Windows Analysis Report
SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll

Overview

General Information

Sample name: SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll
Analysis ID: 1447257
MD5: 0c70cd43a7fde3c04399319adba55ebc
SHA1: 99aab09ec5defa23610e25f52541addbec26f63d
SHA256: e899f50c216439cc5e7b4246d8dd81d8af3a8485b666edc47fc387e86ca0582b
Tags: dll

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Hides threads from debuggers
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Tries to evade analysis by executing a special instruction (VM detection)
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Entry point lies outside standard sections
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains more sections than normal
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64
  • loaddll32.exe (PID: 7340 cmdline: loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 7348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7388 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 7424 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • WerFault.exe (PID: 7604 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7424 -s 936 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 7408 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll,TMethodImplementationIntercept MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 7616 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7408 -s 936 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 7596 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll,__dbk_fcall_wrapper MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 7860 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7596 -s 796 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 7804 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll,agzxqlovcrhc MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7960 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll",TMethodImplementationIntercept MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 1196 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7960 -s 928 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 7972 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll",__dbk_fcall_wrapper MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7980 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll",agzxqlovcrhc MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7988 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll",dbkFCallWrapperAddr MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 5180 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7988 -s 936 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
Yara matches (Source | Rule | Description | Author | Strings)
Source: 00000013.00000002.1668678941.0000000004141000.00000020.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_DelphiSystemParamCount | Description: Detected Delphi use of System.ParamCount() | Author: Joe Security | Strings: none listed
Source: 0000000D.00000002.2658035882.0000000004341000.00000020.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_DelphiSystemParamCount | Description: Detected Delphi use of System.ParamCount() | Author: Joe Security | Strings: none listed
Source: 00000005.00000002.1509801187.00000000041B1000.00000020.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_DelphiSystemParamCount | Description: Detected Delphi use of System.ParamCount() | Author: Joe Security | Strings: none listed
Source: 00000004.00000002.1509418224.0000000004141000.00000020.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_DelphiSystemParamCount | Description: Detected Delphi use of System.ParamCount() | Author: Joe Security | Strings: none listed
Source: 00000010.00000002.1668206356.0000000004341000.00000020.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_DelphiSystemParamCount | Description: Detected Delphi use of System.ParamCount() | Author: Joe Security | Strings: none listed
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll | ReversingLabs: Detection: 26%
Source: SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.8:49712 version: TLS 1.2
Source: C:\Windows\SysWOW64\WerFault.exe | File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\SysWOW64\WerFault.exe | File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\SysWOW64\WerFault.exe | File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\SysWOW64\WerFault.exe | File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_bd87298c18d414cc6c2b7287a760e0b8abb64e54_7522e4b5_7a32ab89-01a8-4054-8f61-9419c35a1954\
Source: C:\Windows\SysWOW64\WerFault.exe | File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
Source: C:\Windows\SysWOW64\WerFault.exe | File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_2228a5a8ddc1c13c5ac4b75142f1324ee78b030_7522e4b5_204f3382-03b1-49e6-8c19-9e378ccd33f7\

Networking

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 34.117.186.192 443
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 173.255.201.196 9091
Source: global traffic | TCP traffic: 192.168.2.8:49714 -> 173.255.201.196:9091
Source: Joe Sandbox View | IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View | IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View | ASN Name: GOOGLE-AS-APGoogleAsiaPacificPteLtdSG GOOGLE-AS-APGoogleAsiaPacificPteLtdSG
Source: Joe Sandbox View | ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS query: name: ipinfo.io
Source: unknown | DNS query: name: ipinfo.io
Source: global traffic | HTTP traffic detected:
    GET /json HTTP/1.1
    Accept: */*
    Accept-Language: en-ch
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: ipinfo.io
    Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 173.255.201.196
Source: unknown | TCP traffic detected without corresponding DNS query: 173.255.201.196
Source: unknown | TCP traffic detected without corresponding DNS query: 173.255.201.196
Source: unknown | TCP traffic detected without corresponding DNS query: 173.255.201.196
Source: unknown | TCP traffic detected without corresponding DNS query: 173.255.201.196
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
    GET /json HTTP/1.1
    Accept: */*
    Accept-Language: en-ch
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: ipinfo.io
    Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: ipinfo.io
Source: rundll32.exe, 00000004.00000002.1515192848.0000000006354000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1516009328.00000000063C4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2661730580.0000000006554000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1673193864.0000000006554000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1673399182.0000000006354000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://fontawesome.io
Source: rundll32.exe, 00000004.00000002.1515192848.0000000006354000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1516009328.00000000063C4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2661730580.0000000006554000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1673193864.0000000006554000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1673399182.0000000006354000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://fontawesome.io/license/
Source: rundll32.exe, 00000004.00000002.1515192848.0000000006354000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1516009328.00000000063C4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2661730580.0000000006554000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1673193864.0000000006554000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1673399182.0000000006354000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://fontawesome.iohttp://fontawesome.iohttp://fontawesome.io/license/http://fontawesome.io/licens
Source: loaddll32.exe, 00000000.00000003.1541296328.0000000005473000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1509418224.000000000415C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1515803822.0000000006503000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1516208100.0000000006703000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1509801187.00000000041CC000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000003.1483945447.00000000065C3000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.2658035882.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1673395044.00000000068C3000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1668206356.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000003.1661301893.0000000007353000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1679565793.0000000006A33000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1673692607.0000000006693000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1668678941.000000000415C000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: rundll32.exe, 0000000D.00000002.2661780062.0000000006703000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/03p
Source: rundll32.exe, 00000004.00000002.1509418224.000000000415C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1509801187.00000000041CC000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2658035882.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1668206356.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1668678941.000000000415C000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: rundll32.exe, 00000004.00000002.1509418224.000000000415C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1509801187.00000000041CC000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2658035882.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1668206356.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1668678941.000000000415C000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: rundll32.exe, 00000004.00000002.1509418224.000000000415C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1509801187.00000000041CC000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2658035882.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1668206356.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1668678941.000000000415C000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/http/
Source: rundll32.exe, 00000004.00000002.1509418224.000000000415C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1509801187.00000000041CC000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2658035882.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1668206356.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1668678941.000000000415C000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap/
Source: rundll32.exe, 00000004.00000002.1509418224.000000000415C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1509801187.00000000041CC000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2658035882.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1668206356.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1668678941.000000000415C000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/SV
Source: Amcache.hve.10.dr | String found in binary or memory: http://upx.sf.net
Source: rundll32.exe, 00000012.00000003.1679565793.0000000006A1D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1668678941.000000000415C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1673692607.000000000667D000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.borland.com/namespaces/Types
Source: loaddll32.exe, 00000000.00000003.1541296328.000000000545D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1483945447.00000000065AD000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1661301893.000000000733D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1679565793.0000000006A1D000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.borland.com/namespaces/TypesA
Source: loaddll32.exe, 00000000.00000003.1541296328.000000000545D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1483945447.00000000065AD000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1661301893.000000000733D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1679565793.0000000006A1D000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.borland.com/namespaces/Typesa
Source: rundll32.exe, 00000004.00000002.1509418224.000000000415C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1509801187.00000000041CC000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2658035882.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1668206356.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1668678941.000000000415C000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.borland.com/rootpart.xml
Source: rundll32.exe, 00000013.00000002.1668678941.000000000415C000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.componentace.com
Source: loaddll32.exe, 00000000.00000003.1541296328.00000000053E0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1509418224.000000000415C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1515803822.0000000006470000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1516208100.0000000006670000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1509801187.00000000041CC000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000003.1483945447.0000000006530000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.2661780062.0000000006670000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.2658035882.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1673395044.0000000006830000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1668206356.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000003.1661301893.00000000072C0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1679565793.00000000069A0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1673692607.0000000006600000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1668678941.000000000415C000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.indyproject.org/
Source: rundll32.exe, 0000000D.00000002.2656393881.00000000007F5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/
Source: rundll32.exe, 0000000D.00000002.2656393881.000000000081E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/json
Source: rundll32.exe, 0000000D.00000002.2656393881.0000000000830000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.2661780062.000000000670A000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.2663792474.00000000085D3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.2661780062.0000000006622000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.2656393881.000000000084C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.2656072068.00000000003FA000.00000004.00000010.00020000.00000000.sdmp, json[1].json.13.dr | String found in binary or memory: https://ipinfo.io/missingauth
Source: rundll32.exe, 0000000D.00000002.2656393881.00000000007F5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/x
Source: rundll32.exe, 0000000D.00000002.2656393881.000000000081E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.8:49712 version: TLS 1.2
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7424 -s 936
Source: SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll | Static PE information: Number of sections : 13 > 10
Source: SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI
Source: classification engine | Classification label: mal68.evad.winDLL@25/22@1/2
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Roaming\2402024
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7596
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7960
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7348:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7408
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7424
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7988
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\fac937cb-2259-49b6-b0c1-f46ac6f95113
Source: Yara match | File source: 00000013.00000002.1668678941.0000000004141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2658035882.0000000004341000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1509801187.00000000041B1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1509418224.0000000004141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.1668206356.0000000004341000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi
Source: C:\Windows\System32\loaddll32.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll,TMethodImplementationIntercept
Source: SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll | ReversingLabs: Detection: 26%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll,TMethodImplementationIntercept
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll,__dbk_fcall_wrapper
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7424 -s 936
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7408 -s 936
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll,agzxqlovcrhc
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7596 -s 796
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll",TMethodImplementationIntercept
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll",__dbk_fcall_wrapper
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll",agzxqlovcrhc
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll",dbkFCallWrapperAddr
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7960 -s 928
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7988 -s 936
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll,TMethodImplementationIntercept
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll,__dbk_fcall_wrapper
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll,agzxqlovcrhc
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll",TMethodImplementationIntercept
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll",__dbk_fcall_wrapper
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll",agzxqlovcrhc
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll",dbkFCallWrapperAddr
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll",#1
            Source: C:\Windows\System32\loaddll32.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: shfolder.dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: security.dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: olepro32.dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: colorui.dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: mscms.dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: coloradapterclient.dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: compstui.dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: msimg32.dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: inetres.dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: msimg32.dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: windowscodecs.dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: textshaping.dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeSection loaded: dwmapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dllStatic PE information: Virtual size of .text is bigger than: 0x100000
            Source: SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dllStatic file information: File size 20186112 > 1048576
            Source: SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dllStatic PE information: Raw size of .awiodnn is bigger than: 0x100000 < 0x1192e00
            Source: initial sampleStatic PE information: section where entry point is pointing to: .awiodnn
            Source: SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dllStatic PE information: section name: .didata
            Source: SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dllStatic PE information: section name: .awiodnn
            Source: SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dllStatic PE information: section name: .awiodnn
            Source: SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dllStatic PE information: section name: .awiodnn

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\System32\loaddll32.exe; Memory written: PID: 7340 base: 13B0007 value: E9 EB DF 0E 76
            Source: C:\Windows\System32\loaddll32.exe; Memory written: PID: 7340 base: 7749DFF0 value: E9 1E 20 F1 89
            Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 7408 base: 680007 value: E9 EB DF E1 76
            Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 7408 base: 7749DFF0 value: E9 1E 20 1E 89
            Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 7424 base: A90007 value: E9 EB DF A0 76
            Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 7424 base: 7749DFF0 value: E9 1E 20 5F 89
            Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 7596 base: 470007 value: E9 EB DF 02 77
            Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 7596 base: 7749DFF0 value: E9 1E 20 FD 88
            Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 7804 base: 9A0007 value: E9 EB DF AF 76
            Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 7804 base: 7749DFF0 value: E9 1E 20 50 89
            Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 7960 base: 740007 value: E9 EB DF D5 76
            Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 7960 base: 7749DFF0 value: E9 1E 20 2A 89
            Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 7972 base: 33C0007 value: E9 EB DF 0D 74
            Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 7972 base: 7749DFF0 value: E9 1E 20 F2 8B
            Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 7980 base: 7E0007 value: E9 EB DF CB 76
            Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 7980 base: 7749DFF0 value: E9 1E 20 34 89
            Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 7988 base: 3E0007 value: E9 EB DF 0B 77
            Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 7988 base: 7749DFF0 value: E9 1E 20 F4 88
            Source: C:\Windows\System32\loaddll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Windows\System32\loaddll32.exe  Special instruction interceptor: First address: 291FA11 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
            Source: C:\Windows\SysWOW64\rundll32.exe TID: 7932  Thread sleep count: 72 > 30
            Source: C:\Windows\SysWOW64\rundll32.exe TID: 7932  Thread sleep time: -63936s >= -30000s
            Source: C:\Windows\SysWOW64\rundll32.exe TID: 7932  Thread sleep count: 80 > 30
            Source: C:\Windows\SysWOW64\rundll32.exe TID: 7932  Thread sleep time: -71120s >= -30000s
            Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed
            Source: C:\Windows\SysWOW64\rundll32.exe  Last function: Thread delayed
            Source: C:\Windows\SysWOW64\rundll32.exe  Last function: Thread delayed
            Source: C:\Windows\SysWOW64\rundll32.exe  Last function: Thread delayed
            Source: C:\Windows\SysWOW64\rundll32.exe  Last function: Thread delayed
            Source: C:\Windows\System32\loaddll32.exe  Thread delayed: delay time: 120000
            Source: C:\Windows\SysWOW64\WerFault.exe  File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
            Source: C:\Windows\SysWOW64\WerFault.exe  File opened: C:\ProgramData\Microsoft\Windows\
            Source: C:\Windows\SysWOW64\WerFault.exe  File opened: C:\ProgramData\Microsoft\Windows\WER\
            Source: C:\Windows\SysWOW64\WerFault.exe  File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_bd87298c18d414cc6c2b7287a760e0b8abb64e54_7522e4b5_7a32ab89-01a8-4054-8f61-9419c35a1954\
            Source: C:\Windows\SysWOW64\WerFault.exe  File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
            Source: C:\Windows\SysWOW64\WerFault.exe  File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_2228a5a8ddc1c13c5ac4b75142f1324ee78b030_7522e4b5_204f3382-03b1-49e6-8c19-9e378ccd33f7\
            Source: rundll32.exe, 0000000D.00000002.2656393881.00000000007C9000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW88
            Source: Amcache.hve.10.dr  Binary or memory string: VMware
            Source: rundll32.exe, 00000013.00000002.1667950909.0000000000769000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: tSTORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}f
            Source: Amcache.hve.10.dr  Binary or memory string: VMware Virtual USB Mouse
            Source: rundll32.exe, 00000012.00000002.1683004744.0000000002DC9000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}`
            Source: SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll  Binary or memory string: vMCIA
            Source: Amcache.hve.10.dr  Binary or memory string: vmci.syshbin
            Source: rundll32.exe, 0000000D.00000002.2656393881.00000000007F5000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW1O
            Source: Amcache.hve.10.dr  Binary or memory string: VMware, Inc.
            Source: Amcache.hve.10.dr  Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
            Source: Amcache.hve.10.dr  Binary or memory string: VMware20,1hbin@
            Source: Amcache.hve.10.dr  Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
            Source: Amcache.hve.10.dr  Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: Amcache.hve.10.dr  Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
            Source: rundll32.exe, 00000011.00000003.1668023213.0000000003419000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: rundll32.exe, 0000000D.00000002.2656393881.0000000000838000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW
            Source: Amcache.hve.10.dr  Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: rundll32.exe, 00000009.00000002.1534039603.00000000005D9000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: o[STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: rundll32.exe, 00000010.00000002.1666671073.0000000000799000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: wSTORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: Amcache.hve.10.dr  Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
            Source: Amcache.hve.10.dr  Binary or memory string: c:/windows/system32/drivers/vmci.sys
            Source: rundll32.exe, 00000009.00000002.1534039603.00000000005D9000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\8
            Source: Amcache.hve.10.dr  Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: rundll32.exe, 00000005.00000002.1509216007.000000000064A000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: cSTORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: Amcache.hve.10.dr  Binary or memory string: vmci.sys
            Source: Amcache.hve.10.dr  Binary or memory string: vmci.syshbin`
            Source: Amcache.hve.10.dr  Binary or memory string: \driver\vmci,\driver\pci
            Source: rundll32.exe, 00000011.00000003.1668023213.0000000003419000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
            Source: Amcache.hve.10.dr  Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: Amcache.hve.10.dr  Binary or memory string: VMware20,1
            Source: Amcache.hve.10.dr  Binary or memory string: Microsoft Hyper-V Generation Counter
            Source: Amcache.hve.10.dr  Binary or memory string: NECVMWar VMware SATA CD00
            Source: Amcache.hve.10.dr  Binary or memory string: VMware Virtual disk SCSI Disk Device
            Source: Amcache.hve.10.dr  Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
            Source: Amcache.hve.10.dr  Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
            Source: rundll32.exe, 00000011.00000002.1670431816.00000000033DA000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
            Source: Amcache.hve.10.dr  Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
            Source: Amcache.hve.10.dr  Binary or memory string: VMware PCI VMCI Bus Device
            Source: Amcache.hve.10.dr  Binary or memory string: VMware VMCI Bus Device
            Source: rundll32.exe, 0000000D.00000002.2656393881.00000000007C9000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: %SystemRoot%\system32\napinsp.dll00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000
            Source: Amcache.hve.10.dr  Binary or memory string: VMware Virtual RAM
            Source: Amcache.hve.10.dr  Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
            Source: rundll32.exe, 00000004.00000002.1509049172.0000000000769000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: tSTORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: Amcache.hve.10.dr  Binary or memory string: vmci.inf_amd64_68ed49469341f563
            Source: C:\Windows\System32\loaddll32.exe  Process information queried: ProcessInformation

            Anti Debugging

            Source: C:\Windows\System32\loaddll32.exe | Thread information set: HideFromDebugger
            Source: C:\Windows\SysWOW64\rundll32.exe | Thread information set: HideFromDebugger
            Source: C:\Windows\System32\loaddll32.exe | Process queried: DebugPort
            Source: C:\Windows\System32\loaddll32.exe | Process queried: DebugObjectHandle
            Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugObjectHandle

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 34.117.186.192 443
            Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 173.255.201.196 9091
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll",#1
            Source: rundll32.exe, 00000004.00000002.1509418224.000000000415C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1509801187.00000000041CC000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2658035882.000000000435C000.00000020.00000001.01000000.00000003.sdmp | Binary or memory string: Shell_TrayWndSVW
            Source: rundll32.exe, 00000004.00000002.1509418224.000000000415C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1509801187.00000000041CC000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2658035882.000000000435C000.00000020.00000001.01000000.00000003.sdmp | Binary or memory string: Shell_TrayWndReBarWindow32MSTaskSwWClassToolbarWindow32SV
            Source: Amcache.hve.10.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
            Source: Amcache.hve.10.dr | Binary or memory string: msmpeng.exe
            Source: Amcache.hve.10.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
            Source: Amcache.hve.10.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
            Source: Amcache.hve.10.dr | Binary or memory string: MsMpEng.exe
            MITRE ATT&CK Matrix (techniques listed per tactic column; a number before a technique is the count the report attaches to it)

            Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
            Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet
            Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
            Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task
            Persistence: 1 DLL Side-Loading, Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
            Privilege Escalation: 112 Process Injection, 1 DLL Side-Loading, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
            Defense Evasion: 1 Masquerading, 121 Virtualization/Sandbox Evasion, 112 Process Injection, 1 Rundll32, 1 DLL Side-Loading, Steganography
            Credential Access: 1 Credential API Hooking, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
            Discovery: 221 Security Software Discovery, 2 Process Discovery, 121 Virtualization/Sandbox Evasion, 1 System Network Configuration Discovery, 2 File and Directory Discovery, 11 System Information Discovery
            Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
            Collection: 1 Credential API Hooking, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
            Command and Control: 1 Encrypted Channel, 1 Non-Standard Port, 1 Ingress Tool Transfer, 2 Non-Application Layer Protocol, 13 Application Layer Protocol, Multiband Communication
            Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
            Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop
            Behavior Graph (ID: 1447257; Sample: SecuriteInfo.com.Variant.La...; Startdate: 24/05/2024; Architecture: WINDOWS; Score: 68)

            Sample-level signature: Multi AV Scanner detection for submitted file
            DNS/IP: ipinfo.io

            loaddll32.exe (4) started; signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Tries to evade analysis by execution special instruction (VM detection); Hides threads from debuggers
              -> rundll32.exe (17) started; connects to 173.255.201.196, 49714, 9091 LINODE-APLinodeLLCUS United States and ipinfo.io 34.117.186.192, 443, 49712 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States; signatures: System process connects to network (likely due to code injection or exploit); Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Hides threads from debuggers
              -> cmd.exe (1) started
                 -> rundll32.exe (3) started; signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Hides threads from debuggers
                    -> WerFault.exe (20 16) started
              -> rundll32.exe (3) started
                 -> WerFault.exe (3 16) started
              -> 6 other processes
                 -> WerFault.exe (16) started
                 -> WerFault.exe started
                 -> WerFault.exe started

            Source | Detection | Scanner | Label | Link
            SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll | 26% | ReversingLabs | |
            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            https://ipinfo.io/missingauth | 0% | URL Reputation | safe |
            http://fontawesome.io | 0% | URL Reputation | safe |
            http://fontawesome.io/license/ | 0% | URL Reputation | safe |
            http://www.borland.com/namespaces/Types | 0% | URL Reputation | safe |
            https://ipinfo.io/ | 0% | URL Reputation | safe |
            http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe |
            http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe |
            https://ipinfo.io/json | 0% | URL Reputation | safe |
            http://schemas.xmlsoap.org/soap/envelope/ | 0% | URL Reputation | safe |
            http://upx.sf.net | 0% | URL Reputation | safe |
            http://www.indyproject.org/ | 0% | URL Reputation | safe |
            http://fontawesome.iohttp://fontawesome.iohttp://fontawesome.io/license/http://fontawesome.io/licens | 0% | Avira URL Cloud | safe |
            https://ipinfo.io/x | 0% | Avira URL Cloud | safe |
            http://schemas.xmlsoap.org/wsdl/soap/ | 0% | Avira URL Cloud | safe |
            http://schemas.xmlsoap.org/wsdl/soap12/SV | 0% | Avira URL Cloud | safe |
            http://schemas.xmlsoap.org/wsdl/http/ | 0% | Avira URL Cloud | safe |
            http://schemas.xmlsoap.org/soap/encoding/03p | 0% | Avira URL Cloud | safe |
            http://www.borland.com/rootpart.xml | 0% | Avira URL Cloud | safe |
            http://www.borland.com/namespaces/TypesA | 0% | Avira URL Cloud | safe |
            http://www.componentace.com | 0% | Avira URL Cloud | safe |
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              ipinfo.io | 34.117.186.192 | true | true | | unknown

              Name | Malicious | Antivirus Detection | Reputation
              https://ipinfo.io/json | true | URL Reputation: safe | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                https://ipinfo.io/missingauth | rundll32.exe, 0000000D.00000002.2656393881.0000000000830000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.2661780062.000000000670A000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.2663792474.00000000085D3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.2661780062.0000000006622000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.2656393881.000000000084C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.2656072068.00000000003FA000.00000004.00000010.00020000.00000000.sdmp, json[1].json.13.dr | false | URL Reputation: safe | unknown
                https://ipinfo.io/x | rundll32.exe, 0000000D.00000002.2656393881.00000000007F5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://fontawesome.io | rundll32.exe, 00000004.00000002.1515192848.0000000006354000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1516009328.00000000063C4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2661730580.0000000006554000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1673193864.0000000006554000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1673399182.0000000006354000.00000002.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown
                http://fontawesome.io/license/ | rundll32.exe, 00000004.00000002.1515192848.0000000006354000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1516009328.00000000063C4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2661730580.0000000006554000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1673193864.0000000006554000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1673399182.0000000006354000.00000002.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown
                http://www.borland.com/namespaces/Types | rundll32.exe, 00000012.00000003.1679565793.0000000006A1D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1668678941.000000000415C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1673692607.000000000667D000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://fontawesome.iohttp://fontawesome.iohttp://fontawesome.io/license/http://fontawesome.io/licens | rundll32.exe, 00000004.00000002.1515192848.0000000006354000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1516009328.00000000063C4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2661730580.0000000006554000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1673193864.0000000006554000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1673399182.0000000006354000.00000002.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
                https://ipinfo.io/ | rundll32.exe, 0000000D.00000002.2656393881.00000000007F5000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://schemas.xmlsoap.org/soap/encoding/ | loaddll32.exe, 00000000.00000003.1541296328.0000000005473000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1509418224.000000000415C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1515803822.0000000006503000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1516208100.0000000006703000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1509801187.00000000041CC000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000003.1483945447.00000000065C3000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.2658035882.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1673395044.00000000068C3000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1668206356.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000003.1661301893.0000000007353000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1679565793.0000000006A33000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1673692607.0000000006693000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1668678941.000000000415C000.00000020.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown
                http://schemas.xmlsoap.org/wsdl/http/ | rundll32.exe, 00000004.00000002.1509418224.000000000415C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1509801187.00000000041CC000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2658035882.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1668206356.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1668678941.000000000415C000.00000020.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
                http://schemas.xmlsoap.org/soap/encoding/03p | rundll32.exe, 0000000D.00000002.2661780062.0000000006703000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://schemas.xmlsoap.org/wsdl/ | rundll32.exe, 00000004.00000002.1509418224.000000000415C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1509801187.00000000041CC000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2658035882.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1668206356.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1668678941.000000000415C000.00000020.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown
                http://schemas.xmlsoap.org/soap/envelope/ | rundll32.exe, 00000004.00000002.1509418224.000000000415C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1509801187.00000000041CC000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2658035882.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1668206356.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1668678941.000000000415C000.00000020.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown
                http://www.borland.com/rootpart.xml | rundll32.exe, 00000004.00000002.1509418224.000000000415C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1509801187.00000000041CC000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2658035882.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1668206356.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1668678941.000000000415C000.00000020.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
                http://upx.sf.net | Amcache.hve.10.dr | false | URL Reputation: safe | unknown
                http://www.componentace.com | rundll32.exe, 00000013.00000002.1668678941.000000000415C000.00000020.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.indyproject.org/ | loaddll32.exe, 00000000.00000003.1541296328.00000000053E0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1509418224.000000000415C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1515803822.0000000006470000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1516208100.0000000006670000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1509801187.00000000041CC000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000003.1483945447.0000000006530000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.2661780062.0000000006670000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.2658035882.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1673395044.0000000006830000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1668206356.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000003.1661301893.00000000072C0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1679565793.00000000069A0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1673692607.0000000006600000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1668678941.000000000415C000.00000020.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown
                http://schemas.xmlsoap.org/wsdl/soap12/SV | rundll32.exe, 00000004.00000002.1509418224.000000000415C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1509801187.00000000041CC000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2658035882.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1668206356.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1668678941.000000000415C000.00000020.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
                http://schemas.xmlsoap.org/wsdl/soap/ | rundll32.exe, 00000004.00000002.1509418224.000000000415C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1509801187.00000000041CC000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.2658035882.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1668206356.000000000435C000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1668678941.000000000415C000.00000020.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.borland.com/namespaces/TypesA | loaddll32.exe, 00000000.00000003.1541296328.000000000545D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1483945447.00000000065AD000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1661301893.000000000733D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1679565793.0000000006A1D000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.borland.com/namespaces/Typesa | loaddll32.exe, 00000000.00000003.1541296328.000000000545D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1483945447.00000000065AD000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1661301893.000000000733D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1679565793.0000000006A1D000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
                IP | Domain | Country | ASN | ASN Name | Malicious
                34.117.186.192 | ipinfo.io | United States | 139070 | GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | true
                173.255.201.196 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true
                Joe Sandbox version: 40.0.0 Tourmaline
                Analysis ID: 1447257
                Start date and time: 2024-05-24 17:38:17 +02:00
                Joe Sandbox product: CloudBasic
                Overall analysis duration: 0h 7m 16s
                Hypervisor based Inspection enabled: false
                Report type: full
                Cookbook file name: default.jbs
                Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed: 29
                Number of new started drivers analysed: 0
                Number of existing processes analysed: 0
                Number of existing drivers analysed: 0
                Number of injected processes analysed: 0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode: default
                Analysis stop reason: Timeout
                Sample name: SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll
                Detection: MAL
                Classification: mal68.evad.winDLL@25/22@1/2
                EGA Information: Failed
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 0
                • Number of non-executed functions: 0
                Cookbook Comments:
                • Found application associated with file extension: .dll
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                • Excluded IPs from analysis (whitelisted): 20.189.173.21, 20.42.65.92
                • Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, umwatson.events.data.microsoft.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
                • Not all processes were analyzed, report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • VT rate limit hit for: SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll
                Time | Type | Description
                11:39:24 | API Interceptor | 5x Sleep call for process: WerFault.exe modified
                11:39:27 | API Interceptor | 187x Sleep call for process: rundll32.exe modified
                11:39:27 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                34.117.186.192 | SecuriteInfo.com.Win32.Evo-gen.24318.16217.exe | malicious | Unknown | ipinfo.io/json
                34.117.186.192 | SecuriteInfo.com.Win32.Evo-gen.28489.31883.exe | malicious | Unknown | ipinfo.io/json
                34.117.186.192 | Raptor.HardwareService.Setup 1.msi | malicious | Unknown | ipinfo.io/ip
                34.117.186.192 | Conferma_Pdf_Editor.exe | malicious | Planet Stealer | ipinfo.io/
                34.117.186.192 | Conferma_Pdf_Editor.exe | malicious | Planet Stealer | ipinfo.io/
                34.117.186.192 | w.sh | malicious | Xmrig | /ip
                34.117.186.192 | Raptor.HardwareService.Setup_2.3.6.0.msi | malicious | Unknown | ipinfo.io/ip
                34.117.186.192 | Raptor.HardwareService.Setup_2.3.6.0.msi | malicious | Unknown | ipinfo.io/ip
                34.117.186.192 | uUsgzQ3DoW.exe | malicious | RedLine | ipinfo.io/ip
                34.117.186.192 | 8BZBgbeCcz.exe | malicious | RedLine | ipinfo.io/ip
                173.255.201.196 | factboletaeletricge.msi | malicious | Unknown
                173.255.201.196 | factboletaeletricge.msi | malicious | Unknown
                173.255.201.196 | ansrnotificacaonova.msi | malicious | Unknown
                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                ipinfo.io | notfcacion.detallada_online.nu.msi_notfcacion.detallada_online.nu.msi_46956.msi | malicious | Unknown | 34.117.186.192
                ipinfo.io | factboletaeletricge.msi | malicious | Unknown | 34.117.186.192
                ipinfo.io | SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe | malicious | CryptOne, Djvu, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine | 34.117.186.192
                ipinfo.io | B8Zt27YJRD.exe | malicious | LummaC, RisePro Stealer | 34.117.186.192
                ipinfo.io | WaGiUWSpyO.exe | malicious | LummaC, RisePro Stealer | 34.117.186.192
                ipinfo.io | ufvxGe0K5E.exe | malicious | LummaC, RisePro Stealer | 34.117.186.192
                ipinfo.io | eoZWxnJJyo.exe | malicious | LummaC, RisePro Stealer | 34.117.186.192
                ipinfo.io | BI6oo9z4In.exe | malicious | CryptOne, Djvu, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer | 34.117.186.192
                ipinfo.io | tMO4FVIc9l.exe | malicious | LummaC, RisePro Stealer | 34.117.186.192
                ipinfo.io | https://article.badgercrypto.org/ | malicious | Unknown | 34.117.186.192
                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | notfcacion.detallada_online.nu.msi_notfcacion.detallada_online.nu.msi_46956.msi | malicious | Unknown | 34.117.186.192
                GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | SecuriteInfo.com.Win64.DropperX-gen.29167.15583.exe | malicious | PureLog Stealer | 34.117.186.192
                GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | factboletaeletricge.msi | malicious | Unknown | 34.117.186.192
                GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe | malicious | CryptOne, Djvu, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine | 34.117.186.192
                GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | lgX7lgUL1w.exe | malicious | Neoreklami, PureLog Stealer, SmokeLoader | 34.117.186.192
                GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | B8Zt27YJRD.exe | malicious | LummaC, RisePro Stealer | 34.117.186.192
                GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | WaGiUWSpyO.exe | malicious | LummaC, RisePro Stealer | 34.117.186.192
                GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | ufvxGe0K5E.exe | malicious | LummaC, RisePro Stealer | 34.117.186.192
                GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | eoZWxnJJyo.exe | malicious | LummaC, RisePro Stealer | 34.117.186.192
                GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | BI6oo9z4In.exe | malicious | CryptOne, Djvu, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer | 34.117.186.192
                LINODE-APLinodeLLCUS | factboletaeletricge.msi | malicious | Unknown | 173.255.201.196
                LINODE-APLinodeLLCUS | http://172.104.75.98/owa/ | malicious | Outlook Phishing, HTMLPhisher | 172.104.75.98
                LINODE-APLinodeLLCUS | http://cardiolog.site | malicious | Unknown | 139.162.57.105
                LINODE-APLinodeLLCUS | http://waithebattology.site | malicious | Unknown | 139.162.57.105
                LINODE-APLinodeLLCUS | http://waithebattology.site | malicious | Unknown | 139.162.57.105
                LINODE-APLinodeLLCUS | https://filesonline.phibraimplementos.com.br/?username=dveon@bigge.com&gclid=EAIaIQobChMIycO8zICjgQMVjiJECB0P2wITEAEYASAAEgKIsvD_BwE | malicious | HTMLPhisher | 69.164.194.201
                LINODE-APLinodeLLCUS | FRA.0038222.exe | malicious | FormBook, GuLoader | 139.162.5.234
                LINODE-APLinodeLLCUS | https://dazyorganic.com/ | malicious | HTMLPhisher | 66.228.52.194
                LINODE-APLinodeLLCUS | http://info.ipreo.com/Privacy-Policy.html | malicious | Unknown | 139.162.185.124
                LINODE-APLinodeLLCUS | New Order.doc | malicious | FormBook | 45.33.6.223
                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                37f463bf4616ecd445d4a1937da06e19 | Service Engineer.zip | malicious | Unknown | 34.117.186.192
                37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | Babuk, Djvu, SmokeLoader | 34.117.186.192
                37f463bf4616ecd445d4a1937da06e19 | notfcacion.detallada_online.nu.msi_notfcacion.detallada_online.nu.msi_46956.msi | malicious | Unknown | 34.117.186.192
                37f463bf4616ecd445d4a1937da06e19 | factboletaeletricge.msi | malicious | Unknown | 34.117.186.192
                37f463bf4616ecd445d4a1937da06e19 | PDFixers.exe | malicious | Unknown | 34.117.186.192
                37f463bf4616ecd445d4a1937da06e19 | SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe | malicious | CryptOne, Djvu, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine | 34.117.186.192
                37f463bf4616ecd445d4a1937da06e19 | SecuriteInfo.com.Win32.Malware-gen.198.6512.exe | malicious | PureLog Stealer, Vidar | 34.117.186.192
                37f463bf4616ecd445d4a1937da06e19 | BI6oo9z4In.exe | malicious | CryptOne, Djvu, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer | 34.117.186.192
                37f463bf4616ecd445d4a1937da06e19 | Offer Document 25.lnk | malicious | Unknown | 34.117.186.192
                37f463bf4616ecd445d4a1937da06e19 | nF54KOU30R.exe | malicious | RHADAMANTHYS | 34.117.186.192
                      No context
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):65536
                      Entropy (8bit):0.9721415750666942
                      Encrypted:false
                      SSDEEP:192:rFsiVONd0WbkbjeTX+VZzuiFsZ24IO8dci:JsiMNeWbkbjewzuiFsY4IO8dci
                      MD5:C485441825D9AC9880A92D50F8B74C32
                      SHA1:0DDAB8DD554368D622B79627FDA0F7F8F3496016
                      SHA-256:5F3EA6A3B4962F5F3921CAA9CCF7B4B89EDA1512B612DEE749CC323928D6879D
                      SHA-512:31488A03B549F73DFCBBF8812285B855D56AC1DD25B280F1630405766032F95B10CFB4F8A5B9A2634D122286EDF806F5D7122B569C82578C7C1F3CFCCCAAB98E
                      Malicious:false
                       Preview (decoded from UTF-16):Version=1 EventType=APPCRASH EventTime=133610387630507728 ReportType=2 Consent=1 UploadTime=133610387637538902 ReportStatus=655456 ReportIdentifier=204f3382-03b1-49e6-8c19-9e378ccd33f7 IntegratorReportIdentifier=b0cb2844-cfe1-4eef-aed1-e45c572100d8 Wow64Host=34404 Wow64Guest=332 NsAppName=rundll32.exe OriginalFilename=RUNDLL32.EXE AppSessionGuid=00001dac-0001-0014-747b-8989f0adda01 TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!00008fa889e456aa646a4d0a4349977430ce5fa5e
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):65536
                      Entropy (8bit):1.0481855237814248
                      Encrypted:false
                      SSDEEP:192:JgiAOd5P0BU/wjeTUeUEZr0vzuiFsZ24IO8dci:Kixd58BU/wjeuzuiFsY4IO8dci
                      MD5:303F049C7C79685BF3B69D6EC109C8BA
                      SHA1:2442D3C91C4BE5627AF99B586610C1D9E550407A
                      SHA-256:6059539F2A7EBB2CA592EFE9FB6E11D5DFB095A7906091507FEB59AF9B331A60
                      SHA-512:C8716EAB9BA30F003AF208FF142DBB0990529C03B2CA7E761315BD6E80C52904392E79B930C97EEBA7B724F51F74FEB9CC9CFCC217D57F6379588E5C5AE5B7EF
                      Malicious:false
                       Preview (decoded from UTF-16):Version=1 EventType=APPCRASH EventTime=133610387579423916 ReportType=2 Consent=1 UploadTime=133610387586767772 ReportStatus=524384 ReportIdentifier=7a32ab89-01a8-4054-8f61-9419c35a1954 IntegratorReportIdentifier=0c82c562-ad37-4e3b-ba43-f76f08d4cbe2 Wow64Host=34404 Wow64Guest=332 NsAppName=rundll32.exe OriginalFilename=RUNDLL32.EXE AppSessionGuid=00001cf0-0001-0014-81ab-b787f0adda01 TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!00008fa889e456aa646a4d0a4349977430ce5fa5e
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):65536
                      Entropy (8bit):1.0482319613205413
                      Encrypted:false
                      SSDEEP:192:UtIVbiZOJ5P0BU/wjeTUeUEZr0vzuiFsZ24IO8dci:UtCiwJ58BU/wjeuzuiFsY4IO8dci
                      MD5:773A4A4045C1B812A56FCA4F8E60BC1C
                      SHA1:DA7210B10323697E8901A89B2CB4BC3DC4DAF8CF
                      SHA-256:2B665D0BF63EC91058282F90D71529CC1C6D0061434D59C01E2EE94BF4B88BB6
                      SHA-512:5392F0A07AD22619D26892101CFB358A7BD25C7308800D00936933914386F3EB8CB8AFF32D1DD0A305A68900E5BA0AE0220FCB591FD08BCCFBF4E2EF6CB0256B
                      Malicious:false
                       Preview (decoded from UTF-16):Version=1 EventType=APPCRASH EventTime=133610387781141775 ReportType=2 Consent=1 UploadTime=133610387788954243 ReportStatus=524384 ReportIdentifier=90d72470-b177-46bf-9f0b-b6028d95ef01 IntegratorReportIdentifier=9a29af6f-1252-490f-ae9b-591a71ab4bd3 Wow64Host=34404 Wow64Guest=332 NsAppName=rundll32.exe OriginalFilename=RUNDLL32.EXE AppSessionGuid=00001f18-0001-0014-b060-768ff0adda01 TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!00008fa889e456aa646a4d0a4349977430ce5fa5e
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):65536
                      Entropy (8bit):1.0533640284844923
                      Encrypted:false
                      SSDEEP:192:Z1JP4GiJOP5v0BU/wjeTUeUEZr0vzuiFsZ24IO84ci:Z1xtigP5cBU/wjeuzuiFsY4IO84ci
                      MD5:AAFA0FB48C516784916402FC1221C513
                      SHA1:5769E57A3A5FB06503ED0950D55A3824A3448C30
                      SHA-256:9030A49A4A60971508E770056F1C75F2806A0E29C743558C61812338E20A5278
                      SHA-512:EAF3F8D88FC5EE54616A061856A2B0333A9F04CCC53009C3C056FBFDAC3AE657142CC5FDE9E1869D91AC134E3B2002720B05D462B5E41438776FE6CEB6F89FAB
                      Malicious:false
                       Preview (decoded from UTF-16):Version=1 EventType=BEX EventTime=133610387783524415 ReportType=2 Consent=1 UploadTime=133610387791024527 ReportStatus=524384 ReportIdentifier=1201804e-7563-4311-b12d-bcb49866fd44 IntegratorReportIdentifier=c80d6636-d845-4070-9106-96636b89cc55 Wow64Host=34404 Wow64Guest=332 NsAppName=rundll32.exe OriginalFilename=RUNDLL32.EXE AppSessionGuid=00001f34-0001-0014-e859-828ff0adda01 TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!00008fa889e456aa646a4d0a4349977430ce5fa5e2d7!r
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):65536
                      Entropy (8bit):1.0530900594671968
                      Encrypted:false
                      SSDEEP:192:WVDijOS5v0BU/wjeTUeUEZr0vzuiFsZ24IO84ci:SDiqS5cBU/wjeuzuiFsY4IO84ci
                      MD5:6DE57BEDCA758C363737125E3E16AA8A
                      SHA1:CF082228A47BDE0345A2217FEB3A02AE23224485
                      SHA-256:EEEB639F789CB65F904385916C6FE92D343FAE993E0C3A65BDC105C6CEF4791F
                      SHA-512:2B1D1FB148A424C3D0BD8516250E4EFA0EE83660873E1959DADA3258B588EA7B8685F8AB750C0EB79C9B9C185A43CA05177869249358082DE98C79391483A189
                      Malicious:false
                       Preview (decoded from UTF-16):Version=1 EventType=BEX EventTime=133610387579109497 ReportType=2 Consent=1 UploadTime=133610387587547035 ReportStatus=524384 ReportIdentifier=4ae3d656-a02c-418a-a49d-9c30ac129c96 IntegratorReportIdentifier=00aa164c-5cb5-4629-ae72-286efc3e9a65 Wow64Host=34404 Wow64Guest=332 NsAppName=rundll32.exe OriginalFilename=RUNDLL32.EXE AppSessionGuid=00001d00-0001-0014-f404-ba87f0adda01 TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!00008fa889e456aa646a4d0a4349977430ce5fa5e2d7!r
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Mini DuMP crash report, 15 streams, Fri May 24 15:39:18 2024, 0x1205a4 type
                      Category:dropped
                      Size (bytes):69654
                      Entropy (8bit):1.8453281229078684
                      Encrypted:false
                      SSDEEP:192:P8A7AWu9WnXkEHTXZ3cYVpohO5H4RAIkvib21pClJkA0DTd3tSFZxpuvgrQcC:9kWuI993cK/5Hzl/pEknTdqZ7ig0d
                      MD5:050AD646FBC087337CF860CCD0CBB30E
                      SHA1:8584A5EE87FB30B0AB8D44C861FE586E6E9468ED
                      SHA-256:BCB7336839177ECAC24076CB95C0C1C766F5A33B2A18777F4185B08BC76D37AE
                      SHA-512:23E7FDDDFC733A1A91538C9223355A5DBAE9C3261A05DC94E2D60167603BA0232752F94AD70AD84A8C94D5684073FD94C91EB6D40FCE32D12E5B53BCF06A06A3
                      Malicious:false
                      Preview:MDMP..a..... .........Pf............$...........|...8............ ..........v?..........`.......8...........T............$..N............!..........l#..............................................................................eJ.......$......GenuineIntel............T.............Pf.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Mini DuMP crash report, 15 streams, Fri May 24 15:39:18 2024, 0x1205a4 type
                      Category:dropped
                      Size (bytes):71202
                      Entropy (8bit):1.8463849746047454
                      Encrypted:false
                      SSDEEP:384:oJRWuT893cY5HzorzJGz88FtD0dNDppUE:EzToMY5zorzJT8F+Dp2E
                      MD5:F75B3E4B4E7A78B1492EF537EBD00AF9
                      SHA1:21DC9A3ECF8E1A691513277CC1FB9143F4681E3A
                      SHA-256:9D0E47711283334C274CD77C13ACF9C93AE2770BB844C8136B7839B8B8C7B6DF
                      SHA-512:D0EC4A62BBB2341B90A8B8250123E19E7470C4184A15D58752DD7148DC0077808935CF1D04E999D7B94E44B28C5635D876F02562C72F16807AD83B85D3C34407
                      Malicious:false
                      Preview:MDMP..a..... .........Pf............$...........|...8............ ..........v?..........`.......8...........T...........x$...............!..........l#..............................................................................eJ.......$......GenuineIntel............T.............Pf.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):8366
                      Entropy (8bit):3.6973231748011757
                      Encrypted:false
                      SSDEEP:192:R6l7wVeJWx6y6Yi+6VsW2gmfTvqprw89bqhsfQOm:R6lXJw6y6Yb6ugmfTvCqafg
                      MD5:8022A4B13760C0674AE4FDC46B96CB1E
                      SHA1:A46AEB3C2B2AD029AD0A89973DE4667314E837E9
                      SHA-256:C5BB835EE1A6CCF78FF126DF6AA94B3114DB2F47E72B101AD94C9C8627EB4D7D
                      SHA-512:C8EA57FE80B0290FB535E3E019B8C5A466250700F2F5238BFB6B2D7106C39542A93CD4FED7B1229E6D83D8CE526B065E9D875C4E43F9CAB7D012CAB3AE55FE97
                      Malicious:false
                       Preview (decoded from UTF-16):<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>7408</Pi
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):8418
                      Entropy (8bit):3.6933651036123427
                      Encrypted:false
                      SSDEEP:192:R6l7wVeJYx6a6Yn56Ygmf8qqprD89bqmsf+Om:R6lXJO6a6Y56Ygmf8qrqFf+
                      MD5:2692C19A39D3E74ED9BFE62C7B44F00C
                      SHA1:44FC7193658C3276C90DDE257F23BC5FDAE13381
                      SHA-256:A7D792B48D9D306F0E93E8185121E904461BAC9D39B0AD6E1EF68DA80B030FF3
                      SHA-512:D27D0CA726756328075E5B872CF07A79DBE2D61027B4D05850C1C236C9156BB2C2FC3E5E802BAF1C99C6C808E3BA67E3D80884524AF42F30C71FCEC205B7CCC2
                      Malicious:false
                       Preview (decoded from UTF-16):<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>7424</Pi
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):4722
                      Entropy (8bit):4.49433923437722
                      Encrypted:false
                      SSDEEP:48:cvIwWl8zsvJg77aI9qNWpW8VYbYm8M4JCdPrkFun+q8/RYCGScSld:uIjfRI7U87VvJwp2nJ3ld
                      MD5:1BFF397B6C11830E81458F2F89785D87
                      SHA1:1015C26F8D961F4CDDD8924A4CE157CCC6B6BDDA
                      SHA-256:CFF82066D1AE02868BBF870FC964E284ABC4E0A6A30F913E1A426739A054AF41
                      SHA-512:E6819ECDDE9E1B38D550428192220157494095A28A689EE665A366F2DF79AEFFA14BA85FC1B7F4604214C76E44752E664897130035664A2BEEE560C56B12D8A9
                      Malicious:false
                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="337361" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):4823
                      Entropy (8bit):4.477951942074988
                      Encrypted:false
                      SSDEEP:48:cvIwWl8zsvJg77aI9qNWpW8VYgYm8M4JCdPreFNxz+q8vjPr8GScSSd:uIjfRI7U87V8Jw2xzKn8J3Sd
                      MD5:7E1EF7DB86ABEF5E530424F7B99EF4FE
                      SHA1:27EBE95E87CA99BB97AF0406ABC3B0CA4D71ACB7
                      SHA-256:7C44183FA1C1DBB947DF962C9532171A13FD1A2C4818B714A1C9C48148E0A710
                      SHA-512:A43A3AAF4396642E54B53C1582597400CC113C90591C72ABD7A80EA68912E7CF99EEB7FF555045FA723BB330F6AA6617BF8DA5EE028A2054EBE31E7D266B56A0
                      Malicious:false
                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="337361" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Mini DuMP crash report, 15 streams, Fri May 24 15:39:23 2024, 0x1205a4 type
                      Category:dropped
                      Size (bytes):29348
                      Entropy (8bit):2.6856702516118296
                      Encrypted:false
                      SSDEEP:192:CnmZmAPXFG+Gst789/O5H4QYfntZeZ4d/7vlZR:7ZRtGst7O25HdUt8ZmTl
                      MD5:9E637107E90F5BBA351775821C4B1DFC
                      SHA1:A11121E86EF2140DAA8E7B4126E962F10C038E86
                      SHA-256:503D9058D49ACA1C0DFA8CEDF8F4B407DF1C0382184181B4DE95B848D967039A
                      SHA-512:AB2D17C51EC66E95997A2BA211833FBF0924B45C2B10525F9E771AFB3EFFADA149DBA27928FDBD8BB5E1EFB545E22CD052AF579DC1F735CED72E12633DE416B0
                      Malicious:false
                      Preview:MDMP..a..... .........Pf............4...............H...........d.......T....-..........`.......8...........T...........`...D^......................................................................................................eJ......t ......GenuineIntel............T.............Pf.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):8296
                      Entropy (8bit):3.680659209819454
                      Encrypted:false
                      SSDEEP:192:R6l7wVeJIg6Q7o6Yit6QogmfT7opru89bqksfpum:R6lXJ/6Q7o6Y46/gmfT7qqXfZ
                      MD5:ADBD7747FC76CAE2445FD928C9B73925
                      SHA1:90DD9D74408C56A776FB593DDCBB126B4949ADF2
                      SHA-256:2C1DF071C280BD9A70FC1C6C972E9AD8686840CDAAECCA9CB120609818A7941F
                      SHA-512:7D1318036F5B9631B6E285B1532FA3571013615BDA22136C5CAE2F172A443B6088AD966F4CD31333EE41D93D5AFFBBD28E76E5B6E403190EEEEA350FCC4DD82E
                      Malicious:false
                       Preview (decoded from UTF-16):<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>7596</Pi
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):4646
                      Entropy (8bit):4.4588731848787235
                      Encrypted:false
                      SSDEEP:48:cvIwWl8zssrJg77aI9qNWpW8VYHYm8M4JCdPcFa+q8/ubGScSOd:uIjfsFI7U87VbJ85J3Od
                      MD5:4A83A59AA52D4A56659B974AD7C05CC3
                      SHA1:56305F05F0B2AF08A446ED26814A4FD8A4099655
                      SHA-256:ECDA38F877BA19F1AC7D2EA058B49DF214058A09120CEABD8E6F6865D6752713
                      SHA-512:B8ABB25C6C82C27F354459C1A68F50DE187F08AD116E99E2C5DBAD148884C84E8273A42524B380F548C8BC6A375172A5E74923A0171FCC18C6CF1C495A4BD40A
                      Malicious:false
                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="337362" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Mini DuMP crash report, 15 streams, Fri May 24 15:39:38 2024, 0x1205a4 type
                      Category:dropped
                      Size (bytes):71386
                      Entropy (8bit):1.8448209217935583
                      Encrypted:false
                      SSDEEP:192:L/9AWu/hnXHEHTXZ3cYbF5kuXO5H4RA+AJ+p9d8Z5shidzwnJokyDwvc:DiWuJU93ccu5Hz+5p9d8Z5VdEJo9H
                      MD5:C9A193F60161AF60E2892B6FBCD4B2C6
                      SHA1:2B78E47D42539E3DF6BB8897882D16BFC531C229
                      SHA-256:2E933DF1E6870E698E49FCBD4D350361C7ABAB1FF57908EE2B5A021A32C1A9AE
                      SHA-512:7DD7B4A8943B80B338817E3A7C98A351BB78F48C85B327FBF7671E43FFDE8328B7EE72FAFC0B764920F3FB1DB171E6281D9DEF940D0F5210160CADBF06037C62
                      Malicious:false
                      Preview:MDMP..a..... .........Pf............$...........|...8............ ..........v?..........`.......8...........T...........x$..b............!..........l#..............................................................................eJ.......$......GenuineIntel............T.............Pf.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Mini DuMP crash report, 15 streams, Fri May 24 15:39:38 2024, 0x1205a4 type
                      Category:dropped
                      Size (bytes):69794
                      Entropy (8bit):1.8376728136381084
                      Encrypted:false
                      SSDEEP:192:L+LKAWuCBnXsyEHTXZ3cYw8KXO5H4RAMf6tV3Lh7gDEcYesy4UTEcTr4Jr:8tWukcP93cm5HzpV3FgDpYe5gI
                      MD5:200135E6F7A969EC6714504A9B62A706
                      SHA1:7F6C00F189B36196D834F3155C31357CDA5E40A1
                      SHA-256:72240A65C762A8491A3C551CAE3F368EF2FF3781EB89942CBDE01C34F0066713
                      SHA-512:7095399145C71DD694CAA96977792828CBBB86B39ED9005BE22C9DE59E56EBE3C81100A6D9DA44F000EB73320B1FDFFCB5B9455D9D612A38E573B639B3B908A2
                      Malicious:false
                      Preview:MDMP..a..... .........Pf............$...........|...8............ ..........v?..........`.......8...........T...........x$..*............!..........l#..............................................................................eJ.......$......GenuineIntel............T.......4.....Pf.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):8368
                      Entropy (8bit):3.696684513878704
                      Encrypted:false
                      SSDEEP:192:R6l7wVeJdM6pU6YSw630gmfTvqprt89bIOsf64m:R6lXJ2666Yd630gmfTv1INf0
                      MD5:EE820B289AE2A5C6A2FDB89232626FC4
                      SHA1:532DFAA2CEEE4CC7A57CC4CA8685E529DA9F3EDF
                      SHA-256:FD098AC234C345AE3375EF5F5347AD3EE2C690B2148994F0A570F59CA72C8D45
                      SHA-512:B2CF72A6541BEADE89DF352F3BECEC1DEABD5AF5FEA0FFE884AFF24CA2CF9FBD0B8ADCDC208BC3D70A164073E5BBB5C8B67B20526274D0B0BE1FEA536A2D3A3F
                      Malicious:false
                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.9.6.0.<./.P.i.
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):4722
                      Entropy (8bit):4.493571975094495
                      Encrypted:false
                      SSDEEP:48:cvIwWl8zssrJg77aI9qNWpW8VYYYm8M4JCdPrkFP+q8/RYHGScSpd:uIjfsFI7U87VsJwy2aJ3pd
                      MD5:08A706D3980F2C76C4635D0D2ED8B399
                      SHA1:C3CFE30A9024CF44802662718BCB96AEDBB135CC
                      SHA-256:C16DDB1E71D8614952889B13E61A064D78452755CADDBDBF09BF790DEBEC95EF
                      SHA-512:46A8958786BF3C0EED9349FE78EFBB7AA3FD6CAA42551E4BC6BC5C7918AF2B6776B0CE8CCECAABB0D156C51A8A065F6E39286FCB869286720F335665724C4721
                      Malicious:false
                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="337362" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):8432
                      Entropy (8bit):3.6933767740935224
                      Encrypted:false
                      SSDEEP:192:R6l7wVeJr56S6YSw630gmf8qqpr189bIVsf0G4m:R6lXJl6S6Yd630gmf8q9Iuf0w
                      MD5:A3D02B8302AFDBD6B4E259822701194F
                      SHA1:854A82C79BE9217CBA7772B327F9DA052AC91F15
                      SHA-256:8BC2937B694531154F67FBDCC8DF2F97D2BFA913B1872E70EBB9BDC7A59D1913
                      SHA-512:449E40382C46755CD6390441C199E246326DC43E43E7F28E247023A4C7B66BDD47A30C6707CEB88A18F905788542738151332CB8F8D7911F13DED75DAD031CC6
                      Malicious:false
                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.9.8.8.<./.P.i.
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):4823
                      Entropy (8bit):4.4805644328836065
                      Encrypted:false
                      SSDEEP:48:cvIwWl8zssrJg77aI9qNWpW8VY6oYm8M4JCdPreF2+q8vjPrz6GScS6d:uIjfsFI7U87VRFJwRKnz6J36d
                      MD5:8A412D21674A523459EDDA7C9D15DD5E
                      SHA1:B83F90454D855DAA9160E60F42F157BB0B292F24
                      SHA-256:5A7611A6DA3C80FCDB27E48362BE72814B29EE00370406E3F9FF5152B9006290
                      SHA-512:DF58CE93902E3716C0AEB20CB9C26B198B92F5331FD4C34CEC1993BC101846BD3422786D096573B44CE251F0D5ABF64BD04D27EE4E82A56C5A238CD2CB885469
                      Malicious:false
                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="337362" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                      Process:C:\Windows\SysWOW64\rundll32.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):321
                      Entropy (8bit):4.984656309586536
                      Encrypted:false
                      SSDEEP:6:kXFJ192gIJAuuuthkP//f4IoWzqs4jW1CRW35jY:kxEgIOuHhA/XvoPPWV5k
                      MD5:C8B5480265AA24848B266AB720648A09
                      SHA1:4440EDB7429D588DE5A1A0D00D8D82FD6DE41A47
                      SHA-256:A15CE3E76A7C7592E79A8C78E240F012E59E68F3D60179D54F8603B0660CA5D0
                      SHA-512:EF171430C530BF1DCA63586FD80C999211BEA360984DEFA60C823400844D784F2D23D2B39C15B92E0A84462C4FE7F2392087D5E0283DE71DD3D6CD534BA220AE
                      Malicious:false
                      Preview:{. "ip": "8.46.123.175",. "hostname": "static-cpe-8-46-123-175.centurylink.com",. "city": "New York City",. "region": "New York",. "country": "US",. "loc": "40.7143,-74.0060",. "org": "AS3356 Level 3 Parent, LLC",. "postal": "10001",. "timezone": "America/New_York",. "readme": "https://ipinfo.io/missingauth".}
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:MS Windows registry file, NT/2000 or above
                      Category:dropped
                      Size (bytes):1835008
                      Entropy (8bit):4.372879603478601
                      Encrypted:false
                      SSDEEP:6144:AFVfpi6ceLP/9skLmb0ayWWSPtaJG8nAge35OlMMhA2AX4WABlguNEiL:YV1QyWWI/glMM6kF7Kq
                      MD5:A46E9C105F4EA41A5874570C408F8C1E
                      SHA1:35AD46BC344446E361C27F515019ED6757087E0B
                      SHA-256:A5B0F3C97F2F68B7A98DE315D1704C8C809A31C4EE51197163E1D31B178BA47C
                      SHA-512:8A933D27EA79AAA71FEB58C8D264DA5C31E7717FF7FB3A39466FF37310A999D027F84EEB2B9AFD5F5040339E2E1973FC7C5FFE05F0D639B9D89A108E5111649D
                      Malicious:false
                      Preview:regfD...D....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmn)................................................................................................................................................................................................................................................................................................................................................8..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                      Entropy (8bit):7.862937263187656
                      TrID:
                      • Win32 Dynamic Link Library (generic) (1002004/3) 99.40%
                      • Win16/32 Executable Delphi generic (2074/23) 0.21%
                      • Generic Win/DOS Executable (2004/3) 0.20%
                      • DOS Executable Generic (2002/1) 0.20%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name:SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll
                      File size:20'186'112 bytes
                      MD5:0c70cd43a7fde3c04399319adba55ebc
                      SHA1:99aab09ec5defa23610e25f52541addbec26f63d
                      SHA256:e899f50c216439cc5e7b4246d8dd81d8af3a8485b666edc47fc387e86ca0582b
                      SHA512:d64804222f44de861e612bc21a1f8daadf39ccfde42994dc535e411a730b9342e3f6b1aaff43a0b83e80b51450bcd18478f7665484972e28e91485fbd8514379
                      SSDEEP:393216:ef3QoUxZDkTGXvOc1q4D7cjYwu9PLc8c:6AoUxZdf1q8cjM4/
                      TLSH:C317235239C780E9C4C501B0872B7BD703F7A96647A648BB6AC478CA74F0EF2613AD57
                      File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                      Icon Hash:7ae282899bbab082
                      Entrypoint:0x14f0fcc
                      Entrypoint Section:.awiodnn
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI
                      DLL Characteristics:
                      Time Stamp:0x66507A66 [Fri May 24 11:30:46 2024 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:5
                      OS Version Minor:0
                      File Version Major:5
                      File Version Minor:0
                      Subsystem Version Major:5
                      Subsystem Version Minor:0
                      Import Hash:5f49db71e572e695a22e4576af626af2
                      Instruction
                      call 00007F76FCC160D1h
                      inc ebp
                      lea eax, dword ptr [eax+edx*4-63AE0DCBh]
                      inc ebp
                      sub dh, ah
                      inc ecx
                      ror eax, 1
                      inc ebp
                      movsx ebx, ah
                      dec edi
                      lea ebp, dword ptr [esi+77348BBEh]
                      inc esi
                      lea eax, dword ptr [edx+eax+683166DDh]
                      dec edi
                      lea ebp, dword ptr [esp-09F864F0h]
                      inc ecx
                      bswap eax
                      inc ecx
                      shr esp, cl
                      inc ecx
                      neg eax
                      push ebx
                      inc esp
                      xor dword ptr [esp+edx*2-050CB964h], eax
                      pop ebx
                      dec ebp
                      arpl ax, ax
                      call 00007F76FCC8A35Eh
                      inc ebp
                      mov ebx, dword ptr [edx]
                      dec ecx
                      add edx, 00000004h
                      mov esi, F69C7BA5h
                      inc esp
                      xor ebx, ebx
                      inc ecx
                      rol ebx, 02h
                      inc eax
                      movzx eax, dh
                      inc ecx
                      dec ebx
                      movzx edx, al
                      xchg edx, esi
                      push esi
                      inc ecx
                      xor ebx, 1F1206ADh
                      mov ebp, 960654B8h
                      inc ecx
                      dec ebx
                      push ebp
                      dec esp
                      lea ebp, dword ptr [36B56DBAh+esi*2]
                      push eax
                      dec eax
                      mov dword ptr [esp+esi-00000095h], ebx
                      call 00007F76FD311C72h
                      inc ecx
                      mov esp, 7EAD408Bh
                      inc cx
                      shl esp, 6Dh
                      inc ecx
                      movsx eax, ah
                      dec ecx
                      add eax, edi
                      dec edi
                      lea ecx, dword ptr [esp+41889422h]
                      dec ebx
                      mov dword ptr [esp+edi-7EAD6008h], eax
                      inc ebp
                      movzx ebp, ah
                      inc ecx
                      movsx ecx, sp
                      inc ecx
                      push ebp
                      inc ebx
                      mov edx, dword ptr [edx-7EAD6000h]
                       Name                                  Virtual Address  Virtual Size  Is in Section
                       IMAGE_DIRECTORY_ENTRY_EXPORT          0x126b340        0xb1          .awiodnn
                       IMAGE_DIRECTORY_ENTRY_IMPORT          0x1130214        0x118         .awiodnn
                       IMAGE_DIRECTORY_ENTRY_RESOURCE        0x2214000        0x89334       .rsrc
                       IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                       IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                       IMAGE_DIRECTORY_ENTRY_BASERELOC       0x229e000        0x6b0         .reloc
                       IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                       IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                       IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                       IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                       IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                       IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                       IMAGE_DIRECTORY_ENTRY_IAT             0x1080000        0x6c          .awiodnn
                       IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x135f628        0x200         .awiodnn
                       IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                       IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                       Name      Virtual Address  Virtual Size  Raw Size   MD5                               Xored PE  ZLIB Complexity    File Type  Entropy             Characteristics
                       .text     0x1000           0x7b00d4      0x0        d41d8cd98f00b204e9800998ecf8427e  unknown   unknown            unknown    unknown             IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                       .itext    0x7b2000         0x7180        0x0        d41d8cd98f00b204e9800998ecf8427e  False     0                  empty      0.0                 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                       .data     0x7ba000         0x1cc18       0x0        d41d8cd98f00b204e9800998ecf8427e  False     0                  empty      0.0                 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                       .bss      0x7d7000         0x8997c       0x0        d41d8cd98f00b204e9800998ecf8427e  False     0                  empty      0.0                 IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                       .idata    0x861000         0x406c        0x0        d41d8cd98f00b204e9800998ecf8427e  False     0                  empty      0.0                 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                       .didata   0x866000         0xdaa         0x0        d41d8cd98f00b204e9800998ecf8427e  False     0                  empty      0.0                 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                       .edata    0x867000         0xb1          0x0        d41d8cd98f00b204e9800998ecf8427e  False     0                  empty      0.0                 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                       .rdata    0x868000         0x45          0x0        d41d8cd98f00b204e9800998ecf8427e  False     0                  empty      0.0                 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                       .awiodnn  0x869000         0x816adb      0x0        d41d8cd98f00b204e9800998ecf8427e  unknown   unknown            unknown    unknown             IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                       .awiodnn  0x1080000        0x84          0x200      740274560702729ce191083a138d2c06  False     0.15234375         data       1.0134749699845145  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                       .awiodnn  0x1081000        0x1192d40     0x1192e00  53db11ff88bb86aa892f97e788225122  unknown   unknown            unknown    unknown             IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                       .rsrc     0x2214000        0x89334       0x2e00     021982f75e6bbe7d342842baa41c489e  False     0.268257472826087  data       3.3956402494632494  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                       .reloc    0x229e000        0x6b0         0x800      969ad4e3172b56d11c7307e3c9fac5fb  False     0.44189453125      data       4.0418186869731345  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
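The section table above is the static evidence behind the report's "Entry point lies outside standard sections" and "PE file contains sections with non-standard names" signatures: the entry point sits in a code section named .awiodnn, every linker-generated section (.text, .itext, .data, .idata, .edata, ...) has a raw size of 0 and the MD5 of empty input, the largest .awiodnn section carries almost all of the file's bytes, and the import, export, IAT and delay-import directories point into .awiodnn rather than .idata/.edata. The following Python is an added example, not Joe Sandbox's or the sample's code, that re-derives those findings from raw PE headers using only the standard library. The list of "standard" section names, the 7.0-bit entropy threshold, and the synthetic PE32 DLL built inline to stand in for the sample are this example's own assumptions.

```python
"""Static PE section triage (added example, not Joe Sandbox or sample code).
Re-derives the report's section findings from raw headers with the standard
library only; section-name list, entropy threshold and sample PE are assumptions."""
import math
import struct
from collections import Counter

# Names a normal linker emits; anything else is treated as packer-generated (assumption).
STANDARD_SECTIONS = {".text", ".itext", ".data", ".bss", ".rdata", ".idata", ".edata",
                     ".didata", ".rsrc", ".reloc", ".tls", ".pdata", ".CRT"}
ENTROPY_THRESHOLD = 7.0  # bits/byte; packed or encrypted code usually sits above this


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for an empty or constant block)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(data: bytes) -> dict:
    """Read entry point RVA, data directories and section headers of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]       # NumberOfRvaAndSizes
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsections):                                # IMAGE_SECTION_HEADER, 40 bytes each
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        body = data[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "rawsize": rawsize, "entropy": entropy(body)})
    return {"entry_rva": entry_rva, "dirs": dirs, "sections": sections}


def section_for_rva(rva: int, sections: list):
    """Section whose virtual range contains rva, or None."""
    return next((s for s in sections if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"])), None)


def triage(pe: dict) -> dict:
    """Return the entry-point section name and a list of packer indicators."""
    findings = []
    ep = section_for_rva(pe["entry_rva"], pe["sections"])
    ep_name = ep["name"] if ep else None
    if ep_name not in STANDARD_SECTIONS:
        findings.append(f"entry point 0x{pe['entry_rva']:x} lies in non-standard section {ep_name!r}")
    for name, n in Counter(s["name"] for s in pe["sections"]).items():
        if name not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name {name!r}" + (f" (x{n})" if n > 1 else ""))
    for s in pe["sections"]:
        if s["rawsize"] == 0 and s["vsize"] and s["name"] in STANDARD_SECTIONS:
            findings.append(f"{s['name']} has no raw data but 0x{s['vsize']:x} virtual bytes: filled at runtime")
        if s["rawsize"] and s["entropy"] > ENTROPY_THRESHOLD:
            findings.append(f"{s['name']} entropy {s['entropy']:.2f}: compressed or encrypted")
    # Directory 0 = export table, 1 = import table. A linker leaves them in
    # .edata/.idata; a packer rebuilds them inside its own section.
    for idx, label, home in ((0, "export", ".edata"), (1, "import", ".idata")):
        rva, size = pe["dirs"][idx] if idx < len(pe["dirs"]) else (0, 0)
        where = section_for_rva(rva, pe["sections"]) if size else None
        if where and where["name"] != home:
            findings.append(f"{label} directory at 0x{rva:x} sits in {where['name']!r}, not {home}")
    return {"entry_section": ep_name, "findings": findings}


def build_sample_pe() -> bytes:
    """Constructed PE32 DLL shaped like the report's sample: .text with zero raw size,
    a '.awiodnn' section holding the entry point and import/export tables, empty .rsrc."""
    entry_rva, hdr_size = 0x8010, 0x400
    secs = [  # name, virtual size, VA, raw size, raw pointer, body, characteristics
        (b".text",    0x7000, 0x1000, 0,     0,     b"",                   0x60000020),
        (b".awiodnn", 0x1000, 0x8000, 0x200, 0x400, bytes(range(256)) * 2, 0x60000020),
        (b".rsrc",    0x200,  0x9000, 0x200, 0x600, b"\0" * 0x200,         0x40000040),
    ]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 0xE0, 0x2102)  # i386, DLL
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "IIII" + "HH" + "I" * 6,
                      0x10B, 0, 0, 0, 0, 0, entry_rva, 0x8000, 0x9000, 0x400000, 0x1000, 0x200,
                      5, 0, 5, 0, 5, 0, 0, 0xA000, hdr_size, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[0], dirs[1] = (0x8200, 0x40), (0x8100, 0x28)                        # both inside .awiodnn
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                    for n, vs, va, rs, rp, _, ch in secs)
    image = (dos + b"PE\0\0" + coff + opt + hdrs).ljust(hdr_size, b"\0")
    for _, _, _, rs, rp, body, _ in secs:
        if rs:
            image = image.ljust(rp, b"\0") + body
    return image


if __name__ == "__main__":
    result = triage(parse_pe(build_sample_pe()))
    print("entry point section:", result["entry_section"])
    print(*result["findings"], sep="\n")
```

Run as a script it prints six findings for the constructed image; pass the bytes of a real PE32 DLL to `parse_pe` to get the same view of its section table. The checks are triage input, not a verdict: a commercial protector on a benign binary produces the same pattern of zero-raw-size linker sections and relocated directories.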
                       Name         RVA        Size    Type   Language  Country        ZLIB Complexity
                       UNICODEDATA  0x2216c50  0x723f  data                            0.032407407407407406
                       UNICODEDATA  0x221de90  0x7ebd  empty                           0
                       UNICODEDATA  0x2225d50  0x6a8   empty                           0
                       UNICODEDATA  0x22263f8  0xaf7d  empty                           0
                       UNICODEDATA  0x2231378  0xd3cf  empty                           0
                       UNICODEDATA  0x223e748  0x14c5  empty                           0
                       RT_CURSOR    0x223fc10  0x134   empty  English   United States  0
                       RT_CURSOR    0x223fd44  0x134   empty  English   United States  0
                       RT_CURSOR    0x223fe78  0x134   empty  English   United States  0
                       RT_CURSOR    0x223ffac  0x134   empty  English   United States  0
                       RT_CURSOR    0x22400e0  0x134   empty  English   United States  0
                       RT_CURSOR    0x2240214  0x134   empty  English   United States  0
                       RT_CURSOR    0x2240348  0x134   empty  English   United States  0
                       RT_CURSOR    0x224047c  0x134   empty                           0
                       RT_CURSOR    0x22405b0  0x134   empty                           0
                       RT_CURSOR    0x22406e4  0x134   empty  English   United States  0
                       RT_CURSOR    0x2240818  0x134   empty  English   United States  0
                       RT_BITMAP    0x224094c  0x1d0   empty  English   United States  0
                       RT_BITMAP    0x2240b1c  0x1e4   empty  English   United States  0
                       RT_BITMAP    0x2240d00  0x1d0   empty  English   United States  0
                       RT_BITMAP    0x2240ed0  0x1d0   empty  English   United States  0
                       RT_BITMAP    0x22410a0  0x1d0   empty  English   United States  0
                       RT_BITMAP    0x2241270  0x1d0   empty  English   United States  0
                       RT_BITMAP    0x2241440  0x1d0   empty  English   United States  0
                       RT_BITMAP    0x2241610  0x1d0   empty  English   United States  0
                       RT_BITMAP    0x22417e0  0x1d0   empty  English   United States  0
                       RT_BITMAP    0x22419b0  0x1d0   empty  English   United States  0
                       RT_BITMAP    0x2241b80  0xc0    empty  English   United States  0
                       RT_BITMAP    0x2241c40  0xe0    empty  English   United States  0
                       RT_BITMAP    0x2241d20  0xe0    empty  English   United States  0
                       RT_BITMAP    0x2241e00  0xe0    empty  English   United States  0
                       RT_BITMAP    0x2241ee0  0xc0    empty  English   United States  0
                       RT_BITMAP    0x2241fa0  0xc0    empty  English   United States  0
                       RT_BITMAP    0x2242060  0xe0    empty  English   United States  0
                       RT_BITMAP    0x2242140  0xc58   empty  English   United States  0
                       RT_BITMAP    0x2242d98  0xc0    empty  English   United States  0
                       RT_BITMAP    0x2242e58  0xe0    empty  English   United States  0
                       RT_BITMAP    0x2242f38  0xe8    empty  English   United States  0
                       RT_BITMAP    0x2243020  0xc0    empty  English   United States  0
                       RT_BITMAP    0x22430e0  0x4b8   empty  English   United States  0
                       RT_BITMAP    0x2243598  0x4b8   empty  English   United States  0
                       RT_BITMAP    0x2243a50  0x4b8   empty  English   United States  0
                       RT_BITMAP    0x2243f08  0x4b8   empty  English   United States  0
                       RT_BITMAP    0x22443c0  0x4b8   empty  English   United States  0
                       RT_BITMAP    0x2244878  0x628   empty  English   United States  0
                       RT_BITMAP    0x2244ea0  0x628   empty  English   United States  0
                       RT_BITMAP    0x22454c8  0x628   empty  English   United States  0
                       RT_BITMAP    0x2245af0  0x628   empty  English   United States  0
                       RT_BITMAP    0x2246118  0x628   empty  English   United States  0
                       RT_BITMAP    0x2246740  0x628   empty  English   United States  0
                       RT_BITMAP    0x2246d68  0x628   empty  English   United States  0
                       RT_BITMAP    0x2247390  0x628   empty  English   United States  0
                       RT_BITMAP    0x22479b8  0x628   empty  English   United States  0
                       RT_BITMAP    0x2247fe0  0x628   empty  English   United States  0
                       RT_BITMAP    0x2248608  0xe0    empty  English   United States  0
                       RT_DIALOG    0x22486e8  0x52    empty                           0
                       RT_DIALOG    0x224873c  0x52    empty                           0
                       RT_STRING    0x2248790  0x4c    empty                           0
                       RT_STRING    0x22487dc  0xaa    empty                           0
                       RT_STRING    0x2248888  0x186   empty                           0
                       RT_STRING    0x2248a10  0x1ce   empty                           0
                       RT_STRING    0x2248be0  0x146   empty                           0
                       RT_STRING    0x2248d28  0x7e    empty                           0
                       RT_STRING    0x2248da8  0x24    empty                           0
                       RT_STRING    0x2248dcc  0x210   empty                           0
                       RT_STRING    0x2248fdc  0x440   empty                           0
                       RT_STRING    0x224941c  0x490   empty                           0
                       RT_STRING    0x22498ac  0x458   empty                           0
                       RT_STRING    0x2249d04  0x764   empty                           0
                       RT_STRING    0x224a468  0x44c   empty                           0
                       RT_STRING    0x224a8b4  0x47c   empty                           0
                       RT_STRING    0x224ad30  0x478   empty                           0
                       RT_STRING    0x224b1a8  0x44c   empty                           0
                       RT_STRING    0x224b5f4  0x57c   empty                           0
                       RT_STRING    0x224bb70  0x440   empty                           0
                       RT_STRING    0x224bfb0  0x3dc   empty                           0
                       RT_STRING    0x224c38c  0x334   empty                           0
                       RT_STRING    0x224c6c0  0x490   empty                           0
                       RT_STRING    0x224cb50  0x6f4   empty                           0
                       RT_STRING    0x224d244  0x5d0   empty                           0
                       RT_STRING    0x224d814  0x3f8   empty                           0
                       RT_STRING    0x224dc0c  0x464   empty                           0
                       RT_STRING    0x224e070  0x50c   empty                           0
                       RT_STRING    0x224e57c  0x6e4   empty                           0
                       RT_STRING    0x224ec60  0x7a0   empty                           0
                       RT_STRING    0x224f400  0x734   empty                           0
                       RT_STRING    0x224fb34  0x4dc   empty                           0
                       RT_STRING    0x2250010  0x604   empty                           0
                       RT_STRING    0x2250614  0x618   empty                           0
                       RT_STRING    0x2250c2c  0x7a8   empty                           0
                       RT_STRING    0x22513d4  0x5ac   empty                           0
                       RT_STRING    0x2251980  0xd10   empty                           0
                       RT_STRING    0x2252690  0x5ec   empty                           0
                       RT_STRING    0x2252c7c  0x698   empty                           0
                       RT_STRING    0x2253314  0x76c   empty                           0
                       RT_STRING    0x2253a80  0x680   empty                           0
                       RT_STRING    0x2254100  0x524   empty                           0
                       RT_STRING    0x2254624  0x59c   empty                           0
                       RT_STRING    0x2254bc0  0x4e8   empty                           0
                       RT_STRING    0x22550a8  0x3e4   empty                           0
                       RT_STRING    0x225548c  0x524   empty                           0
                       RT_STRING    0x22559b0  0x840   empty                           0
                       RT_STRING    0x22561f0  0xaa8   empty                           0
                       RT_STRING    0x2256c98  0x1c8   empty                           0
                       RT_STRING    0x2256e60  0x17c   empty                           0
                       RT_STRING    0x2256fdc  0x11c   empty                           0
                       RT_STRING    0x22570f8  0x100   empty                           0
                       RT_STRING    0x22571f8  0x2a8   empty                           0
                       RT_STRING    0x22574a0  0x49c   empty                           0
                       RT_STRING    0x225793c  0x3f0   empty                           0
                       RT_STRING    0x2257d2c  0x47c   empty                           0
                       RT_STRING    0x22581a8  0x57c   empty                           0
                       RT_STRING    0x2258724  0x284   empty                           0
                       RT_STRING    0x22589a8  0x234   empty                           0
                       RT_STRING    0x2258bdc  0x194   empty                           0
                       RT_STRING    0x2258d70  0x120   empty                           0
                       RT_STRING    0x2258e90  0xf0    empty                           0
                       RT_STRING    0x2258f80  0x2dc   empty                           0
                       RT_STRING    0x225925c  0x884   empty                           0
                       RT_STRING    0x2259ae0  0x888   empty                           0
                       RT_STRING    0x225a368  0x7fc   empty                           0
                       RT_STRING    0x225ab64  0x810   empty                           0
                       RT_STRING    0x225b374  0x9b4   empty                           0
                       RT_STRING    0x225bd28  0x968   empty                           0
                       RT_STRING    0x225c690  0x590   empty                           0
                       RT_STRING    0x225cc20  0x3ac   empty                           0
                       RT_STRING    0x225cfcc  0x26c   empty                           0
                       RT_STRING    0x225d238  0x4d8   empty                           0
                       RT_STRING    0x225d710  0x31c   empty                           0
                       RT_STRING    0x225da2c  0x3ac   empty                           0
                       RT_STRING    0x225ddd8  0x520   empty                           0
                       RT_STRING    0x225e2f8  0xe04   empty                           0
                       RT_STRING    0x225f0fc  0xb40   empty                           0
                       RT_STRING    0x225fc3c  0xae4   empty                           0
                       RT_STRING    0x2260720  0x8ac   empty                           0
                       RT_STRING    0x2260fcc  0x798   empty                           0
                       RT_STRING    0x2261764  0x2b8   empty                           0
                       RT_STRING    0x2261a1c  0x350   empty                           0
                       RT_STRING    0x2261d6c  0x468   empty                           0
                       RT_STRING    0x22621d4  0x3a0   empty                           0
                       RT_STRING    0x2262574  0x3fc   empty                           0
                       RT_STRING    0x2262970  0x3e8   empty                           0
                       RT_STRING    0x2262d58  0x388   empty                           0
                       RT_STRING    0x22630e0  0x364   empty                           0
                       RT_STRING    0x2263444  0x2ec   empty                           0
                       RT_STRING    0x2263730  0x4b4   empty                           0
                       RT_STRING    0x2263be4  0x56c   empty                           0
                       RT_STRING    0x2264150  0x468   empty                           0
                       RT_STRING    0x22645b8  0x4ac   empty                           0
                       RT_STRING    0x2264a64  0x544   empty                           0
                       RT_STRING    0x2264fa8  0x368   empty                           0
                       RT_STRING    0x2265310  0x3a4   empty                           0
                       RT_STRING    0x22656b4  0x2a8   empty                           0
                       RT_STRING    0x226595c  0xbc    empty                           0
                       RT_STRING    0x2265a18  0x1f8   empty                           0
                       RT_STRING    0x2265c10  0x198   empty                           0
                       RT_STRING    0x2265da8  0x3cc   empty                           0
                       RT_STRING    0x2266174  0x3b8   empty                           0
                       RT_STRING    0x226652c  0x444   empty                           0
                       RT_STRING    0x2266970  0x4a0   empty                           0
                       RT_STRING    0x2266e10  0x328   empty                           0
                       RT_STRING    0x2267138  0x3a4   empty                           0
                       RT_STRING    0x22674dc  0x694   empty                           0
                       RT_STRING    0x2267b70  0x3ec   empty                           0
                       RT_STRING    0x2267f5c  0x368   empty                           0
                       RT_STRING    0x22682c4  0x31c   empty                           0
                       RT_STRING    0x22685e0  0x42c   empty                           0
                       RT_STRING    0x2268a0c  0x200   empty                           0
                       RT_STRING    0x2268c0c  0xc4    empty                           0
                      RT_STRING0x2268cd00x150empty0
                      RT_STRING0x2268e200x3e8empty0
                      RT_STRING0x22692080x498empty0
                      RT_STRING0x22696a00x2f8empty0
                      RT_STRING0x22699980x2f0empty0
                      RT_STRING0x2269c880x3c0empty0
                      RT_RCDATA0x226a0480xcbfemptyEnglishUnited States0
                      RT_RCDATA0x226ad080x3a5emptyEnglishUnited States0
                      RT_RCDATA0x226b0b00x286acemptyEnglishUnited States0
                      RT_RCDATA0x229375c0x10empty0
                      RT_RCDATA0x229376c0x2320empty0
                      RT_RCDATA0x2295a8c0x5eaemptyEnglishUnited States0
                      RT_RCDATA0x22960780x5c9emptyEnglishUnited States0
                      RT_RCDATA0x22966440x314emptyEnglishUnited States0
                      RT_RCDATA0x22969580xb88emptyEnglishUnited States0
                      RT_RCDATA0x22974e00xabcemptyEnglishUnited States0
                      RT_RCDATA0x2297f9c0x572empty0
                      RT_RCDATA0x22985100x970empty0
                      RT_RCDATA0x2298e800x12dfempty0
                      RT_RCDATA0x229a1600x1984empty0
                      RT_RCDATA0x229bae40x15b4empty0
                      RT_RCDATA0x229d0980x1c0empty0
                      RT_GROUP_CURSOR0x229d2580x14emptyEnglishUnited States0
                      RT_GROUP_CURSOR0x229d26c0x14empty0
                      RT_GROUP_CURSOR0x229d2800x14empty0
                      RT_GROUP_CURSOR0x229d2940x14emptyEnglishUnited States0
                      RT_GROUP_CURSOR0x229d2a80x14emptyEnglishUnited States0
                      RT_GROUP_CURSOR0x229d2bc0x14emptyEnglishUnited States0
                      RT_GROUP_CURSOR0x229d2d00x14emptyEnglishUnited States0
                      RT_GROUP_CURSOR0x229d2e40x14emptyEnglishUnited States0
                      RT_GROUP_CURSOR0x229d2f80x14emptyEnglishUnited States0
                      RT_GROUP_CURSOR0x229d30c0x14emptyEnglishUnited States0
                      RT_GROUP_CURSOR0x229d3200x14emptyEnglishUnited States0
DLL | Import
comctl32.dll | FlatSB_SetScrollInfo
shell32.dll | SHGetMalloc
user32.dll | CopyImage
version.dll | GetFileVersionInfoSizeW
oleaut32.dll | SafeArrayPutElement
advapi32.dll | RegSetValueExW
netapi32.dll | NetWkstaGetInfo
msvcrt.dll | memcpy
winhttp.dll | WinHttpGetIEProxyConfigForCurrentUser
kernel32.dll | GetVersion, GetVersionExW
SHFolder.dll | SHGetFolderPathW
ole32.dll | CreateBindCtx
gdi32.dll | AddFontMemResourceEx
Name | Ordinal | Address
TMethodImplementationIntercept | 3 | 0x4c4a2c
__dbk_fcall_wrapper | 2 | 0x41170c
agzxqlovcrhc | 4 | 0xb9f2e4
dbkFCallWrapperAddr | 1 | 0xbda640
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 24, 2024 17:39:34.544544935 CEST | 49712 | 443 | 192.168.2.8 | 34.117.186.192
May 24, 2024 17:39:34.544559956 CEST | 443 | 49712 | 34.117.186.192 | 192.168.2.8
May 24, 2024 17:39:34.544619083 CEST | 49712 | 443 | 192.168.2.8 | 34.117.186.192
May 24, 2024 17:39:34.560435057 CEST | 49712 | 443 | 192.168.2.8 | 34.117.186.192
May 24, 2024 17:39:34.560445070 CEST | 443 | 49712 | 34.117.186.192 | 192.168.2.8
May 24, 2024 17:39:35.100684881 CEST | 443 | 49712 | 34.117.186.192 | 192.168.2.8
May 24, 2024 17:39:35.100824118 CEST | 49712 | 443 | 192.168.2.8 | 34.117.186.192
May 24, 2024 17:39:35.198493004 CEST | 49712 | 443 | 192.168.2.8 | 34.117.186.192
May 24, 2024 17:39:35.198510885 CEST | 443 | 49712 | 34.117.186.192 | 192.168.2.8
May 24, 2024 17:39:35.198947906 CEST | 443 | 49712 | 34.117.186.192 | 192.168.2.8
May 24, 2024 17:39:35.198997021 CEST | 49712 | 443 | 192.168.2.8 | 34.117.186.192
May 24, 2024 17:39:35.214198112 CEST | 49712 | 443 | 192.168.2.8 | 34.117.186.192
May 24, 2024 17:39:35.254520893 CEST | 443 | 49712 | 34.117.186.192 | 192.168.2.8
May 24, 2024 17:39:35.358411074 CEST | 443 | 49712 | 34.117.186.192 | 192.168.2.8
May 24, 2024 17:39:35.358463049 CEST | 49712 | 443 | 192.168.2.8 | 34.117.186.192
May 24, 2024 17:39:35.358473063 CEST | 443 | 49712 | 34.117.186.192 | 192.168.2.8
May 24, 2024 17:39:35.358513117 CEST | 49712 | 443 | 192.168.2.8 | 34.117.186.192
May 24, 2024 17:39:35.358516932 CEST | 443 | 49712 | 34.117.186.192 | 192.168.2.8
May 24, 2024 17:39:35.358558893 CEST | 49712 | 443 | 192.168.2.8 | 34.117.186.192
May 24, 2024 17:39:35.402060032 CEST | 49712 | 443 | 192.168.2.8 | 34.117.186.192
May 24, 2024 17:39:35.402075052 CEST | 443 | 49712 | 34.117.186.192 | 192.168.2.8
May 24, 2024 17:39:38.448262930 CEST | 49714 | 9091 | 192.168.2.8 | 173.255.201.196
May 24, 2024 17:39:38.453541040 CEST | 9091 | 49714 | 173.255.201.196 | 192.168.2.8
May 24, 2024 17:39:38.453613043 CEST | 49714 | 9091 | 192.168.2.8 | 173.255.201.196
May 24, 2024 17:39:39.446803093 CEST | 49714 | 9091 | 192.168.2.8 | 173.255.201.196
May 24, 2024 17:39:39.476803064 CEST | 9091 | 49714 | 173.255.201.196 | 192.168.2.8
May 24, 2024 17:39:39.612803936 CEST | 9091 | 49714 | 173.255.201.196 | 192.168.2.8
May 24, 2024 17:39:39.612863064 CEST | 49714 | 9091 | 192.168.2.8 | 173.255.201.196
May 24, 2024 17:39:40.447156906 CEST | 49714 | 9091 | 192.168.2.8 | 173.255.201.196
May 24, 2024 17:39:40.457139015 CEST | 9091 | 49714 | 173.255.201.196 | 192.168.2.8
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 24, 2024 17:39:34.456716061 CEST | 50729 | 53 | 192.168.2.8 | 1.1.1.1
May 24, 2024 17:39:34.535418987 CEST | 53 | 50729 | 1.1.1.1 | 192.168.2.8
May 24, 2024 17:39:41.517644882 CEST | 53 | 63589 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 24, 2024 17:39:34.456716061 CEST | 192.168.2.8 | 1.1.1.1 | 0x2395 | Standard query (0) | ipinfo.io | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 24, 2024 17:39:34.535418987 CEST | 1.1.1.1 | 192.168.2.8 | 0x2395 | No error (0) | ipinfo.io | | 34.117.186.192 | A (IP address) | IN (0x0001) | false
                      • ipinfo.io
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49712 | 34.117.186.192 | 443 | 7804 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-24 15:39:35 UTC | 297 | OUT | GET /json HTTP/1.1
Accept: */*
Accept-Language: en-ch
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: ipinfo.io
Connection: Keep-Alive
2024-05-24 15:39:35 UTC | 401 | IN | HTTP/1.1 200 OK
server: nginx/1.24.0
date: Fri, 24 May 2024 15:39:35 GMT
content-type: application/json; charset=utf-8
Content-Length: 321
access-control-allow-origin: *
x-content-type-options: nosniff
x-envoy-upstream-service-time: 4
via: 1.1 google
strict-transport-security: max-age=2592000; includeSubDomains
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2024-05-24 15:39:35 UTC | 321 | IN | Data Raw: 7b 0a 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 37 35 22 2c 0a 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 31 37 35 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 0a 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 31 30 30 30 31 22 2c 0a 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a
Data Ascii: { "ip": "8.46.123.175", "hostname": "static-cpe-8-46-123-175.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level 3 Parent, LLC", "postal": "10001", "timezone":


                      Target ID:0
                      Start time:11:39:14
                      Start date:24/05/2024
                      Path:C:\Windows\System32\loaddll32.exe
                      Wow64 process (32bit):true
                      Commandline:loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll"
                      Imagebase:0x130000
                      File size:126'464 bytes
                      MD5 hash:51E6071F9CBA48E79F10C84515AAE618
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:Borland Delphi
                      Reputation:high
                      Has exited:true

                      Target ID:1
                      Start time:11:39:14
                      Start date:24/05/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6ee680000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:2
                      Start time:11:39:14
                      Start date:24/05/2024
                      Path:C:\Windows\SysWOW64\cmd.exe
                      Wow64 process (32bit):true
                      Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll",#1
                      Imagebase:0xa40000
                      File size:236'544 bytes
                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:4
                      Start time:11:39:14
                      Start date:24/05/2024
                      Path:C:\Windows\SysWOW64\rundll32.exe
                      Wow64 process (32bit):true
                      Commandline:rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll,TMethodImplementationIntercept
                      Imagebase:0xb80000
                      File size:61'440 bytes
                      MD5 hash:889B99C52A60DD49227C5E485A016679
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:Borland Delphi
                      Yara matches:
                      • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000004.00000002.1509418224.0000000004141000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                      Reputation:high
                      Has exited:true

                      Target ID:5
                      Start time:11:39:14
                      Start date:24/05/2024
                      Path:C:\Windows\SysWOW64\rundll32.exe
                      Wow64 process (32bit):true
                      Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll",#1
                      Imagebase:0xb80000
                      File size:61'440 bytes
                      MD5 hash:889B99C52A60DD49227C5E485A016679
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:Borland Delphi
                      Yara matches:
                      • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000005.00000002.1509801187.00000000041B1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                      Reputation:high
                      Has exited:true

                      Target ID:9
                      Start time:11:39:17
                      Start date:24/05/2024
                      Path:C:\Windows\SysWOW64\rundll32.exe
                      Wow64 process (32bit):true
                      Commandline:rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll,__dbk_fcall_wrapper
                      Imagebase:0xb80000
                      File size:61'440 bytes
                      MD5 hash:889B99C52A60DD49227C5E485A016679
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:Borland Delphi
                      Reputation:high
                      Has exited:true

                      Target ID:10
                      Start time:11:39:17
                      Start date:24/05/2024
                      Path:C:\Windows\SysWOW64\WerFault.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7424 -s 936
                      Imagebase:0xb40000
                      File size:483'680 bytes
                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:11
                      Start time:11:39:17
                      Start date:24/05/2024
                      Path:C:\Windows\SysWOW64\WerFault.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7408 -s 936
                      Imagebase:0xb40000
                      File size:483'680 bytes
                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:13
                      Start time:11:39:20
                      Start date:24/05/2024
                      Path:C:\Windows\SysWOW64\rundll32.exe
                      Wow64 process (32bit):true
                      Commandline:rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll,agzxqlovcrhc
                      Imagebase:0xb80000
                      File size:61'440 bytes
                      MD5 hash:889B99C52A60DD49227C5E485A016679
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:Borland Delphi
                      Yara matches:
                      • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000D.00000002.2658035882.0000000004341000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                      Reputation:high
                      Has exited:false

                      Target ID:15
                      Start time:11:39:22
                      Start date:24/05/2024
                      Path:C:\Windows\SysWOW64\WerFault.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7596 -s 796
                      Imagebase:0xb40000
                      File size:483'680 bytes
                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:16
                      Start time:11:39:27
                      Start date:24/05/2024
                      Path:C:\Windows\SysWOW64\rundll32.exe
                      Wow64 process (32bit):true
                      Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll",TMethodImplementationIntercept
                      Imagebase:0xb80000
                      File size:61'440 bytes
                      MD5 hash:889B99C52A60DD49227C5E485A016679
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:Borland Delphi
                      Yara matches:
                      • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000010.00000002.1668206356.0000000004341000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                      Reputation:high
                      Has exited:true

                      Target ID:17
                      Start time:11:39:27
                      Start date:24/05/2024
                      Path:C:\Windows\SysWOW64\rundll32.exe
                      Wow64 process (32bit):true
                      Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll",__dbk_fcall_wrapper
                      Imagebase:0xb80000
                      File size:61'440 bytes
                      MD5 hash:889B99C52A60DD49227C5E485A016679
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:Borland Delphi
                      Reputation:high
                      Has exited:true

                      Target ID:18
                      Start time:11:39:27
                      Start date:24/05/2024
                      Path:C:\Windows\SysWOW64\rundll32.exe
                      Wow64 process (32bit):true
                      Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll",agzxqlovcrhc
                      Imagebase:0xb80000
                      File size:61'440 bytes
                      MD5 hash:889B99C52A60DD49227C5E485A016679
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:Borland Delphi
                      Reputation:high
                      Has exited:true

                      Target ID:19
                      Start time:11:39:27
                      Start date:24/05/2024
                      Path:C:\Windows\SysWOW64\rundll32.exe
                      Wow64 process (32bit):true
                      Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.448806.8704.4188.dll",dbkFCallWrapperAddr
                      Imagebase:0xb80000
                      File size:61'440 bytes
                      MD5 hash:889B99C52A60DD49227C5E485A016679
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:Borland Delphi
                      Yara matches:
                      • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000013.00000002.1668678941.0000000004141000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                      Has exited:true

                      Target ID:23
                      Start time:11:39:37
                      Start date:24/05/2024
                      Path:C:\Windows\SysWOW64\WerFault.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7960 -s 928
                      Imagebase:0xb40000
                      File size:483'680 bytes
                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:25
                      Start time:11:39:38
                      Start date:24/05/2024
                      Path:C:\Windows\SysWOW64\WerFault.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7988 -s 936
                      Imagebase:0xb40000
                      File size:483'680 bytes
                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      No disassembly