524492723.00000000041CC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001A.00000002.1678404184.00000000042AC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001D.00000002.1665887158.00000000042CC000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/http/
Source: rundll32.exe, 0000000A.00000002.1583698935.0000000004EFC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.1540160647.00000000043FC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000002.2524492723.00000000041CC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001A.00000002.1678404184.00000000042AC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001D.00000002.1665887158.00000000042CC000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap/
Source: rundll32.exe, 0000000A.00000002.1583698935.0000000004EFC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.1540160647.00000000043FC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000002.2524492723.00000000041CC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001A.00000002.1678404184.00000000042AC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001D.00000002.1665887158.00000000042CC000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/SV
Source: Amcache.hve.21.dr	String found in binary or memory: http://upx.sf.net
Source: rundll32.exe, 0000001C.00000003.1671213431.000000000674D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000002.1674285395.000000000681D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000002.1665887158.00000000042CC000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.borland.com/namespaces/Types
Source: rundll32.exe, 0000000C.00000003.1369834301.0000000006A0D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001B.00000003.1629543510.00000000071ED000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.1671213431.000000000674D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.borland.com/namespaces/TypesA
Source: rundll32.exe, 0000000C.00000003.1369834301.0000000006A0D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001B.00000003.1629543510.00000000071ED000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.1671213431.000000000674D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.borland.com/namespaces/Typesa
Source: rundll32.exe, 0000000A.00000002.1583698935.0000000004EFC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.1540160647.00000000043FC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000002.2524492723.00000000041CC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001A.00000002.1678404184.00000000042AC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001D.00000002.1665887158.00000000042CC000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.borland.com/rootpart.xml
Source: rundll32.exe, 0000001D.00000002.1665887158.00000000042CC000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.componentace.com
Source: rundll32.exe, 0000000A.00000002.1583698935.0000000004EFC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000A.00000002.1626243662.0000000007380000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1616546406.00000000069D0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1540160647.00000000043FC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000C.00000003.1369834301.0000000006990000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.2524492723.00000000041CC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000002.2530681866.0000000006670000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001A.00000002.1682430760.0000000006750000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001A.00000002.1678404184.00000000042AC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001B.00000003.1629543510.0000000007170000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.1671213431.00000000066D0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000002.1674285395.00000000067A0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000002.1665887158.00000000042CC000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.indyproject.org/
Source: rundll32.exe, 00000010.00000002.2521309487.00000000028B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: rundll32.exe, 00000010.00000002.2533994178.0000000008DD3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.2521309487.00000000028DF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.2521309487.000000000290C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/json
Source: rundll32.exe, 00000010.00000002.2521309487.00000000028B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/json4
Source: rundll32.exe, 00000010.00000002.2521309487.00000000028DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/jsonK1
Source: rundll32.exe, 00000010.00000002.2521309487.00000000028B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/jsona
Source: rundll32.exe, 00000010.00000002.2530681866.000000000670A000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.2533559098.00000000086C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.2530681866.0000000006622000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.2533994178.0000000008DD3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.2519664521.000000000267A000.00000004.00000010.00020000.00000000.sdmp, json[1].json.16.dr	String found in binary or memory: https://ipinfo.io/missingauth
Source: rundll32.exe, 00000010.00000002.2521309487.00000000028DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com

Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707

Source: unknown

HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.7:49707 version: TLS 1.2

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5456 -s 936

Source: SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll

Static PE information: Number of sections : 13 > 10

Source: SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI

Source: classification engine

Classification label: mal80.evad.winDLL@24/18@1/2

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Users\user\AppData\Roaming\2402024

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6636:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7916
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess564
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7952
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5456

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\46025cd7-0926-4b00-ac6d-0d897bed4e40

Jump to behavior

Source: Yara match	File source: 0000001D.00000002.1665887158.00000000042B1000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2524492723.00000000041B1000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1540160647.00000000043E1000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1583698935.0000000004EE1000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1678404184.0000000004291000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY

Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll,TMethodImplementationIntercept

Source: SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll

ReversingLabs: Detection: 39%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll,TMethodImplementationIntercept
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll,__dbk_fcall_wrapper
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll,agzxqlovcrhc
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5456 -s 936
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 924
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll",TMethodImplementationIntercept
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll",__dbk_fcall_wrapper
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll",agzxqlovcrhc
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll",dbkFCallWrapperAddr
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7952 -s 928
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7916 -s 928
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll,TMethodImplementationIntercept	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll,__dbk_fcall_wrapper	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll,agzxqlovcrhc	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll",TMethodImplementationIntercept	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll",__dbk_fcall_wrapper	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll",agzxqlovcrhc	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll",dbkFCallWrapperAddr	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: colorui.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: compstui.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: inetres.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll

Static file information: File size 18442752 > 1048576

Source: SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll

Static PE information: Raw size of .awiodnn is bigger than: 0x100000 < 0x1192e00

Source: initial sample

Static PE information: section where entry point is pointing to: .awiodnn

Source: SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll	Static PE information: section name: .didata
Source: SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll	Static PE information: section name: .awiodnn
Source: SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll	Static PE information: section name: .awiodnn
Source: SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll	Static PE information: section name: .awiodnn

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 5732 base: A90007 value: E9 EB DF D0 76	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 5732 base: 7779DFF0 value: E9 1E 20 2F 89	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 564 base: 3430007 value: E9 EB DF 36 74	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 564 base: 7779DFF0 value: E9 1E 20 C9 8B	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 5456 base: 2960007 value: E9 EB DF E3 74	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 5456 base: 7779DFF0 value: E9 1E 20 1C 8B	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7092 base: 27F0007 value: E9 EB DF FA 74	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7092 base: 7779DFF0 value: E9 1E 20 05 8B	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7196 base: 2790007 value: E9 EB DF 00 75	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7196 base: 7779DFF0 value: E9 1E 20 FF 8A	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7916 base: 2790007 value: E9 EB DF 00 75	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7916 base: 7779DFF0 value: E9 1E 20 FF 8A	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7928 base: 31D0007 value: E9 EB DF 5C 74	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7928 base: 7779DFF0 value: E9 1E 20 A3 8B	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7936 base: 29B0007 value: E9 EB DF DE 74	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7936 base: 7779DFF0 value: E9 1E 20 21 8B	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7952 base: 28D0007 value: E9 EB DF EC 74	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7952 base: 7779DFF0 value: E9 1E 20 13 8B	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to evade analysis by execution special instruction (VM detection)

