Edit tour

Windows Analysis Report
hidapi.dll

Overview

General Information

Sample name:	hidapi.dll
Analysis ID:	1666525
MD5:	9c97d28644225ca0ceebe0304275c8dd
SHA1:	5b53080de0745d6915d6d42fa1e3ff098640d877
SHA256:	cac6a08b3e3ff515cb372a899fd8e22e286bf23edbb030fc85e4aa1ae3abf13c
Infos:

Detection

Score:	56
Range:	0 - 100
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Joe Sandbox ML detected suspicious sample

PE file has nameless sections

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 7900 cmdline: loaddll32.exe "C:\Users\user\Desktop\hidapi.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 7908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7952 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hidapi.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 7976 cmdline: rundll32.exe "C:\Users\user\Desktop\hidapi.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 3216 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 716 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 7968 cmdline: rundll32.exe C:\Users\user\Desktop\hidapi.dll,hid_close MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 8116 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7968 -s 724 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 8108 cmdline: rundll32.exe C:\Users\user\Desktop\hidapi.dll,hid_enumerate MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 3928 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8108 -s 724 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 8160 cmdline: rundll32.exe C:\Users\user\Desktop\hidapi.dll,hid_error MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 1480 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8160 -s 728 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 5152 cmdline: rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_close MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 5812 cmdline: rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_enumerate MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 3108 cmdline: rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_error MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 1332 cmdline: rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_write MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 1816 cmdline: rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_winapi_get_container_id MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 1920 cmdline: rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_version_str MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 2140 cmdline: rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_version MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 1928 cmdline: rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_set_nonblocking MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 1896 cmdline: rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_send_feature_report MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 2228 cmdline: rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_read_timeout MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 2180 cmdline: rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_read MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 3040 cmdline: rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_open_path MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 2260 cmdline: rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_open MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 5312 cmdline: rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_init MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 4224 cmdline: rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_get_serial_number_string MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 3756 cmdline: rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_get_product_string MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 2968 cmdline: rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_get_manufacturer_string MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 3884 cmdline: rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_get_input_report MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 5452 cmdline: rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_get_indexed_string MD5: 889B99C52A60DD49227C5E485A016679)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
hidapi.dll	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000025.00000001.1892266397.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
0000001D.00000001.1892071164.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000018.00000002.2500139149.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000022.00000001.1892139598.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
0000001B.00000002.2502924761.00000000044F1000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000028.00000002.2502925309.00000000041D1000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
0000001E.00000001.1817364369.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000024.00000002.2503362964.0000000004731000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000019.00000002.2503289996.0000000003FC1000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000022.00000002.2500040759.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000029.00000001.1892321944.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000020.00000001.1892385941.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000023.00000001.1892203798.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000029.00000002.2500138061.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
0000001A.00000001.1754659029.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000026.00000002.2500903884.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
0000001D.00000002.2500737297.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
0000001C.00000002.2503788059.0000000004071000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000027.00000002.2503192278.0000000004691000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000004.00000002.1719749651.0000000004221000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
0000001A.00000002.2500502017.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000007.00000002.1719038974.0000000004721000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000003.00000002.1718998180.00000000047B1000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000026.00000001.1892443379.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
0000001F.00000002.2502447548.0000000004271000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000018.00000001.1741951778.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000025.00000002.2501065568.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
0000001E.00000002.2499868685.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000023.00000002.2500827944.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000017.00000002.2502551494.0000000004021000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000008.00000002.1732064823.0000000004571000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000020.00000002.2500030056.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000021.00000002.2502750467.0000000004351000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Click to see the 28 entries

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• Spreading
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: hidapi.dll

Virustotal: Detection: 8%

Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Neural Call Log Analysis: 82.9%

Source: hidapi.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI

Source:	Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000000.00000002.1817765604.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1722013895.0000000004FA0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1722375481.0000000004960000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1722029534.0000000004EF0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2126270839.0000000004CD0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2515139657.0000000004720000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.2512310888.0000000004D20000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000019.00000002.2516047242.00000000047C0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001A.00000002.2512220256.0000000004B10000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001B.00000002.2515212093.0000000004CC0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000002.2515778407.0000000004870000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: loaddll32.exe, 00000000.00000002.1817765604.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1722013895.0000000004FA0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1722375481.0000000004960000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1722029534.0000000004EF0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2126270839.0000000004CD0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2515139657.0000000004720000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.2512310888.0000000004D20000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000019.00000002.2516047242.00000000047C0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001A.00000002.2512220256.0000000004B10000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001B.00000002.2515212093.0000000004CC0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000002.2515778407.0000000004870000.00000040.00001000.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_26afe25ca778a3fd3cbaf2dcbce7b2d3cdba1037_7522e4b5_8a9cc253-1938-42b3-a616-ad04c3ecfe4d\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_22b1de1da1a1c744f42077ffe7b39ed57c765dd_7522e4b5_87d24227-51de-4654-b404-177066ae5055\	Jump to behavior

System Summary

PE file has nameless sections

Source: hidapi.dll

Static PE information: section name:

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7968 -s 724

Source: hidapi.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI

Source: classification engine

Classification label: mal56.winDLL@58/17@0/0

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8160
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7908:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7968
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7976
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8108

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\163e11cc-6ffb-448d-b956-2d5281eb3495

Jump to behavior

Source: Yara match	File source: hidapi.dll, type: SAMPLE
Source: Yara match	File source: 00000025.00000001.1892266397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000001.1892071164.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2500139149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000001.1892139598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2502924761.00000000044F1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.2502925309.00000000041D1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000001.1817364369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2503362964.0000000004731000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2503289996.0000000003FC1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2500040759.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000001.1892321944.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000001.1892385941.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000001.1892203798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.2500138061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000001.1754659029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2500903884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2500737297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2503788059.0000000004071000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2503192278.0000000004691000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1719749651.0000000004221000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2500502017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1719038974.0000000004721000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1718998180.00000000047B1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000001.1892443379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2502447548.0000000004271000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000001.1741951778.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2501065568.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2499868685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2500827944.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2502551494.0000000004021000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1732064823.0000000004571000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2500030056.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2502750467.0000000004351000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\hidapi.dll,hid_close

