Windows Analysis Report
40kib.dll

Overview

General Information

Sample name: 40kib.dll
Analysis ID: 1544180
MD5: 27687a480b13f580a11e713f8b9ba343
SHA1: 7d82bfafbb3a541900161dbe4a4191e169048dfb
SHA256: 7c22665f392ed020a71dd27c7f7945bbb376697580ae50a0a31df0cdb8d9eb2c
Infos:

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Hides threads from debuggers
Overwrites code with function prologues
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Entry point lies outside standard sections
One or more processes crash
PE file contains more sections than normal
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: 40kib.dll ReversingLabs: Detection: 62%
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: -----BEGIN RSA PUBLIC KEY----- memstr_63242dbb-e
Uses 32bit PE files
Source: 40kib.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: 40kib.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: loaddll32.exe, 00000000.00000003.7545466258.0000000003473000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.7444950851.00000000055F1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.7462577639.00000000047A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.7476104571.0000000005411000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.7500570990.0000000004A01000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.7831365166.00000000054C1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.7752211587.0000000004BD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.7843341696.0000000005571000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.7821583480.0000000004E50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.7805008026.0000000005741000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.7779148478.00000000054F1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.7798399853.0000000005331000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.7750150048.0000000005391000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.7740297571.0000000004A81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.7803938286.0000000004D41000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.7850147318.00000000049B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000003.7741597250.00000000055A1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.7839641762.0000000004D71000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.7816744739.0000000005151000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000019.00000003.7816684729.00000000047F1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001A.00000003.7812148018.00000000051D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://fontawesome.io
Source: loaddll32.exe, 00000000.00000003.7545466258.0000000003473000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.7444950851.00000000055F1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.7462577639.00000000047A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.7476104571.0000000005411000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.7500570990.0000000004A01000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.7831365166.00000000054C1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.7752211587.0000000004BD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.7843341696.0000000005571000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.7821583480.0000000004E50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.7805008026.0000000005741000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.7779148478.00000000054F1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.7798399853.0000000005331000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.7750150048.0000000005391000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.7740297571.0000000004A81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.7803938286.0000000004D41000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.7850147318.00000000049B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000003.7741597250.00000000055A1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.7839641762.0000000004D71000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.7816744739.0000000005151000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000019.00000003.7816684729.00000000047F1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001A.00000003.7812148018.00000000051D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://fontawesome.io/license/
Source: loaddll32.exe, 00000000.00000003.7545466258.0000000003473000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.7444950851.00000000055F1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.7462577639.00000000047A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.7476104571.0000000005411000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.7500570990.0000000004A01000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.7831365166.00000000054C1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.7752211587.0000000004BD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.7843341696.0000000005571000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.7821583480.0000000004E50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.7805008026.0000000005741000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.7779148478.00000000054F1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.7798399853.0000000005331000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.7750150048.0000000005391000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.7740297571.0000000004A81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.7803938286.0000000004D41000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.7850147318.00000000049B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000003.7741597250.00000000055A1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.7839641762.0000000004D71000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.7816744739.0000000005151000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000019.00000003.7816684729.00000000047F1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001A.00000003.7812148018.00000000051D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://fontawesome.iohttp://fontawesome.iohttp://fontawesome.io/license/http://fontawesome.io/licens
Source: loaddll32.exe, 00000000.00000003.7541119120.000000000307D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.7441719796.000000000519D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.7463283059.0000000061A29000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.7461502765.00000000042FD000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.7472841146.0000000004F6D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.7497796661.000000000451D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.7741669489.00000000045DD000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.7831137774.0000000004F6D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.7799284996.00000000049AD000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061A29000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000003.7791419944.000000000524D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.7766670150.0000000004EFD000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.7785903645.0000000004E4D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.7740319449.0000000004F3D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.7729000480.000000000461D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.7790256730.00000000046FD000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.7838466412.000000000453D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000016.00000003.7730092247.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.7826663110.000000000491D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.7804157981.0000000004C8D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000019.00000003.7804158992.000000000432D000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.indyproject.org/
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1--F4MFA0VoMjrlKOrQBJllMDopSK92p-
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1-iOSQjT44_UUyF5rl6JGizL5jWNy8gne
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=12DW-nFp6uBo3zifmiESi18x3uXqgzYnu
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=12hbi1wHJPMb7N54ewv-FMziqiI1pdohj
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=13K15ZzfbiHo2_nQJWDeaR6bs-88Ex4ke
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=13STRCM4xGalbZUoToD9AEsIf2LMn0zQ3
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=13uLNkPwzmvDchyphVi80sNSec4hP-5y8
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=14_BblvoYYSUuu3FQJmE706uJDDckissj
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=16Kqbl2vlWamTAZ3tvnItoyS-mge8Rpz8
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=17Z0xMja5i9kpIoIAbo09ylxHQ_GhVVVy
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1AkiAAH6bSmRwAnjrCtE8sgC_tD5BsmYv
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1Av3dvZUyh5RrGlmWqADxKKkV62O9Q0J7
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1HhfYIn2HeZ3ujaAtoyraHnJbWxa0shSx
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1HrvY1XzgByk0HXPxq4eUUMA30KY6UHUU
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1I6BIaJsGGPMlnE5wye-wPGuBoN6sDYqfS
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1Li90uyQO5NIWhjb7IgkvMihB_9yF8xql
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1QrBIdxKh7w-iOrliq9_K9CVlUC3YNHdNU
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1UF8RdVspwB0sWoZO4QgXwdshfp29vgVA
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1VTKGhw5qXNh2DmhfjmJjGTSllsTTrOJW
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1YCogkU8Av_wfl15TB4G6lq-XgerOPsrP
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1YFVDOpe1Oyk0D-FTJKtc6Vhc08qysxxM
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1_UFOoZ-uwZVw4LY4XGXYAoNqEBUJCrfs
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1aRlo1_02LB06Kr_RAPSCHI4DX1ROKX4r
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1bCvsOaCjHHuL6YWQ6jWCKh-sPeBXHGth
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1d39BiXw2wNcoXhqR-mzNe6HjTQzfPSB2
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1hJBTH9ZBK47ZO477SdV8lUCQs_lgVIy3
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1jqT6NE5N9O2dIBh0yKdK8Et-glqsaL0H
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1lQNCt3A2gFkbUl_282f2fU38KYu6Lv7b
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1m5V-2ixfaDRNusMWGKoF9q3F5aU9WhOd
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1o0UC8dT-3YFn9NBbYjFniQJp3-Q2GMgg
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1oFGu0v-pph6aXW_jH5z5raZcuozE-NwP
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1p9bf6JYW7cMzOx-kU2GKg_jUM-RIdTE0
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1rhjOyVuGuWQRqf3mXVrSXmivxhU6q_iI
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1uIe9zD2U6ZsefeYtpYDiFpqfBQjWGaM-
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1uKiAnXTUejCWVfY_9cK1DruQdqX4RW1p
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1uv91IKisZ2Q-Of1xJn7F2K3nWbsnTKCJ
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1y_zhnuEMDrpJ0p1yxO06bQDkcySt2Zqm
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1zT0cA5RJjA8bMCenecf7X-TlZJ9KSf-8
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1zoNuWfLbmiKQ6Cv-CdYplhz9hLQOKgFu
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phpU
Source: rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.google.com.br/

System Summary
barindex
PE file contains section with special chars
Source: 40kib.dll Static PE information: section name: .:<e
Source: 40kib.dll Static PE information: section name: .^yp
Source: 40kib.dll Static PE information: section name: .-F~
One or more processes crash
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 1108
PE file contains more sections than normal
Source: 40kib.dll Static PE information: Number of sections : 13 > 10
Uses 32bit PE files
Source: 40kib.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: classification engine Classification label: mal72.evad.winDLL@66/8@0/0
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4120
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2836
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4276:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4276:304:WilStaging_02
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\aa07afd1-c175-46dc-a590-b2e9c1b8ec88 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\loaddll32.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\40kib.dll,QStringClose
Source: 40kib.dll ReversingLabs: Detection: 62%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\40kib.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\40kib.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\40kib.dll,QStringClose
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\40kib.dll,QStringCmp
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\40kib.dll,QStringCreate
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 1108
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",QStringClose
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",QStringCmp
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",QStringCreate
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",dbkFCallWrapperAddr
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",__dbk_fcall_wrapper
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitSetVisible
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitSetTransparent
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitSetGeometry
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitSetDrop
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitSetALTignore
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitRepaint
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitNavigate
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitLoadFinished
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitJavaScriptCallback
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitGetWindow
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitExecuteJavaScript
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitCreate
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitClose
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebUIResourceUnregister
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebUIResourceRegister
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebUIResourceEnum
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebUIResourceData
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebUICreate
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebUIClose
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",QStringSet
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",QStringGet
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 1072
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\40kib.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\40kib.dll,QStringClose Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\40kib.dll,QStringCmp Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\40kib.dll,QStringCreate Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",QStringClose Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",QStringCmp Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",QStringCreate Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",dbkFCallWrapperAddr Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",__dbk_fcall_wrapper Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitSetVisible Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitSetTransparent Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitSetGeometry Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitSetDrop Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitSetALTignore Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitRepaint Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitNavigate Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitLoadFinished Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitJavaScriptCallback Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitGetWindow Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitExecuteJavaScript Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitCreate Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitClose Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebUIResourceUnregister Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebUIResourceRegister Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebUIResourceEnum Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebUIResourceData Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebUICreate Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebUIClose Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",QStringSet Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",QStringGet Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: magnification.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: d3d9.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: security.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: olepro32.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: colorui.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: mscms.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: coloradapterclient.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: compstui.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: inetres.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 40kib.dll Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 40kib.dll Static file information: File size 44391424 > 1048576
Source: 40kib.dll Static PE information: Raw size of .-F~ is bigger than: 0x100000 < 0x2a39600
Source: 40kib.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .-F~
PE file contains sections with non-standard names
Source: 40kib.dll Static PE information: section name: .didata
Source: 40kib.dll Static PE information: section name: .:<e
Source: 40kib.dll Static PE information: section name: .^yp
Source: 40kib.dll Static PE information: section name: .-F~

Hooking and other Techniques for Hiding and Protection
barindex
Overwrites code with function prologues
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 7732B950 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 76552FA0 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 7656CE10 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 76AB74C0 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 76ADEAC0 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 7732B950 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 76552FA0 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 7656CE10 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 76AB74C0 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 76ADEAC0 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 7732B950 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 76552FA0 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 7656CE10 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 76AB74C0 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 76ADEAC0 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 7732B950 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 76552FA0 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 7656CE10 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 76AB74C0 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 76ADEAC0 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 7732B950 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 76552FA0 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 7656CE10 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 76AB74C0 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 76ADEAC0 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 7732B950 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 76552FA0 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 7656CE10 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 76AB74C0 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 76ADEAC0 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3656 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3656 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3656 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3656 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3656 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2636 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2636 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2636 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2636 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2636 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1196 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1196 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1196 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1196 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1196 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 812 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 812 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 812 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 812 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 812 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7920 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7920 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7920 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7920 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7920 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3484 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3484 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3484 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3484 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3484 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3044 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3044 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3044 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3044 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3044 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6440 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6440 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6440 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6440 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6440 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4912 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4912 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4912 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4912 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4912 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7272 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7272 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7272 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7272 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7272 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2684 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2684 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2684 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2684 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2684 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4288 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4288 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4288 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4288 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4288 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6880 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6880 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6880 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6880 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6880 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3316 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3316 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3316 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3316 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3316 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2416 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2416 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2416 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2416 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2416 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5448 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5448 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5448 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5448 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5448 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2408 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2408 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2408 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2408 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2408 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1128 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1128 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1128 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1128 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1128 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5864 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5864 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5864 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5864 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5864 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2292 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2292 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2292 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2292 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2292 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3164 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3164 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3164 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3164 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3164 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4688 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4688 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4688 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4688 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4688 base: 76ADEAC0 value: 8B FF 55 8B EC
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 10E0005 value: E9 AB 2E 28 76 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 77362EB0 value: E9 5A D1 D7 89 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 1430007 value: E9 6B DC F6 75 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 7739DC70 value: E9 9E 23 09 8A Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 1480005 value: E9 4B B9 EA 75 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 7732B950 value: E9 BA 46 15 8A Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 1490008 value: E9 1B 8C EE 75 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 77378C20 value: E9 F0 73 11 8A Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 14A0005 value: E9 9B 2F 0B 75 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 76552FA0 value: E9 6A D0 F4 8A Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 14B0005 value: E9 0B CE 0B 75 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 7656CE10 value: E9 FA 31 F4 8A Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 14C0005 value: E9 BB 74 5F 75 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 76AB74C0 value: E9 4A 8B A0 8A Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 14D0005 value: E9 BB EA 60 75 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 76ADEAC0 value: E9 4A 15 9F 8A Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 14E0005 value: E9 7B 2D E8 75 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 77362D80 value: E9 8A D2 17 8A Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 14F0005 value: E9 0B 3E E7 75 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 77363E10 value: E9 FA C1 18 8A Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 1500005 value: E9 FB 2E E6 75 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 77362F00 value: E9 0A D1 19 8A Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 1510005 value: E9 DB 2C E5 75 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 77362CE0 value: E9 2A D3 1A 8A Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 2DD0005 value: E9 EB 29 59 74 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 773629F0 value: E9 1A D6 A6 8B Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 2DE0005 value: E9 9B 2A 58 74 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 77362AA0 value: E9 6A D5 A7 8B Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 2DF0005 value: E9 3B 2E 57 74 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 77362E40 value: E9 CA D1 A8 8B Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 2E00005 value: E9 1B 2C 56 74 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 77362C20 value: E9 EA D3 A9 8B Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 2E10005 value: E9 FB 2C 55 74 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 77362D00 value: E9 0A D3 AA 8B Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 2E30005 value: E9 CB 3D 53 74 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 77363DD0 value: E9 3A C2 AC 8B Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 2E40005 value: E9 4B 2E 52 74 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 77362E50 value: E9 BA D1 AD 8B Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 2E50005 value: E9 BB 2E 51 74 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 77362EC0 value: E9 4A D1 AE 8B Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 2E60005 value: E9 2B 2C 50 74 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 77362C30 value: E9 DA D3 AF 8B Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 2E70005 value: E9 EB 3A 4F 74 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 77363AF0 value: E9 1A C5 B0 8B Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 2E80005 value: E9 4B 2C 4E 74 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 77362C50 value: E9 BA D3 B1 8B Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 2E90005 value: E9 6B 46 4D 74 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 77364670 value: E9 9A B9 B2 8B Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 2EA0005 value: E9 DB 2B 4C 74 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 77362BE0 value: E9 2A D4 B3 8B Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 2EB0005 value: E9 7B 2A 4B 74 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 77362A80 value: E9 8A D5 B4 8B Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 2EC0005 value: E9 8B 2A 4A 74 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5916 base: 77362A90 value: E9 7A D5 B5 8B Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 3510005 value: E9 AB 2E E5 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 77362EB0 value: E9 5A D1 1A 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 4E10007 value: E9 6B DC 58 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 7739DC70 value: E9 9E 23 A7 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 4E20005 value: E9 4B B9 50 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 7732B950 value: E9 BA 46 AF 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 4E30008 value: E9 1B 8C 54 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 77378C20 value: E9 F0 73 AB 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 4F90005 value: E9 9B 2F 5C 71 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 76552FA0 value: E9 6A D0 A3 8E Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 4FB0005 value: E9 0B CE 5B 71 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 7656CE10 value: E9 FA 31 A4 8E Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 4FC0005 value: E9 BB 74 AF 71 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 76AB74C0 value: E9 4A 8B 50 8E Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 4FD0005 value: E9 BB EA B0 71 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 76ADEAC0 value: E9 4A 15 4F 8E Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 4FE0005 value: E9 7B 2D 38 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 77362D80 value: E9 8A D2 C7 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 4FF0005 value: E9 0B 3E 37 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 77363E10 value: E9 FA C1 C8 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 5000005 value: E9 FB 2E 36 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 77362F00 value: E9 0A D1 C9 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 5010005 value: E9 DB 2C 35 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 77362CE0 value: E9 2A D3 CA 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 5020005 value: E9 EB 29 34 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 773629F0 value: E9 1A D6 CB 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 5030005 value: E9 9B 2A 33 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 77362AA0 value: E9 6A D5 CC 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 5040005 value: E9 3B 2E 32 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 77362E40 value: E9 CA D1 CD 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 5050005 value: E9 1B 2C 31 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 77362C20 value: E9 EA D3 CE 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 5060005 value: E9 FB 2C 30 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 77362D00 value: E9 0A D3 CF 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 5070005 value: E9 CB 3D 2F 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 77363DD0 value: E9 3A C2 D0 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 5080005 value: E9 4B 2E 2E 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 77362E50 value: E9 BA D1 D1 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 5090005 value: E9 BB 2E 2D 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 77362EC0 value: E9 4A D1 D2 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 50A0005 value: E9 2B 2C 2C 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 77362C30 value: E9 DA D3 D3 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 50B0005 value: E9 EB 3A 2B 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 77363AF0 value: E9 1A C5 D4 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 50C0005 value: E9 4B 2C 2A 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 77362C50 value: E9 BA D3 D5 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 50D0005 value: E9 6B 46 29 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 77364670 value: E9 9A B9 D6 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 50E0005 value: E9 DB 2B 28 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 77362BE0 value: E9 2A D4 D7 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 50F0005 value: E9 7B 2A 27 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 77362A80 value: E9 8A D5 D8 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 5100005 value: E9 8B 2A 26 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8084 base: 77362A90 value: E9 7A D5 D9 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: AF0005 value: E9 AB 2E 87 76 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 77362EB0 value: E9 5A D1 78 89 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: B50007 value: E9 6B DC 84 76 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 7739DC70 value: E9 9E 23 7B 89 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 40E0005 value: E9 4B B9 24 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 7732B950 value: E9 BA 46 DB 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 40F0008 value: E9 1B 8C 28 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 77378C20 value: E9 F0 73 D7 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 4100005 value: E9 9B 2F 45 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 76552FA0 value: E9 6A D0 BA 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 4110005 value: E9 0B CE 45 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 7656CE10 value: E9 FA 31 BA 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 4120005 value: E9 BB 74 99 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 76AB74C0 value: E9 4A 8B 66 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 4130005 value: E9 BB EA 9A 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 76ADEAC0 value: E9 4A 15 65 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 4140005 value: E9 7B 2D 22 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 77362D80 value: E9 8A D2 DD 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 4150005 value: E9 0B 3E 21 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 77363E10 value: E9 FA C1 DE 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 4160005 value: E9 FB 2E 20 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 77362F00 value: E9 0A D1 DF 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 4170005 value: E9 DB 2C 1F 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 77362CE0 value: E9 2A D3 E0 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 4180005 value: E9 EB 29 1E 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 773629F0 value: E9 1A D6 E1 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 4190005 value: E9 9B 2A 1D 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 77362AA0 value: E9 6A D5 E2 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 41A0005 value: E9 3B 2E 1C 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 77362E40 value: E9 CA D1 E3 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 41B0005 value: E9 1B 2C 1B 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 77362C20 value: E9 EA D3 E4 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 41C0005 value: E9 FB 2C 1A 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 77362D00 value: E9 0A D3 E5 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 41D0005 value: E9 CB 3D 19 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 77363DD0 value: E9 3A C2 E6 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 41E0005 value: E9 4B 2E 18 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 77362E50 value: E9 BA D1 E7 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 41F0005 value: E9 BB 2E 17 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 77362EC0 value: E9 4A D1 E8 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 4200005 value: E9 2B 2C 16 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 77362C30 value: E9 DA D3 E9 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 4210005 value: E9 EB 3A 15 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 77363AF0 value: E9 1A C5 EA 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 4220005 value: E9 4B 2C 14 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 77362C50 value: E9 BA D3 EB 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 4230005 value: E9 6B 46 13 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 77364670 value: E9 9A B9 EC 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 4240005 value: E9 DB 2B 12 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 77362BE0 value: E9 2A D4 ED 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 4250005 value: E9 7B 2A 11 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 77362A80 value: E9 8A D5 EE 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 4260005 value: E9 8B 2A 10 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4120 base: 77362A90 value: E9 7A D5 EF 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 4B90005 value: E9 AB 2E 7D 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 77362EB0 value: E9 5A D1 82 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 4BA0007 value: E9 6B DC 7F 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 7739DC70 value: E9 9E 23 80 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 4BB0005 value: E9 4B B9 77 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 7732B950 value: E9 BA 46 88 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 4D50008 value: E9 1B 8C 62 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 77378C20 value: E9 F0 73 9D 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 4D60005 value: E9 9B 2F 7F 71 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 76552FA0 value: E9 6A D0 80 8E Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 4D70005 value: E9 0B CE 7F 71 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 7656CE10 value: E9 FA 31 80 8E Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 4D80005 value: E9 BB 74 D3 71 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 76AB74C0 value: E9 4A 8B 2C 8E Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 4D90005 value: E9 BB EA D4 71 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 76ADEAC0 value: E9 4A 15 2B 8E Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 4DB0005 value: E9 7B 2D 5B 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 77362D80 value: E9 8A D2 A4 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 4DC0005 value: E9 0B 3E 5A 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 77363E10 value: E9 FA C1 A5 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 4DD0005 value: E9 FB 2E 59 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 77362F00 value: E9 0A D1 A6 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 4DE0005 value: E9 DB 2C 58 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 77362CE0 value: E9 2A D3 A7 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 4DF0005 value: E9 EB 29 57 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 773629F0 value: E9 1A D6 A8 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 4E00005 value: E9 9B 2A 56 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 77362AA0 value: E9 6A D5 A9 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 4E10005 value: E9 3B 2E 55 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 77362E40 value: E9 CA D1 AA 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 4E20005 value: E9 1B 2C 54 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 77362C20 value: E9 EA D3 AB 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 4E30005 value: E9 FB 2C 53 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 77362D00 value: E9 0A D3 AC 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 4E40005 value: E9 CB 3D 52 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 77363DD0 value: E9 3A C2 AD 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 4E50005 value: E9 4B 2E 51 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 77362E50 value: E9 BA D1 AE 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 4E60005 value: E9 BB 2E 50 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 77362EC0 value: E9 4A D1 AF 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 4E70005 value: E9 2B 2C 4F 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 77362C30 value: E9 DA D3 B0 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 4E80005 value: E9 EB 3A 4E 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 77363AF0 value: E9 1A C5 B1 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 4E90005 value: E9 4B 2C 4D 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 77362C50 value: E9 BA D3 B2 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 4EA0005 value: E9 6B 46 4C 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 77364670 value: E9 9A B9 B3 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 4EB0005 value: E9 DB 2B 4B 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 77362BE0 value: E9 2A D4 B4 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 4EC0005 value: E9 7B 2A 4A 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 77362A80 value: E9 8A D5 B5 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 4ED0005 value: E9 8B 2A 49 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5556 base: 77362A90 value: E9 7A D5 B6 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 8B0005 value: E9 AB 2E AB 76 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 77362EB0 value: E9 5A D1 54 89 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 8C0007 value: E9 6B DC AD 76 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 7739DC70 value: E9 9E 23 52 89 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: B60005 value: E9 4B B9 7C 76 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 7732B950 value: E9 BA 46 83 89 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 41F0008 value: E9 1B 8C 18 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 77378C20 value: E9 F0 73 E7 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 4310005 value: E9 9B 2F 24 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 76552FA0 value: E9 6A D0 DB 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 4320005 value: E9 0B CE 24 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 7656CE10 value: E9 FA 31 DB 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 4330005 value: E9 BB 74 78 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 76AB74C0 value: E9 4A 8B 87 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 4340005 value: E9 BB EA 79 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 76ADEAC0 value: E9 4A 15 86 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 4350005 value: E9 7B 2D 01 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 77362D80 value: E9 8A D2 FE 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 4360005 value: E9 0B 3E 00 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 77363E10 value: E9 FA C1 FF 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 4370005 value: E9 FB 2E FF 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 77362F00 value: E9 0A D1 00 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 4380005 value: E9 DB 2C FE 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 77362CE0 value: E9 2A D3 01 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 4390005 value: E9 EB 29 FD 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 773629F0 value: E9 1A D6 02 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 43A0005 value: E9 9B 2A FC 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 77362AA0 value: E9 6A D5 03 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 43B0005 value: E9 3B 2E FB 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 77362E40 value: E9 CA D1 04 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 43D0005 value: E9 1B 2C F9 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 77362C20 value: E9 EA D3 06 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 43E0005 value: E9 FB 2C F8 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 77362D00 value: E9 0A D3 07 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 43F0005 value: E9 CB 3D F7 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 77363DD0 value: E9 3A C2 08 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 4400005 value: E9 4B 2E F6 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 77362E50 value: E9 BA D1 09 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 4410005 value: E9 BB 2E F5 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 77362EC0 value: E9 4A D1 0A 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 4420005 value: E9 2B 2C F4 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 77362C30 value: E9 DA D3 0B 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 4430005 value: E9 EB 3A F3 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 77363AF0 value: E9 1A C5 0C 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 4440005 value: E9 4B 2C F2 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 77362C50 value: E9 BA D3 0D 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 4450005 value: E9 6B 46 F1 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 77364670 value: E9 9A B9 0E 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 4460005 value: E9 DB 2B F0 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 77362BE0 value: E9 2A D4 0F 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 4470005 value: E9 7B 2A EF 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 77362A80 value: E9 8A D5 10 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 4480005 value: E9 8B 2A EE 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1456 base: 77362A90 value: E9 7A D5 11 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 32E0005 value: E9 AB 2E 08 74 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 77362EB0 value: E9 5A D1 F7 8B Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 4C50007 value: E9 6B DC 74 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 7739DC70 value: E9 9E 23 8B 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 4D70005 value: E9 4B B9 5B 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 7732B950 value: E9 BA 46 A4 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 4DC0008 value: E9 1B 8C 5B 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 77378C20 value: E9 F0 73 A4 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 4DD0005 value: E9 9B 2F 78 71 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 76552FA0 value: E9 6A D0 87 8E Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 4DE0005 value: E9 0B CE 78 71 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 7656CE10 value: E9 FA 31 87 8E Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 4DF0005 value: E9 BB 74 CC 71 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 76AB74C0 value: E9 4A 8B 33 8E Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 4E00005 value: E9 BB EA CD 71 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 76ADEAC0 value: E9 4A 15 32 8E Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 4E20005 value: E9 7B 2D 54 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 77362D80 value: E9 8A D2 AB 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 4E30005 value: E9 0B 3E 53 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 77363E10 value: E9 FA C1 AC 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 4E40005 value: E9 FB 2E 52 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 77362F00 value: E9 0A D1 AD 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 4E50005 value: E9 DB 2C 51 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 77362CE0 value: E9 2A D3 AE 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 4E60005 value: E9 EB 29 50 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 773629F0 value: E9 1A D6 AF 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 4E70005 value: E9 9B 2A 4F 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 77362AA0 value: E9 6A D5 B0 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 4E80005 value: E9 3B 2E 4E 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 77362E40 value: E9 CA D1 B1 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 4E90005 value: E9 1B 2C 4D 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 77362C20 value: E9 EA D3 B2 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 4EA0005 value: E9 FB 2C 4C 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 77362D00 value: E9 0A D3 B3 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 4EB0005 value: E9 CB 3D 4B 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 77363DD0 value: E9 3A C2 B4 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 4EC0005 value: E9 4B 2E 4A 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 77362E50 value: E9 BA D1 B5 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 4ED0005 value: E9 BB 2E 49 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 77362EC0 value: E9 4A D1 B6 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 4EE0005 value: E9 2B 2C 48 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 77362C30 value: E9 DA D3 B7 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 4EF0005 value: E9 EB 3A 47 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 77363AF0 value: E9 1A C5 B8 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 4F00005 value: E9 4B 2C 46 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 77362C50 value: E9 BA D3 B9 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 4F10005 value: E9 6B 46 45 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 77364670 value: E9 9A B9 BA 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 4F20005 value: E9 DB 2B 44 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 77362BE0 value: E9 2A D4 BB 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 4F30005 value: E9 7B 2A 43 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 77362A80 value: E9 8A D5 BC 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 4F40005 value: E9 8B 2A 42 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7700 base: 77362A90 value: E9 7A D5 BD 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 7A0005 value: E9 AB 2E BC 76 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 77362EB0 value: E9 5A D1 43 89 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: A80007 value: E9 6B DC 91 76 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 7739DC70 value: E9 9E 23 6E 89 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: A90005 value: E9 4B B9 89 76 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 7732B950 value: E9 BA 46 76 89 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: AA0008 value: E9 1B 8C 8D 76 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 77378C20 value: E9 F0 73 72 89 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: AB0005 value: E9 9B 2F AA 75 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 76552FA0 value: E9 6A D0 55 8A Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: B10005 value: E9 0B CE A5 75 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 7656CE10 value: E9 FA 31 5A 8A Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: B20005 value: E9 BB 74 F9 75 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 76AB74C0 value: E9 4A 8B 06 8A Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: B30005 value: E9 BB EA FA 75 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 76ADEAC0 value: E9 4A 15 05 8A Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: B40005 value: E9 7B 2D 82 76 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 77362D80 value: E9 8A D2 7D 89 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: B50005 value: E9 0B 3E 81 76 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 77363E10 value: E9 FA C1 7E 89 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: B60005 value: E9 FB 2E 80 76 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 77362F00 value: E9 0A D1 7F 89 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 4440005 value: E9 DB 2C F2 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 77362CE0 value: E9 2A D3 0D 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 4450005 value: E9 EB 29 F1 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 773629F0 value: E9 1A D6 0E 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 4460005 value: E9 9B 2A F0 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 77362AA0 value: E9 6A D5 0F 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 4470005 value: E9 3B 2E EF 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 77362E40 value: E9 CA D1 10 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 4480005 value: E9 1B 2C EE 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 77362C20 value: E9 EA D3 11 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 4490005 value: E9 FB 2C ED 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 77362D00 value: E9 0A D3 12 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 44A0005 value: E9 CB 3D EC 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 77363DD0 value: E9 3A C2 13 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 44B0005 value: E9 4B 2E EB 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 77362E50 value: E9 BA D1 14 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 44C0005 value: E9 BB 2E EA 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 77362EC0 value: E9 4A D1 15 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 44E0005 value: E9 2B 2C E8 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 77362C30 value: E9 DA D3 17 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 44F0005 value: E9 EB 3A E7 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 77363AF0 value: E9 1A C5 18 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 4500005 value: E9 4B 2C E6 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 77362C50 value: E9 BA D3 19 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 4510005 value: E9 6B 46 E5 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 77364670 value: E9 9A B9 1A 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 4520005 value: E9 DB 2B E4 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 77362BE0 value: E9 2A D4 1B 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 4530005 value: E9 7B 2A E3 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 77362A80 value: E9 8A D5 1C 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 4540005 value: E9 8B 2A E2 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 77362A90 value: E9 7A D5 1D 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 3160005 value: E9 AB 2E 20 74
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 77362EB0 value: E9 5A D1 DF 8B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 4BE0007 value: E9 6B DC 7B 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 7739DC70 value: E9 9E 23 84 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 4BF0005 value: E9 4B B9 73 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 7732B950 value: E9 BA 46 8C 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 4C40008 value: E9 1B 8C 73 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 77378C20 value: E9 F0 73 8C 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 4C50005 value: E9 9B 2F 90 71
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 76552FA0 value: E9 6A D0 6F 8E
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 4D70005 value: E9 0B CE 7F 71
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 7656CE10 value: E9 FA 31 80 8E
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 4D90005 value: E9 BB 74 D2 71
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 76AB74C0 value: E9 4A 8B 2D 8E
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 4DA0005 value: E9 BB EA D3 71
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 76ADEAC0 value: E9 4A 15 2C 8E
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 4DB0005 value: E9 7B 2D 5B 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 77362D80 value: E9 8A D2 A4 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 4DC0005 value: E9 0B 3E 5A 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 77363E10 value: E9 FA C1 A5 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 4DD0005 value: E9 FB 2E 59 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 77362F00 value: E9 0A D1 A6 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 4DE0005 value: E9 DB 2C 58 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 77362CE0 value: E9 2A D3 A7 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 4DF0005 value: E9 EB 29 57 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 773629F0 value: E9 1A D6 A8 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 4E00005 value: E9 9B 2A 56 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 77362AA0 value: E9 6A D5 A9 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 4E10005 value: E9 3B 2E 55 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 77362E40 value: E9 CA D1 AA 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 4E20005 value: E9 1B 2C 54 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 77362C20 value: E9 EA D3 AB 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 4E30005 value: E9 FB 2C 53 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 77362D00 value: E9 0A D3 AC 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 4E40005 value: E9 CB 3D 52 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 77363DD0 value: E9 3A C2 AD 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 4E50005 value: E9 4B 2E 51 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 77362E50 value: E9 BA D1 AE 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 4E60005 value: E9 BB 2E 50 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 77362EC0 value: E9 4A D1 AF 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 4E70005 value: E9 2B 2C 4F 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 77362C30 value: E9 DA D3 B0 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 4E80005 value: E9 EB 3A 4E 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 77363AF0 value: E9 1A C5 B1 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 4E90005 value: E9 4B 2C 4D 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 77362C50 value: E9 BA D3 B2 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 4EA0005 value: E9 6B 46 4C 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 77364670 value: E9 9A B9 B3 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 4EB0005 value: E9 DB 2B 4B 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 77362BE0 value: E9 2A D4 B4 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 4EC0005 value: E9 7B 2A 4A 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 77362A80 value: E9 8A D5 B5 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 4ED0005 value: E9 8B 2A 49 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5464 base: 77362A90 value: E9 7A D5 B6 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 2CA0005 value: E9 AB 2E 6C 74
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 77362EB0 value: E9 5A D1 93 8B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 4620007 value: E9 6B DC D7 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 7739DC70 value: E9 9E 23 28 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 4630005 value: E9 4B B9 CF 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 7732B950 value: E9 BA 46 30 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 4680008 value: E9 1B 8C CF 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 77378C20 value: E9 F0 73 30 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 4690005 value: E9 9B 2F EC 71
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 76552FA0 value: E9 6A D0 13 8E
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 46A0005 value: E9 0B CE EC 71
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 7656CE10 value: E9 FA 31 13 8E
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 46B0005 value: E9 BB 74 40 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 76AB74C0 value: E9 4A 8B BF 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 46C0005 value: E9 BB EA 41 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 76ADEAC0 value: E9 4A 15 BE 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 46D0005 value: E9 7B 2D C9 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 77362D80 value: E9 8A D2 36 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 46F0005 value: E9 0B 3E C7 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 77363E10 value: E9 FA C1 38 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 4700005 value: E9 FB 2E C6 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 77362F00 value: E9 0A D1 39 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 4710005 value: E9 DB 2C C5 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 77362CE0 value: E9 2A D3 3A 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 4720005 value: E9 EB 29 C4 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 773629F0 value: E9 1A D6 3B 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 4730005 value: E9 9B 2A C3 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 77362AA0 value: E9 6A D5 3C 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 4740005 value: E9 3B 2E C2 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 77362E40 value: E9 CA D1 3D 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 4750005 value: E9 1B 2C C1 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 77362C20 value: E9 EA D3 3E 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 4760005 value: E9 FB 2C C0 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 77362D00 value: E9 0A D3 3F 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 4770005 value: E9 CB 3D BF 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 77363DD0 value: E9 3A C2 40 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 4780005 value: E9 4B 2E BE 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 77362E50 value: E9 BA D1 41 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 4790005 value: E9 BB 2E BD 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 77362EC0 value: E9 4A D1 42 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 47A0005 value: E9 2B 2C BC 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 77362C30 value: E9 DA D3 43 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 47B0005 value: E9 EB 3A BB 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 77363AF0 value: E9 1A C5 44 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 47C0005 value: E9 4B 2C BA 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 77362C50 value: E9 BA D3 45 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 48E0005 value: E9 6B 46 A8 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 77364670 value: E9 9A B9 57 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 48F0005 value: E9 DB 2B A7 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 77362BE0 value: E9 2A D4 58 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 4900005 value: E9 7B 2A A6 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 77362A80 value: E9 8A D5 59 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 4910005 value: E9 8B 2A A5 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2836 base: 77362A90 value: E9 7A D5 5A 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3656 base: 3370005 value: E9 AB 2E FF 73
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3656 base: 77362EB0 value: E9 5A D1 00 8C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3656 base: 3380007 value: E9 6B DC 01 74
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3656 base: 7739DC70 value: E9 9E 23 FE 8B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3656 base: 3620005 value: E9 4B B9 D0 73
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3656 base: 7732B950 value: E9 BA 46 2F 8C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3656 base: 3630008 value: E9 1B 8C D4 73
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3656 base: 77378C20 value: E9 F0 73 2B 8C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3656 base: 4F30005 value: E9 9B 2F 62 71
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3656 base: 76552FA0 value: E9 6A D0 9D 8E
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3656 base: 4F40005 value: E9 0B CE 62 71
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3656 base: 7656CE10 value: E9 FA 31 9D 8E
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3656 base: 5060005 value: E9 BB 74 A5 71
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3656 base: 76AB74C0 value: E9 4A 8B 5A 8E
Source: C:\Windows\System32\loaddll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Switches to a custom stack to bypass stack traces
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 672765E0
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 64A3E88E
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 64D73247
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6713B2B9
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6730B92D
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 64A0642E
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6719DA37
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 649EF902
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 673213B9
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 64A3A0AE
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 64AF20E0
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 649B59CF
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 64B3045E
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 64D6BC34
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 64DC3445
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6730B7B5
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 670E6802
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 649B20EB
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 64EBB853
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 672E5AC4
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 673843CA
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 64A60A9C
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 672E1B7A
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 672BD8E4
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 64DB5ADA
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: PROCESSHACKER.EXEU
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: WIRESHARK.EXE
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000 Jump to behavior
Source: 40kib.dll Binary or memory string: hgFSy
Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Windows\System32\loaddll32.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\System32\loaddll32.exe System information queried: KernelDebuggerInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",#1 Jump to behavior
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: Shell_TrayWndSVW
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: Shell_TrayWndU
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: Shell_TrayWndReBarWindow32MSTaskSwWClassToolbarWindow32SV
AV process strings found (often used to terminate AV products)
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: Wireshark.exe
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1544180 Sample: 40kib.dll Startdate: 29/10/2024 Architecture: WINDOWS Score: 72 27 Multi AV Scanner detection for submitted file 2->27 29 PE file contains section with special chars 2->29 8 loaddll32.exe 4 2->8         started        process3 signatures4 37 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->37 39 Overwrites code with function prologues 8->39 41 Hides threads from debuggers 8->41 43 Switches to a custom stack to bypass stack traces 8->43 11 cmd.exe 1 8->11         started        13 rundll32.exe 3 8->13         started        16 rundll32.exe 3 8->16         started        18 28 other processes 8->18 process5 signatures6 20 rundll32.exe 3 11->20         started        45 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 13->45 47 Overwrites code with function prologues 13->47 49 Hides threads from debuggers 13->49 23 WerFault.exe 18->23         started        process7 signatures8 31 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 20->31 33 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 20->33 35 Hides threads from debuggers 20->35 25 WerFault.exe 22 16 20->25         started        process9
No contacted IP infos