Source: C:\Windows\System32\loaddll32.exe

Special instruction interceptor: First address: 20BFA11 instructions rdtsc caused by: RDTSC with Trap Flag (TF)

Source: C:\Windows\SysWOW64\rundll32.exe TID: 7524	Thread sleep count: 84 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7524	Thread sleep time: -74592s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7524	Thread sleep count: 95 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7524	Thread sleep time: -84455s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: Amcache.hve.21.dr	Binary or memory string: VMware
Source: loaddll32.exe, 00000006.00000002.1588023503.0000000000D06000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}o
Source: SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll	Binary or memory string: vMCIA
Source: Amcache.hve.21.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: rundll32.exe, 0000001A.00000002.1677781104.00000000028AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\j
Source: rundll32.exe, 00000010.00000002.2521309487.00000000028B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.2521309487.000000000288B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.2521309487.00000000028F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 0000001D.00000002.1665417776.00000000029DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: rundll32.exe, 0000000B.00000002.1539719633.00000000029BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\o
Source: rundll32.exe, 0000000A.00000002.1583116938.000000000346A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}X
Source: Amcache.hve.21.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: rundll32.exe, 0000001C.00000002.1674372330.000000000283B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\!
Source: Amcache.hve.21.dr	Binary or memory string: vmci.sys
Source: rundll32.exe, 0000001B.00000002.1639924792.00000000033EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\C
Source: loaddll32.exe, 00000006.00000002.1588023503.0000000000D06000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: rundll32.exe, 0000001B.00000002.1639924792.00000000033DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}jb0!
Source: Amcache.hve.21.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.21.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.21.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.21.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.21.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.21.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.21.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: rundll32.exe, 0000001D.00000002.1665417776.00000000029DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: Amcache.hve.21.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.21.dr	Binary or memory string: VMware Virtual RAM
Source: rundll32.exe, 0000001D.00000002.1665417776.00000000029EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}7
Source: Amcache.hve.21.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: rundll32.exe, 0000001C.00000002.1674372330.000000000283B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.21.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.21.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.21.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.21.dr	Binary or memory string: vmci.syshbin
Source: rundll32.exe, 0000000C.00000002.1383215472.0000000002BFC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.21.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.21.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.21.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.21.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: rundll32.exe, 0000001B.00000002.1639924792.00000000033EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.21.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.21.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.21.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: rundll32.exe, 0000001C.00000002.1674372330.000000000283B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\;
Source: rundll32.exe, 0000001A.00000002.1677781104.000000000286A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.21.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.21.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.21.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.21.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: rundll32.exe, 0000001C.00000002.1674372330.000000000283B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9

Source: C:\Windows\System32\loaddll32.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Windows\System32\loaddll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 34.117.186.192 443			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 173.255.201.196 9091			Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll",#1

Jump to behavior

Source: rundll32.exe, 0000000A.00000002.1583698935.0000000004EFC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.1540160647.00000000043FC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000002.2524492723.00000000041CC000.00000020.00000001.01000000.00000004.sdmp	Binary or memory string: Shell_TrayWndSVW
Source: rundll32.exe, 0000000A.00000002.1583698935.0000000004EFC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.1540160647.00000000043FC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000002.2524492723.00000000041CC000.00000020.00000001.01000000.00000004.sdmp	Binary or memory string: Shell_TrayWndReBarWindow32MSTaskSwWClassToolbarWindow32SV