Source: hidapi.dll

Virustotal: Detection: 8%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\hidapi.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hidapi.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\hidapi.dll,hid_close
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hidapi.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\hidapi.dll,hid_enumerate
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\hidapi.dll,hid_error
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7968 -s 724
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 716
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8108 -s 724
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8160 -s 728
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_close
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_enumerate
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_error
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_write
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_winapi_get_container_id
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_version_str
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_version
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_set_nonblocking
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_send_feature_report
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_read_timeout
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_read
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_open_path
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_open
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_init
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_get_serial_number_string
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_get_product_string
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_get_manufacturer_string
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_get_input_report
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_get_indexed_string
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hidapi.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\hidapi.dll,hid_close	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\hidapi.dll,hid_enumerate	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\hidapi.dll,hid_error	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_close	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_enumerate	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_error	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_write	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_winapi_get_container_id	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_version_str	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_version	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_set_nonblocking	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_send_feature_report	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_read_timeout	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_read	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_open_path	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_open	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_init	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_get_serial_number_string	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_get_product_string	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_get_manufacturer_string	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_get_input_report	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_get_indexed_string	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hidapi.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: hidapi.dll

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: hidapi.dll

Static file information: File size 6084720 > 1048576

Source: hidapi.dll

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x455800

Source: hidapi.dll

Static PE information: More than 200 imports for user32.dll

Source:	Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000000.00000002.1817765604.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1722013895.0000000004FA0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1722375481.0000000004960000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1722029534.0000000004EF0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2126270839.0000000004CD0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2515139657.0000000004720000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.2512310888.0000000004D20000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000019.00000002.2516047242.00000000047C0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001A.00000002.2512220256.0000000004B10000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001B.00000002.2515212093.0000000004CC0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000002.2515778407.0000000004870000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: loaddll32.exe, 00000000.00000002.1817765604.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1722013895.0000000004FA0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1722375481.0000000004960000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1722029534.0000000004EF0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2126270839.0000000004CD0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2515139657.0000000004720000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.2512310888.0000000004D20000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000019.00000002.2516047242.00000000047C0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001A.00000002.2512220256.0000000004B10000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001B.00000002.2515212093.0000000004CC0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000002.2515778407.0000000004870000.00000040.00001000.00020000.00000000.sdmp

Source: hidapi.dll

Static PE information: real checksum: 0x562316 should be: 0x5dd778

Source: hidapi.dll	Static PE information: section name: .didata
Source: hidapi.dll	Static PE information: section name:

Source: hidapi.dll

Static PE information: section name: .itext entropy: 7.925779295024618

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\rundll32.exe TID: 7972	Thread sleep count: 68 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7972	Thread sleep time: -34000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7980	Thread sleep count: 67 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7980	Thread sleep time: -33500s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 8112	Thread sleep count: 68 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 8112	Thread sleep time: -34000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 8164	Thread sleep count: 68 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 8164	Thread sleep time: -34000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 4320	Thread sleep count: 45 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3016	Thread sleep count: 43 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3480	Thread sleep count: 47 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 4020	Thread sleep count: 43 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1904	Thread sleep count: 43 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3152	Thread sleep count: 43 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1880	Thread sleep count: 41 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1912	Thread sleep count: 44 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2144	Thread sleep count: 41 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3760	Thread sleep count: 41 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 4692	Thread sleep count: 42 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3148	Thread sleep count: 41 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 4204	Thread sleep count: 42 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2436	Thread sleep count: 42 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3116	Thread sleep count: 41 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2756	Thread sleep count: 41 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3892	Thread sleep count: 42 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2896	Thread sleep count: 42 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7496	Thread sleep count: 43 > 30

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_26afe25ca778a3fd3cbaf2dcbce7b2d3cdba1037_7522e4b5_8a9cc253-1938-42b3-a616-ad04c3ecfe4d\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_22b1de1da1a1c744f42077ffe7b39ed57c765dd_7522e4b5_87d24227-51de-4654-b404-177066ae5055\	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hidapi.dll",#1

Jump to behavior

Source: rundll32.exe, 00000003.00000002.1718998180.00000000047B1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1719749651.0000000004221000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.1719038974.0000000004721000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: Shell_TrayWndS
Source: rundll32.exe, 00000003.00000002.1718998180.00000000047B1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1719749651.0000000004221000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.1719038974.0000000004721000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: Shell_TrayWndReBarWindow32MSTaskSwWClassToolbarWindow32SV

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	12 Process Injection	1 Rundll32	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Software Packing	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Process Injection	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
hidapi.dll	11%	ReversingLabs
hidapi.dll	8%	Virustotal	Browse
SAMPLE	100%	Joe Sandbox ML

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1666525
Start date and time:	2025-04-16 17:46:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	42
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	hidapi.dll
Detection:	MAL
Classification:	mal56.winDLL@58/17@0/0
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): WerFault.exe, SIHClient.exe, SgrmBroker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.22, 52.168.117.173, 23.79.182.43, 20.12.23.50, 40.126.28.12, 4.245.163.56
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, fs.microsoft.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.

Simulations

Behavior and APIs

Time	Type	Description
11:47:52	API Interceptor	24x Sleep call for process: rundll32.exe modified
11:47:57	API Interceptor	7x Sleep call for process: loaddll32.exe modified
11:47:59	API Interceptor	4x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_22b1de1da1a1c744f42077ffe7b39ed57c765dd_7522e4b5_87d24227-51de-4654-b404-177066ae5055\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8945075334372811
Encrypted:	false
SSDEEP:	192:GqXiSOn40BU/wjeTJqdzuiFJZ24IO8dci2:TiznTBU/wjeczuiFJY4IO8dci
MD5:	628A1D5689AFB0492410B72913487D81
SHA1:	68C2F34ACF1CCFD92C9636813A8E9A4DD9D7C584
SHA-256:	615656B92924CD4A5B82EBEF0BE65DD0B60F18E6CEA6D55BF9025DBB151A0604
SHA-512:	19FC9AD286B23F3A5AC8E5FEC67E5CC120D274177FDF42CBE5E49A0AC885B8E086A627C5B9638FE253315D5DF354AB750BDD65F2BB15960381C38FB5E51E1D15
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.9.2.9.2.0.7.8.1.1.1.5.5.0.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.9.2.9.2.0.7.8.4.5.5.2.7.1.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.7.d.2.4.2.2.7.-.5.1.d.e.-.4.6.5.4.-.b.4.0.4.-.1.7.7.0.6.6.a.e.5.0.5.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.7.5.e.7.1.d.1.-.3.5.c.c.-.4.f.f.4.-.9.9.9.5.-.c.7.0.f.d.f.3.2.9.8.c.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.a.c.-.0.0.0.1.-.0.0.1.8.-.c.3.f.e.-.4.0.d.3.e.6.a.e.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_26afe25ca778a3fd3cbaf2dcbce7b2d3cdba1037_7522e4b5_8a9cc253-1938-42b3-a616-ad04c3ecfe4d\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8945934108363021
Encrypted:	false
SSDEEP:	192:gfitOmm0BU/wjeTJqdzuiFJZ24IO8dci:IikmNBU/wjeczuiFJY4IO8dci
MD5:	91BAA6E13CEE27F45DF487E70390F727
SHA1:	263129E7260FF5E32ADDF15A436FBA445F5C3E61
SHA-256:	E08BD33DBE129B0E59A18D31483CEF79B073F36286F874FE7B91EB2ABEC4BAE8
SHA-512:	89AC9DF8FB6243DD30E6CFD6BA838A93BA95966E9F6BF3FCDF6588F6F487F878B9FC01934D3DDC07609646B89870E2A7080E898896B9FEF5C0914364A354123A
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.9.2.9.2.0.7.5.6.2.0.8.9.6.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.9.2.9.2.0.7.6.8.7.0.8.9.5.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.a.9.c.c.2.5.3.-.1.9.3.8.-.4.2.b.3.-.a.6.1.6.-.a.d.0.4.c.3.e.c.f.e.4.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.d.c.8.5.b.5.5.-.0.4.2.8.-.4.d.1.9.-.a.3.a.9.-.5.4.6.6.e.1.3.d.f.8.b.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.2.0.-.0.0.0.1.-.0.0.1.8.-.8.4.9.1.-.7.1.d.1.e.6.a.e.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_26afe25ca778a3fd3cbaf2dcbce7b2d3cdba1037_7522e4b5_f172e35a-161e-4548-872e-d4c302cc38f6\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8941655329832601
Encrypted:	false
SSDEEP:	192:0t6i+Ogm0BU/wjeTJqdzuiFJZ24IO8dci:Pi/gNBU/wjeczuiFJY4IO8dci
MD5:	C2AD854854388F76F0F6BBB763B557EA
SHA1:	CB21E655D470537013321D1E60951E04CCDAB030
SHA-256:	9DD8432864ACA73A66C6F6D010C3DB1C4F3B158E766ECED07B161FD40ED4350C
SHA-512:	47EACB83443F010A980887A7BC47283354D510BB6CAA08928D36B8D0CF26272D25DBE896BDC04F319EA5887F6FFEFDF7C6B42C260E0A59F82F813640994CA774
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.9.2.9.2.0.7.6.5.8.4.0.1.4.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.9.2.9.2.0.7.7.1.6.2.1.4.1.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.1.7.2.e.3.5.a.-.1.6.1.e.-.4.5.4.8.-.8.7.2.e.-.d.4.c.3.0.2.c.c.3.8.f.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.9.c.5.8.c.7.b.-.a.3.f.d.-.4.5.c.0.-.a.e.e.d.-.b.d.3.b.2.f.c.0.a.8.d.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.2.8.-.0.0.0.1.-.0.0.1.8.-.9.3.0.f.-.7.2.d.1.e.6.a.e.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_a0880a966f02c92857af0528cfcfa7d44983357_7522e4b5_afd361e3-84c5-4fb3-8df5-6d0fa12a559c\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8944177255264307
Encrypted:	false
SSDEEP:	192:OYi9O0P0BU/wjeTJqdzuiFJZ24IO8dci:ti008BU/wjeczuiFJY4IO8dci
MD5:	8159F06BF404F5CD418F52399E9394ED
SHA1:	0022B3CC4578083CBFEF09B27200CED8A30661B7
SHA-256:	C52F97E63CCA6AF6CCE34AD55A737292DC326F6CBE7B8690E38979B537177327
SHA-512:	D3B7292F3C05D3183DFCE0F243958C6DC3508E76C7A6C1D2C508371CEF770550C3C909EB039F0A2FC7FA1E5DDDC6C117E6C60FC5654D0D3239E37206F15F59AD
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.9.2.9.2.0.7.9.4.7.7.0.9.1.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.9.2.9.2.0.7.9.9.9.2.7.1.6.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.f.d.3.6.1.e.3.-.8.4.c.5.-.4.f.b.3.-.8.d.f.5.-.6.d.0.f.a.1.2.a.5.5.9.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.e.c.f.c.2.e.d.-.0.c.7.4.-.4.1.8.6.-.8.3.4.b.-.2.7.6.a.9.8.1.0.c.c.e.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.e.0.-.0.0.0.1.-.0.0.1.8.-.c.9.b.b.-.1.2.d.5.e.6.a.e.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER69DD.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Apr 16 15:47:55 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	45636
Entropy (8bit):	2.0122781100004654
