Edit tour

Windows Analysis Report
tTdMHr6SlJ.dll

Overview

General Information

Sample name:	tTdMHr6SlJ.dll renamed because original name is a hash value
Original sample name:	40c708f5f85591eab36738ba4df9c46b296bd417bec2c4f5fabfc27b7b5fb317.dll
Analysis ID:	1578838
MD5:	b580bfbbff6e7e9e3cc6d04c397a6d68
SHA1:	0464dabfcf01bff7ec7696c844c2d47f95a2a154
SHA256:	40c708f5f85591eab36738ba4df9c46b296bd417bec2c4f5fabfc27b7b5fb317
Tags:	bankerdlllatamPAGAMENTOS-DIGITAIS-LTDAtrojanuser-johnk3r
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE / OLE file has an invalid certificate

PE file contains executable resources (Code or Archives)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6500 cmdline: loaddll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 6620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6596 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 5748 cmdline: rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 728 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5748 -s 784 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 2520 cmdline: rundll32.exe C:\Users\user\Desktop\tTdMHr6SlJ.dll,Address: 0x000025F0 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 616 cmdline: rundll32.exe C:\Users\user\Desktop\tTdMHr6SlJ.dll,Address: 0x00060E00 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 4404 cmdline: rundll32.exe C:\Users\user\Desktop\tTdMHr6SlJ.dll,Address: 0x00077A00 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 768 cmdline: rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",Address: 0x000025F0 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 1532 cmdline: rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",Address: 0x00060E00 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 1680 cmdline: rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",Address: 0x00077A00 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 1852 cmdline: rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",dbkFCallWrapperAddr MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 3436 cmdline: rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",__dbk_fcall_wrapper MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7092 cmdline: rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_write_noraise MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 4836 cmdline: rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_write MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 3920 cmdline: rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_uop_symbols_test MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 1492 cmdline: rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_union_type_or MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 5472 cmdline: rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_strhex_bytes_with_sep MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6976 cmdline: rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_strhex MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6980 cmdline: rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_stat MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 1272 cmdline: rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_set_inheritable_async_safe MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7056 cmdline: rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_set_inheritable MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6000 cmdline: rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_open_noraise MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6020 cmdline: rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_open MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 2928 cmdline: rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_normpath MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 5512 cmdline: rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_steal MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 5364 cmdline: rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_size MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 5300 cmdline: rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_set MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 5324 cmdline: rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_new_full MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 5332 cmdline: rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_new MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 344 cmdline: rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_len MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 5704 cmdline: rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_hash_ptr MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7184 cmdline: rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_get MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7192 cmdline: rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_foreach MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7204 cmdline: rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_destroy MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7212 cmdline: rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_compare_direct MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7220 cmdline: rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_clear MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7228 cmdline: rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_get_osfhandle MD5: 889B99C52A60DD49227C5E485A016679)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: tTdMHr6SlJ.dll

Avira: detected

Multi AV Scanner detection for submitted file

Source: tTdMHr6SlJ.dll	Virustotal: Detection: 32%			Perma Link
Source: tTdMHr6SlJ.dll	ReversingLabs: Detection: 47%

Source: tTdMHr6SlJ.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI

Source: tTdMHr6SlJ.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 23.94.207.151 80

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: global traffic

HTTP traffic detected: POST /avs_coin/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencoded; Charset=UTF-8Accept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 135Host: 23.94.207.151

Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.207.151
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.207.151
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.207.151
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.207.151
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.207.151
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.207.151
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.207.151

Source: unknown

Source: rundll32.exe, rundll32.exe, 0000000F.00000002.2550112040.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2553116624.000000006B21B000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000003.2257452714.0000000004730000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2288243687.000000006B21B000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000003.2264420411.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2291250631.000000006B21B000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000003.2266552649.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2287482111.000000006B21B000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000003.2264732668.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000014.00000002.2290319174.000000006B21B000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000003.2266446610.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2289834003.000000006B21B000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000015.00000003.2263378995.0000000004C50000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2263345211.0000000004420000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2292637006.000000006B21B000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000018.00000003.2264539454.0000000004C70000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.2292257586.000000006B21B000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000019.00000002.2291050322.000000006B21B000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000019.00000003.2266332664.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001A.00000003.2267251234.0000000004440000.00000004.00001000.00020000.00000000.sdmp

String found in binary or memory: http://www.indyproject.org/

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5748 -s 784

Source: tTdMHr6SlJ.dll

Static PE information: invalid certificate

Source: tTdMHr6SlJ.dll	Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: tTdMHr6SlJ.dll	Static PE information: Resource name: RT_RCDATA type: COM executable for DOS

Source: tTdMHr6SlJ.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI

Source: classification engine

Classification label: mal64.evad.winDLL@99/5@0/1

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Users\user\AppData\Roaming\8DDDBE1C

Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\8DDDBE1C2024
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5748
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6620:120:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\73bc5757-e97e-429e-9c70-f1fcf459e01a

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\tTdMHr6SlJ.dll,Address: 0x000025F0