Source: Amcache.hve.21.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.21.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.21.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.21.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.21.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	112 Process Injection	1 Masquerading	1 Credential API Hooking	221 Security Software Discovery	Remote Services	1 Credential API Hooking	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	121 Virtualization/Sandbox Evasion	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	112 Process Injection	Security Account Manager	121 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Rundll32	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	11 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll	39%	ReversingLabs	Win32.Infostealer.Generic
SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll	100%	Avira	HEUR/AGEN.1360814
SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://ipinfo.io/missingauth	0%	URL Reputation	safe
http://fontawesome.io	0%	URL Reputation	safe
http://fontawesome.io/license/	0%	URL Reputation	safe
http://www.borland.com/namespaces/Types	0%	URL Reputation	safe
https://ipinfo.io/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
https://ipinfo.io/json	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/envelope/	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
http://www.indyproject.org/	0%	URL Reputation	safe
http://fontawesome.iohttp://fontawesome.iohttp://fontawesome.io/license/http://fontawesome.io/licens	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/wsdl/http/	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/soap/encoding/03p	0%	Avira URL Cloud	safe
https://ipinfo.io/jsona	0%	Avira URL Cloud	safe
http://www.borland.com/rootpart.xml	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/wsdl/soap12/SV	0%	Avira URL Cloud	safe
https://ipinfo.io/jsonK1	0%	Avira URL Cloud	safe
http://www.componentace.com	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/wsdl/soap/	0%	Avira URL Cloud	safe
https://ipinfo.io/json4	0%	Avira URL Cloud	safe
http://www.borland.com/namespaces/TypesA	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipinfo.io	34.117.186.192	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/json	true	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/missingauth	rundll32.exe, 00000010.00000002.2530681866.000000000670A000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.2533559098.00000000086C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.2530681866.0000000006622000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.2533994178.0000000008DD3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.2519664521.000000000267A000.00000004.00000010.00020000.00000000.sdmp, json[1].json.16.dr	false	URL Reputation: safe	unknown
http://fontawesome.io	rundll32.exe, 0000000A.00000002.1625493649.00000000070F4000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.1614720484.00000000065F4000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000002.2530376792.00000000063C4000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001A.00000002.1682156876.00000000064A4000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001D.00000002.1673820589.00000000064C4000.00000002.00000001.01000000.00000004.sdmp	false	URL Reputation: safe	unknown
http://fontawesome.io/license/	rundll32.exe, 0000000A.00000002.1625493649.00000000070F4000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.1614720484.00000000065F4000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000002.2530376792.00000000063C4000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001A.00000002.1682156876.00000000064A4000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001D.00000002.1673820589.00000000064C4000.00000002.00000001.01000000.00000004.sdmp	false	URL Reputation: safe	unknown
http://www.borland.com/namespaces/Types	rundll32.exe, 0000001C.00000003.1671213431.000000000674D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000002.1674285395.000000000681D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000002.1665887158.00000000042CC000.00000020.00000001.01000000.00000004.sdmp	false	URL Reputation: safe	unknown
http://fontawesome.iohttp://fontawesome.iohttp://fontawesome.io/license/http://fontawesome.io/licens	rundll32.exe, 0000000A.00000002.1625493649.00000000070F4000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.1614720484.00000000065F4000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000002.2530376792.00000000063C4000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001A.00000002.1682156876.00000000064A4000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001D.00000002.1673820589.00000000064C4000.00000002.00000001.01000000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/	rundll32.exe, 00000010.00000002.2521309487.00000000028B7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	rundll32.exe, 0000000A.00000002.1626243662.0000000007413000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.1583698935.0000000004EFC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.1616546406.0000000006A63000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1540160647.00000000043FC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000C.00000003.1369834301.0000000006A23000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.2524492723.00000000041CC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001A.00000002.1682430760.00000000067E3000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001A.00000002.1678404184.00000000042AC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001B.00000003.1629543510.0000000007203000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.1671213431.0000000006763000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000002.1665887158.00000000042CC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001D.00000002.1674285395.0000000006833000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/wsdl/http/	rundll32.exe, 0000000A.00000002.1583698935.0000000004EFC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.1540160647.00000000043FC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000002.2524492723.00000000041CC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001A.00000002.1678404184.00000000042AC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001D.00000002.1665887158.00000000042CC000.00000020.00000001.01000000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/03p	rundll32.exe, 00000010.00000002.2530681866.0000000006703000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	rundll32.exe, 0000000A.00000002.1583698935.0000000004EFC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.1540160647.00000000043FC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000002.2524492723.00000000041CC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001A.00000002.1678404184.00000000042AC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001D.00000002.1665887158.00000000042CC000.00000020.00000001.01000000.00000004.sdmp	false	URL Reputation: safe	unknown
https://ipinfo.io/jsonK1	rundll32.exe, 00000010.00000002.2521309487.00000000028DF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	rundll32.exe, 0000000A.00000002.1583698935.0000000004EFC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.1540160647.00000000043FC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000002.2524492723.00000000041CC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001A.00000002.1678404184.00000000042AC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001D.00000002.1665887158.00000000042CC000.00000020.00000001.01000000.00000004.sdmp	false	URL Reputation: safe	unknown
http://www.borland.com/rootpart.xml	rundll32.exe, 0000000A.00000002.1583698935.0000000004EFC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.1540160647.00000000043FC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000002.2524492723.00000000041CC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001A.00000002.1678404184.00000000042AC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001D.00000002.1665887158.00000000042CC000.00000020.00000001.01000000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/jsona	rundll32.exe, 00000010.00000002.2521309487.00000000028B7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.21.dr	false	URL Reputation: safe	unknown
http://www.componentace.com	rundll32.exe, 0000001D.00000002.1665887158.00000000042CC000.00000020.00000001.01000000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://www.indyproject.org/	rundll32.exe, 0000000A.00000002.1583698935.0000000004EFC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000A.00000002.1626243662.0000000007380000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1616546406.00000000069D0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1540160647.00000000043FC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000C.00000003.1369834301.0000000006990000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.2524492723.00000000041CC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000002.2530681866.0000000006670000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001A.00000002.1682430760.0000000006750000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001A.00000002.1678404184.00000000042AC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001B.00000003.1629543510.0000000007170000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.1671213431.00000000066D0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000002.1674285395.00000000067A0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000002.1665887158.00000000042CC000.00000020.00000001.01000000.00000004.sdmp	false	URL Reputation: safe	unknown
https://ipinfo.io/json4	rundll32.exe, 00000010.00000002.2521309487.00000000028B7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/soap12/SV	rundll32.exe, 0000000A.00000002.1583698935.0000000004EFC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.1540160647.00000000043FC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000002.2524492723.00000000041CC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001A.00000002.1678404184.00000000042AC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001D.00000002.1665887158.00000000042CC000.00000020.00000001.01000000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/soap/	rundll32.exe, 0000000A.00000002.1583698935.0000000004EFC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.1540160647.00000000043FC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000002.2524492723.00000000041CC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001A.00000002.1678404184.00000000042AC000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000001D.00000002.1665887158.00000000042CC000.00000020.00000001.01000000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://www.borland.com/namespaces/TypesA	rundll32.exe, 0000000C.00000003.1369834301.0000000006A0D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001B.00000003.1629543510.00000000071ED000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.1671213431.000000000674D000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.borland.com/namespaces/Typesa	rundll32.exe, 0000000C.00000003.1369834301.0000000006A0D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001B.00000003.1629543510.00000000071ED000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.1671213431.000000000674D000.00000004.00001000.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
34.117.186.192	ipinfo.io	United States		139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	true
173.255.201.196	unknown	United States		63949	LINODE-APLinodeLLCUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1447256
Start date and time:	2024-05-24 17:38:13 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	37
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll
Detection:	MAL
Classification:	mal80.evad.winDLL@24/18@1/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.19.126.151, 2.19.126.137, 52.168.117.173, 93.184.221.240, 104.208.16.94
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, time.windows.com, a767.dspw65.akamai.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, ocsp.digicert.com, login.live.com, blobcollector.events.data.trafficmanager.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net, onedsblobprdcus16.centralus.cloudapp.azure.com
Execution Graph export aborted for target loaddll32.exe, PID 5732 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll

Simulations

Behavior and APIs

Time	Type	Description
11:39:24	API Interceptor	215x Sleep call for process: rundll32.exe modified
13:00:52	API Interceptor	4x Sleep call for process: WerFault.exe modified
13:00:52	API Interceptor	1x Sleep call for process: loaddll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
34.117.186.192	SecuriteInfo.com.Win32.Evo-gen.24318.16217.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	SecuriteInfo.com.Win32.Evo-gen.28489.31883.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	Raptor.HardwareService.Setup 1.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	Conferma_Pdf_Editor.exe	Get hash	malicious	Planet Stealer	Browse	ipinfo.io/
	Conferma_Pdf_Editor.exe	Get hash	malicious	Planet Stealer	Browse	ipinfo.io/
	w.sh	Get hash	malicious	Xmrig	Browse	/ip
	Raptor.HardwareService.Setup_2.3.6.0.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	Raptor.HardwareService.Setup_2.3.6.0.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	uUsgzQ3DoW.exe	Get hash	malicious	RedLine	Browse	ipinfo.io/ip
	8BZBgbeCcz.exe	Get hash	malicious	RedLine	Browse	ipinfo.io/ip
173.255.201.196	factboletaeletricge.msi	Get hash	malicious	Unknown	Browse
	factboletaeletricge.msi	Get hash	malicious	Unknown	Browse
	ansrnotificacaonova.msi	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipinfo.io	notfcacion.detallada_online.nu.msi_notfcacion.detallada_online.nu.msi_46956.msi	Get hash	malicious	Unknown	Browse	34.117.186.192
	factboletaeletricge.msi	Get hash	malicious	Unknown	Browse	34.117.186.192
	SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe	Get hash	malicious	CryptOne, Djvu, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine	Browse	34.117.186.192
	B8Zt27YJRD.exe	Get hash	malicious	LummaC, RisePro Stealer	Browse	34.117.186.192
	WaGiUWSpyO.exe	Get hash	malicious	LummaC, RisePro Stealer	Browse	34.117.186.192
	ufvxGe0K5E.exe	Get hash	malicious	LummaC, RisePro Stealer	Browse	34.117.186.192
	eoZWxnJJyo.exe	Get hash	malicious	LummaC, RisePro Stealer	Browse	34.117.186.192
	BI6oo9z4In.exe	Get hash	malicious	CryptOne, Djvu, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	34.117.186.192
	tMO4FVIc9l.exe	Get hash	malicious	LummaC, RisePro Stealer	Browse	34.117.186.192
	https://article.badgercrypto.org/	Get hash	malicious	Unknown	Browse	34.117.186.192

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	notfcacion.detallada_online.nu.msi_notfcacion.detallada_online.nu.msi_46956.msi	Get hash	malicious	Unknown	Browse	34.117.186.192
	SecuriteInfo.com.Win64.DropperX-gen.29167.15583.exe	Get hash	malicious	PureLog Stealer	Browse	34.117.186.192
	factboletaeletricge.msi	Get hash	malicious	Unknown	Browse	34.117.186.192
	SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe	Get hash	malicious	CryptOne, Djvu, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine	Browse	34.117.186.192
	lgX7lgUL1w.exe	Get hash	malicious	Neoreklami, PureLog Stealer, SmokeLoader	Browse	34.117.186.192
	B8Zt27YJRD.exe	Get hash	malicious	LummaC, RisePro Stealer	Browse	34.117.186.192
	WaGiUWSpyO.exe	Get hash	malicious	LummaC, RisePro Stealer	Browse	34.117.186.192
	ufvxGe0K5E.exe	Get hash	malicious	LummaC, RisePro Stealer	Browse	34.117.186.192
	eoZWxnJJyo.exe	Get hash	malicious	LummaC, RisePro Stealer	Browse	34.117.186.192
	BI6oo9z4In.exe	Get hash	malicious	CryptOne, Djvu, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	34.117.186.192
LINODE-APLinodeLLCUS	factboletaeletricge.msi	Get hash	malicious	Unknown	Browse	173.255.201.196
	http://172.104.75.98/owa/	Get hash	malicious	Outlook Phishing, HTMLPhisher	Browse	172.104.75.98
	http://cardiolog.site	Get hash	malicious	Unknown	Browse	139.162.57.105
	http://waithebattology.site	Get hash	malicious	Unknown	Browse	139.162.57.105
	http://waithebattology.site	Get hash	malicious	Unknown	Browse	139.162.57.105
	https://filesonline.phibraimplementos.com.br/?username=dveon@bigge.com&gclid=EAIaIQobChMIycO8zICjgQMVjiJECB0P2wITEAEYASAAEgKIsvD_BwE	Get hash	malicious	HTMLPhisher	Browse	69.164.194.201
	FRA.0038222.exe	Get hash	malicious	FormBook, GuLoader	Browse	139.162.5.234
	https://dazyorganic.com/	Get hash	malicious	HTMLPhisher	Browse	66.228.52.194
	http://info.ipreo.com/Privacy-Policy.html	Get hash	malicious	Unknown	Browse	139.162.185.124
	New Order.doc	Get hash	malicious	FormBook	Browse	45.33.6.223

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	Service Engineer.zip	Get hash	malicious	Unknown	Browse	34.117.186.192
	file.exe	Get hash	malicious	Babuk, Djvu, SmokeLoader	Browse	34.117.186.192
	notfcacion.detallada_online.nu.msi_notfcacion.detallada_online.nu.msi_46956.msi	Get hash	malicious	Unknown	Browse	34.117.186.192
	factboletaeletricge.msi	Get hash	malicious	Unknown	Browse	34.117.186.192
	PDFixers.exe	Get hash	malicious	Unknown	Browse	34.117.186.192
	SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe	Get hash	malicious	CryptOne, Djvu, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine	Browse	34.117.186.192
	SecuriteInfo.com.Win32.Malware-gen.198.6512.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	34.117.186.192
	BI6oo9z4In.exe	Get hash	malicious	CryptOne, Djvu, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	34.117.186.192
	Offer Document 25.lnk	Get hash	malicious	Unknown	Browse	34.117.186.192
	nF54KOU30R.exe	Get hash	malicious	RHADAMANTHYS	Browse	34.117.186.192

Dropped Files

⊘No context

Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192

Source: Joe Sandbox View	ASN Name: GOOGLE-AS-APGoogleAsiaPacificPteLtdSG GOOGLE-AS-APGoogleAsiaPacificPteLtdSG
Source: Joe Sandbox View	ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS

Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0537652819705703
Encrypted:	false
SSDEEP:	192:+Di7Of2v0BU/wjeTxeUEZr0vzuiFsZ24IO84ci:iiCf2cBU/wjebzuiFsY4IO84ci
MD5:	DE1818675E034D151A4C7F4A2D5BEDA9
SHA1:	D18B1CD70530EF53A626B29CA3032FD771DC70D6
SHA-256:	8AD08F54952BE72561E7C22A6676E120628E3EE435C871D07D0FDF0C7640572F
SHA-512:	F3F0CB43327A3D2DE5FF7DAC4805AF42DF9D7B7F0906449F20CA5BE82E4A14FB2F97468C070C99F0D42CD48D586F4E0761967F1BC3A54D57908D6C55C8DB7BEF
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.1.0.3.8.7.5.8.2.8.1.1.4.5.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.1.0.3.8.7.5.9.4.3.7.3.8.0.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.f.b.1.a.3.7.c.-.5.4.5.8.-.4.b.5.2.-.b.d.c.c.-.4.8.9.2.a.c.2.6.b.3.a.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.9.a.7.8.1.4.2.-.1.2.c.0.-.4.c.2.9.-.9.9.7.5.-.6.1.b.a.2.f.f.6.6.0.8.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.5.0.-.0.0.0.1.-.0.0.1.4.-.9.7.8.e.-.d.d.8.5.f.0.a.d.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.r.

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	321
Entropy (8bit):	4.984656309586536
Encrypted:	false
SSDEEP:	6:kXFJ192gIJAuuuthkP//f4IoWzqs4jW1CRW35jY:kxEgIOuHhA/XvoPPWV5k
MD5:	C8B5480265AA24848B266AB720648A09
SHA1:	4440EDB7429D588DE5A1A0D00D8D82FD6DE41A47
SHA-256:	A15CE3E76A7C7592E79A8C78E240F012E59E68F3D60179D54F8603B0660CA5D0
SHA-512:	EF171430C530BF1DCA63586FD80C999211BEA360984DEFA60C823400844D784F2D23D2B39C15B92E0A84462C4FE7F2392087D5E0283DE71DD3D6CD534BA220AE
Malicious:	false
Preview:	{. "ip": "8.46.123.175",. "hostname": "static-cpe-8-46-123-175.centurylink.com",. "city": "New York City",. "region": "New York",. "country": "US",. "loc": "40.7143,-74.0060",. "org": "AS3356 Level 3 Parent, LLC",. "postal": "10001",. "timezone": "America/New_York",. "readme": "https://ipinfo.io/missingauth".}

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.869937008402487
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.40% Win16/32 Executable Delphi generic (2074/23) 0.21% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll
File size:	18'442'752 bytes
MD5:	dd321c6e3355ce11073719c59ea45c6d
SHA1:	20b7d647f6d2da9ad9e7ab840f2fd48fc1b18d02
SHA256:	ac77fdbd4566518302879e9709f20c9436a3c5007bb4b94c328975390476c676
SHA512:	26c214259f967d18ad9527554a4b6fe6852e97a5058d01b8ff78b6696259cfc5503b0416213b7ddb9946c15d49c1dc513aa065d9190aca28053c6f2483cb443c
SSDEEP:	196608:efdkMmLLoUxFaQNtkZKFD/OGXvnOhW11KzB/POy4vbJqeJOQ7vaYwuAkHnvznheP:ef3QoUxZDkTGXvOc1q4D7cjYwu9PLc8
TLSH:	3307238A29C741E9D5C109B4C72737D703F392A6869A88356EC535CAB0F1FF2706EC96
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

Entrypoint:	0x14f0fcc
Entrypoint Section:	.awiodnn
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x66507A66 [Fri May 24 11:30:46 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	5f49db71e572e695a22e4576af626af2

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x126b340	0xb1	.awiodnn
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1130214	0x118	.awiodnn
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2214000	0x89334	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x229e000	0x6b0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1080000	0x6c	.awiodnn
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x135f628	0x200	.awiodnn
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x7b00d4	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x7b2000	0x7180	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x7ba000	0x1cc18	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x7d7000	0x8997c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x861000	0x406c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0x866000	0xdaa	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x867000	0xb1	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rdata	0x868000	0x45	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.awiodnn	0x869000	0x816adb	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.awiodnn	0x1080000	0x84	0x200	740274560702729ce191083a138d2c06	False	0.15234375	data	1.0134749699845145	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.awiodnn	0x1081000	0x1192d40	0x1192e00	53db11ff88bb86aa892f97e788225122	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x2214000	0x89334	0x2e00	021982f75e6bbe7d342842baa41c489e	False	0.268257472826087	data	3.3956402494632494	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x229e000	0x6b0	0x800	969ad4e3172b56d11c7307e3c9fac5fb	False	0.44189453125	data	4.0418186869731345	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
UNICODEDATA	0x2216c50	0x723f	data			0.032407407407407406
UNICODEDATA	0x221de90	0x7ebd	empty			0
UNICODEDATA	0x2225d50	0x6a8	empty			0
UNICODEDATA	0x22263f8	0xaf7d	empty			0
UNICODEDATA	0x2231378	0xd3cf	empty			0
UNICODEDATA	0x223e748	0x14c5	empty			0
RT_CURSOR	0x223fc10	0x134	empty	English	United States	0
RT_CURSOR	0x223fd44	0x134	empty	English	United States	0
RT_CURSOR	0x223fe78	0x134	empty	English	United States	0
RT_CURSOR	0x223ffac	0x134	empty	English	United States	0
RT_CURSOR	0x22400e0	0x134	empty	English	United States	0
RT_CURSOR	0x2240214	0x134	empty	English	United States	0
RT_CURSOR	0x2240348	0x134	empty	English	United States	0
RT_CURSOR	0x224047c	0x134	empty			0
RT_CURSOR	0x22405b0	0x134	empty			0
RT_CURSOR	0x22406e4	0x134	empty	English	United States	0
RT_CURSOR	0x2240818	0x134	empty	English	United States	0
RT_BITMAP	0x224094c	0x1d0	empty	English	United States	0
RT_BITMAP	0x2240b1c	0x1e4	empty	English	United States	0
RT_BITMAP	0x2240d00	0x1d0	empty	English	United States	0
RT_BITMAP	0x2240ed0	0x1d0	empty	English	United States	0
RT_BITMAP	0x22410a0	0x1d0	empty	English	United States	0
RT_BITMAP	0x2241270	0x1d0	empty	English	United States	0
RT_BITMAP	0x2241440	0x1d0	empty	English	United States	0
RT_BITMAP	0x2241610	0x1d0	empty	English	United States	0
RT_BITMAP	0x22417e0	0x1d0	empty	English	United States	0
RT_BITMAP	0x22419b0	0x1d0	empty	English	United States	0
RT_BITMAP	0x2241b80	0xc0	empty	English	United States	0
RT_BITMAP	0x2241c40	0xe0	empty	English	United States	0
RT_BITMAP	0x2241d20	0xe0	empty	English	United States	0
RT_BITMAP	0x2241e00	0xe0	empty	English	United States	0
RT_BITMAP	0x2241ee0	0xc0	empty	English	United States	0
RT_BITMAP	0x2241fa0	0xc0	empty	English	United States	0
RT_BITMAP	0x2242060	0xe0	empty	English	United States	0
RT_BITMAP	0x2242140	0xc58	empty	English	United States	0
RT_BITMAP	0x2242d98	0xc0	empty	English	United States	0
RT_BITMAP	0x2242e58	0xe0	empty	English	United States	0
RT_BITMAP	0x2242f38	0xe8	empty	English	United States	0
RT_BITMAP	0x2243020	0xc0	empty	English	United States	0
RT_BITMAP	0x22430e0	0x4b8	empty	English	United States	0
RT_BITMAP	0x2243598	0x4b8	empty	English	United States	0
RT_BITMAP	0x2243a50	0x4b8	empty	English	United States	0
RT_BITMAP	0x2243f08	0x4b8	empty	English	United States	0
RT_BITMAP	0x22443c0	0x4b8	empty	English	United States	0
RT_BITMAP	0x2244878	0x628	empty	English	United States	0
RT_BITMAP	0x2244ea0	0x628	empty	English	United States	0
RT_BITMAP	0x22454c8	0x628	empty	English	United States	0
RT_BITMAP	0x2245af0	0x628	empty	English	United States	0
RT_BITMAP	0x2246118	0x628	empty	English	United States	0
RT_BITMAP	0x2246740	0x628	empty	English	United States	0
RT_BITMAP	0x2246d68	0x628	empty	English	United States	0
RT_BITMAP	0x2247390	0x628	empty	English	United States	0
RT_BITMAP	0x22479b8	0x628	empty	English	United States	0
RT_BITMAP	0x2247fe0	0x628	empty	English	United States	0
RT_BITMAP	0x2248608	0xe0	empty	English	United States	0
RT_DIALOG	0x22486e8	0x52	empty			0
RT_DIALOG	0x224873c	0x52	empty			0
RT_STRING	0x2248790	0x4c	empty			0
RT_STRING	0x22487dc	0xaa	empty			0
RT_STRING	0x2248888	0x186	empty			0
RT_STRING	0x2248a10	0x1ce	empty			0
RT_STRING	0x2248be0	0x146	empty			0
RT_STRING	0x2248d28	0x7e	empty			0
RT_STRING	0x2248da8	0x24	empty			0
RT_STRING	0x2248dcc	0x210	empty			0
RT_STRING	0x2248fdc	0x440	empty			0
RT_STRING	0x224941c	0x490	empty			0
RT_STRING	0x22498ac	0x458	empty			0
RT_STRING	0x2249d04	0x764	empty			0
RT_STRING	0x224a468	0x44c	empty			0
RT_STRING	0x224a8b4	0x47c	empty			0
RT_STRING	0x224ad30	0x478	empty			0
RT_STRING	0x224b1a8	0x44c	empty			0
RT_STRING	0x224b5f4	0x57c	empty			0
RT_STRING	0x224bb70	0x440	empty			0
RT_STRING	0x224bfb0	0x3dc	empty			0
RT_STRING	0x224c38c	0x334	empty			0
RT_STRING	0x224c6c0	0x490	empty			0
RT_STRING	0x224cb50	0x6f4	empty			0
RT_STRING	0x224d244	0x5d0	empty			0
RT_STRING	0x224d814	0x3f8	empty			0
RT_STRING	0x224dc0c	0x464	empty			0
RT_STRING	0x224e070	0x50c	empty			0
RT_STRING	0x224e57c	0x6e4	empty			0
RT_STRING	0x224ec60	0x7a0	empty			0
RT_STRING	0x224f400	0x734	empty			0
RT_STRING	0x224fb34	0x4dc	empty			0
RT_STRING	0x2250010	0x604	empty			0
RT_STRING	0x2250614	0x618	empty			0
RT_STRING	0x2250c2c	0x7a8	empty			0
RT_STRING	0x22513d4	0x5ac	empty			0
RT_STRING	0x2251980	0xd10	empty			0
RT_STRING	0x2252690	0x5ec	empty			0
RT_STRING	0x2252c7c	0x698	empty			0
RT_STRING	0x2253314	0x76c	empty			0
RT_STRING	0x2253a80	0x680	empty			0
RT_STRING	0x2254100	0x524	empty			0
RT_STRING	0x2254624	0x59c	empty			0
RT_STRING	0x2254bc0	0x4e8	empty			0
RT_STRING	0x22550a8	0x3e4	empty			0
RT_STRING	0x225548c	0x524	empty			0
RT_STRING	0x22559b0	0x840	empty			0
RT_STRING	0x22561f0	0xaa8	empty			0
RT_STRING	0x2256c98	0x1c8	empty			0
RT_STRING	0x2256e60	0x17c	empty			0
RT_STRING	0x2256fdc	0x11c	empty			0
RT_STRING	0x22570f8	0x100	empty			0
RT_STRING	0x22571f8	0x2a8	empty			0
RT_STRING	0x22574a0	0x49c	empty			0
RT_STRING	0x225793c	0x3f0	empty			0
RT_STRING	0x2257d2c	0x47c	empty			0
RT_STRING	0x22581a8	0x57c	empty			0
RT_STRING	0x2258724	0x284	empty			0
RT_STRING	0x22589a8	0x234	empty			0
RT_STRING	0x2258bdc	0x194	empty			0
RT_STRING	0x2258d70	0x120	empty			0
RT_STRING	0x2258e90	0xf0	empty			0
RT_STRING	0x2258f80	0x2dc	empty			0
RT_STRING	0x225925c	0x884	empty			0
RT_STRING	0x2259ae0	0x888	empty			0
RT_STRING	0x225a368	0x7fc	empty			0
RT_STRING	0x225ab64	0x810	empty			0
RT_STRING	0x225b374	0x9b4	empty			0
RT_STRING	0x225bd28	0x968	empty			0
RT_STRING	0x225c690	0x590	empty			0
RT_STRING	0x225cc20	0x3ac	empty			0
RT_STRING	0x225cfcc	0x26c	empty			0
RT_STRING	0x225d238	0x4d8	empty			0
RT_STRING	0x225d710	0x31c	empty			0
RT_STRING	0x225da2c	0x3ac	empty			0
RT_STRING	0x225ddd8	0x520	empty			0
RT_STRING	0x225e2f8	0xe04	empty			0
RT_STRING	0x225f0fc	0xb40	empty			0
RT_STRING	0x225fc3c	0xae4	empty			0
RT_STRING	0x2260720	0x8ac	empty			0
RT_STRING	0x2260fcc	0x798	empty			0
RT_STRING	0x2261764	0x2b8	empty			0
RT_STRING	0x2261a1c	0x350	empty			0
RT_STRING	0x2261d6c	0x468	empty			0
RT_STRING	0x22621d4	0x3a0	empty			0
RT_STRING	0x2262574	0x3fc	empty			0
RT_STRING	0x2262970	0x3e8	empty			0
RT_STRING	0x2262d58	0x388	empty			0
RT_STRING	0x22630e0	0x364	empty			0
RT_STRING	0x2263444	0x2ec	empty			0
RT_STRING	0x2263730	0x4b4	empty			0
RT_STRING	0x2263be4	0x56c	empty			0
RT_STRING	0x2264150	0x468	empty			0
RT_STRING	0x22645b8	0x4ac	empty			0
RT_STRING	0x2264a64	0x544	empty			0
RT_STRING	0x2264fa8	0x368	empty			0
RT_STRING	0x2265310	0x3a4	empty			0
RT_STRING	0x22656b4	0x2a8	empty			0
RT_STRING	0x226595c	0xbc	empty			0
RT_STRING	0x2265a18	0x1f8	empty			0
RT_STRING	0x2265c10	0x198	empty			0
RT_STRING	0x2265da8	0x3cc	empty			0
RT_STRING	0x2266174	0x3b8	empty			0
RT_STRING	0x226652c	0x444	empty			0
RT_STRING	0x2266970	0x4a0	empty			0
RT_STRING	0x2266e10	0x328	empty			0
RT_STRING	0x2267138	0x3a4	empty			0
RT_STRING	0x22674dc	0x694	empty			0
RT_STRING	0x2267b70	0x3ec	empty			0
RT_STRING	0x2267f5c	0x368	empty			0
RT_STRING	0x22682c4	0x31c	empty			0
RT_STRING	0x22685e0	0x42c	empty			0
RT_STRING	0x2268a0c	0x200	empty			0
RT_STRING	0x2268c0c	0xc4	empty			0
RT_STRING	0x2268cd0	0x150	empty			0
RT_STRING	0x2268e20	0x3e8	empty			0
RT_STRING	0x2269208	0x498	empty			0
RT_STRING	0x22696a0	0x2f8	empty			0
RT_STRING	0x2269998	0x2f0	empty			0
RT_STRING	0x2269c88	0x3c0	empty			0
RT_RCDATA	0x226a048	0xcbf	empty	English	United States	0
RT_RCDATA	0x226ad08	0x3a5	empty	English	United States	0
RT_RCDATA	0x226b0b0	0x286ac	empty	English	United States	0
RT_RCDATA	0x229375c	0x10	empty			0
RT_RCDATA	0x229376c	0x2320	empty			0
RT_RCDATA	0x2295a8c	0x5ea	empty	English	United States	0
RT_RCDATA	0x2296078	0x5c9	empty	English	United States	0
RT_RCDATA	0x2296644	0x314	empty	English	United States	0
RT_RCDATA	0x2296958	0xb88	empty	English	United States	0
RT_RCDATA	0x22974e0	0xabc	empty	English	United States	0
RT_RCDATA	0x2297f9c	0x572	empty			0
RT_RCDATA	0x2298510	0x970	empty			0
RT_RCDATA	0x2298e80	0x12df	empty			0
RT_RCDATA	0x229a160	0x1984	empty			0
RT_RCDATA	0x229bae4	0x15b4	empty			0
RT_RCDATA	0x229d098	0x1c0	empty			0
RT_GROUP_CURSOR	0x229d258	0x14	empty	English	United States	0
RT_GROUP_CURSOR	0x229d26c	0x14	empty			0
RT_GROUP_CURSOR	0x229d280	0x14	empty			0
RT_GROUP_CURSOR	0x229d294	0x14	empty	English	United States	0
RT_GROUP_CURSOR	0x229d2a8	0x14	empty	English	United States	0
RT_GROUP_CURSOR	0x229d2bc	0x14	empty	English	United States	0
RT_GROUP_CURSOR	0x229d2d0	0x14	empty	English	United States	0
RT_GROUP_CURSOR	0x229d2e4	0x14	empty	English	United States	0
RT_GROUP_CURSOR	0x229d2f8	0x14	empty	English	United States	0
RT_GROUP_CURSOR	0x229d30c	0x14	empty	English	United States	0
RT_GROUP_CURSOR	0x229d320	0x14	empty	English	United States	0

DLL	Import
comctl32.dll	FlatSB_SetScrollInfo
shell32.dll	SHGetMalloc
user32.dll	CopyImage
version.dll	GetFileVersionInfoSizeW
oleaut32.dll	SafeArrayPutElement
advapi32.dll	RegSetValueExW
netapi32.dll	NetWkstaGetInfo
msvcrt.dll	memcpy
winhttp.dll	WinHttpGetIEProxyConfigForCurrentUser
kernel32.dll	GetVersion, GetVersionExW
SHFolder.dll	SHGetFolderPathW
ole32.dll	CreateBindCtx
gdi32.dll	AddFontMemResourceEx

Name	Ordinal	Address
TMethodImplementationIntercept	3	0x4c4a2c
__dbk_fcall_wrapper	2	0x41170c
agzxqlovcrhc	4	0xb9f2e4
dbkFCallWrapperAddr	1	0xbda640

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 24, 2024 17:39:27.571630001 CEST	49707	443	192.168.2.7	34.117.186.192
May 24, 2024 17:39:27.571737051 CEST	443	49707	34.117.186.192	192.168.2.7
May 24, 2024 17:39:27.571841002 CEST	49707	443	192.168.2.7	34.117.186.192
May 24, 2024 17:39:27.726546049 CEST	49707	443	192.168.2.7	34.117.186.192
May 24, 2024 17:39:27.726603985 CEST	443	49707	34.117.186.192	192.168.2.7
May 24, 2024 17:39:28.278702974 CEST	443	49707	34.117.186.192	192.168.2.7
May 24, 2024 17:39:28.278862000 CEST	49707	443	192.168.2.7	34.117.186.192
May 24, 2024 17:39:28.377594948 CEST	49707	443	192.168.2.7	34.117.186.192
May 24, 2024 17:39:28.377681017 CEST	443	49707	34.117.186.192	192.168.2.7
May 24, 2024 17:39:28.378415108 CEST	443	49707	34.117.186.192	192.168.2.7
May 24, 2024 17:39:28.378506899 CEST	49707	443	192.168.2.7	34.117.186.192
May 24, 2024 17:39:28.383111000 CEST	49707	443	192.168.2.7	34.117.186.192
May 24, 2024 17:39:28.430507898 CEST	443	49707	34.117.186.192	192.168.2.7
May 24, 2024 17:39:28.541400909 CEST	443	49707	34.117.186.192	192.168.2.7
May 24, 2024 17:39:28.541486025 CEST	49707	443	192.168.2.7	34.117.186.192
May 24, 2024 17:39:28.541552067 CEST	443	49707	34.117.186.192	192.168.2.7
May 24, 2024 17:39:28.541614056 CEST	443	49707	34.117.186.192	192.168.2.7
May 24, 2024 17:39:28.541626930 CEST	49707	443	192.168.2.7	34.117.186.192
May 24, 2024 17:39:28.541695118 CEST	49707	443	192.168.2.7	34.117.186.192
May 24, 2024 17:39:28.555932045 CEST	49707	443	192.168.2.7	34.117.186.192
May 24, 2024 17:39:28.555969954 CEST	443	49707	34.117.186.192	192.168.2.7
May 24, 2024 17:39:31.580338955 CEST	65485	9091	192.168.2.7	173.255.201.196
May 24, 2024 17:39:31.609389067 CEST	9091	65485	173.255.201.196	192.168.2.7
May 24, 2024 17:39:31.609472990 CEST	65485	9091	192.168.2.7	173.255.201.196
May 24, 2024 17:39:32.607170105 CEST	65485	9091	192.168.2.7	173.255.201.196
May 24, 2024 17:39:32.612821102 CEST	9091	65485	173.255.201.196	192.168.2.7
May 24, 2024 17:39:32.790781975 CEST	9091	65485	173.255.201.196	192.168.2.7
May 24, 2024 17:39:32.790878057 CEST	65485	9091	192.168.2.7	173.255.201.196
May 24, 2024 17:39:33.606779099 CEST	65485	9091	192.168.2.7	173.255.201.196
May 24, 2024 17:39:33.612426043 CEST	9091	65485	173.255.201.196	192.168.2.7

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 24, 2024 17:39:27.293054104 CEST	57788	53	192.168.2.7	1.1.1.1
May 24, 2024 17:39:27.300326109 CEST	53	57788	1.1.1.1	192.168.2.7
May 24, 2024 17:39:31.473427057 CEST	53	56892	1.1.1.1	192.168.2.7

Timestamp	Bytes transferred	Direction	Data
2024-05-24 15:39:28 UTC	297	OUT	GET /json HTTP/1.1 Accept: / Accept-Language: en-ch Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ipinfo.io Connection: Keep-Alive
2024-05-24 15:39:28 UTC	401	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Fri, 24 May 2024 15:39:28 GMT content-type: application/json; charset=utf-8 Content-Length: 321 access-control-allow-origin: * x-content-type-options: nosniff x-envoy-upstream-service-time: 2 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-05-24 15:39:28 UTC	321	IN	Data Raw: 7b 0a 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 37 35 22 2c 0a 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 31 37 35 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 0a 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 31 30 30 30 31 22 2c 0a 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a Data Ascii: { "ip": "8.46.123.175", "hostname": "static-cpe-8-46-123-175.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level 3 Parent, LLC", "postal": "10001", "timezone":

Target ID:	6
Start time:	11:39:10
Start date:	24/05/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll"
Imagebase:	0xb70000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	true

Target ID:	9
Start time:	11:39:11
Start date:	24/05/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll",#1
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	12
Start time:	11:39:14
Start date:	24/05/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll,__dbk_fcall_wrapper
Imagebase:	0xf0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	true

Target ID:	16
Start time:	11:39:17
Start date:	24/05/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll,agzxqlovcrhc
Imagebase:	0xf0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000010.00000002.2524492723.00000000041B1000.00000020.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Target ID:	20
Start time:	11:39:18
Start date:	24/05/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5456 -s 936
Imagebase:	0xf10000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_5846ff3f27e0cd291f852844950cb54b87e166d_7522e4b5_3fb1a37c-5458-4b52-bdcc-4892ac26b3a2\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_5846ff3f27e0cd291f852844950cb54b87e166d_7522e4b5_c78fdc5a-8f48-48bd-8bd7-6ade83bfbcf6\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_94a81f56e41f80eabdc4f62591f2f87b03014a3_7522e4b5_727f85bd-9bfd-4ad9-bee0-d83a42000635\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_94a81f56e41f80eabdc4f62591f2f87b03014a3_7522e4b5_ab76d196-46d2-43ab-b3e8-5db75a2b7a3d\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7230.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7240.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7379.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER73B9.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7425.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER759D.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE0C9.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE1A5.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE1C5.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE230.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE2FC.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE34B.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\json[1].json

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
SecuriteInfo.com.Variant.Lazy.448806.29655.2426.dll

Target ID:	31
Start time:	13:01:01
Start date:	24/05/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7952 -s 928
Imagebase:	0xf10000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre