Windows Analysis Report
SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll

Overview

General Information

Sample name:	SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll
Analysis ID:	1447257
MD5:	0c70cd43a7fde3c04399319adba55ebc
SHA1:	99aab09ec5defa23610e25f52541addbec26f63d
SHA256:	e899f50c216439cc5e7b4246d8dd81d8af3a8485b666edc47fc387e86ca0582b
Tags:	dll
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Hides threads from debuggers

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Tries to evade analysis by execution special instruction (VM detection)

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Entry point lies outside standard sections

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains more sections than normal

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll

ReversingLabs: Detection: 26%

Uses 32bit PE files

Source: SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI

Source: unknown

HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.8:49712 version: TLS 1.2

Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_bd87298c18d414cc6c2b7287a760e0b8abb64e54_7522e4b5_7a32ab89-01a8-4054-8f61-9419c35a1954\
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_2228a5a8ddc1c13c5ac4b75142f1324ee78b030_7522e4b5_204f3382-03b1-49e6-8c19-9e378ccd33f7\

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 34.117.186.192 443			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 173.255.201.196 9091			Jump to behavior

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.8:49714 -> 173.255.201.196:9091

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: GOOGLE-AS-APGoogleAsiaPacificPteLtdSG GOOGLE-AS-APGoogleAsiaPacificPteLtdSG
Source: Joe Sandbox View	ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

May check the online IP address of the machine

Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /json HTTP/1.1Accept: */*Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ipinfo.ioConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.201.196
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.201.196
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.201.196
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.201.196
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.201.196
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: ipinfo.io

Source: rundll32.exe, 00000004.00000002.1515192848.0000000006354000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1516009328.00000000063C4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2661730580.0000000006554000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1673193864.0000000006554000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1673399182.0000000006354000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://fontawesome.io
Source: rundll32.exe, 00000004.00000002.1515192848.0000000006354000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1516009328.00000000063C4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2661730580.0000000006554000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1673193864.0000000006554000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1673399182.0000000006354000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://fontawesome.io/license/
Source: rundll32.exe, 00000004.00000002.1515192848.0000000006354000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1516009328.00000000063C4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2661730580.0000000006554000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1673193864.0000000006554000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1673399182.0000000006354000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://fontawesome.iohttp://fontawesome.iohttp://fontawesome.io/license/http://fontawesome.io/licens
Source: loaddll32.exe, 00000000.00000003.1541296328.0000000005473000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1509418224.000000000415C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1515803822.0000000006503000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1516208100.0000000006703000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1509801187.00000000041CC000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000003.1483945447.00000000065C3000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.2658035882.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1673395044.00000000068C3000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1668206356.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000003.1661301893.0000000007353000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1679565793.0000000006A33000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1673692607.0000000006693000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1668678941.000000000415C000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: rundll32.exe, 0000000D.00000002.2661780062.0000000006703000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/03p
Source: rundll32.exe, 00000004.00000002.1509418224.000000000415C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1509801187.00000000041CC000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2658035882.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1668206356.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1668678941.000000000415C000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: rundll32.exe, 00000004.00000002.1509418224.000000000415C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1509801187.00000000041CC000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2658035882.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1668206356.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1668678941.000000000415C000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: rundll32.exe, 00000004.00000002.1509418224.000000000415C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1509801187.00000000041CC000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2658035882.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1668206356.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1668678941.000000000415C000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/http/
Source: rundll32.exe, 00000004.00000002.1509418224.000000000415C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1509801187.00000000041CC000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2658035882.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1668206356.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1668678941.000000000415C000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap/
Source: rundll32.exe, 00000004.00000002.1509418224.000000000415C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1509801187.00000000041CC000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2658035882.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1668206356.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1668678941.000000000415C000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/SV
Source: Amcache.hve.10.dr	String found in binary or memory: http://upx.sf.net
Source: rundll32.exe, 00000012.00000003.1679565793.0000000006A1D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1668678941.000000000415C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1673692607.000000000667D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.borland.com/namespaces/Types
Source: loaddll32.exe, 00000000.00000003.1541296328.000000000545D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1483945447.00000000065AD000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1661301893.000000000733D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1679565793.0000000006A1D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.borland.com/namespaces/TypesA
Source: loaddll32.exe, 00000000.00000003.1541296328.000000000545D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1483945447.00000000065AD000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1661301893.000000000733D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1679565793.0000000006A1D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.borland.com/namespaces/Typesa
Source: rundll32.exe, 00000004.00000002.1509418224.000000000415C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1509801187.00000000041CC000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2658035882.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1668206356.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1668678941.000000000415C000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.borland.com/rootpart.xml
Source: rundll32.exe, 00000013.00000002.1668678941.000000000415C000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.componentace.com
Source: loaddll32.exe, 00000000.00000003.1541296328.00000000053E0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1509418224.000000000415C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1515803822.0000000006470000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1516208100.0000000006670000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1509801187.00000000041CC000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000003.1483945447.0000000006530000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.2661780062.0000000006670000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.2658035882.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1673395044.0000000006830000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1668206356.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000003.1661301893.00000000072C0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1679565793.00000000069A0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1673692607.0000000006600000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1668678941.000000000415C000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.indyproject.org/
Source: rundll32.exe, 0000000D.00000002.2656393881.00000000007F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: rundll32.exe, 0000000D.00000002.2656393881.000000000081E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/json
Source: rundll32.exe, 0000000D.00000002.2656393881.0000000000830000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.2661780062.000000000670A000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.2663792474.00000000085D3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.2661780062.0000000006622000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.2656393881.000000000084C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.2656072068.00000000003FA000.00000004.00000010.00020000.00000000.sdmp, json[1].json.13.dr	String found in binary or memory: https://ipinfo.io/missingauth
Source: rundll32.exe, 0000000D.00000002.2656393881.00000000007F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/x
Source: rundll32.exe, 0000000D.00000002.2656393881.000000000081E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com

Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown

HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.8:49712 version: TLS 1.2

One or more processes crash

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7424 -s 936

PE file contains more sections than normal

Source: SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll

Static PE information: Number of sections : 13 > 10

Uses 32bit PE files

Source: SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI

Source: classification engine

Classification label: mal68.evad.winDLL@25/22@1/2

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Users\user\AppData\Roaming\2402024

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7596
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7960
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7348:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7408
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7424
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7988

Source: Yara match	File source: 00000013.00000002.1668678941.0000000004141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2658035882.0000000004341000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1509801187.00000000041B1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1509418224.0000000004141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1668206356.0000000004341000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll,TMethodImplementationIntercept
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll,__dbk_fcall_wrapper
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7424 -s 936
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7408 -s 936
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll,agzxqlovcrhc
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7596 -s 796
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll",TMethodImplementationIntercept
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll",__dbk_fcall_wrapper
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll",agzxqlovcrhc
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll",dbkFCallWrapperAddr
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7960 -s 928
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7988 -s 936
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll,TMethodImplementationIntercept	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll,__dbk_fcall_wrapper	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll,agzxqlovcrhc	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll",TMethodImplementationIntercept	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll",__dbk_fcall_wrapper	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll",agzxqlovcrhc	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll",dbkFCallWrapperAddr	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: colorui.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: compstui.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: inetres.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll	Static PE information: section name: .didata
Source: SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll	Static PE information: section name: .awiodnn
Source: SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll	Static PE information: section name: .awiodnn
Source: SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll	Static PE information: section name: .awiodnn

Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 7340 base: 13B0007 value: E9 EB DF 0E 76	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 7340 base: 7749DFF0 value: E9 1E 20 F1 89	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7408 base: 680007 value: E9 EB DF E1 76	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7408 base: 7749DFF0 value: E9 1E 20 1E 89	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7424 base: A90007 value: E9 EB DF A0 76	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7424 base: 7749DFF0 value: E9 1E 20 5F 89	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7596 base: 470007 value: E9 EB DF 02 77	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7596 base: 7749DFF0 value: E9 1E 20 FD 88	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7804 base: 9A0007 value: E9 EB DF AF 76	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7804 base: 7749DFF0 value: E9 1E 20 50 89	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7960 base: 740007 value: E9 EB DF D5 76	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7960 base: 7749DFF0 value: E9 1E 20 2A 89	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7972 base: 33C0007 value: E9 EB DF 0D 74	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7972 base: 7749DFF0 value: E9 1E 20 F2 8B	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7980 base: 7E0007 value: E9 EB DF CB 76	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7980 base: 7749DFF0 value: E9 1E 20 34 89	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7988 base: 3E0007 value: E9 EB DF 0B 77
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7988 base: 7749DFF0 value: E9 1E 20 F4 88