Source: tTdMHr6SlJ.dll	Virustotal: Detection: 32%
Source: tTdMHr6SlJ.dll	ReversingLabs: Detection: 47%

Source: rundll32.exe	String found in binary or memory: ISO_6937-2-add
Source: rundll32.exe	String found in binary or memory: NATS-DANO-ADD
Source: rundll32.exe	String found in binary or memory: NATS-SEFI-ADD
Source: rundll32.exe	String found in binary or memory: JIS_C6229-1984-hand-add
Source: rundll32.exe	String found in binary or memory: jp-ocr-hand-add
Source: rundll32.exe	String found in binary or memory: jp-ocr-b-add
Source: rundll32.exe	String found in binary or memory: JIS_C6229-1984-b-add

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\tTdMHr6SlJ.dll,Address: 0x000025F0
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5748 -s 784
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\tTdMHr6SlJ.dll,Address: 0x00060E00
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\tTdMHr6SlJ.dll,Address: 0x00077A00
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",Address: 0x000025F0
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",Address: 0x00060E00
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",Address: 0x00077A00
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",dbkFCallWrapperAddr
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",__dbk_fcall_wrapper
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_write_noraise
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_write
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_uop_symbols_test
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_union_type_or
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_strhex_bytes_with_sep
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_strhex
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_stat
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_set_inheritable_async_safe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_set_inheritable
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_open_noraise
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_open
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_normpath
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_steal
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_size
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_set
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_new_full
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_new
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_len
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_hash_ptr
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_get
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_foreach
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_destroy
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_compare_direct
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_clear
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_get_osfhandle
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\tTdMHr6SlJ.dll,Address: 0x000025F0	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\tTdMHr6SlJ.dll,Address: 0x00060E00	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\tTdMHr6SlJ.dll,Address: 0x00077A00	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",Address: 0x000025F0	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",Address: 0x00060E00	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",Address: 0x00077A00	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",dbkFCallWrapperAddr	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",__dbk_fcall_wrapper	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_write_noraise	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_write	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_uop_symbols_test	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_union_type_or	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_strhex_bytes_with_sep	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_strhex	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_stat	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_set_inheritable_async_safe	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_set_inheritable	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_open_noraise	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_open	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_normpath	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_steal	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_size	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_set	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_new_full	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_new	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_len	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_hash_ptr	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_get	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_foreach	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_destroy	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_compare_direct	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_clear	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_get_osfhandle	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: magnification.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Source: C:\Windows\SysWOW64\rundll32.exe

Window found: window name: TEdit

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: tTdMHr6SlJ.dll

Static file information: File size 5321824 > 1048576

Source: tTdMHr6SlJ.dll

Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x4edc00

Source: tTdMHr6SlJ.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Windows\System32\loaddll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\rundll32.exe TID: 7560	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7564	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 23.94.207.151 80

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",#1

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\SysWOW64\rundll32.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	OS Credential Dumping	2 Security Software Discovery	Remote Services	Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	11 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	111 Process Injection	Security Account Manager	11 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
tTdMHr6SlJ.dll	32%	Virustotal		Browse
tTdMHr6SlJ.dll	47%	ReversingLabs	Win32.Trojan.Generic
tTdMHr6SlJ.dll	100%	Avira	TR/Spy.Banker.Gen

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.indyproject.org/	rundll32.exe, rundll32.exe, 0000000F.00000002.2550112040.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2553116624.000000006B21B000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000003.2257452714.0000000004730000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2288243687.000000006B21B000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000003.2264420411.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2291250631.000000006B21B000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000003.2266552649.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2287482111.000000006B21B000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000003.2264732668.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000014.00000002.2290319174.000000006B21B000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000003.2266446610.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2289834003.000000006B21B000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000015.00000003.2263378995.0000000004C50000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2263345211.0000000004420000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2292637006.000000006B21B000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000018.00000003.2264539454.0000000004C70000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.2292257586.000000006B21B000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000019.00000002.2291050322.000000006B21B000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000019.00000003.2266332664.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001A.00000003.2267251234.0000000004440000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
23.94.207.151	unknown	United States		36352	AS-COLOCROSSINGUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578838
Start date and time:	2024-12-20 15:36:25 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	42
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	tTdMHr6SlJ.dll renamed because original name is a hash value
Original Sample Name:	40c708f5f85591eab36738ba4df9c46b296bd417bec2c4f5fabfc27b7b5fb317.dll
Detection:	MAL
Classification:	mal64.evad.winDLL@99/5@0/1
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.20, 40.126.53.16, 13.107.246.43, 4.245.163.56
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
23.94.207.151	e5mIhMkcj5.exe	Get hash	malicious	Unknown	Browse	23.94.207.151/avs_pro/index.php
	PVKDyWHOaX.exe	Get hash	malicious	Unknown	Browse	23.94.207.151/avs_pro/index.php
	RcFBMph6zu.exe	Get hash	malicious	Unknown	Browse	23.94.207.151/avs_pro/index.php
	e5mIhMkcj5.exe	Get hash	malicious	Unknown	Browse	23.94.207.151/avs_pro/index.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-COLOCROSSINGUS	e5mIhMkcj5.exe	Get hash	malicious	Unknown	Browse	23.94.207.151
	PVKDyWHOaX.exe	Get hash	malicious	Unknown	Browse	23.94.207.151
	RcFBMph6zu.exe	Get hash	malicious	Unknown	Browse	23.94.207.151
	e5mIhMkcj5.exe	Get hash	malicious	Unknown	Browse	23.94.207.151
	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	107.174.209.17
	uctgkfb7.exe	Get hash	malicious	XWorm	Browse	192.210.175.202
	file.exe	Get hash	malicious	Remcos	Browse	107.173.4.16
	SwiftCopy_PaymtRecpt121228.exe	Get hash	malicious	Remcos	Browse	192.210.150.17
	Document.xla	Get hash	malicious	Unknown	Browse	172.245.123.12

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_72f21b7e9475e46c6bdb39196dc2c11aee5efe_7522e4b5_4da9a78c-a0d7-4d79-b73a-5a52c1307695\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9908452829818605
Encrypted:	false
SSDEEP:	192:xUWiUOnI0BU/wjeTFCKZrwtzuiFdZ24IO8dci:NilnjBU/wjeMzuiFdY4IO8dci
MD5:	2AAE74C2BC5C7882F878CE09B0BFABB4
SHA1:	655672E9D6E4DC7C6840C26BDDB833A37DD8F3AC
SHA-256:	3B3BF519213CE40AF68F013B51DCC2F1399ABBC2174066554C4B14913A5F9D35
SHA-512:	A53E340FFD3F62BA3621476C9A34F9C6B2EB351201DF17F5AD97F7B50F431BCDD903E4452DB9662A36A6AEEFD83EB1E2944F148E3D0FEE9EC0AC2899C0FA59C1
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.1.7.9.0.4.6.5.3.8.8.3.8.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.1.7.9.0.4.7.0.3.8.8.2.4.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.d.a.9.a.7.8.c.-.a.0.d.7.-.4.d.7.9.-.b.7.3.a.-.5.a.5.2.c.1.3.0.7.6.9.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.8.3.3.a.9.e.d.-.f.e.6.5.-.4.f.4.e.-.9.4.0.2.-.3.b.7.a.e.5.d.3.8.8.d.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.7.4.-.0.0.0.1.-.0.0.1.4.-.c.c.3.2.-.2.d.b.0.e.c.5.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDAE4.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Dec 20 14:37:26 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	48346
Entropy (8bit):	1.935149866196534
Encrypted:	false
SSDEEP:	192:7IjQjr7JBsX+xOYiO5H4K3Col5Tl2BDvYKZXnolBOo0t:8jQjr7rDOY95HbyolxlrKZYlBkt
MD5:	CE393C4F730FA0761B1303677427116D
SHA1:	A56E0E91D3F6EC2DA256F9CCA7C02AAE570B54D0
SHA-256:	FC4893A870499198470E5CA11D5E73C38D64230F822E91A4FB390AB8D8433C76
SHA-512:	FC971AEB38AA8D457CDCFC8680701CAE04974363EED39045CB5808D930C35F6057181559549254CE008FA51FBCAE441D9466E6473A2F683CE1E502F01380B100
Malicious:	false
Preview:	MDMP..a..... .......&.eg........................`................1..........T.......8...........T.......................................................................................................................eJ....... ......GenuineIntel............T.......t...%.eg.............................0..=...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDBEF.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8272
Entropy (8bit):	3.6950933049163925
Encrypted:	false
SSDEEP:	192:R6l7wVeJLt6FUl6Yve6r5gmfTUBHprt89bKPsfNmum:R6lXJh6U6YW6VgmfTUGK0fI
MD5:	5F551D08DAD975D001C0BBACEB9401B9
SHA1:	C816223E2FDD267518C975D0A0D05E449023709A
SHA-256:	0A5F4461BCB1B77FBF687CB598B2C57E910D1F34DD7A59C48B05AD20481BDADE
SHA-512:	A44EF02705C6AF659EA2DFE683A2DFCDE2C12AE76F22154AE19A74770545B1148D225E04C12BD59271F7B9C05B34013BBB92A09C951CD3AC1C1629AAA5210865
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.7.4.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDC1F.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4650
Entropy (8bit):	4.470866571238924
Encrypted:	false
SSDEEP:	48:cvIwWl8zs+iJg77aI9zYWpW8VYVYm8M4JCdPpLF5+q8/ME4lGScSid:uIjf+wI7hR7VtJqrgaJ3id
MD5:	A6E181AB0A7F7BFAA00DF17685230046
SHA1:	930F07D5F0F688FFAF3CEF7D26FEB97F4F938F2B
SHA-256:	5D775B6FE69AC238520B0BAF50D9FEF0410BC21C1B41BAC6CD70B9BEB3C6DE79
SHA-512:	AB3BEB9F1015BC6410CE6D31E7F50750BAF3AA306177F86434F74480A630948E2BD5E2CEA4BC2FA0B1FFD83B7564D03E81CE36CBC2AA3C5A9875D54E7D855156
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="639700" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.42230054678525
Encrypted:	false
SSDEEP:	6144:GSvfpi6ceLP/9skLmb0OTyWSPHaJG8nAgeMZMMhA2fX4WABlEnNP0uhiTw:lvloTyW+EZMM6DFyl03w
MD5:	ED46E50A17DBC89B78FE5B4E1EE027CC
SHA1:	8D7B83D82788108A54131D9177B8643038C228CB
SHA-256:	CB1A9FD572780B075EBA23692961B8D50326911FF7104C0AE0ADE203CAA851EB
SHA-512:	5117A64250C3C7AFCE84AC7414F696E55AED221D7DE0C58B22ECC671DF8E81701A80D3EDC57F1592AF84190A21A7DED6204CC3D11467582420F8F72EC2804DA3
Malicious:	false
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.z..R................................................................................................................................................................................................................................................................................................................................................m.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.896719028366084
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 96.66% UPX compressed Win32 Executable (30571/9) 2.95% Generic Win/DOS Executable (2004/3) 0.19% DOS Executable Generic (2002/1) 0.19% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	tTdMHr6SlJ.dll
File size:	5'321'824 bytes
MD5:	b580bfbbff6e7e9e3cc6d04c397a6d68
SHA1:	0464dabfcf01bff7ec7696c844c2d47f95a2a154
SHA256:	40c708f5f85591eab36738ba4df9c46b296bd417bec2c4f5fabfc27b7b5fb317
SHA512:	1c5d8cad440dfdbf306e704f9223ab6f7e325bb15bb4470ea33b427f96e0e64a9c343bb1127b1417fcfc211922020107e4976f676d48ffb2b067ab81bdf1d2eb
SSDEEP:	98304:AHMsLSN04xZqM0mebAuqhOq69XtM0sAfkiPOl2GOs/+QwfprvTT2z7hk+/rlsKVg:vsLSKGq9mmq8JtbkV/+BpM75r2KVNCY+
TLSH:	943622290603A099F3DD147C8FE4AB500267D083B9DB2512EFDDFCA583F99A699D324D
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x19cf8f0
Entrypoint Section:	UPX1
Digitally signed:	true
Imagebase:	0x40000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x675F94FF [Mon Dec 16 02:48:31 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	082af2927a8eeb5b190b8dc0d066da58

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file
Error Number:	-2146762495
Not Before, Not After	13/12/2024 22:10:46 14/12/2025 22:10:46
Subject Chain	E=pagamentosdigitaais@gmail.com, CN=PAGAMENTOS DIGITAIS LTDA, O=PAGAMENTOS DIGITAIS LTDA, L=JOAO PESSOA, S=PARAIBA, C=BR, OID.1.3.6.1.4.1.311.60.2.1.3=BR, SERIALNUMBER=55.972.702/0001-29, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	FC24237D18BE5D7114AA3DCDAAE6AD6C
Thumbprint SHA-1:	3C9DB92427EA2A17F23D86D1B5704C90C1949548
Thumbprint SHA-256:	19BAF25862979BC0C7CB3971187128986BEB6DB4A4C6986B452A286850E570B0
Serial:	0B98FD483EA0DD6E7C6A6317

Entrypoint Preview

Instruction
cmp byte ptr [esp+08h], 00000001h
jne 00007FF85CC5688Fh
pushad
mov esi, 014E2000h
lea edi, dword ptr [esi-014A1000h]
push edi
or ebp, FFFFFFFFh
jmp 00007FF85CC566BFh
nop
nop
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007FF85CC566B9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FF85CC5669Fh
mov eax, 00000001h
add ebx, ebx
jne 00007FF85CC566B9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007FF85CC566BDh
jne 00007FF85CC566DAh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FF85CC566D1h
dec eax
add ebx, ebx
jne 00007FF85CC566B9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007FF85CC56686h
add ebx, ebx
jne 00007FF85CC566B9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007FF85CC56704h
xor ecx, ecx
sub eax, 03h
jc 00007FF85CC566C3h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007FF85CC56727h
sar eax, 1
mov ebp, eax
jmp 00007FF85CC566BDh
add ebx, ebx
jne 00007FF85CC566B9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FF85CC5667Eh
inc ecx
add ebx, ebx
jne 00007FF85CC566B9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FF85CC56670h
add ebx, ebx
jne 00007FF85CC566B9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007FF85CC566A1h
jne 00007FF85CC566BBh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007FF85CC56696h
add ecx, 02h
cmp ebp, 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x1992598	0x21ba0	.rsrc
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1992270	0x328	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1990000	0x2270	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x512200	0x1260	UPX0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x19b4138	0xc	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x321000	0xa9a	UPX0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x14a1000	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0x14a2000	0x4ee000	0x4edc00	27ae6b626c5d9841ee922abd19f08ff9	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1990000	0x25000	0x24200	e463c18f66cdea756520655423f3286e	False	0.2667941717128028	data	5.910857732211721	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x38b270	0x134	empty	Portuguese	Brazil	0
RT_CURSOR	0x38b3a4	0x134	empty	English	United States	0
RT_CURSOR	0x38b4d8	0x134	empty	English	United States	0
RT_CURSOR	0x38b60c	0x134	empty	English	United States	0
RT_CURSOR	0x38b740	0x134	empty	English	United States	0
RT_CURSOR	0x38b874	0x134	empty	English	United States	0
RT_CURSOR	0x38b9a8	0x134	empty	English	United States	0
RT_CURSOR	0x38badc	0x134	empty	English	United States	0
RT_BITMAP	0x38bc10	0xe1f2c	empty	Portuguese	Brazil	0
RT_BITMAP	0x46db3c	0x1d0	empty	English	United States	0
RT_BITMAP	0x46dd0c	0x1e4	empty	English	United States	0
RT_BITMAP	0x46def0	0x1d0	empty	English	United States	0
RT_BITMAP	0x46e0c0	0x1d0	empty	English	United States	0
RT_BITMAP	0x46e290	0x1d0	empty	English	United States	0
RT_BITMAP	0x46e460	0x1d0	empty	English	United States	0
RT_BITMAP	0x46e630	0x1d0	empty	English	United States	0
RT_BITMAP	0x46e800	0x1d0	empty	English	United States	0
RT_BITMAP	0x46e9d0	0x1d0	empty	English	United States	0
RT_BITMAP	0x46eba0	0x1d0	empty	English	United States	0
RT_BITMAP	0x46ed70	0xe4c04	empty	Portuguese	Brazil	0
RT_BITMAP	0x553974	0xe44d8	empty	Portuguese	Brazil	0
RT_BITMAP	0x637e4c	0xe44d0	empty	Portuguese	Brazil	0
RT_BITMAP	0x71c31c	0xe4c64	empty	Portuguese	Brazil	0
RT_BITMAP	0x800f80	0xe1f2c	empty	Portuguese	Brazil	0
RT_BITMAP	0x8e2eac	0xe1f2c	empty	Portuguese	Brazil	0
RT_BITMAP	0x9c4dd8	0xe1f2c	empty	Portuguese	Brazil	0
RT_BITMAP	0xaa6d04	0xe35a8	empty	Portuguese	Brazil	0
RT_BITMAP	0xb8a2ac	0xe3d48	empty	Portuguese	Brazil	0
RT_BITMAP	0xc6dff4	0xe1f2c	empty	Portuguese	Brazil	0
RT_BITMAP	0xd4ff20	0xe4c64	empty	Portuguese	Brazil	0
RT_BITMAP	0xe34b84	0xddb88	empty	Portuguese	Brazil	0
RT_BITMAP	0xf1270c	0xe4c64	empty	Portuguese	Brazil	0
RT_BITMAP	0xff7370	0xe4c64	empty	Portuguese	Brazil	0
RT_BITMAP	0x10dbfd4	0xc8a28	empty	Portuguese	Brazil	0
RT_BITMAP	0x11a49fc	0xe982c	empty	Portuguese	Brazil	0
RT_BITMAP	0x128e228	0xc8a28	empty	Portuguese	Brazil	0
RT_BITMAP	0x1356c50	0xe3d48	empty	Portuguese	Brazil	0
RT_BITMAP	0x143a998	0xe1f2c	empty	Portuguese	Brazil	0
RT_BITMAP	0x151c8c4	0xe3d4c	data	Portuguese	Brazil	0.976133631091432
RT_BITMAP	0x1600610	0xe982c	data	Portuguese	Brazil	0.9776049181356251
RT_STRING	0x16e9e3c	0x42c	data			1.0102996254681649
RT_STRING	0x16ea268	0xa98	data			0.9778761061946902
RT_STRING	0x16ead00	0x994	data			1.0
RT_STRING	0x16eb694	0xd28	data			0.9958432304038005
RT_STRING	0x16ec3bc	0xc38	data			1.0015984654731458
RT_STRING	0x16ecff4	0xad0	data			1.0025289017341041
RT_STRING	0x16edac4	0x818	data			1.0053088803088803
RT_STRING	0x16ee2dc	0x820	data			1.0052884615384616
RT_STRING	0x16eeafc	0x2fc	data			1.0143979057591623
RT_STRING	0x16eedf8	0x320	data			1.01375
RT_STRING	0x16ef118	0x3e4	data			1.0110441767068272
RT_STRING	0x16ef4fc	0x3d8	data			1.011178861788618
RT_STRING	0x16ef8d4	0x400	data			1.0107421875
RT_STRING	0x16efcd4	0x478	data			1.0096153846153846
RT_STRING	0x16f014c	0x398	data			1.0119565217391304
RT_STRING	0x16f04e4	0x3e4	data			1.0110441767068272
RT_STRING	0x16f08c8	0x2e4	data			1.0108108108108107
RT_STRING	0x16f0bac	0x318	data			1.0075757575757576
RT_STRING	0x16f0ec4	0x454	data			1.009927797833935
RT_STRING	0x16f1318	0x300	data			1.0143229166666667
RT_STRING	0x16f1618	0x43c	data			0.9972324723247232
RT_STRING	0x16f1a54	0xa0	data			1.06875
RT_STRING	0x16f1af4	0xe4	data			1.0482456140350878
RT_STRING	0x16f1bd8	0x1b4	data			1.025229357798165
RT_STRING	0x16f1d8c	0x310	data			1.0140306122448979
RT_STRING	0x16f209c	0x410	data			1.001923076923077
RT_STRING	0x16f24ac	0x368	data			1.0126146788990826
RT_STRING	0x16f2814	0x4b4	data			1.0091362126245846
RT_STRING	0x16f2cc8	0x2e8	data			1.0147849462365592
RT_STRING	0x16f2fb0	0x3f8	data			1.0108267716535433
RT_STRING	0x16f33a8	0x498	data			1.0093537414965987
RT_STRING	0x16f3840	0x5e0	data			1.007313829787234
RT_STRING	0x16f3e20	0x4dc	data			1.0088424437299035
RT_STRING	0x16f42fc	0x380	data			1.0122767857142858
RT_STRING	0x16f467c	0x3c0	data			1.0114583333333333
RT_STRING	0x16f4a3c	0x414	data			1.010536398467433
RT_STRING	0x16f4e50	0x108	data			1.0416666666666667
RT_STRING	0x16f4f58	0xcc	data			1.053921568627451
RT_STRING	0x16f5024	0x244	DOS executable (COM, 0x8C-variant)			1.0189655172413794
RT_STRING	0x16f5268	0x414	data			1.010536398467433
RT_STRING	0x16f567c	0x37c	data			1.0123318385650224
RT_STRING	0x16f59f8	0x2ec	data			1.0147058823529411
RT_STRING	0x16f5ce4	0x364	data			1.012672811059908
RT_RCDATA	0x16f6048	0xb3f8	data	Portuguese	Brazil	0.9909489494703941
RT_RCDATA	0x1701440	0x482b	data	Portuguese	Brazil	0.975426251691475
RT_RCDATA	0x1705c6c	0x9d9d	data	Portuguese	Brazil	0.978685964955761
RT_RCDATA	0x170fa0c	0xd02f	data	Portuguese	Brazil	0.9738437001594896
RT_RCDATA	0x171ca3c	0x2700f	data	Portuguese	Brazil	0.9771718651218397
RT_RCDATA	0x1743a4c	0xe6c6	data	Portuguese	Brazil	0.974423643319002
RT_RCDATA	0x1752114	0x5c11	data	Portuguese	Brazil	0.9845135559421274
RT_RCDATA	0x1757d28	0x10	data			1.5
RT_RCDATA	0x1757d38	0x6532	data	Portuguese	Brazil	0.9871072338454412
RT_RCDATA	0x175e26c	0x8f8c	COM executable for DOS	Portuguese	Brazil	0.9830739087841516
RT_RCDATA	0x17671f8	0x7df5	data	Portuguese	Brazil	0.9838734687548457
RT_RCDATA	0x176eff0	0x3f33	data	Portuguese	Brazil	0.9821991470424625
RT_RCDATA	0x1772f24	0x53b4a	data	Portuguese	Brazil	0.9807267148498795
RT_RCDATA	0x17c6a70	0x10ed9	data	Portuguese	Brazil	0.9846546576863724
RT_RCDATA	0x17d794c	0xa073	data	Portuguese	Brazil	0.9876323797930615
RT_RCDATA	0x17e19c0	0x5f78	data	Portuguese	Brazil	0.9877250409165302
RT_RCDATA	0x17e7938	0x91db	data	Portuguese	Brazil	0.9875197514662953
RT_RCDATA	0x17f0b14	0x4e45	data	Portuguese	Brazil	0.98597594450267
RT_RCDATA	0x17f595c	0x82b7	data	Portuguese	Brazil	0.9864626602516212
RT_RCDATA	0x17fdc14	0x943c	data	Portuguese	Brazil	0.9883524823442605
RT_RCDATA	0x1807050	0x485b	data	Portuguese	Brazil	0.9847216973492415
RT_RCDATA	0x180b8ac	0x95ef	data	Portuguese	Brazil	0.9844462392204882
RT_RCDATA	0x1814e9c	0xa010	data	Portuguese	Brazil	0.9855525185474424
RT_RCDATA	0x181eeac	0x107c	data			0.9931279620853081
RT_RCDATA	0x181ff28	0x9e23	data	Portuguese	Brazil	0.9848578415631253
RT_RCDATA	0x1829d4c	0x48ac	data	Portuguese	Brazil	0.9841431950118255
RT_RCDATA	0x182e5f8	0xc252	data	Portuguese	Brazil	0.9854862702528846
RT_RCDATA	0x183a84c	0x6fe0	data	Portuguese	Brazil	0.9824022346368715
RT_RCDATA	0x184182c	0xb5a9	data	Portuguese	Brazil	0.985334910224707
RT_RCDATA	0x184cdd8	0x176c9	data	Portuguese	Brazil	0.9852415446349471
RT_RCDATA	0x18644a4	0x9a56	data	Portuguese	Brazil	0.9850923816755252
RT_RCDATA	0x186defc	0x2a5	data			1.016248153618907
RT_RCDATA	0x186e1a4	0xb37a	data	Portuguese	Brazil	0.9831323727854437
RT_RCDATA	0x1879520	0x640d	data	Portuguese	Brazil	0.9828602662710343
RT_RCDATA	0x187f930	0x1d8	data			1.0233050847457628
RT_RCDATA	0x187fb08	0x1be	data			1.0246636771300448
RT_RCDATA	0x187fcc8	0x1be	data			1.0246636771300448
RT_RCDATA	0x187fe88	0x1be	data			1.0246636771300448
RT_RCDATA	0x1880048	0x1be	data			1.0246636771300448
RT_RCDATA	0x1880208	0x1be	data			1.0246636771300448
RT_RCDATA	0x18803c8	0x1be	data			1.0246636771300448
RT_RCDATA	0x1880588	0x2f9	data			1.014454664914586
RT_RCDATA	0x1880884	0x13a93	data	Portuguese	Brazil	0.9879301138691933
RT_RCDATA	0x1894318	0x1342f	data	Portuguese	Brazil	0.9831294758856708
RT_RCDATA	0x18a7748	0xd5bf	data	Portuguese	Brazil	0.9833695791224255
RT_RCDATA	0x18b4d08	0x677	data	Portuguese	Brazil	1.0066465256797583
RT_RCDATA	0x18b5380	0xb0a0	data	Portuguese	Brazil	0.9845408704883227
RT_RCDATA	0x18c0420	0x11557	data	Portuguese	Brazil	0.9833096240792124
RT_RCDATA	0x18d1978	0xda6a	data	Portuguese	Brazil	0.984154236863755
RT_RCDATA	0x18df3e4	0xda85	data	Portuguese	Brazil	0.9855562110080263
RT_RCDATA	0x18ece6c	0x5a42	OpenPGP Secret Key	Portuguese	Brazil	0.9869730805851294
RT_RCDATA	0x18f28b0	0x5341	data	Portuguese	Brazil	0.986627879697837
RT_RCDATA	0x18f7bf4	0x67af	data	Portuguese	Brazil	0.9848924386843989
RT_RCDATA	0x18fe3a4	0x3ff7b	data	Portuguese	Brazil	0.9864280507306945
RT_RCDATA	0x193e320	0xbe92	data	Portuguese	Brazil	0.9915344566064035
RT_RCDATA	0x194a1b4	0xae2b	data	Portuguese	Brazil	0.9892345302442416
RT_RCDATA	0x1954fe0	0x516f	data	Portuguese	Brazil	0.993620185158536
RT_RCDATA	0x195a150	0x6371	data	Portuguese	Brazil	0.9819303138625918
RT_RCDATA	0x19604c4	0x8fd1	data	Portuguese	Brazil	0.9829155009913898
RT_GROUP_CURSOR	0x1969498	0x14	data	Portuguese	Brazil	1.45
RT_GROUP_CURSOR	0x19694ac	0x14	data	English	United States	1.4
RT_GROUP_CURSOR	0x19694c0	0x14	Non-ISO extended-ASCII text, with no line terminators	English	United States	1.45
RT_GROUP_CURSOR	0x19694d4	0x14	Non-ISO extended-ASCII text, with no line terminators	English	United States	1.45
RT_GROUP_CURSOR	0x19694e8	0x14	data	English	United States	1.45
RT_GROUP_CURSOR	0x19694fc	0x14	data	English	United States	1.45
RT_GROUP_CURSOR	0x1969510	0x14	data	English	United States	1.45
RT_GROUP_CURSOR	0x1969524	0x14	data	English	United States	1.35

Imports

DLL	Import
advapi32.dll	RegCloseKey
comctl32.dll	ImageList_Add
gdi32.dll	Pie
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect
Magnification.dll	MagInitialize
msvcrt.dll	memset
netapi32.dll	NetWkstaGetInfo
ole32.dll	OleDraw
oleaut32.dll	VariantCopy
shell32.dll	SHGetFolderPathW
user32.dll	GetDC
version.dll	VerQueryValueW
winspool.drv	OpenPrinterW
wsock32.dll	send

Possible Origin

Language of compilation system	Country where language is spoken	Map
Portuguese	Brazil
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 20, 2024 15:37:41.419331074 CET	49713	80	192.168.2.5	23.94.207.151
Dec 20, 2024 15:37:41.539230108 CET	80	49713	23.94.207.151	192.168.2.5
Dec 20, 2024 15:37:41.539338112 CET	49713	80	192.168.2.5	23.94.207.151
Dec 20, 2024 15:37:41.539638996 CET	49713	80	192.168.2.5	23.94.207.151
Dec 20, 2024 15:37:41.539638996 CET	49713	80	192.168.2.5	23.94.207.151
Dec 20, 2024 15:37:41.659385920 CET	80	49713	23.94.207.151	192.168.2.5
Dec 20, 2024 15:37:41.659934998 CET	80	49713	23.94.207.151	192.168.2.5
Dec 20, 2024 15:37:42.843063116 CET	80	49713	23.94.207.151	192.168.2.5
Dec 20, 2024 15:37:43.002609015 CET	49713	80	192.168.2.5	23.94.207.151
Dec 20, 2024 15:37:47.844748974 CET	80	49713	23.94.207.151	192.168.2.5
Dec 20, 2024 15:37:47.845736027 CET	49713	80	192.168.2.5	23.94.207.151
Dec 20, 2024 15:37:47.847261906 CET	49713	80	192.168.2.5	23.94.207.151
Dec 20, 2024 15:37:47.967044115 CET	80	49713	23.94.207.151	192.168.2.5

HTTP Request Dependency Graph

23.94.207.151

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49713	23.94.207.151	80	6976	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 15:37:41.539638996 CET	251	OUT	POST /avs_coin/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 135 Host: 23.94.207.151
Dec 20, 2024 15:37:41.539638996 CET	135	OUT	Data Raw: 6f 70 3d 45 36 53 6d 36 4f 6a 31 4d 56 70 43 54 79 56 79 61 32 77 52 61 41 78 78 63 6e 4e 36 66 46 73 6f 4d 56 6b 6a 42 6c 6c 66 56 6c 78 44 52 68 59 47 43 42 6c 62 57 30 4a 4b 57 42 68 65 52 56 64 66 46 41 4d 43 64 56 46 4e 47 54 5a 50 49 53 38 Data Ascii: op=E6Sm6Oj1MVpCTyVya2wRaAxxcnN6fFsoMVkjBllfVlxDRhYGCBlbW0JKWBheRVdfFAMCdVFNGTZPIS8YfnV9ZGcVcnJ+fCQvKSglcmsDAhwFBxkFCAteS1xDQmIHCwYDaRY=
Dec 20, 2024 15:37:42.843063116 CET	203	IN	HTTP/1.1 200 OK Date: Fri, 20 Dec 2024 14:37:42 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8

Target ID:	0
Start time:	09:37:25
Start date:	20/12/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll"
Imagebase:	0x8c0000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	09:37:25
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	09:37:25
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",#1
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:37:25
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\tTdMHr6SlJ.dll,Address: 0x000025F0
Imagebase:	0x970000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:37:25
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",#1
Imagebase:	0x970000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:37:26
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5748 -s 784
Imagebase:	0x210000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:37:28
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\tTdMHr6SlJ.dll,Address: 0x00060E00
Imagebase:	0x970000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	09:37:31
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\tTdMHr6SlJ.dll,Address: 0x00077A00
Imagebase:	0x970000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	09:37:35
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",Address: 0x000025F0
Imagebase:	0x970000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	09:37:35
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",Address: 0x00060E00
Imagebase:	0x970000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	09:37:35
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",Address: 0x00077A00
Imagebase:	0x970000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	09:37:35
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",dbkFCallWrapperAddr
Imagebase:	0x970000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	09:37:35
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",__dbk_fcall_wrapper
Imagebase:	0x970000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	09:37:35
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_write_noraise
Imagebase:	0x970000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	09:37:35
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_write
Imagebase:	0x970000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	09:37:35
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_uop_symbols_test
Imagebase:	0x970000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	09:37:35
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_union_type_or
Imagebase:	0x970000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	09:37:35
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_strhex_bytes_with_sep
Imagebase:	0x970000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	09:37:35
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_strhex
Imagebase:	0x970000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	false

Show Windows behavior

Target ID:	23
Start time:	09:37:35
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_stat
Imagebase:	0x970000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	09:37:35
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_set_inheritable_async_safe
Imagebase:	0x970000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	09:37:35
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_set_inheritable
Imagebase:	0x970000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	09:37:35
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_open_noraise
Imagebase:	0x970000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	09:37:35
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_open
Imagebase:	0x970000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	09:37:35
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_normpath
Imagebase:	0x970000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	09:37:35
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_steal
Imagebase:	0x970000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	09:37:35
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_size
Imagebase:	0x970000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	09:37:35
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_set
Imagebase:	0x970000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	09:37:35
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_new_full
Imagebase:	0x970000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	09:37:35
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_new
Imagebase:	0x970000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	09:37:35
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_len
Imagebase:	0x970000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	09:37:35
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_hash_ptr
Imagebase:	0x970000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	09:37:35
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_get
Imagebase:	0x970000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	09:37:35
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_foreach
Imagebase:	0x970000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	09:37:35
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_destroy
Imagebase:	0x970000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	09:37:35
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_compare_direct
Imagebase:	0x970000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	09:37:35
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_hashtable_clear
Imagebase:	0x970000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	09:37:35
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tTdMHr6SlJ.dll",_Py_get_osfhandle
Imagebase:	0x970000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report tTdMHr6SlJ.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_72f21b7e9475e46c6bdb39196dc2c11aee5efe_7522e4b5_4da9a78c-a0d7-4d79-b73a-5a52c1307695\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDAE4.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDBEF.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDC1F.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Windows Analysis Report
tTdMHr6SlJ.dll