Windows Analysis Report
ZaPNN51vQo.dll

Contains functionality to access PhysicalDrive, possible boot sector overwrite

Source: Joe Sandbox View

ASN Name: LEASEWEB-USA-WDCUS LEASEWEB-USA-WDCUS

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_04541A20 InternetOpenW,InternetOpenUrlW,CreateFileW,InternetReadFile,WriteFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,

3_2_04541A20

Source: global traffic

DNS traffic detected: DNS query: safebrow.flnet.org

Source: Amcache.hve.9.dr

String found in binary or memory: http://upx.sf.net

Source: unknown	Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49943

Operating System Destruction

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_045405D0 CreateFileW on filename \\.\PHYSICALDRIVE0	3_2_045405D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C505D0 CreateFileW on filename \\.\PHYSICALDRIVE0	4_2_04C505D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_032205D0 CreateFileW on filename \\.\PHYSICALDRIVE0	17_2_032205D0

System Summary

Submitted sample is a known malware sample

Source: ZaPNN51vQo.dll

Initial file: MD5: f222320a45dad46987e5600556f42a49 Family: APT17 Alias: Aurora Panda, APT 17, Deputy Dog, Group 8, Hidden Lynx, Tailgater Team, Axiom, Winnti Group, Group 72, Group72, Tailgater, Ragebeast, Blackfly, Lead, Wicked Spider, APT 17, Dogfish, Wicked Panda, Barium, APT17 Description: APT17 is said to be a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. References: http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.htmlhttp://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdfhttps://www2.fireeye.com/rs/fireye/images/APT17_Report.pdfData Source: https://github.com/RedDrip7/APT_Digital_Weapon

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_045405D0: CreateFileW,DeviceIoControl,CloseHandle,

3_2_045405D0

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0453E730 ExitWindowsEx,	3_2_0453E730
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C4E730 ExitWindowsEx,	4_2_04C4E730
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_0321E730 ExitWindowsEx,	17_2_0321E730

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\KB1035627.dat

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04544460	3_2_04544460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04545AC0	3_2_04545AC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04541E80	3_2_04541E80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04545540	3_2_04545540
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04543710	3_2_04543710
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04542D20	3_2_04542D20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_045471D0	3_2_045471D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04543DDD	3_2_04543DDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_045431C0	3_2_045431C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04546190	3_2_04546190
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04543B8E	3_2_04543B8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C55AC0	4_2_04C55AC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C51E80	4_2_04C51E80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C54460	4_2_04C54460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C531C0	4_2_04C531C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C571D0	4_2_04C571D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C53DDD	4_2_04C53DDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C53B8E	4_2_04C53B8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C56190	4_2_04C56190
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C55540	4_2_04C55540
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C52D20	4_2_04C52D20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_03223710	17_2_03223710
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_03223B8E	17_2_03223B8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_03221E80	17_2_03221E80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_03225AC0	17_2_03225AC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_03222D20	17_2_03222D20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_03225540	17_2_03225540
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_03226190	17_2_03226190
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_032231C0	17_2_032231C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_032271D0	17_2_032271D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_03223DDD	17_2_03223DDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_03224460	17_2_03224460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_04724460	18_2_04724460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_04725AC0	18_2_04725AC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_04721E80	18_2_04721E80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_04725540	18_2_04725540
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_04722D20	18_2_04722D20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_04723710	18_2_04723710
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_047271D0	18_2_047271D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_04723DDD	18_2_04723DDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_047231C0	18_2_047231C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_04726190	18_2_04726190
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_04723B8E	18_2_04723B8E

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5772 -s 672

Source: ZaPNN51vQo.dll

Binary or memory string: OriginalFilenamedllload.dll vs ZaPNN51vQo.dll

Source: ZaPNN51vQo.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: classification engine

Classification label: mal100.evad.winDLL@19/21@1/1

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0453E6A0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,	3_2_0453E6A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C4E6A0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,	4_2_04C4E6A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_0321E6A0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,	17_2_0321E6A0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_0453CDA0 LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,SHGetFileInfo,GetDiskFreeSpaceExA,

3_2_0453CDA0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_04541760 _wcsrev,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,CreateToolhelp32Snapshot,lstrcmpiW,CloseHandle,CloseHandle,

3_2_04541760

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5780
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6188
Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\IEPASS
Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\UpdateWindow
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5772
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5264:120:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\43674aa7-5c7b-447f-a5c3-7a5cda7ac0c6

Source: ZaPNN51vQo.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ZaPNN51vQo.dll,loop

Source: ZaPNN51vQo.dll	Virustotal: Detection: 82%
Source: ZaPNN51vQo.dll	ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\ZaPNN51vQo.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ZaPNN51vQo.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ZaPNN51vQo.dll,loop
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ZaPNN51vQo.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5772 -s 672
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5780 -s 664
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ZaPNN51vQo.dll,mydoor
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5772 -s 676
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5780 -s 668
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ZaPNN51vQo.dll",loop
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ZaPNN51vQo.dll",mydoor
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6188 -s 664
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ZaPNN51vQo.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ZaPNN51vQo.dll,loop	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ZaPNN51vQo.dll,mydoor	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ZaPNN51vQo.dll",loop	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ZaPNN51vQo.dll",mydoor	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ZaPNN51vQo.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_0453EB90 LoadLibraryA,LoadLibraryA,GetProcAddress,LdrInitializeThunk,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryW,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,Lo

Contains functionality to infect the boot sector

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04547600 push eax; ret	3_2_0454762E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_045476A4 push eax; ret	3_2_045476C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C576A4 push eax; ret	4_2_04C576C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C57600 push eax; ret	4_2_04C5762E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_04922C60 push eax; ret	17_2_04922C8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_03227600 push eax; ret	17_2_0322762E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_032276A4 push eax; ret	17_2_032276C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_03214288 push eax; ret	17_2_032142B6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_04727600 push eax; ret	18_2_0472762E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_047276A4 push eax; ret	18_2_047276C2

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: CreateFileW,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0	3_2_045405D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: CreateFileW,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0	4_2_04C505D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: CreateFileW,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0	17_2_032205D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: DeviceIoControl, \\.\PHYSICALDRIVE0	18_2_047205D0

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: CreateFileW,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0	3_2_045405D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: CreateFileW,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0	4_2_04C505D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: CreateFileW,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0	17_2_032205D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: DeviceIoControl, \\.\PHYSICALDRIVE0	18_2_047205D0

Source: C:\Windows\SysWOW64\rundll32.exe

Contains functionality to detect sleep reduction / modifications

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04541026	3_2_04541026
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_045413D8	3_2_045413D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C51026	4_2_04C51026
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C513D8	4_2_04C513D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_03221026	17_2_03221026
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_032213D8	17_2_032213D8

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Windows\SysWOW64\rundll32.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep			graph_3-3558
Source: C:\Windows\SysWOW64\rundll32.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess			graph_18-4467

Found stalling execution ending in API Sleep call

Source: C:\Windows\SysWOW64\rundll32.exe

Stalling execution: Execution stalls by calling Sleep

graph_17-4647

Tries to delay execution (extensive OutputDebugStringW loop)

Source: C:\Windows\SysWOW64\rundll32.exe

Section loaded: OutputDebugStringW count: 141

Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 651	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 9215	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: foregroundWindowGot 1775	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_3-3886

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 17_2_032213D8

17_2_032213D8

Source: C:\Windows\SysWOW64\rundll32.exe TID: 2000	Thread sleep count: 651 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2000	Thread sleep time: -325500s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2000	Thread sleep count: 9215 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2000	Thread sleep time: -4607500s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0453D880 lstrcpyW,FindFirstFileW,FindClose,FindClose,	3_2_0453D880
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0453D570 lstrlenW,wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,wcslen,?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z,??2@YAPAXI@Z,??3@YAXPAX@Z,FindNextFileW,FindClose,	3_2_0453D570
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0453D930 FindFirstFileW,FindClose,CreateFileW,CloseHandle,	3_2_0453D930
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0453D120 wsprintfW,FindFirstFileW,DeleteFileW,wsprintfW,wsprintfW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	3_2_0453D120
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0453CFA0 LocalAlloc,wsprintfW,FindFirstFileW,LocalReAlloc,lstrcmpW,lstrcmpW,lstrlenW,FindNextFileW,LocalFree,FindClose,	3_2_0453CFA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C4D880 lstrcpyW,FindFirstFileW,FindClose,FindClose,	4_2_04C4D880
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C4CFA0 LocalAlloc,wsprintfW,FindFirstFileW,LocalReAlloc,lstrcmpW,lstrcmpW,lstrlenW,FindNextFileW,LocalFree,FindClose,	4_2_04C4CFA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C4D570 lstrlenW,wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,wcslen,?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z,??2@YAPAXI@Z,??3@YAXPAX@Z,FindNextFileW,FindClose,	4_2_04C4D570
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C4D120 wsprintfW,FindFirstFileW,DeleteFileW,wsprintfW,wsprintfW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	4_2_04C4D120
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C4D930 FindFirstFileW,FindClose,CreateFileW,CloseHandle,	4_2_04C4D930
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_0321CFA0 LocalAlloc,wsprintfW,FindFirstFileW,LocalReAlloc,lstrcmpW,lstrcmpW,lstrlenW,FindNextFileW,LocalFree,FindClose,	17_2_0321CFA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_0321D120 wsprintfW,FindFirstFileW,DeleteFileW,wsprintfW,wsprintfW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	17_2_0321D120
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_0321D930 FindFirstFileW,FindClose,CreateFileW,CloseHandle,	17_2_0321D930
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_0321D570 lstrlenW,wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,wcslen,?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z,??2@YAPAXI@Z,??3@YAXPAX@Z,FindNextFileW,FindClose,	17_2_0321D570
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_0321D880 lstrcpyW,FindFirstFileW,FindClose,FindClose,	17_2_0321D880
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_0471D880 lstrcpyW,FindFirstFileW,FindClose,FindClose,	18_2_0471D880
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_0471D570 lstrlenW,FindFirstFileW,wcslen,?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z,??2@YAPAXI@Z,??3@YAXPAX@Z,FindNextFileW,FindClose,	18_2_0471D570
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_0471D930 FindFirstFileW,FindClose,CreateFileW,CloseHandle,	18_2_0471D930
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_0471D120 FindFirstFileW,DeleteFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	18_2_0471D120
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_0471CFA0 LocalAlloc,FindFirstFileW,LocalReAlloc,lstrcmpW,lstrcmpW,lstrlenW,FindNextFileW,LocalFree,FindClose,	18_2_0471CFA0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_04540AC0 GetVersionExW,getsockname,GetVersionExW,lstrcpyW,lstrcpyW,GetSystemInfo,wsprintfW,GlobalMemoryStatus,GetTickCount,wsprintfW,wsprintfW,wsprintfW,wsprintfW,lstrcpyW,lstrlenW,mbstowcs,mbstowcs,lstrcpyW,mbstowcs,

3_2_04540AC0

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Source: Amcache.hve.9.dr	Binary or memory string: VMware
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: rundll32.exe, 00000011.00000002.4489395546.0000000002E46000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.9.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.9.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node	graph_3-3559
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node	graph_4-4048
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node	graph_17-4643
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node	graph_17-4480
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node	graph_18-3923
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node	graph_18-4470

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Source: C:\Windows\SysWOW64\rundll32.exe

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_0453F9CC LoadLibraryW,GetProcAddress,GetProcAddress,GetProcessHeap,HeapFree,

3_2_0453F9CC

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 162.210.196.168 443

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ZaPNN51vQo.dll",#1

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_04541026 __EH_prolog,GetInputState,GetCurrentThreadId,PostThreadMessageW,GetMessageW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,Sleep,GetTickCount,wsprintfW,strstr,WinExec,SetErrorMode,atoi,sprintf,OutputDebugStringA,Sleep,Sleep,Sleep,GetLocalTime,sprintf,OpenEventW,Sleep,Sleep,CloseHandle,atoi,atoi,atoi,atoi,GetTickCount,sprintf,GetTickCount,Sleep,GetTickCount,OpenEventW,WaitForSingleObject,Sleep,CloseHandle,SetErrorMode,

3_2_04541026

Source: C:\Windows\SysWOW64\rundll32.exe

3_2_04540AC0

Source: rundll32.exe	Binary or memory string: avcenter.exe
Source: rundll32.exe	Binary or memory string: kxetray.exe
Source: rundll32.exe	Binary or memory string: avp.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: rundll32.exe	Binary or memory string: ashdisp.exe
Source: Amcache.hve.9.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: rundll32.exe	Binary or memory string: mcshield.exe
Source: rundll32.exe	Binary or memory string: 360tray.exe
Source: rundll32.exe	Binary or memory string: tmbmsrv.exe
Source: rundll32.exe	Binary or memory string: ravmond.exe
Source: Amcache.hve.9.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Native API	2 Bootkit	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	111 Process Injection	121 Virtualization/Sandbox Evasion	LSASS Memory	141 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	121 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Bootkit	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Rundll32	DCSync	5 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ZaPNN51vQo.dll	83%	Virustotal		Browse
ZaPNN51vQo.dll	68%	ReversingLabs	Win32.Backdoor.Moudoor
ZaPNN51vQo.dll	100%	Avira	HEUR/AGEN.1329518
ZaPNN51vQo.dll	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
safebrow.flnet.org	162.210.196.168	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.9.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.210.196.168	safebrow.flnet.org	United States		30633	LEASEWEB-USA-WDCUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1579300
Start date and time:	2024-12-21 14:16:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ZaPNN51vQo.dll renamed because original name is a hash value
Original Sample Name:	f222320a45dad46987e5600556f42a49.dll
Detection:	MAL
Classification:	mal100.evad.winDLL@19/21@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 39 Number of non-executed functions: 227
Cookbook Comments:	Found application associated with file extension: .dll Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.20, 20.190.177.148, 172.202.163.200, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:17:04	API Interceptor	1x Sleep call for process: loaddll32.exe modified
08:17:29	API Interceptor	2x Sleep call for process: WerFault.exe modified
08:17:40	API Interceptor	6164940x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
162.210.196.168	https://www.afghanhayatrestaurant.com.au/	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LEASEWEB-USA-WDCUS	https://fsharetv.io	Get hash	malicious	Unknown	Browse	162.210.199.65
	loligang.x86.elf	Get hash	malicious	Mirai	Browse	108.62.121.120
	Opportunity Offering Pure Home Improvement Unique Guest Post Websites A... (107Ko).msg	Get hash	malicious	Unknown	Browse	162.210.199.153
	sora.sh4.elf	Get hash	malicious	Mirai	Browse	209.50.246.222
	arm.elf	Get hash	malicious	Mirai	Browse	108.62.17.4
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	64.131.85.12
	ns3.jpg.elf	Get hash	malicious	Muhstik, Tsunami	Browse	207.58.188.113
	nklmips.elf	Get hash	malicious	Unknown	Browse	216.38.56.139
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	207.244.103.181
	http://www.bollywoodhungama.com	Get hash	malicious	Unknown	Browse	162.210.196.208

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_c2f356c1f74475bc955dabae5ac8407876b0076_7522e4b5_1dac1649-4c86-4d4c-906d-33f6a6fc8dc8\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8981412292614579
Encrypted:	false
SSDEEP:	192:CXiOO2L0BU/wjeTS1wmzuiFjZ24IO8dci:CiP2YBU/wjeTmzuiFjY4IO8dci
MD5:	AAE8C9BC4A36B28DB991EFA2B1109FFE
SHA1:	94C7AC22C39B233CFCD7C0DE0C6B6EAB3BFCDA93
SHA-256:	0BF25A1CEA14B9ECFA64EDA03310B0203FE2C005A3F1BFC00EEE211FD26A06E5
SHA-512:	5E66B693171F363EAFDF4DC9964A97D0061B82E928066F567671AAAF58C5E4F3684B31C9E1A0E0C6ACAC9DE74F7FCA67DD5A761E0B19EAFCA436FCCBFFFF833D
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.2.6.0.6.2.2.4.4.9.0.1.1.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.2.6.0.6.2.2.9.8.0.2.6.1.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.d.a.c.1.6.4.9.-.4.c.8.6.-.4.d.4.c.-.9.0.6.d.-.3.3.f.6.a.6.f.c.8.d.c.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.e.0.3.3.1.2.3.-.7.0.b.e.-.4.7.c.a.-.9.2.5.e.-.0.d.d.6.7.7.4.3.a.c.4.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.8.c.-.0.0.0.1.-.0.0.1.4.-.8.a.a.d.-.6.7.9.d.a.a.5.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_c2f356c1f74475bc955dabae5ac8407876b0076_7522e4b5_bfd95e3a-1a55-49e1-b8b1-e7ff874c411d\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8982755158591433
Encrypted:	false
SSDEEP:	192:9Rii0OdL0BU/wjeTS1wmzuiFjZ24IO8dci:7iiFdYBU/wjeTmzuiFjY4IO8dci
MD5:	BA981C48FD83893B1A33FE0B2448EDEB
SHA1:	7CD9FB6B0D7EAFF015B42099DA5EE18CA8E80D97
SHA-256:	B3A33A96A56C4107B4008E0EB611108BF897765EF487971FB691A82F3DDC9C2B
SHA-512:	A85F8D3C54888A60FA9B20F5828F56075C8BC65791DA3D8975247561AEB4635DFFDF60661574B61AFD5396AF8F7B83932C32AA3711F5B054CAAA54C0B3870A78
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.2.6.0.6.2.2.4.7.1.8.5.0.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.2.6.0.6.2.3.0.0.3.1.0.1.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.f.d.9.5.e.3.a.-.1.a.5.5.-.4.9.e.1.-.b.8.b.1.-.e.7.f.f.8.7.4.c.4.1.1.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.5.c.4.8.9.8.7.-.6.e.2.f.-.4.1.b.5.-.a.8.c.c.-.d.0.8.a.a.d.0.0.7.8.c.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.9.4.-.0.0.0.1.-.0.0.1.4.-.1.8.0.8.-.6.6.9.d.a.a.5.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_e34a55adf2fb823c1abf802929e24e1fa3bd019_7522e4b5_7c394c0e-190d-4001-951d-d3c6ebbd43e0\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8985970150865458
Encrypted:	false
SSDEEP:	192:QiOOZE0+5f6kjeTMVcmzuiFJZ24IO8dci:QiPZ/+5f6kjejmzuiFJY4IO8dci
MD5:	70C7FD0341E07ACDFE511FE50561AB1B
SHA1:	F1C01C42DCE193571C56A2132977BAD2E2EB9322
SHA-256:	0BEDCA58174C384406135B9AC5BACDD657D45252C5CAF21100EE2187FB5402DD
SHA-512:	1B271E20AA6B3C6CFAF35386119D6437F8A40EB2C59891D99C883D69D437D7EB27CAB17C2D29D03DBEA2C4109380B44C45D07D43936A24EA5094FC08965FB2BA
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.2.6.0.6.2.1.5.2.1.4.0.0.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.c.3.9.4.c.0.e.-.1.9.0.d.-.4.0.0.1.-.9.5.1.d.-.d.3.c.6.e.b.b.d.4.3.e.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.e.1.6.9.d.b.7.-.2.9.e.e.-.4.0.3.7.-.a.4.4.6.-.2.6.6.7.7.0.f.7.1.d.b.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.8.c.-.0.0.0.1.-.0.0.1.4.-.8.a.a.d.-.6.7.9.d.a.a.5.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.r.u.n.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.6././.0.8././.2.6.:.1.6.:.5.8.:.3.3.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_e34a55adf2fb823c1abf802929e24e1fa3bd019_7522e4b5_7e76728d-9671-42f5-bf34-d5dbfd148af8\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8990606993300633
Encrypted:	false
SSDEEP:	192:Xi0O7E0+5f6kjeTMVcmzuiFJZ24IO8dci:XiF7/+5f6kjejmzuiFJY4IO8dci
MD5:	0ACA1E1F853E6F1FE99C0A10C40960C9
SHA1:	0B94113765E7C63D3CB9C4401BF9EC0753A4475D
SHA-256:	063590DD82DD8C93175A4D8878629208EEDDA6D387E02F8A6296027AC0D5D3DE
SHA-512:	4D3AE32FAA199EFEBA49754F4729D30BB300CE74467069C161B55A23EBAF892B339E01291081CEC0B15555BFAE2B704D53BD09DA567C459D5928AEDD6CFFA718
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.2.6.0.6.2.1.5.0.5.3.5.3.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.e.7.6.7.2.8.d.-.9.6.7.1.-.4.2.f.5.-.b.f.3.4.-.d.5.d.b.f.d.1.4.8.a.f.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.7.2.f.8.7.b.8.-.3.a.2.4.-.4.4.8.1.-.9.1.5.0.-.f.6.f.0.d.4.4.9.e.1.d.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.9.4.-.0.0.0.1.-.0.0.1.4.-.1.8.0.8.-.6.6.9.d.a.a.5.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.r.u.n.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.6././.0.8././.2.6.:.1.6.:.5.8.:.3.3.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_e34a55adf2fb823c1abf802929e24e1fa3bd019_7522e4b5_f12875f2-db89-4ad2-8bba-5c0285c555fe\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8987801899816464
Encrypted:	false
SSDEEP:	192:2inO1E0+5f6kjeT8VcmzuiFJZ24IO8dci:2iO1/+5f6kjezmzuiFJY4IO8dci
MD5:	96E97F2B2D7D203E5AD2836F2B813323
SHA1:	E639714104274EE485B21168BD76C93E753FB228
SHA-256:	18DF8AABF6B48B017FA7A0DFA59815EEB1045771E1320FA6A8C2BA185F2E3BFB
SHA-512:	A2ABCFB2765129C742DFCB227A06E2C7EAC0F131A3DD21362B6DCC3B12DC741AD91CA78A93A2548C721260493D7EF2EBB8C9B3B5EE5F6CF1DA05FDDF010B9651
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.2.6.0.6.2.7.2.2.4.5.5.9.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.1.2.8.7.5.f.2.-.d.b.8.9.-.4.a.d.2.-.8.b.b.a.-.5.c.0.2.8.5.c.5.5.5.f.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.7.1.3.5.c.e.6.-.6.e.a.c.-.4.3.5.e.-.a.a.1.a.-.a.f.c.d.5.f.d.8.7.b.4.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.2.c.-.0.0.0.1.-.0.0.1.4.-.7.9.4.b.-.0.5.a.1.a.a.5.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.r.u.n.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.6././.0.8././.2.6.:.1.6.:.5.8.:.3.3.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9ABE.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sat Dec 21 13:17:01 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	56812
Entropy (8bit):	1.8855354698986597
Encrypted:	false
SSDEEP:	96:5R8ttm2k45NE/uDz04GFrJ8v6J8M0hlSoi75I4v4kVGLnzrNzmR9Tndv9dpcHr60:8oRe6JcDO5H4hmzJFKVSxVkJdu3TCoI
MD5:	FF9B5FB07B12C68EE3905F395608DEA8
SHA1:	976E57918B69A35D2399B0B348A7BA762E76E377
SHA-256:	10098F05D688B2E3F700CFE2C77234C01BDFB23231878D6A4F24D630AC638941
SHA-512:	9B4865885526CCEE88A45062065B8026FB28860A4BC10D21D21204DC1FE0C84E82CBEA6D402F209993C8F5B116BE8E1051C1AF678AB46CAA9B600743A9AC2116
Malicious:	false
Preview:	MDMP..a..... ........fg....................................$...........T....1..........`.......8...........T...........x...t.......................................................................................................eJ......l.......GenuineIntel............T............fg.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9AED.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sat Dec 21 13:17:01 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	59928
Entropy (8bit):	1.81903967441323
Encrypted:	false
SSDEEP:	192:86xTe6JN+O5H4De5NDzqBt4nEBkeP15MZrbFs:dy6p5HOenDzat4nsN1Ya
MD5:	9CBAC63E081042135349E1E6C2FCFCFB
SHA1:	8E73E7081D13B50D9090B246E1406CE8FD0C4FB6
SHA-256:	51F514100CDB2D741AC5379614F140CCE3DBE87EAD602B34D244CED5008582B2
SHA-512:	8CAC1F281FA8AE562050C87AEA7BBC1F9B75CBC93FEC89A028D87A8A1C2FF782688A737B299244DCD186ADB4A06841FAB6BEF02F541C812F53A954D2443F7048
Malicious:	false
Preview:	MDMP..a..... ........fg....................................$...........t....1..........`.......8...........T...............P.......................................................................................................eJ......l.......GenuineIntel............T............fg.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9BAA.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8306
Entropy (8bit):	3.6974605904552393
Encrypted:	false
SSDEEP:	192:R6l7wVeJSQ6IgA6Y1P6ogmfTwdpB789b7esfUJm:R6lXJ16IgA6Y96ogmfTwO7dfX
MD5:	F4114CD731B0A59717C309E61A2144D9
SHA1:	3A9CBA62EB1607EA80ADE87E72B2BA0BF4AE8353
SHA-256:	A131B2C75E828C6557663170785BD5F8E74846016B6CAA160CB2CA2900CFDFB5
SHA-512:	39E0F650CDE35C2E14AE0D0C017601B93EC1F42993A5F001E5E1619128C198F54FE777B89C77AA475ECB6CADE607CE30401B61DEE87AA58F1E8D3367A0C3FEDC
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.7.7.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9BB9.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8312
Entropy (8bit):	3.699094155473116
Encrypted:	false
SSDEEP:	192:R6l7wVeJ/26IodLgq6Y9p6ugmfTwdpBx89b7isfhJm:R6lXJ+6I4B6YT6ugmfTws7hfe
MD5:	965F370D7B7212510B35A7A248922CAC
SHA1:	4A6CD789359A5912E5A483FA7D3FADBEFF291326
SHA-256:	DD5FFB3EEE4B0BD5A4E5830BC90A107070BF7CC30275D10426CA1143B71C8D75
SHA-512:	B15BC0A6CC448FBE394CD86B3A8F0A83616B6CE17BD2C067FF0B99CF94DFCD1A360C89F5AD46E61D17DA7040D1487C2350D863C74DA5034D20DA2BEA1AA23E5C
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.7.8.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9BE9.tmp.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4690
Entropy (8bit):	4.4942237715465225
Encrypted:	false
SSDEEP:	48:cvIwWl8zsBtJg77aI9B2WpW8VYwYm8M4JCdPTFTlQg+q8/ARGScS1d:uIjfBHI7fX7VoJ+KglJ31d
MD5:	899638CF0FBD6F972E90DADBCDEC5140
SHA1:	2D5E888CEC2BA8387AF8D9861F7A45CD3493B6F1
SHA-256:	D1B6E25C1BD1002CD934D7E7969051FCBAB4835F6B3C2E713E19E7FAB1F61E7E
SHA-512:	7AF1593147D9102E17FD9F36EC08D456394E2B4112156869F6B0CEC7A5854B0595256C97C2DDCFBCBBD5C3C3B0E1A6EF6FB9CA2C3BBAC7DB8766C3A07B81412B
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="641059" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9E77.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sat Dec 21 13:17:02 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	94960
Entropy (8bit):	1.226480291800688
Encrypted:	false
SSDEEP:	192:PDCL68O5H4p5N7VecH/w3bsGBk/xyLALjJQ3o+B5D7:mOz5HqnwXbsWMygQ3Rz/
MD5:	12D75D6696397A8ACFF34FEC5140D1E8
SHA1:	1CC657230C98025294FF840829128982F7C3ED98
SHA-256:	5280D98D910584D4D8647D0D7E932E1FFB0A341E33080BD38A405154D89D4ED5
SHA-512:	6117D102C07FC00ACACABEFEC13BE06BACAA89C0F622D9803C1FA276FE2771951A24344229DF7973BFA033A71E2150D43F2AD3B467860AC3131FB50B839D6D17
Malicious:	false
Preview:	MDMP..a..... ........fg........................P...........$...(.......t...`...........`.......8...........T...............PX..........L...........8...............................................................................eJ..............GenuineIntel............T............fg.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9E97.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sat Dec 21 13:17:02 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	91084
Entropy (8bit):	1.2659719255211135
Encrypted:	false
SSDEEP:	192:Pir6OQ9O5H48JWTxwvZaF72+jjUYyUcXF9nGjiTpYo:6uOQw5HjJWTxwgB7fUYyUcXF9nwiP
MD5:	41CA4096AB92B4AA4EB4445026BA5455
SHA1:	8F5C1CE72FF0C3BDB654E84685B46FEED754FB2B
SHA-256:	EB757696DE9C3E3A8269D4DF97A87DB2193AF5D22386310BC8499FA2EF0BCDCD
SHA-512:	47F83874ACAC7754C9A6CABE33E3AF5DD73D90000113387CD71EC68BCEE1C110EA246CA05C2EC992E36171150CDDCFDDA859A74814A38213E962F680F5A42A8A
Malicious:	false
Preview:	MDMP..a..... ........fg........................P...........$...(.......T...`...........`.......8...........T...........P...\|I..........L...........8...............................................................................eJ..............GenuineIntel............T............fg.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9F82.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8306
Entropy (8bit):	3.7006622341924853
Encrypted:	false
SSDEEP:	192:R6l7wVeJSA6IgC26Y1K6ogmfTdmprQ89bAesfEgm:R6lXJl6Igz6YY6ogmfTdeAdfy
MD5:	D691B52EDF05FC1BF81AD28B9B577A8C
SHA1:	0B97DF3019C55CD8E9A31B9CEF2925650BDEE72A
SHA-256:	21207020CEABFD3440E1D8841C41F9ABC89F20B8FEDC616B329B8C7AE58C9808
SHA-512:	935E0AF7CFC16EC219D4AD1EE91FA4C9759AA74067AC1C768E5744EB92CBE4E9F4738B099121D182DE055232864E4E7324693902A9E15D70DE9CFB343F2C3AC3
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.7.7.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9FA1.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8312
Entropy (8bit):	3.6993079000322466
Encrypted:	false
SSDEEP:	192:R6l7wVeJ/q6IodR6Y9ET6LgmfTdmprT89bAisfetgm:R6lXJi6I4R6YuT6LgmfTdHAhfef
MD5:	F935F436F342F6E99D745675913E27B2
SHA1:	3E512E600A437D3FB15B50B4351A2720AA6C6A92
SHA-256:	DE64CC78921C74813900B526638C2C655513863B6567E6805FB6C13CE282255D
SHA-512:	4BE55F198C0083550A9847D29C904FE30CC9D827566F9DF15F06A463A049355BA7898BDE7FAE884E54AD0B80F2FF4953FB6485437A6AF61EBFFBEF27A388CD2F
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.7.8.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9FB2.tmp.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4690
Entropy (8bit):	4.494005484603059
Encrypted:	false
SSDEEP:	48:cvIwWl8zsBtJg77aI9B2WpW8VYVYm8M4JCdPgF77B+q8/JDGScSid:uIjfBHI7fX7VhJ97BkJ3id
MD5:	0A0575527129D7BB4E943B0D22AFC866
SHA1:	AD40A6ABFC62E6D033B44E092518C8E24CDDED7C
SHA-256:	9084A9825DD6E041EE665EA7C7295A2D3B76E1B365B3273B167428C2BAC14D56
SHA-512:	FAF0F26B193862A648409EC211014CB2791287C331CDCF2DBF2B9C3F72A01B8A2ABAFD70F79672350A76AB88C97F4F67582C699DE89CDB6A6D186B636D2DEE0C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="641059" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9FD1.tmp.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4690
Entropy (8bit):	4.49436272265196
Encrypted:	false
SSDEEP:	48:cvIwWl8zsBtJg77aI9B2WpW8VY+Ym8M4JCdPgFtHy+q8/JRGScS1d:uIjfBHI7fX7VuJbSCJ31d
MD5:	777D85E7795ED078F7FF77851DED8A46
SHA1:	0D08413D67350FC52F2CBF412419CC0F0BA49A6C
SHA-256:	FA23D0137B107D8AED790CF4E2CD3EA54E04449CE7E0EF6ED49A2DD08432895B
SHA-512:	16ABBA95CB789BA1F8B531A3F5684C25567DF1FDAEF9AA6C0663EC08B939DAF2F7C78E63CD06D3A8C6EBCC5EA9B6D93075249E5C638C8FE08B826D3F5EB38D36
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="641059" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB125.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sat Dec 21 13:17:07 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	56996
Entropy (8bit):	1.8872469928293278
Encrypted:	false
SSDEEP:	192:m/7e69qO5H4Jgizkhp6pBXmi0DWg8gTW71:B6X5HKzkS3mXDWgC
MD5:	B110056552437A7991C949809395783B
SHA1:	7705477328FB2EC6137BC6F19220B91D7200A213
SHA-256:	75E6ED0CCB72C74A8D6AF0855A97765F87279BB0077CA3B3E0E095E51EB38701
SHA-512:	D214E5B85D14CBA9CA0F69EC5DE816607943D673E6AAD3E383A15F1648F97FF52B5E591E85B2781E17D5351EDA283D3B35D9FABF7BB8FE95D2EB541E32263304
Malicious:	false
Preview:	MDMP..a..... ........fg....................................$...........t....1..........`.......8...........T...........x...,.......................................................................................................eJ......l.......GenuineIntel............T.......,....fg.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB1A3.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8302
Entropy (8bit):	3.6983704414288825
Encrypted:	false
SSDEEP:	192:R6l7wVeJSk6IpX6Y1c6TgmfTwdpBO89bhbcosfhbjm:R6lXJB6IpX6YO6TgmfTw1hbcbfd6
MD5:	55813847C40652A68115D70BDE7BE47E
SHA1:	0E54C281C1996B7FA3C284CEE7205905BD3062A3
SHA-256:	51408961F03A9CA3222184B90E07893E8C708067D8F11FE9F07CC1A7E9AC30C1
SHA-512:	89098FF63FD811641DD2E5C2231150854A8F80DAE0D1C8880D7C6CF4B228F7F0598DEEAFA2D32A7ED41F868BB764581BEE760CBEB0D91D8F5C1B7990726D6ABC
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.1.8.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB211.tmp.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4690
Entropy (8bit):	4.49303445300261
Encrypted:	false
SSDEEP:	48:cvIwWl8zsBtJg77aI9B2WpW8VY2Ym8M4JCdPTFZ+q8/AgXGScSld:uIjfBHI7fX7VyJsUJ3ld
MD5:	50309C44188CE6F599FFC2F76F5870CA
SHA1:	B9E2437B278F40AE1A096913C52DD0A3525775E7
SHA-256:	9B09CC51B6BDE15305F224548A3B57FF0BB104F3C08919A6B95726D31823283A
SHA-512:	30FF9716FE0F7BF9B06B17863285166F301E7BE658A73B46F0A53018CC8946D0501D25A822366A92B8D5A399A7A19904FB68929D18DEC2B07370CE176C3E4851
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="641059" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\SysWOW64\KB1035627.dat

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	33
Entropy (8bit):	4.0895524525606675
Encrypted:	false
SSDEEP:	3:aG2sqUq4Bgxf5wn:KsqUqc02n
MD5:	6086D1EEEEA7CCF5C7310ECE395A935C
SHA1:	F516E32F8EE8590C91B5F9DACDE2A58AF1B656F7
SHA-256:	C5CE9696D9AFC5532775BB106AB18E1FB738BE397AA2EFC12FB0BB466C996B9E
SHA-512:	CB7F7EA3D64D22A3D93C8488E409259B4E211DBA3B0C11285BD2109962EF0DDC6D8D65D129501F4A0F928D7450A1A79EDFBB72EB0F0E413912439206E3127DC9
Malicious:	false
Preview:	.........Z@........N.....N...ZTTS

C:\Windows\appcompat\Programs\Amcache.hve

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.422282233604746
Encrypted:	false
SSDEEP:	6144:FSvfpi6ceLP/9skLmb0OTyWSPHaJG8nAgeMZMMhA2fX4WABlEnNP0uhiTw:MvloTyW+EZMM6DFyl03w
MD5:	C84C586CAE823675310E60F4539A40C7
SHA1:	44541EFFE579C1833B26C724575438438DA4DC53
SHA-256:	D2F06293C6A01585CDC41AA8B66E07F480C7AB968E882FEA9BD4210BAC765EB6
SHA-512:	73568AB7A37A7D7C8C3B1FB8AC712C09CEC4D3A8AAC343CBE6D81AF7CA0600A10ADDA783EE48425B0592A987BB2FA0AF581D1FC87511B2ABD3E1D484EBE3AA83
Malicious:	false
Preview:	regf?...?....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...S...............................................................................................................................................................................................................................................................................................................................................V..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.180102052260079
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ZaPNN51vQo.dll
File size:	71'168 bytes
MD5:	f222320a45dad46987e5600556f42a49
SHA1:	0bc94ccb35d2dd80954b6dde717bcce305597ce6
SHA256:	a6c578970637169d77ab319744ba4ef283bfe55816013ee2f3e5036332b3d27d
SHA512:	8e3fffd667dad3a39ca73a818ac540c0c35cc5026995be67694cbb629bb1843c71edc6fd0b696efa6545e6b16b4b4b46e11cd4c8f5a12de8aaa3343540ad6415
SSDEEP:	1536:oXqWFQB0qJsjjhCc/tydPXM/193cPehWXlCiG8O+4ER06ou9F5hF:UJFQBQfhh6fMttcPbXEihB0d0Fb
TLSH:	8863E1A5DFED11B8E31F053C6CF3A27FA96E940B9594C1D78EC09A251CF01596C20B6B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Mb..Mb..Mb...m..Ob.."}..Lb...~..Lb.."}..Ib..Mb..^b.."}..Nb...A..Ib...d..Lb...B..Lb..RichMb..........................PE..L..

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x10001cf1
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x4ECF4B3B [Fri Nov 25 08:00:59 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	0421f871b79c3f74c54fb55e887e4204

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007F0BB8B37DCBh
cmp dword ptr [10003374h], 00000000h
jmp 00007F0BB8B37DE8h
cmp esi, 01h
je 00007F0BB8B37DC7h
cmp esi, 02h
jne 00007F0BB8B37DE4h
mov eax, dword ptr [1000337Ch]
test eax, eax
je 00007F0BB8B37DCBh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007F0BB8B37DCEh
push edi
push esi
push ebx
call 00007F0BB8B37CDAh
test eax, eax
jne 00007F0BB8B37DC6h
xor eax, eax
jmp 00007F0BB8B37E10h
push edi
push esi
push ebx
call 00007F0BB8B37334h
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007F0BB8B37DCEh
test eax, eax
jne 00007F0BB8B37DF9h
push edi
push eax
push ebx
call 00007F0BB8B37CB6h
test esi, esi
je 00007F0BB8B37DC7h
cmp esi, 03h
jne 00007F0BB8B37DE8h
push edi
push esi
push ebx
call 00007F0BB8B37CA5h
test eax, eax
jne 00007F0BB8B37DC5h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007F0BB8B37DD3h
mov eax, dword ptr [1000337Ch]
test eax, eax
je 00007F0BB8B37DCAh
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
jmp dword ptr [1000203Ch]
jmp dword ptr [10002034h]
jmp dword ptr [10002030h]
jmp dword ptr [10002028h]
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov eax, 1000212Ch
jmp 00007F0BB9B37C3Bh

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804
[LNK] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2370	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2198	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0xf90c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x14000	0x1b4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xdca	0xe00	4289c8cb1f962ddd2260d277ff6c0a88	False	0.6160714285714286	data	6.160781249961882	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x3c4	0x400	b1628e5095c4270f1807d1f041acdce2	False	0.5068359375	data	4.074530964216063	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3000	0x388	0x400	435bbf1f6172d6f1649360a5998efae0	False	0.373046875	data	3.6502615445783313	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4000	0xf90c	0xfa00	28c52f39f08d495f87e5c4cb1ed52ac5	False	0.880171875	data	7.285714604095285	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x14000	0x1ea	0x200	9cf0dbc735e4272d675d3e4b44d56963	False	0.83984375	data	5.636323256414432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
BIN	0x40b0	0xf542	data			0.889497658713726
RT_VERSION	0x135f4	0x318	data	Chinese	China	0.45202020202020204

Imports

DLL	Import
MSVCRT.dll	malloc, _initterm, free, ??1type_info@@UAE@XZ, ??3@YAXPAX@Z, _onexit, __dllonexit, _CxxThrowException, __CxxFrameHandler, _adjust_fdiv, ??2@YAPAXI@Z
KERNEL32.dll	VirtualProtect, CreateMutexA, GetLastError, ReleaseMutex, LoadLibraryA, GetProcAddress, FreeLibrary, GetModuleHandleA

Exports

Name	Ordinal	Address
loop	1	0x100010d0
mydoor	2	0x10001150

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-21T14:17:09.486589+0100	2016922	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic	1	192.168.2.5	49709	162.210.196.168	443	TCP
2024-12-21T14:17:35.962286+0100	2016922	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic	1	192.168.2.5	49764	162.210.196.168	443	TCP
2024-12-21T14:18:02.474110+0100	2016922	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic	1	192.168.2.5	49824	162.210.196.168	443	TCP
2024-12-21T14:18:29.159467+0100	2016922	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic	1	192.168.2.5	49883	162.210.196.168	443	TCP
2024-12-21T14:18:55.809706+0100	2016922	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic	1	192.168.2.5	49943	162.210.196.168	443	TCP
2024-12-21T14:19:22.654246+0100	2016922	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic	1	192.168.2.5	49994	162.210.196.168	443	TCP
2024-12-21T14:19:49.169615+0100	2016922	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic	1	192.168.2.5	49995	162.210.196.168	443	TCP
2024-12-21T14:20:15.674833+0100	2016922	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic	1	192.168.2.5	49996	162.210.196.168	443	TCP
2024-12-21T14:20:42.268921+0100	2016922	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic	1	192.168.2.5	49997	162.210.196.168	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 21, 2024 14:17:09.365159035 CET	49709	443	192.168.2.5	162.210.196.168
Dec 21, 2024 14:17:09.365207911 CET	443	49709	162.210.196.168	192.168.2.5
Dec 21, 2024 14:17:09.366478920 CET	49709	443	192.168.2.5	162.210.196.168
Dec 21, 2024 14:17:09.486588955 CET	49709	443	192.168.2.5	162.210.196.168
Dec 21, 2024 14:17:09.486602068 CET	443	49709	162.210.196.168	192.168.2.5
Dec 21, 2024 14:17:09.486720085 CET	443	49709	162.210.196.168	192.168.2.5
Dec 21, 2024 14:17:35.880342960 CET	49764	443	192.168.2.5	162.210.196.168
Dec 21, 2024 14:17:35.880382061 CET	443	49764	162.210.196.168	192.168.2.5
Dec 21, 2024 14:17:35.880470991 CET	49764	443	192.168.2.5	162.210.196.168
Dec 21, 2024 14:17:35.962285995 CET	49764	443	192.168.2.5	162.210.196.168
Dec 21, 2024 14:17:35.962305069 CET	443	49764	162.210.196.168	192.168.2.5
Dec 21, 2024 14:17:35.962400913 CET	443	49764	162.210.196.168	192.168.2.5
Dec 21, 2024 14:18:02.364625931 CET	49824	443	192.168.2.5	162.210.196.168
Dec 21, 2024 14:18:02.364666939 CET	443	49824	162.210.196.168	192.168.2.5
Dec 21, 2024 14:18:02.364742994 CET	49824	443	192.168.2.5	162.210.196.168
Dec 21, 2024 14:18:02.474109888 CET	49824	443	192.168.2.5	162.210.196.168
Dec 21, 2024 14:18:02.474134922 CET	443	49824	162.210.196.168	192.168.2.5
Dec 21, 2024 14:18:02.474268913 CET	443	49824	162.210.196.168	192.168.2.5
Dec 21, 2024 14:18:29.006131887 CET	49883	443	192.168.2.5	162.210.196.168
Dec 21, 2024 14:18:29.006153107 CET	443	49883	162.210.196.168	192.168.2.5
Dec 21, 2024 14:18:29.006316900 CET	49883	443	192.168.2.5	162.210.196.168
Dec 21, 2024 14:18:29.159466982 CET	49883	443	192.168.2.5	162.210.196.168
Dec 21, 2024 14:18:29.159492016 CET	443	49883	162.210.196.168	192.168.2.5
Dec 21, 2024 14:18:29.159555912 CET	443	49883	162.210.196.168	192.168.2.5
Dec 21, 2024 14:18:55.708470106 CET	49943	443	192.168.2.5	162.210.196.168
Dec 21, 2024 14:18:55.708498955 CET	443	49943	162.210.196.168	192.168.2.5
Dec 21, 2024 14:18:55.708592892 CET	49943	443	192.168.2.5	162.210.196.168
Dec 21, 2024 14:18:55.809705973 CET	49943	443	192.168.2.5	162.210.196.168
Dec 21, 2024 14:18:55.809726000 CET	443	49943	162.210.196.168	192.168.2.5
Dec 21, 2024 14:18:55.809897900 CET	443	49943	162.210.196.168	192.168.2.5
Dec 21, 2024 14:19:22.354424953 CET	49994	443	192.168.2.5	162.210.196.168
Dec 21, 2024 14:19:22.354470015 CET	443	49994	162.210.196.168	192.168.2.5
Dec 21, 2024 14:19:22.354554892 CET	49994	443	192.168.2.5	162.210.196.168
Dec 21, 2024 14:19:22.654246092 CET	49994	443	192.168.2.5	162.210.196.168
Dec 21, 2024 14:19:22.654275894 CET	443	49994	162.210.196.168	192.168.2.5
Dec 21, 2024 14:19:22.654346943 CET	443	49994	162.210.196.168	192.168.2.5
Dec 21, 2024 14:19:49.068340063 CET	49995	443	192.168.2.5	162.210.196.168
Dec 21, 2024 14:19:49.068382025 CET	443	49995	162.210.196.168	192.168.2.5
Dec 21, 2024 14:19:49.068450928 CET	49995	443	192.168.2.5	162.210.196.168
Dec 21, 2024 14:19:49.169615030 CET	49995	443	192.168.2.5	162.210.196.168
Dec 21, 2024 14:19:49.169630051 CET	443	49995	162.210.196.168	192.168.2.5
Dec 21, 2024 14:19:49.169672966 CET	443	49995	162.210.196.168	192.168.2.5
Dec 21, 2024 14:20:15.568362951 CET	49996	443	192.168.2.5	162.210.196.168
Dec 21, 2024 14:20:15.568413019 CET	443	49996	162.210.196.168	192.168.2.5
Dec 21, 2024 14:20:15.568512917 CET	49996	443	192.168.2.5	162.210.196.168
Dec 21, 2024 14:20:15.674833059 CET	49996	443	192.168.2.5	162.210.196.168
Dec 21, 2024 14:20:15.674856901 CET	443	49996	162.210.196.168	192.168.2.5
Dec 21, 2024 14:20:15.674926043 CET	443	49996	162.210.196.168	192.168.2.5
Dec 21, 2024 14:20:42.115001917 CET	49997	443	192.168.2.5	162.210.196.168
Dec 21, 2024 14:20:42.115056038 CET	443	49997	162.210.196.168	192.168.2.5
Dec 21, 2024 14:20:42.115133047 CET	49997	443	192.168.2.5	162.210.196.168
Dec 21, 2024 14:20:42.268920898 CET	49997	443	192.168.2.5	162.210.196.168
Dec 21, 2024 14:20:42.268949032 CET	443	49997	162.210.196.168	192.168.2.5
Dec 21, 2024 14:20:42.269105911 CET	443	49997	162.210.196.168	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 21, 2024 14:17:08.518476963 CET	53728	53	192.168.2.5	1.1.1.1
Dec 21, 2024 14:17:09.359138966 CET	53	53728	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 21, 2024 14:17:08.518476963 CET	192.168.2.5	1.1.1.1	0xca44	Standard query (0)	safebrow.flnet.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 21, 2024 14:17:09.359138966 CET	1.1.1.1	192.168.2.5	0xca44	No error (0)	safebrow.flnet.org		162.210.196.168	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	08:16:58
Start date:	21/12/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\ZaPNN51vQo.dll"
Imagebase:	0xb70000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	1
Start time:	08:16:58
Start date:	21/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	2
Start time:	08:16:58
Start date:	21/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ZaPNN51vQo.dll",#1
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	3
Start time:	08:16:58
Start date:	21/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\ZaPNN51vQo.dll,loop
Imagebase:	0x420000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	08:16:58
Start date:	21/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\ZaPNN51vQo.dll",#1
Imagebase:	0x420000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	9
Start time:	08:17:01
Start date:	21/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5772 -s 672
Imagebase:	0xdf0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	10
Start time:	08:17:01
Start date:	21/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5780 -s 664
Imagebase:	0xdf0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	11
Start time:	08:17:01
Start date:	21/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\ZaPNN51vQo.dll,mydoor
Imagebase:	0x420000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	14
Start time:	08:17:02
Start date:	21/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5772 -s 676
Imagebase:	0xdf0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	15
Start time:	08:17:02
Start date:	21/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5780 -s 668
Imagebase:	0xdf0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	17
Start time:	08:17:04
Start date:	21/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\ZaPNN51vQo.dll",loop
Imagebase:	0x420000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	18
Start time:	08:17:04
Start date:	21/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\ZaPNN51vQo.dll",mydoor
Imagebase:	0x420000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	21
Start time:	08:17:07
Start date:	21/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6188 -s 664
Imagebase:	0xdf0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true