Source: C:\Windows\SysWOW64\rundll32.exe TID: 7932	Thread sleep count: 72 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7932	Thread sleep time: -63936s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7932	Thread sleep count: 80 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7932	Thread sleep time: -71120s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: rundll32.exe, 0000000D.00000002.2656393881.00000000007C9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW88
Source: Amcache.hve.10.dr	Binary or memory string: VMware
Source: rundll32.exe, 00000013.00000002.1667950909.0000000000769000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tSTORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}f
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual USB Mouse
Source: rundll32.exe, 00000012.00000002.1683004744.0000000002DC9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}`
Source: SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll	Binary or memory string: vMCIA
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin
Source: rundll32.exe, 0000000D.00000002.2656393881.00000000007F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW1O
Source: Amcache.hve.10.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.10.dr	Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.10.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: rundll32.exe, 00000011.00000003.1668023213.0000000003419000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: rundll32.exe, 0000000D.00000002.2656393881.0000000000838000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.10.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: rundll32.exe, 00000009.00000002.1534039603.00000000005D9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o[STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: rundll32.exe, 00000010.00000002.1666671073.0000000000799000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: wSTORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.10.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.10.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: rundll32.exe, 00000009.00000002.1534039603.00000000005D9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\8
Source: Amcache.hve.10.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: rundll32.exe, 00000005.00000002.1509216007.000000000064A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cSTORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.10.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.10.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: rundll32.exe, 00000011.00000003.1668023213.0000000003419000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: Amcache.hve.10.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.10.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.10.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: rundll32.exe, 00000011.00000002.1670431816.00000000033DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.10.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware VMCI Bus Device
Source: rundll32.exe, 0000000D.00000002.2656393881.00000000007C9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %SystemRoot%\system32\napinsp.dll00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.10.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: rundll32.exe, 00000004.00000002.1509049172.0000000000769000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tSTORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.10.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\loaddll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger

Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort

Source: rundll32.exe, 00000004.00000002.1509418224.000000000415C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1509801187.00000000041CC000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2658035882.000000000435C000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: Shell_TrayWndSVW
Source: rundll32.exe, 00000004.00000002.1509418224.000000000415C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1509801187.00000000041CC000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2658035882.000000000435C000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: Shell_TrayWndReBarWindow32MSTaskSwWClassToolbarWindow32SV

Source: Amcache.hve.10.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: MsMpEng.exe

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
34.117.186.192	ipinfo.io	United States		139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	true
173.255.201.196	unknown	United States		63949	LINODE-APLinodeLLCUS	true

ID:	1447257
Product:	CloudBasic
Start time:	17:38:17
Start date:	24.05.2024
Sample:	SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	0c70cd43a7fde3c04399319adba55ebc
SHA1:	99aab09ec5defa23610e25f52541addbec26f63d
SHA256:	e899f50c216439cc5e7b4246d8dd81d8af3a8485b666edc47fc387e86ca0582b
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 99.40%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_2228a5a8ddc1c13c5ac4b75142f1324ee78b030_7522e4b5_204f3382-03b1-49e6-8c19-9e378ccd33f7\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	C485441825D9AC9880A92D50F8B74C32	0DDAB8DD554368D622B79627FDA0F7F8F3496016	5F3EA6A3B4962F5F3921CAA9CCF7B4B89EDA1512B612DEE749CC323928D6879D
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_bd87298c18d414cc6c2b7287a760e0b8abb64e54_7522e4b5_7a32ab89-01a8-4054-8f61-9419c35a1954\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	303F049C7C79685BF3B69D6EC109C8BA	2442D3C91C4BE5627AF99B586610C1D9E550407A	6059539F2A7EBB2CA592EFE9FB6E11D5DFB095A7906091507FEB59AF9B331A60
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_bd87298c18d414cc6c2b7287a760e0b8abb64e54_7522e4b5_90d72470-b177-46bf-9f0b-b6028d95ef01\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	773A4A4045C1B812A56FCA4F8E60BC1C	DA7210B10323697E8901A89B2CB4BC3DC4DAF8CF	2B665D0BF63EC91058282F90D71529CC1C6D0061434D59C01E2EE94BF4B88BB6
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_c03efb850abe777212f3815fca896ce0efaa7b_7522e4b5_1201804e-7563-4311-b12d-bcb49866fd44\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	AAFA0FB48C516784916402FC1221C513	5769E57A3A5FB06503ED0950D55A3824A3448C30	9030A49A4A60971508E770056F1C75F2806A0E29C743558C61812338E20A5278
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_c03efb850abe777212f3815fca896ce0efaa7b_7522e4b5_4ae3d656-a02c-418a-a49d-9c30ac129c96\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	6DE57BEDCA758C363737125E3E16AA8A	CF082228A47BDE0345A2217FEB3A02AE23224485	EEEB639F789CB65F904385916C6FE92D343FAE993E0C3A65BDC105C6CEF4791F
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA1DC.tmp.dmp	Mini DuMP crash report, 15 streams, Fri May 24 15:39:18 2024, 0x1205a4 type	050AD646FBC087337CF860CCD0CBB30E	8584A5EE87FB30B0AB8D44C861FE586E6E9468ED	BCB7336839177ECAC24076CB95C0C1C766F5A33B2A18777F4185B08BC76D37AE
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA20B.tmp.dmp	Mini DuMP crash report, 15 streams, Fri May 24 15:39:18 2024, 0x1205a4 type	F75B3E4B4E7A78B1492EF537EBD00AF9	21DC9A3ECF8E1A691513277CC1FB9143F4681E3A	9D0E47711283334C274CD77C13ACF9C93AE2770BB844C8136B7839B8B8C7B6DF
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA393.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	8022A4B13760C0674AE4FDC46B96CB1E	A46AEB3C2B2AD029AD0A89973DE4667314E837E9	C5BB835EE1A6CCF78FF126DF6AA94B3114DB2F47E72B101AD94C9C8627EB4D7D
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA3A2.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	2692C19A39D3E74ED9BFE62C7B44F00C	44FC7193658C3276C90DDE257F23BC5FDAE13381	A7D792B48D9D306F0E93E8185121E904461BAC9D39B0AD6E1EF68DA80B030FF3
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA3B3.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	1BFF397B6C11830E81458F2F89785D87	1015C26F8D961F4CDDD8924A4CE157CCC6B6BDDA	CFF82066D1AE02868BBF870FC964E284ABC4E0A6A30F913E1A426739A054AF41
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA3C2.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	7E1EF7DB86ABEF5E530424F7B99EF4FE	27EBE95E87CA99BB97AF0406ABC3B0CA4D71ACB7	7C44183FA1C1DBB947DF962C9532171A13FD1A2C4818B714A1C9C48148E0A710
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB5D1.tmp.dmp	Mini DuMP crash report, 15 streams, Fri May 24 15:39:23 2024, 0x1205a4 type	9E637107E90F5BBA351775821C4B1DFC	A11121E86EF2140DAA8E7B4126E962F10C038E86	503D9058D49ACA1C0DFA8CEDF8F4B407DF1C0382184181B4DE95B848D967039A
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB6AD.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	ADBD7747FC76CAE2445FD928C9B73925	90DD9D74408C56A776FB593DDCBB126B4949ADF2	2C1DF071C280BD9A70FC1C6C972E9AD8686840CDAAECCA9CB120609818A7941F
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB76A.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	4A83A59AA52D4A56659B974AD7C05CC3	56305F05F0B2AF08A446ED26814A4FD8A4099655	ECDA38F877BA19F1AC7D2EA058B49DF214058A09120CEABD8E6F6865D6752713
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF0A8.tmp.dmp	Mini DuMP crash report, 15 streams, Fri May 24 15:39:38 2024, 0x1205a4 type	C9A193F60161AF60E2892B6FBCD4B2C6	2B78E47D42539E3DF6BB8897882D16BFC531C229	2E933DF1E6870E698E49FCBD4D350361C7ABAB1FF57908EE2B5A021A32C1A9AE
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1B2.tmp.dmp	Mini DuMP crash report, 15 streams, Fri May 24 15:39:38 2024, 0x1205a4 type	200135E6F7A969EC6714504A9B62A706	7F6C00F189B36196D834F3155C31357CDA5E40A1	72240A65C762A8491A3C551CAE3F368EF2FF3781EB89942CBDE01C34F0066713
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1C2.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	EE820B289AE2A5C6A2FDB89232626FC4	532DFAA2CEEE4CC7A57CC4CA8685E529DA9F3EDF	FD098AC234C345AE3375EF5F5347AD3EE2C690B2148994F0A570F59CA72C8D45
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF221.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	08A706D3980F2C76C4635D0D2ED8B399	C3CFE30A9024CF44802662718BCB96AEDBB135CC	C16DDB1E71D8614952889B13E61A064D78452755CADDBDBF09BF790DEBEC95EF
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF2EB.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	A3D02B8302AFDBD6B4E259822701194F	854A82C79BE9217CBA7772B327F9DA052AC91F15	8BC2937B694531154F67FBDCC8DF2F97D2BFA913B1872E70EBB9BDC7A59D1913
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF31B.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	8A412D21674A523459EDDA7C9D15DD5E	B83F90454D855DAA9160E60F42F157BB0B292F24	5A7611A6DA3C80FCDB27E48362BE72814B29EE00370406E3F9FF5152B9006290
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\json[1].json	JSON data	C8B5480265AA24848B266AB720648A09	4440EDB7429D588DE5A1A0D00D8D82FD6DE41A47	A15CE3E76A7C7592E79A8C78E240F012E59E68F3D60179D54F8603B0660CA5D0
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	A46E9C105F4EA41A5874570C408F8C1E	35AD46BC344446E361C27F515019ED6757087E0B	A5B0F3C97F2F68B7A98DE315D1704C8C809A31C4EE51197163E1D31B178BA47C

Windows Analysis Report SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll