Windows Analysis Report
40kib.dll

Overview

General Information

Sample name:40kib.dll
Analysis ID:1544180
MD5:27687a480b13f580a11e713f8b9ba343
SHA1:7d82bfafbb3a541900161dbe4a4191e169048dfb
SHA256:7c22665f392ed020a71dd27c7f7945bbb376697580ae50a0a31df0cdb8d9eb2c

Detection

Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Hides threads from debuggers
Overwrites code with function prologues
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Entry point lies outside standard sections
One or more processes crash
PE file contains more sections than normal
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files

Classification

  • System is w10x64native
  • loaddll32.exe (PID: 5916 cmdline: loaddll32.exe "C:\Users\user\Desktop\40kib.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 4276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 1812 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\40kib.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 4120 cmdline: rundll32.exe "C:\Users\user\Desktop\40kib.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • WerFault.exe (PID: 5792 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 1108 MD5: 40A149513D721F096DDF50C04DA2F01F)
    • rundll32.exe (PID: 8084 cmdline: rundll32.exe C:\Users\user\Desktop\40kib.dll,QStringClose MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5556 cmdline: rundll32.exe C:\Users\user\Desktop\40kib.dll,QStringCmp MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 1456 cmdline: rundll32.exe C:\Users\user\Desktop\40kib.dll,QStringCreate MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7700 cmdline: rundll32.exe "C:\Users\user\Desktop\40kib.dll",QStringClose MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6308 cmdline: rundll32.exe "C:\Users\user\Desktop\40kib.dll",QStringCmp MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5464 cmdline: rundll32.exe "C:\Users\user\Desktop\40kib.dll",QStringCreate MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 2836 cmdline: rundll32.exe "C:\Users\user\Desktop\40kib.dll",dbkFCallWrapperAddr MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 1684 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 1072 MD5: 40A149513D721F096DDF50C04DA2F01F)
    • rundll32.exe (PID: 3656 cmdline: rundll32.exe "C:\Users\user\Desktop\40kib.dll",__dbk_fcall_wrapper MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 2636 cmdline: rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitSetVisible MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 1196 cmdline: rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitSetTransparent MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 812 cmdline: rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitSetGeometry MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7920 cmdline: rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitSetDrop MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 3484 cmdline: rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitSetALTignore MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 3044 cmdline: rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitRepaint MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6440 cmdline: rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitNavigate MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 4912 cmdline: rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitLoadFinished MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7272 cmdline: rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitJavaScriptCallback MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 2684 cmdline: rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitGetWindow MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 4288 cmdline: rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitExecuteJavaScript MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6880 cmdline: rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitCreate MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 3316 cmdline: rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitClose MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 2416 cmdline: rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebUIResourceUnregister MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5448 cmdline: rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebUIResourceRegister MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 2408 cmdline: rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebUIResourceEnum MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 1128 cmdline: rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebUIResourceData MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5864 cmdline: rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebUICreate MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 2292 cmdline: rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebUIClose MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 3164 cmdline: rundll32.exe "C:\Users\user\Desktop\40kib.dll",QStringSet MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 4688 cmdline: rundll32.exe "C:\Users\user\Desktop\40kib.dll",QStringGet MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: 40kib.dll ReversingLabs: Detection: 62%
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: -----BEGIN RSA PUBLIC KEY-----
Source: 40kib.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: 40kib.dll Static PE information: DYNAMIC_BASE, NX_COMPAT

System Summary

Source: 40kib.dll Static PE information: section name: .:<e
Source: 40kib.dll Static PE information: section name: .^yp
Source: 40kib.dll Static PE information: section name: .-F~
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 1108
Source: 40kib.dll Static PE information: Number of sections : 13 > 10
Source: 40kib.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: classification engine Classification label: mal72.evad.winDLL@66/8@0/0
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4120
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2836
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4276:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4276:304:WilStaging_02
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\aa07afd1-c175-46dc-a590-b2e9c1b8ec88
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\loaddll32.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 40kib.dll | ReversingLabs: Detection: 62%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\40kib.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\40kib.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\40kib.dll,QStringClose
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\40kib.dll,QStringCmp
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\40kib.dll,QStringCreate
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 1108
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",QStringClose
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",QStringCmp
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",QStringCreate
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",dbkFCallWrapperAddr
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",__dbk_fcall_wrapper
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitSetVisible
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitSetTransparent
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitSetGeometry
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitSetDrop
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitSetALTignore
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitRepaint
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitNavigate
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitLoadFinished
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitJavaScriptCallback
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitGetWindow
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitExecuteJavaScript
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitCreate
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitClose
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebUIResourceUnregister
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebUIResourceRegister
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebUIResourceEnum
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebUIResourceData
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebUICreate
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebUIClose
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",QStringSet
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",QStringGet
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 1072
Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: version.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: shfolder.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: wsock32.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: magnification.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: d3d9.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: dwmapi.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: edgegdi.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: security.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: olepro32.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: colorui.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: mscms.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: coloradapterclient.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: compstui.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: msimg32.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: inetres.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: cscapi.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: 40kib.dll | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 40kib.dll | Static file information: File size 44391424 > 1048576
Source: 40kib.dll | Static PE information: Raw size of .-F~ is bigger than: 0x100000 < 0x2a39600
Source: 40kib.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: initial sample | Static PE information: section where entry point is pointing to: .-F~
Source: 40kib.dll | Static PE information: section name: .didata
Source: 40kib.dll | Static PE information: section name: .:<e
Source: 40kib.dll | Static PE information: section name: .^yp
Source: 40kib.dll | Static PE information: section name: .-F~

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\loaddll32.exe | Memory written: PID: 5916 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\System32\loaddll32.exe | Memory written: PID: 5916 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\System32\loaddll32.exe | Memory written: PID: 5916 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\System32\loaddll32.exe | Memory written: PID: 5916 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\System32\loaddll32.exe | Memory written: PID: 5916 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 8084 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 8084 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 8084 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 8084 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 8084 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5556 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5556 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5556 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5556 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5556 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 1456 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 1456 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 1456 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 1456 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 1456 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7700 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7700 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7700 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7700 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7700 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 6308 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 6308 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 6308 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 6308 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 6308 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5464 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5464 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5464 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5464 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5464 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 3656 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 3656 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 3656 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 3656 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 3656 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2636 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2636 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2636 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2636 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2636 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 1196 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 1196 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 1196 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 1196 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 1196 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 812 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 812 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 812 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 812 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 812 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7920 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7920 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7920 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7920 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7920 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 3484 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 3484 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 3484 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 3484 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 3484 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 3044 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 3044 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 3044 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 3044 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 3044 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 6440 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 6440 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 6440 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 6440 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 6440 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4912 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4912 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4912 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4912 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4912 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7272 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7272 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7272 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7272 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7272 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2684 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2684 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2684 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2684 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2684 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4288 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4288 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4288 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4288 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4288 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 6880 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 6880 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 6880 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 6880 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 6880 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 3316 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 3316 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 3316 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 3316 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 3316 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2416 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2416 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2416 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2416 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2416 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5448 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5448 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5448 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5448 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5448 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2408 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2408 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2408 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2408 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2408 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 1128 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 1128 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 1128 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 1128 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 1128 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5864 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5864 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5864 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5864 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5864 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2292 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2292 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2292 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 2292 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 2292 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 3164 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 3164 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 3164 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 3164 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 3164 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4688 base: 7732B950 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4688 base: 76552FA0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4688 base: 7656CE10 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4688 base: 76AB74C0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4688 base: 76ADEAC0 value: 8B FF 55 8B EC
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 10E0005 value: E9 AB 2E 28 76 Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 77362EB0 value: E9 5A D1 D7 89 Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 1430007 value: E9 6B DC F6 75 Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 7739DC70 value: E9 9E 23 09 8A Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 1480005 value: E9 4B B9 EA 75 Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 7732B950 value: E9 BA 46 15 8A Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 1490008 value: E9 1B 8C EE 75 Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 77378C20 value: E9 F0 73 11 8A Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 14A0005 value: E9 9B 2F 0B 75 Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 76552FA0 value: E9 6A D0 F4 8A Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 14B0005 value: E9 0B CE 0B 75 Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 7656CE10 value: E9 FA 31 F4 8A Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 14C0005 value: E9 BB 74 5F 75 Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 76AB74C0 value: E9 4A 8B A0 8A Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 14D0005 value: E9 BB EA 60 75 Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 76ADEAC0 value: E9 4A 15 9F 8A Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 14E0005 value: E9 7B 2D E8 75 Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 77362D80 value: E9 8A D2 17 8A Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 14F0005 value: E9 0B 3E E7 75 Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 77363E10 value: E9 FA C1 18 8A Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 1500005 value: E9 FB 2E E6 75 Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 77362F00 value: E9 0A D1 19 8A Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 1510005 value: E9 DB 2C E5 75 Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 77362CE0 value: E9 2A D3 1A 8A Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 2DD0005 value: E9 EB 29 59 74 Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 773629F0 value: E9 1A D6 A6 8B Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 2DE0005 value: E9 9B 2A 58 74 Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 77362AA0 value: E9 6A D5 A7 8B Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 2DF0005 value: E9 3B 2E 57 74 Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 77362E40 value: E9 CA D1 A8 8B Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 2E00005 value: E9 1B 2C 56 74 Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 77362C20 value: E9 EA D3 A9 8B Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 2E10005 value: E9 FB 2C 55 74 Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 77362D00 value: E9 0A D3 AA 8B Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 2E30005 value: E9 CB 3D 53 74 Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 77363DD0 value: E9 3A C2 AC 8B Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 2E40005 value: E9 4B 2E 52 74 Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 77362E50 value: E9 BA D1 AD 8B Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 2E50005 value: E9 BB 2E 51 74 Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 77362EC0 value: E9 4A D1 AE 8B Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 2E60005 value: E9 2B 2C 50 74 Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 77362C30 value: E9 DA D3 AF 8B Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 2E70005 value: E9 EB 3A 4F 74 Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 77363AF0 value: E9 1A C5 B0 8B Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 2E80005 value: E9 4B 2C 4E 74 Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 77362C50 value: E9 BA D3 B1 8B Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 2E90005 value: E9 6B 46 4D 74 Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 77364670 value: E9 9A B9 B2 8B Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 2EA0005 value: E9 DB 2B 4C 74 Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 77362BE0 value: E9 2A D4 B3 8B Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 2EB0005 value: E9 7B 2A 4B 74 Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 77362A80 value: E9 8A D5 B4 8B Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 2EC0005 value: E9 8B 2A 4A 74 Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 5916 base: 77362A90 value: E9 7A D5 B5 8B Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 3510005 value: E9 AB 2E E5 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 77362EB0 value: E9 5A D1 1A 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 4E10007 value: E9 6B DC 58 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 7739DC70 value: E9 9E 23 A7 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 4E20005 value: E9 4B B9 50 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 7732B950 value: E9 BA 46 AF 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 4E30008 value: E9 1B 8C 54 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 77378C20 value: E9 F0 73 AB 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 4F90005 value: E9 9B 2F 5C 71 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 76552FA0 value: E9 6A D0 A3 8E Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 4FB0005 value: E9 0B CE 5B 71 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 7656CE10 value: E9 FA 31 A4 8E Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 4FC0005 value: E9 BB 74 AF 71 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 76AB74C0 value: E9 4A 8B 50 8E Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 4FD0005 value: E9 BB EA B0 71 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 76ADEAC0 value: E9 4A 15 4F 8E Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 4FE0005 value: E9 7B 2D 38 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 77362D80 value: E9 8A D2 C7 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 4FF0005 value: E9 0B 3E 37 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 77363E10 value: E9 FA C1 C8 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 5000005 value: E9 FB 2E 36 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 77362F00 value: E9 0A D1 C9 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 5010005 value: E9 DB 2C 35 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 77362CE0 value: E9 2A D3 CA 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 5020005 value: E9 EB 29 34 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 773629F0 value: E9 1A D6 CB 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 5030005 value: E9 9B 2A 33 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 77362AA0 value: E9 6A D5 CC 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 5040005 value: E9 3B 2E 32 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 77362E40 value: E9 CA D1 CD 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 5050005 value: E9 1B 2C 31 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 77362C20 value: E9 EA D3 CE 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 5060005 value: E9 FB 2C 30 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 77362D00 value: E9 0A D3 CF 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 5070005 value: E9 CB 3D 2F 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 77363DD0 value: E9 3A C2 D0 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 5080005 value: E9 4B 2E 2E 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 77362E50 value: E9 BA D1 D1 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 5090005 value: E9 BB 2E 2D 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 77362EC0 value: E9 4A D1 D2 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 50A0005 value: E9 2B 2C 2C 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 77362C30 value: E9 DA D3 D3 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 50B0005 value: E9 EB 3A 2B 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 77363AF0 value: E9 1A C5 D4 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 50C0005 value: E9 4B 2C 2A 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 77362C50 value: E9 BA D3 D5 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 50D0005 value: E9 6B 46 29 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 77364670 value: E9 9A B9 D6 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 50E0005 value: E9 DB 2B 28 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 77362BE0 value: E9 2A D4 D7 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 50F0005 value: E9 7B 2A 27 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 77362A80 value: E9 8A D5 D8 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 5100005 value: E9 8B 2A 26 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 8084 base: 77362A90 value: E9 7A D5 D9 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: AF0005 value: E9 AB 2E 87 76 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 77362EB0 value: E9 5A D1 78 89 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: B50007 value: E9 6B DC 84 76 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 7739DC70 value: E9 9E 23 7B 89 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 40E0005 value: E9 4B B9 24 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 7732B950 value: E9 BA 46 DB 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 40F0008 value: E9 1B 8C 28 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 77378C20 value: E9 F0 73 D7 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 4100005 value: E9 9B 2F 45 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 76552FA0 value: E9 6A D0 BA 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 4110005 value: E9 0B CE 45 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 7656CE10 value: E9 FA 31 BA 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 4120005 value: E9 BB 74 99 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 76AB74C0 value: E9 4A 8B 66 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 4130005 value: E9 BB EA 9A 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 76ADEAC0 value: E9 4A 15 65 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 4140005 value: E9 7B 2D 22 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 77362D80 value: E9 8A D2 DD 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 4150005 value: E9 0B 3E 21 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 77363E10 value: E9 FA C1 DE 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 4160005 value: E9 FB 2E 20 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 77362F00 value: E9 0A D1 DF 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 4170005 value: E9 DB 2C 1F 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 77362CE0 value: E9 2A D3 E0 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 4180005 value: E9 EB 29 1E 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 773629F0 value: E9 1A D6 E1 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 4190005 value: E9 9B 2A 1D 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 77362AA0 value: E9 6A D5 E2 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 41A0005 value: E9 3B 2E 1C 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 77362E40 value: E9 CA D1 E3 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 41B0005 value: E9 1B 2C 1B 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 77362C20 value: E9 EA D3 E4 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 41C0005 value: E9 FB 2C 1A 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 77362D00 value: E9 0A D3 E5 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 41D0005 value: E9 CB 3D 19 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 77363DD0 value: E9 3A C2 E6 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 41E0005 value: E9 4B 2E 18 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 77362E50 value: E9 BA D1 E7 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 41F0005 value: E9 BB 2E 17 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 77362EC0 value: E9 4A D1 E8 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 4200005 value: E9 2B 2C 16 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 77362C30 value: E9 DA D3 E9 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 4210005 value: E9 EB 3A 15 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 77363AF0 value: E9 1A C5 EA 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 4220005 value: E9 4B 2C 14 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 77362C50 value: E9 BA D3 EB 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 4230005 value: E9 6B 46 13 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 77364670 value: E9 9A B9 EC 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 4240005 value: E9 DB 2B 12 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 77362BE0 value: E9 2A D4 ED 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 4250005 value: E9 7B 2A 11 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 77362A80 value: E9 8A D5 EE 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 4260005 value: E9 8B 2A 10 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4120 base: 77362A90 value: E9 7A D5 EF 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 4B90005 value: E9 AB 2E 7D 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 77362EB0 value: E9 5A D1 82 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 4BA0007 value: E9 6B DC 7F 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 7739DC70 value: E9 9E 23 80 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 4BB0005 value: E9 4B B9 77 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 7732B950 value: E9 BA 46 88 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 4D50008 value: E9 1B 8C 62 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 77378C20 value: E9 F0 73 9D 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 4D60005 value: E9 9B 2F 7F 71 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 76552FA0 value: E9 6A D0 80 8E Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 4D70005 value: E9 0B CE 7F 71 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 7656CE10 value: E9 FA 31 80 8E Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 4D80005 value: E9 BB 74 D3 71 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 76AB74C0 value: E9 4A 8B 2C 8E Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 4D90005 value: E9 BB EA D4 71 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 76ADEAC0 value: E9 4A 15 2B 8E Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 4DB0005 value: E9 7B 2D 5B 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 77362D80 value: E9 8A D2 A4 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 4DC0005 value: E9 0B 3E 5A 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 77363E10 value: E9 FA C1 A5 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 4DD0005 value: E9 FB 2E 59 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 77362F00 value: E9 0A D1 A6 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 4DE0005 value: E9 DB 2C 58 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 77362CE0 value: E9 2A D3 A7 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 4DF0005 value: E9 EB 29 57 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 773629F0 value: E9 1A D6 A8 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 4E00005 value: E9 9B 2A 56 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 77362AA0 value: E9 6A D5 A9 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 4E10005 value: E9 3B 2E 55 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 77362E40 value: E9 CA D1 AA 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 4E20005 value: E9 1B 2C 54 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 77362C20 value: E9 EA D3 AB 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 4E30005 value: E9 FB 2C 53 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 77362D00 value: E9 0A D3 AC 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 4E40005 value: E9 CB 3D 52 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 77363DD0 value: E9 3A C2 AD 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 4E50005 value: E9 4B 2E 51 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 77362E50 value: E9 BA D1 AE 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 4E60005 value: E9 BB 2E 50 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 77362EC0 value: E9 4A D1 AF 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 4E70005 value: E9 2B 2C 4F 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 77362C30 value: E9 DA D3 B0 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 4E80005 value: E9 EB 3A 4E 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 77363AF0 value: E9 1A C5 B1 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 4E90005 value: E9 4B 2C 4D 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 77362C50 value: E9 BA D3 B2 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 4EA0005 value: E9 6B 46 4C 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 77364670 value: E9 9A B9 B3 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 4EB0005 value: E9 DB 2B 4B 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 77362BE0 value: E9 2A D4 B4 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 4EC0005 value: E9 7B 2A 4A 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 77362A80 value: E9 8A D5 B5 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 4ED0005 value: E9 8B 2A 49 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5556 base: 77362A90 value: E9 7A D5 B6 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 1456 base: 8B0005 value: E9 AB 2E AB 76 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 1456 base: 77362EB0 value: E9 5A D1 54 89 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 1456 base: 8C0007 value: E9 6B DC AD 76 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 1456 base: 7739DC70 value: E9 9E 23 52 89 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 1456 base: B60005 value: E9 4B B9 7C 76 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 1456 base: 7732B950 value: E9 BA 46 83 89 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 1456 base: 41F0008 value: E9 1B 8C 18 73 Jump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 672765E0
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 64A3E88E
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 64D73247
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 6713B2B9
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 6730B92D
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 64A0642E
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 6719DA37
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 649EF902
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 673213B9
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 64A3A0AE
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 64AF20E0
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 649B59CF
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 64B3045E
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 64D6BC34
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 64DC3445
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 6730B7B5
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 670E6802
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 649B20EB
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 64EBB853
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 672E5AC4
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 673843CA
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 64A60A9C
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 672E1B7A
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 672BD8E4
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 64DB5ADA
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp; Binary or memory string: PROCESSHACKER.EXEU
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp; Binary or memory string: WIRESHARK.EXE
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe; Thread delayed: delay time: 120000
Source: 40kib.dll; Binary or memory string: hgFSy
Source: C:\Windows\System32\loaddll32.exe; Process information queried: ProcessInformation

Anti Debugging

Source: C:\Windows\System32\loaddll32.exe; Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe; Thread information set: HideFromDebugger
Source: C:\Windows\System32\loaddll32.exe; System information queried: KernelDebuggerInformation
Source: C:\Windows\System32\loaddll32.exe; Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe; Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\40kib.dll",#1
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp; Binary or memory string: Shell_TrayWndSVW
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp; Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp; Binary or memory string: Shell_TrayWndU
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp; Binary or memory string: Shell_TrayWndReBarWindow32MSTaskSwWClassToolbarWindow32SV
Source: rundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmp; Binary or memory string: Wireshark.exe

Mitre Att&ck Matrix

Techniques followed by a number in parentheses were matched by that many signatures; the remaining entries are the matrix's default technique cells with no match.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: Process Injection (12); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: Rundll32 (1); Virtualization/Sandbox Evasion (121); Process Injection (12); DLL Side-Loading (1); Software Packing
Credential Access: Credential API Hooking (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery (331); Process Discovery (2); Virtualization/Sandbox Evasion (121); File and Directory Discovery (1); System Information Discovery (11)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Credential API Hooking (1); Archive Collected Data (1); Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Source | Detection | Scanner | Label | Link
40kib.dll | 62% | ReversingLabs | Win32.Spyware.Casbaneiro |
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://fontawesome.ioloaddll32.exe, 00000000.00000003.7545466258.0000000003473000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.7444950851.00000000055F1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.7462577639.00000000047A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.7476104571.0000000005411000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.7500570990.0000000004A01000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.7831365166.00000000054C1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.7752211587.0000000004BD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.7843341696.0000000005571000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.7821583480.0000000004E50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.7805008026.0000000005741000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.7779148478.00000000054F1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.7798399853.0000000005331000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.7750150048.0000000005391000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.7740297571.0000000004A81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.7803938286.0000000004D41000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.7850147318.00000000049B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000003.7741597250.00000000055A1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.7839641762.0000000004D71000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.7816744739.0000000005151000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 
00000019.00000003.7816684729.00000000047F1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001A.00000003.7812148018.00000000051D2000.00000004.00000020.00020000.00000000.sdmpfalse
    unknown
    http://fontawesome.io/license/loaddll32.exe, 00000000.00000003.7545466258.0000000003473000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.7444950851.00000000055F1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.7462577639.00000000047A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.7476104571.0000000005411000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.7500570990.0000000004A01000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.7831365166.00000000054C1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.7752211587.0000000004BD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.7843341696.0000000005571000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.7821583480.0000000004E50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.7805008026.0000000005741000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.7779148478.00000000054F1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.7798399853.0000000005331000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.7750150048.0000000005391000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.7740297571.0000000004A81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.7803938286.0000000004D41000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.7850147318.00000000049B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000003.7741597250.00000000055A1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.7839641762.0000000004D71000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.7816744739.0000000005151000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 
00000019.00000003.7816684729.00000000047F1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001A.00000003.7812148018.00000000051D2000.00000004.00000020.00020000.00000000.sdmpfalse
      unknown
      https://www.google.com.br/rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmpfalse
        unknown
        http://www.indyproject.org/loaddll32.exe, 00000000.00000003.7541119120.000000000307D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.7441719796.000000000519D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.7463283059.0000000061A29000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.7461502765.00000000042FD000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.7472841146.0000000004F6D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.7497796661.000000000451D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.7741669489.00000000045DD000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.7831137774.0000000004F6D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.7799284996.00000000049AD000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061A29000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000003.7791419944.000000000524D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.7766670150.0000000004EFD000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.7785903645.0000000004E4D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.7740319449.0000000004F3D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.7729000480.000000000461D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.7790256730.00000000046FD000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.7838466412.000000000453D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000016.00000003.7730092247.0000000004F8D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.7826663110.000000000491D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 
00000018.00000003.7804157981.0000000004C8D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000019.00000003.7804158992.000000000432D000.00000004.00001000.00020000.00000000.sdmpfalse
          unknown
          http://fontawesome.iohttp://fontawesome.iohttp://fontawesome.io/license/http://fontawesome.io/licensloaddll32.exe, 00000000.00000003.7545466258.0000000003473000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.7444950851.00000000055F1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.7462577639.00000000047A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.7476104571.0000000005411000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.7500570990.0000000004A01000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.7831365166.00000000054C1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.7752211587.0000000004BD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.7843341696.0000000005571000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.7821583480.0000000004E50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.7805008026.0000000005741000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.7779148478.00000000054F1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.7798399853.0000000005331000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.7750150048.0000000005391000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.7740297571.0000000004A81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.7803938286.0000000004D41000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.7850147318.00000000049B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000003.7741597250.00000000055A1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.7839641762.0000000004D71000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 
00000018.00000003.7816744739.0000000005151000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000019.00000003.7816684729.00000000047F1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001A.00000003.7812148018.00000000051D2000.00000004.00000020.00020000.00000000.sdmpfalse
            unknown
            https://ebaoffice.com.br/imagens/bo/inspecionando.phpUrundll32.exe, 00000004.00000002.7463283059.0000000061311000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.7833366960.0000000061311000.00000020.00000001.01000000.00000003.sdmpfalse
              unknown
              No contacted IP infos
              Joe Sandbox version:41.0.0 Charoite
              Analysis ID:1544180
              Start date and time:2024-10-29 00:26:02 +01:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 9m 0s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Number of new started processes analysed:39
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Power Change
              Sample name:40kib.dll
              Detection:MAL
              Classification:mal72.evad.winDLL@66/8@0/0
              EGA Information:Failed
              HCA Information:
              • Successful, ratio: 100%
              • Number of executed functions: 0
              • Number of non-executed functions: 0
              Cookbook Comments:
              • Found application associated with file extension: .dll
              • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, svchost.exe
              • Excluded IPs from analysis (whitelisted): 52.182.143.212, 20.42.65.92
              • Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com
• Not all processes were analyzed, report is missing behavior information
              • Report size exceeded maximum capacity and may have missing behavior information.
              • VT rate limit hit for: 40kib.dll
Time | Type | Description
19:28:27 | API Interceptor | 2x Sleep call for process: WerFault.exe modified
19:28:35 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
              No context
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
              Category:dropped
              Size (bytes):65536
              Entropy (8bit):1.1311330152254047
              Encrypted:false
              SSDEEP:192:H4FiiOvtFmBUW4jeTh4m2SKnUDu76zfAIO84ci/:YFiDvtUBUW4jeWUDu76zfAIO84ci
              MD5:F7B2B7AA837CEA83A150268908A25509
              SHA1:3D204AC1F0470C8D3BCA5B22967831E2A23855C9
              SHA-256:A6A1D44557C7F4272CD1CA023D607851CE32E03373A2D0075E91F02A1EEE7B89
              SHA-512:737770E511C3DE2F5ACA81045B7F75C2B3D230F1609A53679DEE07912BD1FB842E543F6794F185871BD21C46E803899A15E957DC977B0306C161B575E1923706
              Malicious:false
              Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.6.3.1.7.0.5.8.4.2.6.8.2.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.6.3.1.7.0.6.2.3.3.2.0.8.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.e.5.3.7.b.5.7.-.2.e.d.a.-.4.d.e.b.-.9.3.d.0.-.2.3.5.8.b.7.f.c.6.5.a.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.3.9.2.c.f.9.6.-.a.5.d.6.-.4.9.2.e.-.9.e.a.c.-.c.8.7.3.2.8.9.3.5.8.2.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.1.8.-.0.0.0.1.-.0.0.4.d.-.4.4.1.8.-.e.b.0.f.9.1.2.9.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.r.
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
              Category:dropped
              Size (bytes):65536
              Entropy (8bit):1.1313794886561543
              Encrypted:false
              SSDEEP:192:QyZiCQOVtFmBUW4jeTUnc2ltnUDu765fAIO84ci:Q4iCBVtUBUW4jeOUDu765fAIO84ci
              MD5:DDA2ED357936AA5EE029E97397820B75
              SHA1:F29A727D93D9758D591C983ED2EE848EAF640F7C
              SHA-256:0EB4B7B00C6DE8C7BC9C00CEEE28CCA754E113BFBE7B17E73B128389CA219122
              SHA-512:42909FF51D6DA212BE03891FE733F34045B9D153DE2F9E01BD5A14472C70C56AC0E73661494A7B8912F040EC5DD2D94AFC01CA615BD5337D6C36CB36C0666172
              Malicious:false
              Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.6.3.1.7.3.8.2.8.0.5.5.5.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.6.3.1.7.3.9.4.3.6.5.5.9.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.3.c.9.1.8.0.1.-.5.0.a.c.-.4.d.f.e.-.8.b.b.6.-.0.7.7.0.2.9.f.2.8.d.0.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.a.7.8.5.b.c.5.-.8.9.8.3.-.4.a.f.3.-.a.d.9.9.-.1.a.e.5.6.b.a.4.e.b.b.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.1.4.-.0.0.0.1.-.0.0.4.d.-.9.a.c.9.-.c.2.1.b.9.1.2.9.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.r.
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:Mini DuMP crash report, 15 streams, Mon Oct 28 23:28:25 2024, 0x1205a4 type
              Category:dropped
              Size (bytes):74770
              Entropy (8bit):1.8134315570781725
              Encrypted:false
              SSDEEP:384:HWiyetTSg5HKgdl0dOeYMoDkW56eMmQ4:HFx5Kgdl0dJZoDFil
              MD5:7655AD28CBDC4E96414A9FFF6BA508C4
              SHA1:1829EBBE12AA759ABEF2837B41EE1E4E4A6A9F89
              SHA-256:6C0DBDB0B4DE9606235C130D57002AB8549BC3CEBC9DE823D46E5B2B991006C8
              SHA-512:9C595EB45E70E5F831AE16ADA71633ACF621D86BF8031FD3744FD1FFA0FDA8213C654305A8A1E88109666BD107F1614F124BDCAE4AB90D4D124E72120565C7B1
              Malicious:false
              Preview:MDMP..a..... ......... g............$...............8...........0&...........F..........`.......8...........T............*..Z............&...........(..............................................................................bJ.......)......GenuineIntel...........T............. g.............................0..=...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
              Category:dropped
              Size (bytes):8334
              Entropy (8bit):3.6892089670369046
              Encrypted:false
              SSDEEP:192:R9l7lZNiSjp6br6YxDS64ngmf8FCxprH89bqysfBaOm:R9lnNikp636YVS64ngmf8FvqxfBq
              MD5:C58E9E9FE95BE3B5644DB475460E658D
              SHA1:B81A717D6E15B56FA011B76F6A8FC6D56B0C5F8D
              SHA-256:0B22D53BC32471D9004DBA98239739715F51984A5775D91B7C97EBB91188C4A1
              SHA-512:1492F63A3CA924AAAFC305EA08BB51176EF5A4A80CDB6B4F1A27C848C3CD4F0032CFE93EEEDA64626EC035FFD9FD68BF4ABA75CEA0D4B988530C4D51992585D3
              Malicious:false
              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.2.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...1.1.6.5...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.1.6.5.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.1.2.0.<./.P.i.
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):4890
              Entropy (8bit):4.476161547390543
              Encrypted:false
              SSDEEP:48:cvIwwtl8zsUe702I7VFJ5WS2Cfjk76s3rm8M4JCdPbFA7T+q8vjPIXGScS6d:uILf57GySPfcJN7TKsJ36d
              MD5:1150F6D577A7F0260C85CE17F751D71A
              SHA1:0BE48E005A6A929DDFE73E5F480C283B14A700FA
              SHA-256:8AD537E7D0430E0DAE42C257F3D809ACA8D8BCD8E8E005803583FE74255A401B
              SHA-512:7D7ADA53F0416585D4EE79A119BD34D8DDFC669BA3244364DB763BC07D96E4747668318DC19B0387BC7B8453E859211B97268C84CEE4CE7B99F93FB0452ADBCC
              Malicious:false
              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19042" />.. <arg nm="vercsdbld" val="1165" />.. <arg nm="verqfe" val="1165" />.. <arg nm="csdbld" val="1165" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="242" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="222907719" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:Mini DuMP crash report, 15 streams, Mon Oct 28 23:28:58 2024, 0x1205a4 type
              Category:dropped
              Size (bytes):72938
              Entropy (8bit):1.8551024552686066
              Encrypted:false
              SSDEEP:192:eTdyKvfQhMnhGMRO5H4VZAmbkeD1qv/od6ILmwzfaMf0HvP0724wHrY9lSIWk+Aq:mdy0E5H6AmBD3v7wHrSS15AEP
              MD5:8B73D3C57EAE31C6A50EDB5AB2E12F8F
              SHA1:0F3F28FF4C5269BA55D3F2C534C6D1E951F2857D
              SHA-256:77B82F88D457735477DA05F9A4724C4D743D74B9D13913D455981BB86CD8C8FA
              SHA-512:6E2E781836498E83D8F2555F8E9AAC5D9B182589EF2AE374F8C650D203F22229D8EBBE63BB351BC42BF1478E003FCEEE0900EA1909F582AD20A79133D3A550F2
              Malicious:false
              Preview:MDMP..a..... .......:. g............$...............8...........0&...........F..........`.......8...........T...........h*...............&...........(..............................................................................bJ.......)......GenuineIntel...........T...........#. g.............................0..=...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
              Category:dropped
              Size (bytes):8342
              Entropy (8bit):3.6909379505840905
              Encrypted:false
              SSDEEP:192:R9l7lZNiCs6HS6YBPz6Egmf8FCxprr89bj4sf7Bm:R9lnNix6y6YBL6Egmf8F7jrfQ
              MD5:02D7E86C400267D5E4C99F15E4F241BB
              SHA1:F85B650F993E9E60259F777315BFCBE4FC17D5CF
              SHA-256:EE298FC9FB37D54909EFBE686FE87608B8FC5E03B27FA7EE02C5372694320001
              SHA-512:0ED5DA823412D8E071D3AE63D47B2AF2C177B0A2B6FC02A336C6F13FCB2883CBBF7975156D870B2363808BCD15073C99B6EC7BA5A4B9A523E79D03D26876AE88
              Malicious:false
              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.2.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...1.1.6.5...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.1.6.5.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.8.3.6.<./.P.i.
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):4890
              Entropy (8bit):4.475800127902078
              Encrypted:false
              SSDEEP:48:cvIwwtl8zs4e702I7VFJ5WS2Cfjkns3rm8M4JCdPbFk+q8vjPRGScS2d:uILft7GySPfLJvKtJ32d
              MD5:1AAC4745A817239E635BBEEEE8B1E392
              SHA1:F3C3662CE81AD07EFA8EA1CB0246DE15318FB886
              SHA-256:B560D4CCB65D6616C888EE89496A1685C870B6744E42E55CE80119D10018BF1F
              SHA-512:B1813EAEA22A1ED3FF244DAAA70ED298E8ED1A9A4D12D259FB3C6DC5CBF5F5389D3BE4F519145E693DFA4AAB015F7A78A4ABD69A3F0EBFB5BF214225A3DC046A
              Malicious:false
              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19042" />.. <arg nm="vercsdbld" val="1165" />.. <arg nm="verqfe" val="1165" />.. <arg nm="csdbld" val="1165" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="242" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="222907720" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="
              File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Entropy (8bit):7.993942230122859
              TrID:
              • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
              • Generic Win/DOS Executable (2004/3) 0.20%
              • DOS Executable Generic (2002/1) 0.20%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:40kib.dll
              File size:44'391'424 bytes
              MD5:27687a480b13f580a11e713f8b9ba343
              SHA1:7d82bfafbb3a541900161dbe4a4191e169048dfb
              SHA256:7c22665f392ed020a71dd27c7f7945bbb376697580ae50a0a31df0cdb8d9eb2c
              SHA512:17bb61850d589e8364ba8de95054c20ccda663a20213ab4228460d361c8ccecd5a08b9ce1c3b240153e062558553dbe47140a91ad7aea20cfb7f3230ace8120e
              SSDEEP:786432:RDYOZ8WW6esq/z/elaMLiXDsfV5u0kzskFONoMHCurxkqttj27:A6es4/erLXE0kJFOyMVymjW
              TLSH:3AA7339E7AC740D6CAC704B48B227BD732F2696684D64436B9C933CEF0F1F65613A486
              File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........PE..L......f...........!.....Lr..................`r...@.......................................@................................
              Icon Hash:1f7949c9c9693907
              Entrypoint:0x3bf09e3
              Entrypoint Section:.-F~
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
              Time Stamp:0x66FC9EAC [Wed Oct 2 01:15:24 2024 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:6
              OS Version Minor:0
              File Version Major:6
              File Version Minor:0
              Subsystem Version Major:6
              Subsystem Version Minor:0
              Import Hash:5679d8e241bca605be7b4e83bd6d01eb
              Instruction
              call 00007FDCA8AC1724h
              pop eax
              or dword ptr [esp+edx*8-04h], 72B33827h
              adc esi, ecx
              movzx ecx, dx
              mov eax, edx
              mov dx, word ptr [edi+edx*2+02h]
              lea edi, dword ptr [edi+ecx+05h]
              neg ax
              dec ax
              xor dx, bx
              dec word ptr [esp+ecx*4+01h]
              sub dx, 3503h
              shr word ptr [esp+ecx+01h], FFCFh
              rol ax, cl
              not dx
              sub ecx, AC9F92B6h
              rol dx, 1
              dec dx
              push eax
              cwde
              not dx
              rol dx, 1
              neg word ptr [esp+ecx-53606D45h]
              xor bx, dx
              mov word ptr [ebp+ecx-53606D4Bh], dx
              pop ecx
              mov dword ptr [esp+ecx*8-0007FFE8h], esi
              retn 0004h
              inc ecx
              mov esi, 92069294h
              inc ecx
              movsx eax, dh
              dec edx
              lea esi, dword ptr [F82BE933h+esi*2]
              inc esp
              movzx eax, word ptr [ebp+00h]
              shr esi, 1Ch
              dec edi
              lea ecx, dword ptr [esi+esi*4+76B982BBh]
              inc esp
              movzx esp, al
              inc bp
              xor eax, ebx
              inc ecx
              movsx edi, ah
              inc ecx
              not dh
              inc eax
              xor bh, dh
              inc cx
              adc eax, C149E19Ch
              out B3h, al
              push eax
              inc cx
              neg eax
              inc cx
              ror eax, 1
              dec eax
              shr dword ptr [esp+esi*4-04h], FFFFFFF4h
              inc cx
              neg eax
              inc esp
              xor byte ptr [esp+esi], dh
              jno 00007FDCA8AC71E0h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x37f8480 | 0x2e6 | .-F~
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x378426c | 0x190 | .-F~
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6082000 | 0x1b7e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x609e000 | 0x758 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3647000 | 0x9c | .^yp
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x5e9f194 | 0x200 | .-F~
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x71ce58 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x71e000 | 0x7a0c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x726000 | 0x2b4e0 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x752000 | 0x8be0 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x75b000 | 0x452c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata | 0x760000 | 0xf6a | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0x761000 | 0x2e6 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rdata | 0x762000 | 0x45 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.:<e | 0x763000 | 0x2ee3d44 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.^yp | 0x3647000 | 0xb4 | 0x200 | 84d52dc072ccce677220dfd7beb91e74 | False | 0.2109375 | data | 1.433155205326029 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.-F~ | 0x3648000 | 0x2a394c0 | 0x2a39600 | cc155b0d41e296ace14460db7fd60d22 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x6082000 | 0x1b7e0 | 0x1b800 | eac1988b5b64794b33d3681ccf6181f6 | False | 0.7651189630681818 | data | 7.210623503874518 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x609e000 | 0x758 | 0x800 | 937b171f4e674e7dbdb67ba9a8d6385f | False | 0.46435546875 | data | 4.336103650211605 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
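The section table is where the report's static findings about this DLL come from: the entry point (0x3bf09e3) sits in .-F~ rather than .text, three section names contain characters no linker emits by default, the original .text/.itext/.data sections have a raw size of 0 (their MD5 is that of the empty file), and the executable image lives almost entirely in the 0x2a39600-byte .-F~ section. What follows is an added example, not Joe Sandbox code and not part of this report: a standard-library Python script that parses PE32 section headers and re-derives those observations. It runs on a constructed minimal MZ/PE header whose section table copies the layout above (marked as constructed in the code), not on the sample itself; the section-count threshold of 10 and the allowed name alphabet are assumptions, since the report does not publish the thresholds behind its signatures.

```python
"""Re-derive the section-layout findings of a PE triage report.

Added example, not Joe Sandbox code. The input is a constructed minimal
MZ/PE32 header whose section table copies the layout of 40kib.dll as
listed in the report; the section-count threshold and the allowed name
alphabet are assumptions.
"""
import string
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
CODE_RX = 0x60000020      # CNT_CODE | MEM_EXECUTE | MEM_READ
DATA_RW = 0xC0000040      # CNT_INITIALIZED_DATA | MEM_READ | MEM_WRITE
DATA_R = 0x40000040       # CNT_INITIALIZED_DATA | MEM_READ
STANDARD_NAMES = {".text", ".itext", ".data", ".bss", ".idata", ".didata",
                  ".edata", ".rdata", ".rsrc", ".reloc", ".tls", ".CRT"}
NAME_ALPHABET = set(string.ascii_letters + string.digits + "._$")  # assumption
MAX_NORMAL_SECTIONS = 10                                            # assumption

# Constructed from the report's section table:
# (name, VirtualAddress, VirtualSize, SizeOfRawData, Characteristics)
REPORT_LAYOUT = [
    (".text",   0x1000,    0x71ce58,  0x0,       CODE_RX),
    (".itext",  0x71e000,  0x7a0c,    0x0,       CODE_RX),
    (".data",   0x726000,  0x2b4e0,   0x0,       DATA_RW),
    (".bss",    0x752000,  0x8be0,    0x0,       0xC0000000),
    (".idata",  0x75b000,  0x452c,    0x0,       DATA_RW),
    (".didata", 0x760000,  0xf6a,     0x0,       DATA_RW),
    (".edata",  0x761000,  0x2e6,     0x0,       DATA_R),
    (".rdata",  0x762000,  0x45,      0x0,       DATA_R),
    (".:<e",    0x763000,  0x2ee3d44, 0x0,       CODE_RX),
    (".^yp",    0x3647000, 0xb4,      0x200,     DATA_RW),
    (".-F~",    0x3648000, 0x2a394c0, 0x2a39600, CODE_RX),
    (".rsrc",   0x6082000, 0x1b7e0,   0x1b800,   DATA_R),
    (".reloc",  0x609e000, 0x758,     0x800,     0x42000040),
]
ENTRY_RVA = 0x3bf09e3  # AddressOfEntryPoint from the report


def build_image(layout, entry_rva):
    """Constructed input: DOS stub, PE signature, COFF + PE32 optional header, section table."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew
    opt = bytearray(0xE0)                             # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)             # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)        # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, len(opt), 0x2102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, rs, 0, 0, 0, 0, 0, ch)
        for n, va, vs, rs, ch in layout)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_sections(data):
    """Return (AddressOfEntryPoint, [section dicts]) for a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections, off = [], opt + opt_size
    for _ in range(nsections):                        # 40-byte IMAGE_SECTION_HEADERs
        name, vsize, va, rawsize, _, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                         "vsize": vsize, "rawsize": rawsize, "chars": chars})
        off += 40
    return entry_rva, sections


def triage(entry_rva, sections):
    """Return the findings a static section-table triage raises, in table order."""
    findings = []
    home = next((s for s in sections
                 if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"])), None)
    if home is None:
        findings.append(f"entry point 0x{entry_rva:x} is outside every section")
    elif home["name"] not in STANDARD_NAMES:
        findings.append(f"entry point 0x{entry_rva:x} lies in non-standard section {home['name']!r}")
    for s in sections:
        if set(s["name"]) - NAME_ALPHABET:
            findings.append(f"section {s['name']!r} has special characters in its name")
        if s["rawsize"] == 0 and s["vsize"] and s["chars"] & IMAGE_SCN_CNT_CODE:
            findings.append(f"code section {s['name']!r} has no raw data but "
                            f"0x{s['vsize']:x} bytes of virtual size (filled at run time)")
    if len(sections) > MAX_NORMAL_SECTIONS:
        findings.append(f"{len(sections)} sections, more than a typical build")
    return findings


if __name__ == "__main__":
    entry, secs = parse_sections(build_image(REPORT_LAYOUT, ENTRY_RVA))
    for line in triage(entry, secs):
        print(line)
```

The zero raw size on the standard sections is the practical takeaway: on disk, .text through .rdata are empty shells that the loader maps as zero-filled memory, so nothing useful can be disassembled there before execution. The code that runs first is in .-F~, and the original sections only hold content once that stub has written it, which is why a memory dump taken after the entry point has run is the artefact to examine rather than the file itself.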
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x6082324 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.5627644569816643
RT_ICON | 0x608394c | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.6388592750533049
RT_ICON | 0x60847f4 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.7536101083032491
RT_ICON | 0x608509c | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States | 0.6474654377880185
RT_ICON | 0x6085764 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.5223988439306358
RT_ICON | 0x6085ccc | 0xead1 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 1.000249530051736
RT_ICON | 0x60947a0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.40139348134152103
RT_ICON | 0x60989c8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.46856846473029046
RT_ICON | 0x609af70 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.5349437148217636
RT_ICON | 0x609c018 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.6221311475409836
RT_ICON | 0x609c9a0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.724290780141844
RT_GROUP_ICON | 0x609ce08 | 0xa0 | data | English | United States | 0.65625
RT_VERSION | 0x609cea8 | 0x228 | data | English | United States | 0.519927536231884
RT_MANIFEST | 0x609d0d0 | 0x710 | XML 1.0 document, ASCII text, with CRLF, LF line terminators | English | United States | 0.4032079646017699
              DLL | Import
              winmm.dll | timeGetTime
              wininet.dll | InternetGetConnectedState
              comctl32.dll | FlatSB_SetScrollInfo
              shell32.dll | SHGetMalloc
              user32.dll | CopyImage
              version.dll | GetFileVersionInfoSizeW
              URLMON.DLL | HlinkNavigateString
              oleaut32.dll | SafeArrayPutElement
              netapi32.dll | NetWkstaGetInfo
              msvcrt.dll | memcpy
              advapi32.dll | RegSetValueExW
              winhttp.dll | WinHttpGetIEProxyConfigForCurrentUser
              kernel32.dll | GetVersion, GetVersionExW
              SHFolder.dll | SHGetFolderPathW
              wsock32.dll | gethostbyaddr
              gdiplus.dll | GdiplusShutdown
              ole32.dll | IsAccelerator
              gdi32.dll | AddFontMemResourceEx
              Magnification.dll | MagSetWindowSource
              Name | Ordinal | Address
              QStringClose | 26 | 0xb0a550
              QStringCmp | 25 | 0xb0a554
              QStringCreate | 24 | 0xb0a558
              QStringGet | 23 | 0xb0a55c
              QStringSet | 22 | 0xb0a560
              WebUIClose | 8 | 0xb0a598
              WebUICreate | 7 | 0xb0a59c
              WebUIResourceData | 6 | 0xb0a5a0
              WebUIResourceEnum | 5 | 0xb0a5a4
              WebUIResourceRegister | 4 | 0xb0a5a8
              WebUIResourceUnregister | 3 | 0xb0a5ac
              WebkitClose | 21 | 0xb0a564
              WebkitCreate | 20 | 0xb0a568
              WebkitExecuteJavaScript | 19 | 0xb0a56c
              WebkitGetWindow | 18 | 0xb0a570
              WebkitJavaScriptCallback | 17 | 0xb0a574
              WebkitLoadFinished | 16 | 0xb0a578
              WebkitNavigate | 15 | 0xb0a57c
              WebkitRepaint | 14 | 0xb0a580
              WebkitSetALTignore | 13 | 0xb0a584
              WebkitSetDrop | 12 | 0xb0a588
              WebkitSetGeometry | 11 | 0xb0a58c
              WebkitSetTransparent | 10 | 0xb0a590
              WebkitSetVisible | 9 | 0xb0a594
              __dbk_fcall_wrapper | 2 | 0x411838
              dbkFCallWrapperAddr | 1 | 0xb55648
              Language of compilation system | Country where language is spoken
              English | United States
              No network behavior found

              Target ID:0
              Start time:19:28:15
              Start date:28/10/2024
              Path:C:\Windows\System32\loaddll32.exe
              Wow64 process (32bit):true
              Commandline:loaddll32.exe "C:\Users\user\Desktop\40kib.dll"
              Imagebase:0x330000
              File size:126'464 bytes
              MD5 hash:51E6071F9CBA48E79F10C84515AAE618
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:Borland Delphi
              Reputation:high
              Has exited:true

              Target ID:1
              Start time:19:28:15
              Start date:28/10/2024
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff6a4fe0000
              File size:875'008 bytes
              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:2
              Start time:19:28:15
              Start date:28/10/2024
              Path:C:\Windows\SysWOW64\cmd.exe
              Wow64 process (32bit):true
              Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\40kib.dll",#1
              Imagebase:0xed0000
              File size:236'544 bytes
              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:3
              Start time:19:28:15
              Start date:28/10/2024
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe C:\Users\user\Desktop\40kib.dll,QStringClose
              Imagebase:0xb70000
              File size:61'440 bytes
              MD5 hash:889B99C52A60DD49227C5E485A016679
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:Borland Delphi
              Reputation:high
              Has exited:true

              Target ID:4
              Start time:19:28:15
              Start date:28/10/2024
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe "C:\Users\user\Desktop\40kib.dll",#1
              Imagebase:0xb70000
              File size:61'440 bytes
              MD5 hash:889B99C52A60DD49227C5E485A016679
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:Borland Delphi
              Reputation:high
              Has exited:true

              Target ID:6
              Start time:19:28:18
              Start date:28/10/2024
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe C:\Users\user\Desktop\40kib.dll,QStringCmp
              Imagebase:0xb70000
              File size:61'440 bytes
              MD5 hash:889B99C52A60DD49227C5E485A016679
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:Borland Delphi
              Reputation:high
              Has exited:true

              Target ID:7
              Start time:19:28:21
              Start date:28/10/2024
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe C:\Users\user\Desktop\40kib.dll,QStringCreate
              Imagebase:0xb70000
              File size:61'440 bytes
              MD5 hash:889B99C52A60DD49227C5E485A016679
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:Borland Delphi
              Reputation:high
              Has exited:true

              Target ID:10
              Start time:19:28:25
              Start date:28/10/2024
              Path:C:\Windows\SysWOW64\WerFault.exe
              Wow64 process (32bit):true
              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 1108
              Imagebase:0x4a0000
              File size:482'640 bytes
              MD5 hash:40A149513D721F096DDF50C04DA2F01F
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:11
              Start time:19:28:34
              Start date:28/10/2024
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe "C:\Users\user\Desktop\40kib.dll",QStringClose
              Imagebase:0x7ff6a4fe0000
              File size:61'440 bytes
              MD5 hash:889B99C52A60DD49227C5E485A016679
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:Borland Delphi
              Reputation:high
              Has exited:true

              Target ID:12
              Start time:19:28:34
              Start date:28/10/2024
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe "C:\Users\user\Desktop\40kib.dll",QStringCmp
              Imagebase:0xb70000
              File size:61'440 bytes
              MD5 hash:889B99C52A60DD49227C5E485A016679
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:Borland Delphi
              Reputation:high
              Has exited:true

              Target ID:13
              Start time:19:28:35
              Start date:28/10/2024
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe "C:\Users\user\Desktop\40kib.dll",QStringCreate
              Imagebase:0xb70000
              File size:61'440 bytes
              MD5 hash:889B99C52A60DD49227C5E485A016679
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:Borland Delphi
              Reputation:high
              Has exited:true

              Target ID:14
              Start time:19:28:35
              Start date:28/10/2024
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe "C:\Users\user\Desktop\40kib.dll",dbkFCallWrapperAddr
              Imagebase:0xb70000
              File size:61'440 bytes
              MD5 hash:889B99C52A60DD49227C5E485A016679
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:Borland Delphi
              Has exited:true

              Target ID:15
              Start time:19:28:35
              Start date:28/10/2024
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe "C:\Users\user\Desktop\40kib.dll",__dbk_fcall_wrapper
              Imagebase:0xb70000
              File size:61'440 bytes
              MD5 hash:889B99C52A60DD49227C5E485A016679
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:Borland Delphi
              Has exited:true

              Target ID:16
              Start time:19:28:35
              Start date:28/10/2024
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitSetVisible
              Imagebase:0xb70000
              File size:61'440 bytes
              MD5 hash:889B99C52A60DD49227C5E485A016679
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:Borland Delphi
              Has exited:true

              Target ID:17
              Start time:19:28:35
              Start date:28/10/2024
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitSetTransparent
              Imagebase:0xb70000
              File size:61'440 bytes
              MD5 hash:889B99C52A60DD49227C5E485A016679
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:Borland Delphi
              Has exited:true

              Target ID:18
              Start time:19:28:35
              Start date:28/10/2024
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitSetGeometry
              Imagebase:0xb70000
              File size:61'440 bytes
              MD5 hash:889B99C52A60DD49227C5E485A016679
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:Borland Delphi
              Has exited:true

              Target ID:19
              Start time:19:28:35
              Start date:28/10/2024
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitSetDrop
              Imagebase:0xb70000
              File size:61'440 bytes
              MD5 hash:889B99C52A60DD49227C5E485A016679
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:Borland Delphi
              Has exited:true

              Target ID:20
              Start time:19:28:35
              Start date:28/10/2024
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitSetALTignore
              Imagebase:0xb70000
              File size:61'440 bytes
              MD5 hash:889B99C52A60DD49227C5E485A016679
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:Borland Delphi
              Has exited:true

              Target ID:21
              Start time:19:28:35
              Start date:28/10/2024
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitRepaint
              Imagebase:0xb70000
              File size:61'440 bytes
              MD5 hash:889B99C52A60DD49227C5E485A016679
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:Borland Delphi
              Has exited:true

              Target ID:22
              Start time:19:28:35
              Start date:28/10/2024
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitNavigate
              Imagebase:0xb70000
              File size:61'440 bytes
              MD5 hash:889B99C52A60DD49227C5E485A016679
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:Borland Delphi
              Has exited:true

              Target ID:23
              Start time:19:28:35
              Start date:28/10/2024
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitLoadFinished
              Imagebase:0xb70000
              File size:61'440 bytes
              MD5 hash:889B99C52A60DD49227C5E485A016679
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:Borland Delphi
              Has exited:true

              Target ID:24
              Start time:19:28:35
              Start date:28/10/2024
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitJavaScriptCallback
              Imagebase:0xb70000
              File size:61'440 bytes
              MD5 hash:889B99C52A60DD49227C5E485A016679
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:Borland Delphi
              Has exited:true

              Target ID:25
              Start time:19:28:35
              Start date:28/10/2024
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitGetWindow
              Imagebase:0xb70000
              File size:61'440 bytes
              MD5 hash:889B99C52A60DD49227C5E485A016679
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:Borland Delphi
              Has exited:true

              Target ID:26
              Start time:19:28:35
              Start date:28/10/2024
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitExecuteJavaScript
              Imagebase:0xb70000
              File size:61'440 bytes
              MD5 hash:889B99C52A60DD49227C5E485A016679
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:Borland Delphi
              Has exited:true

              Target ID:27
              Start time:19:28:35
              Start date:28/10/2024
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitCreate
              Imagebase:0xb70000
              File size:61'440 bytes
              MD5 hash:889B99C52A60DD49227C5E485A016679
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:Borland Delphi
              Has exited:true

              Target ID:28
              Start time:19:28:35
              Start date:28/10/2024
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebkitClose
              Imagebase:0xb70000
              File size:61'440 bytes
              MD5 hash:889B99C52A60DD49227C5E485A016679
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:Borland Delphi
              Has exited:true

              Target ID:29
              Start time:19:28:35
              Start date:28/10/2024
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebUIResourceUnregister
              Imagebase:0xb70000
              File size:61'440 bytes
              MD5 hash:889B99C52A60DD49227C5E485A016679
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:Borland Delphi
              Has exited:true

              Target ID:30
              Start time:19:28:35
              Start date:28/10/2024
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebUIResourceRegister
              Imagebase:0xb70000
              File size:61'440 bytes
              MD5 hash:889B99C52A60DD49227C5E485A016679
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:Borland Delphi
              Has exited:true

              Target ID:31
              Start time:19:28:35
              Start date:28/10/2024
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebUIResourceEnum
              Imagebase:0xb70000
              File size:61'440 bytes
              MD5 hash:889B99C52A60DD49227C5E485A016679
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:Borland Delphi
              Has exited:true

              Target ID:32
              Start time:19:28:35
              Start date:28/10/2024
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebUIResourceData
              Imagebase:0xb70000
              File size:61'440 bytes
              MD5 hash:889B99C52A60DD49227C5E485A016679
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:Borland Delphi
              Has exited:true

              Target ID:33
              Start time:19:28:35
              Start date:28/10/2024
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebUICreate
              Imagebase:0xb70000
              File size:61'440 bytes
              MD5 hash:889B99C52A60DD49227C5E485A016679
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:Borland Delphi
              Has exited:true

              Target ID:34
              Start time:19:28:35
              Start date:28/10/2024
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe "C:\Users\user\Desktop\40kib.dll",WebUIClose
              Imagebase:0xb70000
              File size:61'440 bytes
              MD5 hash:889B99C52A60DD49227C5E485A016679
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:Borland Delphi
              Has exited:true

              Target ID:35
              Start time:19:28:35
              Start date:28/10/2024
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe "C:\Users\user\Desktop\40kib.dll",QStringSet
              Imagebase:0xb70000
              File size:61'440 bytes
              MD5 hash:889B99C52A60DD49227C5E485A016679
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:Borland Delphi
              Has exited:true

              Target ID:36
              Start time:19:28:35
              Start date:28/10/2024
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe "C:\Users\user\Desktop\40kib.dll",QStringGet
              Imagebase:0xb70000
              File size:61'440 bytes
              MD5 hash:889B99C52A60DD49227C5E485A016679
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:Borland Delphi
              Has exited:true

              Target ID:38
              Start time:19:28:58
              Start date:28/10/2024
              Path:C:\Windows\SysWOW64\WerFault.exe
              Wow64 process (32bit):true
              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 1072
              Imagebase:0x4a0000
              File size:482'640 bytes
              MD5 hash:40A149513D721F096DDF50C04DA2F01F
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Has exited:true

              No disassembly