Encrypted:	false
SSDEEP:	192:E8Y2f19LXRAdc0C9jO5H471RH3FhszhbLpq+wnKLba/5wanXb:zxzE5Hc1Z+tjgjX
MD5:	C41B0552E7C5D1F85C9EF2F40448D82D
SHA1:	5AEEF8C0853F6913962C1EE4E071B97B2B6557EA
SHA-256:	6C463456DF8AA582E1EBCBA679C0B273F29CA5E9FAE2CB7F3AB2BF133D93F528
SHA-512:	865050978C903134983DBFB38ED90DFC88B86883E6719AC30D6DCA4FC7961F30EC7FF6A12445867863E18F0ABBF512D7859B10A9C057904D23945D8C07923901
Malicious:	false
Preview:	MDMP..a..... .......+..g........................P................+..........T.......8...........T...............t.......................................................................................................eJ......p.......GenuineIntel............T....... ......g.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6CDB.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8302
Entropy (8bit):	3.6908153896194227
Encrypted:	false
SSDEEP:	192:R6l7wVeJlK6fP6YcP6Qu22gmfTWHprl89bgxsfXgm:R6lXJ4636Y86X22gmfTWYgqf1
MD5:	64041C375B0F5CDEFCF8483F797FCD76
SHA1:	CFEEABDB0096D27A3BCFE647BC61E1DF7285E061
SHA-256:	915977B2F0624A56FEF941BE468000F208880A31C045AEE7FFD9A18EF2CCE569
SHA-512:	C461B1671903A5CB9D3C2A6BBB9511DC4488D8806892C6E469D32BF2AE3AC86E10F9F05BAF5FFC3DDCD5B37E431C8FC6F58269924D368B5A24EF12D930A0F475
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.9.6.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6D1B.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4642
Entropy (8bit):	4.4495461043561635
Encrypted:	false
SSDEEP:	48:cvIwWl8zsdJg77aI9ViWpW8VYE/Ym8M4JCdP5F+H+q8/6/eGScSOd:uIjf3I73j7VziJRH5eJ3Od
MD5:	047A26C1B1838ED526C7AFEC35B86E5A
SHA1:	DF68B4B01D9D2482DB53D666D39885E2380ADE13
SHA-256:	F5895AED3575509BFE3E7395DA122BF4050D89E78246BC1A9D7EA2CBD0ED5F78
SHA-512:	84561926C2619149EBF067ACD7A183CF07FBE916E2D438DE89D90700ACA32AC39C6C583D6507663D17BCAE8C04612D05FAFB6D3E23E5BF2FEA829B3E3D21F40F
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="808250" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6DE4.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Apr 16 15:47:56 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	39996
Entropy (8bit):	2.1233486638486467
Encrypted:	false
SSDEEP:	192:Hs0Km3lZGX9ut2O5H47SKOdxhy7GypPhqpflNYrnDf7j:r53bb5HcnOdxUP+lNYrrX
MD5:	69A6FC16C237835CA8EE5F6715328D5F
SHA1:	E7B4183A70BF9517789312BD0A56FEA07719F640
SHA-256:	9B7E6A40DAA6EF7AD9D9B5E59999AA127E5DB673EDD7F99964E66080F53328D9
SHA-512:	9110F7267F1C0E5A42FEC226EEFF4EB8B6788FF9549B5A550C08068423B75F94A133518FB9B438A94305FFC8D77716066C7C5F31AE688FF7AF6628D304B1D811
Malicious:	false
Preview:	MDMP..a..... .......,..g............d...........P...l............(..........T.......8...........T........... ...........................................................................................................eJ......@.......GenuineIntel............T.......(......g.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6E91.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8278
Entropy (8bit):	3.692179198345257
Encrypted:	false
SSDEEP:	192:R6l7wVeJ6G6sj6YSf6egmfTWHprQ89bgdsfagm:R6lXJT6a6YS6egmfTWngWfc
MD5:	77924EAAC5C36BCD373BD0D56AAF54B3
SHA1:	A220B3AA7EC57F4F31112BED7629CDBD935E34F4
SHA-256:	1AB433FC67A53E5626CC342E04A38419296CA1D8D33C3B3F31B152E4EAABC4FE
SHA-512:	18373D40334CFA83B7F545B9B9A3B2014258DC32B99E1F0A2BEC5DA5F01724AB3CA0FB65739FFC48E16BE1A99755C47319265E6B3EA4CD225FEB4BA8D0580A6A
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.9.7.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6EF0.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4642
Entropy (8bit):	4.448204737710838
Encrypted:	false
SSDEEP:	48:cvIwWl8zsdJg77aI9ViWpW8VY4Ym8M4JCdP5Fniz+q8/6HGScSLd:uIjf3I73j7VcJlztJ3Ld
MD5:	9B15AE47166817A82393FF6A83F1A611
SHA1:	7A8E8960B4FD1D9DAEB380FC6997F91E2387621C
SHA-256:	3697617DED7B9C7D3EA595FFBAECB0C96686D18D8ED05002C98E5FBD4266F5D4
SHA-512:	B515268BCD770A51B3AE8A8AB13DBE60300ACFCB03F8D7A0A55365B39B1842D58731027B8E8A3DC01B50D498C67EDCDC9B2650DE422B7B01D77C85808C66999A
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="808250" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7391.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Apr 16 15:47:58 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	44420
Entropy (8bit):	2.0384754236062594
Encrypted:	false
SSDEEP:	192:5Jc2f1rUXRAd8R6sjO5H47JzgIukXv0CE9z:beRU5Hc5BNXvg
MD5:	C0A283AD45899B16F1B318816CF8D215
SHA1:	040F5BB280BF2CF8C0D2A84EC4C6FAD0405B36AA
SHA-256:	7C6DE2922F1ADBBB9E3DE36F42CC3663157F07713123057F32DD4F8B5E8540E6
SHA-512:	5C028B23329DECF17B64FF2611B8C2654721E64A6976D4F95264A65AAF0DF813CAAA137520735346CAA090F7358F634432845ECB5B0D27ECEDEE264CFE202EAE
Malicious:	false
Preview:	MDMP..a..... ..........g........................P................+..........T.......8...........T.......................................................................................................................eJ......p.......GenuineIntel............T..............g.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER73F0.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8302
Entropy (8bit):	3.6904596882451175
Encrypted:	false
SSDEEP:	192:R6l7wVeJkz6WP6Yc069S21gmfT0HprW89buUsfCW6m:R6lXJY6G6YX6c21gmfT0VuHfCS
MD5:	55BC945204EC1B0CEA551F8426120CC5
SHA1:	B27C4A186FA357CAB2E41AA2229615C641657730
SHA-256:	C0F2055BAE68E979034537783F68F5864C05BCAD034446286333102730588C7E
SHA-512:	30F93669035DA1C80D6EAF4070C8DAFDB12AC4DC1255081E2FF348EE8E3D717F9B2B0BC4AF2E31760DD762A208861BDD56BBB2BE3EB73B239DABA070AFE40964
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.1.0.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7410.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4642
Entropy (8bit):	4.449601654555914
Encrypted:	false
SSDEEP:	48:cvIwWl8zsdJg77aI9ViWpW8VYeDQYm8M4JCdPMKFA+q8/hgXGScSad:uIjf3I73j7Vz5J1j6qJ3ad
MD5:	6EDF443EAE0AF61B1CF22B5477B2ED35
SHA1:	F6953E038AE05C11C2B62972355BDB1126047352
SHA-256:	FF73992D76736E1B35FA0952AE1A20A65B02F41EDB2939776B991EE541ABA2D8
SHA-512:	698E346D12DB52EA2C6EC3296370A9EA9BC80E698ECFB6BC374C9799DBF0F0151BBB1BB967563305039B3CDB1858579BB3B41879CFD831256B564E0D532FE41B
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="808250" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7900.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Apr 16 15:47:59 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	45636
Entropy (8bit):	2.0141043592079986
Encrypted:	false
SSDEEP:	192:QNFQ2f1x3XRAdf5GjO5H47DaVHqLDPrpeJRnX:kvaB5HcDakDProX
MD5:	27536B98ACCF12676E1AD6642A62CF79
SHA1:	6D2F6FB185A873F18DD67EECB06B36EB39EBB982
SHA-256:	2B3006068FBD30176875D525E8C628C3C16E9E85F3FC4AFFA6E0846DBC80E976
SHA-512:	DD877BF3176D2826669C632591B52A6612B292AC27B14AC639FBA689DD2C3FCDF244E1956F0011F60E8193A92A2F863B239D8DEA8A3704A75C73AC92F6F58F4A
Malicious:	false
Preview:	MDMP..a..... ......./..g........................P................+..........T.......8...........T...............t.......................................................................................................eJ......p.......GenuineIntel............T..............g.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER79AD.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8318
Entropy (8bit):	3.6918950204418297
Encrypted:	false
SSDEEP:	192:R6l7wVeJKu6R6Yc269S21gmfTBHprRc89b3qsf0w9m:R6lXJ76R6Yl6c21gmfTB7J3Jfa
MD5:	52762404E13E3A2E7804F5DB1719303D
SHA1:	48F65EDD2AAD553E3C686E76DAFDA7D780AF2E61
SHA-256:	019F683C02307515D1FCCCD3A7B736DC40325A9A1A33AF6BBB05CB1318F32ED5
SHA-512:	87F37D6ACF0BEB04962D38DC93F8DAB725C3B84EB3AFCB2BEF5548718F67B49795695D021741610B71BD84CEA7D242720A05AA534B92A18921BDF71674B6AE74
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.1.6.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER79EC.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4642
Entropy (8bit):	4.44738059739471
Encrypted:	false
SSDEEP:	48:cvIwWl8zsdJg77aI9ViWpW8VYFYm8M4JCdPEFl+q8/6RGScS4d:uIjf3I73j7VhJ7LJ34d
MD5:	D447DF118B6F47E3CE903C1F6DF2E1B7
SHA1:	0765C7D1711EDD1784F8B68674DCD1B02EC21553
SHA-256:	D16E651B2F71836EC76EB0DC83C2EA8439AD74199E7562B560F8BC7654D691CD
SHA-512:	7FFC50E390A1A3C021E2007155522D4B12BE7F17DC7E68A9F934D4A4A479E64F3FF0CBDE222B6F9A05A1AE47B2DA8CB508B33819FFF2A7722A1B5F23B0E38DE7
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="808250" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.469433541876775
Encrypted:	false
SSDEEP:	6144:xIXfpi67eLPU9skLmb0b4QWSPKaJG8nAgejZMMhA2gX4WABlVuNNdwBCswSbf:SXD94QWlLZMM6YFUX+f
MD5:	42ED2F5367ED54ED70CF023F2A600643
SHA1:	DBDD5F1796F1D2DC2068BCEAC7BBCE05F3525EA2
SHA-256:	1167AF9372FDA7CE5A94BE93BBF2725BF97ABD29EF50E64A694B14114D9E44CA
SHA-512:	3C4160973248F5071DC28181AE8AB04DC6EF568D3B61A7C7B0EBA6C0A7255121308230574FCCA7A57925E5F26C8265C46B4A9AEF39832202F9D45D184E1D78FB
Malicious:	false
Preview:	regf:...:....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.n...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.763069093847304
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 95.32% InstallShield setup (43055/19) 4.10% Win16/32 Executable Delphi generic (2074/23) 0.20% Generic Win/DOS Executable (2004/3) 0.19% DOS Executable Generic (2002/1) 0.19%
File name:	hidapi.dll
File size:	6'084'720 bytes
MD5:	9c97d28644225ca0ceebe0304275c8dd
SHA1:	5b53080de0745d6915d6d42fa1e3ff098640d877
SHA256:	cac6a08b3e3ff515cb372a899fd8e22e286bf23edbb030fc85e4aa1ae3abf13c
SHA512:	b17a0f8bf41794561a544ed9bc9a80845b9154ed4b6f25e24af5407d2ef64df4ea1d544fa7f2393b5652bde69a3213f1a55b134d9503f4638f3b9f78eac0e9cd
SSDEEP:	98304:EgzhjDbtjSAieFFuBhSpASC1vtX1I6+Niut2Op1XpqKzqXkg:Embt22FuBhSpASolILtHwK+Ug
TLSH:	B456AF12A341943FE0671A36482BDBE5693AFF2029219D877BB46E4C1F3B7817C26357
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	130b030705070b97

Static PE Info

General

Entrypoint:	0x859f74
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x62B9A0A7 [Mon Jun 27 12:20:55 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	7eee4081299b202f61503a08a2f75524

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 0084E678h
call 00007F39A0AFBBFDh
push 0085A0B0h
call 00007F39A0AFE443h
mov dword ptr [00936F38h], eax
push 0085A0CCh
push FFFFFFFFh
push 00000000h
call 00007F39A0AFD620h
call 00007F39A0AFD78Bh
mov dword ptr [00936F34h], eax
cmp dword ptr [00936F34h], 000000B7h
jne 00007F39A0F4A105h
mov eax, dword ptr [00903220h]
mov eax, dword ptr [eax]
call 00007F39A0AF7E9Eh
push eax
push 0085A104h
call 00007F39A0AFE087h
mov dword ptr [00936F30h], eax
cmp dword ptr [00936F30h], 00000000h
je 00007F39A0F4A09Eh
mov eax, dword ptr [00936F30h]
push eax
call 00007F39A0AFE49Ah
push 00000000h
push 0000F120h
push 00000112h
mov eax, dword ptr [00936F30h]
push eax
call 00007F39A0AFE397h
push 00000000h
mov eax, dword ptr [00903814h]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+00000170h]
push eax
mov eax, dword ptr [00936F38h]
push eax
mov eax, dword ptr [00936F30h]
push eax
call 00007F39A0AFE376h
xor eax, eax
mov dword ptr [00936F34h], eax
jmp 00007F39A0F4A0CEh
mov eax, dword ptr [00903814h]
mov eax, dword ptr [eax]
call 00007F39A0BF112Dh
push 000001F4h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x601000	0x2a8
IMAGE_DIRECTORY_ENTRY_IMPORT	0x537000	0x4844	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x57d000	0x84000
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x53f000	0x3da44	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x53e000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x537d84	0xb04	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x53c000	0x3a6	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x45567c	0x455800	c93991bef8e4589c9a5bb8f7de9c8ac2	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x457000	0x7111c	0x71200	e2293573d3b40f0aac7aa4b990c8a1eb	False	0.9570981526243094	data	7.925779295024618	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x4c9000	0x3ac08	0x3ae00	180e830735098041efda626fb0789dfc	False	0.6547737526539278	data	7.164366988313948	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x504000	0x32f3c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x537000	0x4844	0x4a00	6e812ceac867b0258afd56846e625be4	False	0.29961993243243246	data	5.155481721739914	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0x53c000	0x3a6	0x400	be2a9fe500768400b780dbf99588fb70	False	0.4228515625	data	3.6966529837816386	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x53d000	0x48	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x53e000	0x18	0x200	ebf5f32a4a69d0855b7b1d2ad7fcf11b	False	0.05078125	data	0.190488766434666	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x53f000	0x3da44	0x3dc00	8d04197e88ec787f22fd1b332d93d393	False	0.6043221786437247	data	6.7438052898369065	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
	0x57d000	0x842a8	0x84400	40e614b5bc9a55ec889821d4caac0f0b	False	0.19519619860586013	data	5.458345412243698	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x57fd00	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x57fe34	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x57ff68	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x58009c	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x5801d0	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x580304	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x580438	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_CURSOR	0x58056c	0x134	data	Italian	Italy	0.19805194805194806
RT_CURSOR	0x5806a0	0x134	data	Italian	Italy	0.21428571428571427
RT_CURSOR	0x5807d4	0x134	data	Italian	Italy	0.23376623376623376
RT_CURSOR	0x580908	0x134	AmigaOS bitmap font "(", fc_YSize 4294967169, 3840 elements, 2nd "\377\200\377\377\377\200\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	Italian	Italy	0.3344155844155844
RT_CURSOR	0x580a3c	0x134	AmigaOS bitmap font "(", fc_YSize 4294967280, 3840 elements, 2nd "\377\370?\377\377\374\177\377\377\376\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	Italian	Italy	0.29545454545454547
RT_CURSOR	0x580b70	0x134	AmigaOS bitmap font "(", fc_YSize 4294967295, 3840 elements, 2nd "\377\376\003\377\377\376\003\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	Italian	Italy	0.32142857142857145
RT_CURSOR	0x580ca4	0x134	AmigaOS bitmap font "(", fc_YSize 4294967295, 3840 elements, 2nd "\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	Italian	Italy	0.2564935064935065
RT_CURSOR	0x580dd8	0x134	Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001"	Italian	Italy	0.44155844155844154
RT_CURSOR	0x580f0c	0x134	data	Italian	Italy	0.237012987012987
RT_CURSOR	0x581040	0x134	data	Italian	Italy	0.14285714285714285
RT_CURSOR	0x581174	0x134	data	Italian	Italy	0.4253246753246753
RT_CURSOR	0x5812a8	0x134	data	Italian	Italy	0.4577922077922078
RT_CURSOR	0x5813dc	0x134	data	Italian	Italy	0.43506493506493504
RT_CURSOR	0x581510	0x134	data	English	United States	0.41883116883116883
RT_CURSOR	0x581644	0xb4	Targa image data - RLE 32 x 65536 x 1 +16 "\001"	English	United States	0.5944444444444444
RT_CURSOR	0x5816f8	0x134	Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001"	Italian	Italy	0.44805194805194803
RT_CURSOR	0x58182c	0x134	Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001"	Italian	Italy	0.4805194805194805
RT_CURSOR	0x581960	0x134	data	Italian	Italy	0.24025974025974026
RT_CURSOR	0x581a94	0xcac	data	Italian	Italy	0.028976572133168926
RT_CURSOR	0x582740	0x134	data	Italian	Italy	0.3181818181818182
RT_CURSOR	0x582874	0xcac	data	Italian	Italy	0.034833538840937116
RT_CURSOR	0x583520	0x134	data	Italian	Italy	0.3538961038961039
RT_CURSOR	0x583654	0xcac	data	Italian	Italy	0.03298397040690505
RT_CURSOR	0x584300	0x134	data	Italian	Italy	0.41233766233766234
RT_CURSOR	0x584434	0xcac	AmigaOS bitmap font "(", fc_YSize 0, 3584 elements, 2nd "", 3rd ""	Italian	Italy	0.04901356350184957
RT_CURSOR	0x5850e0	0x134	data	Italian	Italy	0.33116883116883117
RT_CURSOR	0x585214	0xcac	data	Italian	Italy	0.039149198520345256
RT_CURSOR	0x585ec0	0x134	Targa image data - RLE 64 x 65536 x 1 +32 "\001"	Italian	Italy	0.38311688311688313
RT_CURSOR	0x585ff4	0xcac	data	Italian	Italy	0.04099876695437731
RT_CURSOR	0x586ca0	0x134	Targa image data - Mono 64 x 65536 x 1 +32 "\001"	Italian	Italy	0.3051948051948052
RT_CURSOR	0x586dd4	0xcac	Targa image data - Mono 64 x 65536 x 1 +32 "\030"	Italian	Italy	0.03729963008631319
RT_CURSOR	0x587a80	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	Italian	Italy	0.29545454545454547
RT_CURSOR	0x587bb4	0xcac	Targa image data - RGB 64 x 65536 x 1 +32 "\030"	Italian	Italy	0.031442663378545004
RT_CURSOR	0x588860	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	Italian	Italy	0.35714285714285715
RT_CURSOR	0x588994	0xcac	data	Italian	Italy	0.04284833538840937
RT_CURSOR	0x589640	0x134	data	Italian	Italy	0.2824675324675325
RT_CURSOR	0x589774	0x134	data	Italian	Italy	0.3409090909090909
RT_CURSOR	0x5898a8	0xcac	data	Italian	Italy	0.04192355117139334
RT_CURSOR	0x58a554	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	Italian	Italy	0.38311688311688313
RT_CURSOR	0x58a688	0xcac	data	Italian	Italy	0.043773119605425403
RT_CURSOR	0x58b334	0x134	Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001"	Italian	Italy	0.4253246753246753
RT_CURSOR	0x58b468	0xcac	data	Italian	Italy	0.038532675709001235
RT_CURSOR	0x58c114	0x134	data	Italian	Italy	0.2792207792207792
RT_CURSOR	0x58c248	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	Italian	Italy	0.2564935064935065
RT_CURSOR	0x58c37c	0x134	data	Italian	Italy	0.18506493506493507
RT_CURSOR	0x58c4b0	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	Italian	Italy	0.34415584415584416
RT_CURSOR	0x58c5e4	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	Italian	Italy	0.3538961038961039
RT_CURSOR	0x58c718	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	Italian	Italy	0.3344155844155844
RT_CURSOR	0x58c84c	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	Italian	Italy	0.35714285714285715
RT_BITMAP	0x58c980	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x58cb50	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380	English	United States	0.46487603305785125
RT_BITMAP	0x58cd34	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x58cf04	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39870689655172414
RT_BITMAP	0x58d0d4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.4245689655172414
RT_BITMAP	0x58d2a4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5021551724137931
RT_BITMAP	0x58d474	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5064655172413793
RT_BITMAP	0x58d644	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x58d814	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5344827586206896
RT_BITMAP	0x58d9e4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x58dbb4	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.5208333333333334
RT_BITMAP	0x58dc74	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.42857142857142855
RT_BITMAP	0x58dd54	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.4955357142857143
RT_BITMAP	0x58de34	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.38392857142857145
RT_BITMAP	0x58df14	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.4947916666666667
RT_BITMAP	0x58dfd4	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.484375
RT_BITMAP	0x58e094	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	Italian	Italy	0.4224137931034483
RT_BITMAP	0x58e17c	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128			0.4870689655172414
RT_BITMAP	0x58e264	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128			0.3922413793103448
RT_BITMAP	0x58e34c	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.42410714285714285
RT_BITMAP	0x58e42c	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 768, resolution 3780 x 3780 px/m	English	United States	0.14975247524752475
RT_BITMAP	0x58e754	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.5104166666666666
RT_BITMAP	0x58e814	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.5
RT_BITMAP	0x58e8f4	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	English	United States	0.4870689655172414
RT_BITMAP	0x58e9dc	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 768, resolution 3780 x 3780 px/m	English	United States	0.12995049504950495
RT_BITMAP	0x58ed04	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.4895833333333333
RT_BITMAP	0x58edc4	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 768, resolution 3780 x 3780 px/m	English	United States	0.12128712871287128
RT_BITMAP	0x58f0ec	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 768, resolution 3780 x 3780 px/m	English	United States	0.13861386138613863
RT_BITMAP	0x58f414	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 768, resolution 3780 x 3780 px/m	English	United States	0.07054455445544554
RT_BITMAP	0x58f73c	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.3794642857142857
RT_ICON	0x58f81c	0x1f91	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Russian	Russia	0.967949511199109
RT_ICON	0x5917b0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 0	Russian	Russia	0.05487696675736425
RT_ICON	0x5a1fd8	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 0	Russian	Russia	0.07399621610258567
RT_ICON	0x5ab480	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 0	Russian	Russia	0.125
RT_ICON	0x5af6a8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Russian	Russia	0.17147302904564315
RT_ICON	0x5b1c50	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Russian	Russia	0.28588180112570355
RT_ICON	0x5b2cf8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Russian	Russia	0.4081967213114754
RT_ICON	0x5b3680	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Russian	Russia	0.6054964539007093
RT_DIALOG	0x5b3ae8	0x52	data			0.7682926829268293
RT_DIALOG	0x5b3b3c	0x50	data			0.7125
RT_DIALOG	0x5b3b8c	0x3e	data			0.8548387096774194
RT_DIALOG	0x5b3bcc	0x52	data			0.7560975609756098
RT_STRING	0x5b3c20	0x4c	data			0.618421052631579
RT_STRING	0x5b3c6c	0x92	data			0.6438356164383562
RT_STRING	0x5b3d00	0x186	data			0.5743589743589743
RT_STRING	0x5b3e88	0x1ce	data			0.5303030303030303
RT_STRING	0x5b4058	0x144	data			0.5555555555555556
RT_STRING	0x5b419c	0x7e	data			0.6666666666666666
RT_STRING	0x5b421c	0x24	data			0.4166666666666667
RT_STRING	0x5b4240	0x320	data			0.38875
RT_STRING	0x5b4560	0x1f4	data			0.504
RT_STRING	0x5b4754	0x200	data			0.48046875
RT_STRING	0x5b4954	0x1d8	data			0.4766949152542373
RT_STRING	0x5b4b2c	0x2a8	data			0.36617647058823527
RT_STRING	0x5b4dd4	0x24c	data			0.4421768707482993
RT_STRING	0x5b5020	0x1cc	data			0.4956521739130435
RT_STRING	0x5b51ec	0x55c	data			0.38994169096209913
RT_STRING	0x5b5748	0xbcc	data			0.2370860927152318
RT_STRING	0x5b6314	0x384	data			0.45555555555555555
RT_STRING	0x5b6698	0x340	data			0.41947115384615385
RT_STRING	0x5b69d8	0x39c	data			0.34523809523809523
RT_STRING	0x5b6d74	0x374	data			0.43552036199095023
RT_STRING	0x5b70e8	0x384	data			0.3788888888888889
RT_STRING	0x5b746c	0x3fc	data			0.41862745098039217
RT_STRING	0x5b7868	0x15c	data			0.5775862068965517
RT_STRING	0x5b79c4	0xd4	data			0.660377358490566
RT_STRING	0x5b7a98	0x114	data			0.6159420289855072
RT_STRING	0x5b7bac	0x2e8	data			0.4368279569892473
RT_STRING	0x5b7e94	0x418	data			0.36927480916030536
RT_STRING	0x5b82ac	0x348	data			0.3976190476190476
RT_STRING	0x5b85f4	0x3f4	data			0.3241106719367589
RT_STRING	0x5b89e8	0x44c	data			0.3618181818181818
RT_STRING	0x5b8e34	0x390	data			0.38596491228070173
RT_STRING	0x5b91c4	0x378	data			0.3310810810810811
RT_STRING	0x5b953c	0x354	data			0.4061032863849765
RT_STRING	0x5b9890	0xd0	data			0.5721153846153846
RT_STRING	0x5b9960	0xa0	data			0.65
RT_STRING	0x5b9a00	0x2ec	data			0.44786096256684493
RT_STRING	0x5b9cec	0x4a8	data			0.28104026845637586
RT_STRING	0x5ba194	0x314	data			0.434010152284264
RT_STRING	0x5ba4a8	0x2e0	data			0.40625
RT_RCDATA	0x5ba788	0xcbf	PNG image data, 60 x 20, 8-bit/color RGBA, non-interlaced	English	United States	1.0033711308611708
RT_RCDATA	0x5bb448	0xd58	PNG image data, 33 x 33, 8-bit/color RGBA, non-interlaced	Russian	Russia	1.0032201405152226
RT_RCDATA	0x5bc1a0	0xd0d	PNG image data, 33 x 33, 8-bit/color RGBA, non-interlaced	Russian	Russia	1.003292427416941
RT_RCDATA	0x5bceb0	0x82e8	data	English	United States	0.11261637622344235
RT_RCDATA	0x5c5198	0x10	data			1.5
RT_RCDATA	0x5c51a8	0xc80	data			0.5996875
RT_RCDATA	0x5c5e28	0x434	PNG image data, 48 x 16, 8-bit/color RGBA, non-interlaced	English	United States	1.0102230483271375
RT_RCDATA	0x5c625c	0x4b1	PNG image data, 48 x 16, 8-bit/color RGBA, non-interlaced	English	United States	1.0091590341382182
RT_RCDATA	0x5c6710	0x1a1	PNG image data, 48 x 16, 8-bit/color RGBA, non-interlaced	English	United States	1.026378896882494
RT_RCDATA	0x5c68b4	0x671	PNG image data, 48 x 16, 8-bit/color RGBA, non-interlaced	English	United States	1.0066707095209217
RT_RCDATA	0x5c6f28	0x7b1	PNG image data, 48 x 16, 8-bit/color RGBA, non-interlaced	English	United States	1.005586592178771
RT_RCDATA	0x5c76dc	0x4ff9	Delphi compiled form 'TfiePrnForm1'			0.14526449470033703
RT_RCDATA	0x5cc6d8	0x42ee	Delphi compiled form 'TfiePrnForm2'			0.13242675382280844
RT_RCDATA	0x5d09c8	0x52e1	Delphi compiled form 'TfiePrnForm3'			0.15360324268275438
RT_RCDATA	0x5d5cac	0x3aa1	Delphi compiled form 'TfIOPreviews'			0.2214671197281631
RT_RCDATA	0x5d9750	0x391	Delphi compiled form 'TFormFinalSave'			0.6111719605695509
RT_RCDATA	0x5d9ae4	0x3ec8	Delphi compiled form 'TFormFormatsEditor'			0.3662269785963166
RT_RCDATA	0x5dd9ac	0x1a0dd	Delphi compiled form 'TFormPrint'			0.25900278306174274
RT_RCDATA	0x5f7a8c	0x4795	Delphi compiled form 'TfPreviews'			0.24327421555252388
RT_RCDATA	0x5fc224	0xb63	Delphi compiled form 'TProgressForm'			0.6274442538593482
RT_RCDATA	0x5fcd88	0x1b07	Delphi compiled form 'TsCalcForm'			0.17762682468564822
RT_RCDATA	0x5fe890	0x1b8b	Delphi compiled form 'TsColorDialogForm'			0.2479080981421075
RT_GROUP_CURSOR	0x60041c	0x22	data	Italian	Italy	0.9705882352941176
RT_GROUP_CURSOR	0x600440	0x22	data	Italian	Italy	1.0588235294117647
RT_GROUP_CURSOR	0x600464	0x22	data	Italian	Italy	0.9705882352941176
RT_GROUP_CURSOR	0x600488	0x22	data	Italian	Italy	1.088235294117647
RT_GROUP_CURSOR	0x6004ac	0x22	data	Italian	Italy	1.088235294117647
RT_GROUP_CURSOR	0x6004d0	0x22	data	Italian	Italy	0.9705882352941176
RT_GROUP_CURSOR	0x6004f4	0x22	data	Italian	Italy	1.088235294117647
RT_GROUP_CURSOR	0x600518	0x22	data	Italian	Italy	0.9705882352941176
RT_GROUP_CURSOR	0x60053c	0x14	data	Italian	Italy	1.4
RT_GROUP_CURSOR	0x600550	0x22	data	Italian	Italy	1.0588235294117647
RT_GROUP_CURSOR	0x600574	0x22	data	Italian	Italy	0.9705882352941176
RT_GROUP_CURSOR	0x600598	0x22	data	Italian	Italy	0.9705882352941176
RT_GROUP_CURSOR	0x6005bc	0x22	data	Italian	Italy	0.9705882352941176
RT_GROUP_CURSOR	0x6005e0	0x14	data			1.4
RT_GROUP_CURSOR	0x6005f4	0x14	data			1.4
RT_GROUP_CURSOR	0x600608	0x14	data			1.4
RT_GROUP_CURSOR	0x60061c	0x14	data	Italian	Italy	1.4
RT_GROUP_CURSOR	0x600630	0x14	data	Italian	Italy	1.4
RT_GROUP_CURSOR	0x600644	0x14	Lotus unknown worksheet or configuration, revision 0x1	Italian	Italy	1.25
RT_GROUP_CURSOR	0x600658	0x14	data			1.4
RT_GROUP_CURSOR	0x60066c	0x14	data			1.4
RT_GROUP_CURSOR	0x600680	0x14	data			1.4
RT_GROUP_CURSOR	0x600694	0x14	data			1.4
RT_GROUP_CURSOR	0x6006a8	0x14	data			1.4
RT_GROUP_CURSOR	0x6006bc	0x14	data			1.4
RT_GROUP_CURSOR	0x6006d0	0x14	data			1.4
RT_GROUP_CURSOR	0x6006e4	0x14	data			1.4
RT_GROUP_CURSOR	0x6006f8	0x14	data			1.4
RT_GROUP_CURSOR	0x60070c	0x14	data			1.4
RT_GROUP_CURSOR	0x600720	0x22	data			1.1176470588235294
RT_GROUP_CURSOR	0x600744	0x14	Lotus unknown worksheet or configuration, revision 0x1	Italian	Italy	1.3
RT_GROUP_CURSOR	0x600758	0x14	Lotus unknown worksheet or configuration, revision 0x1	Italian	Italy	1.3
RT_GROUP_CURSOR	0x60076c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Italian	Italy	1.3
RT_GROUP_CURSOR	0x600780	0x14	Lotus unknown worksheet or configuration, revision 0x1	Italian	Italy	1.3
RT_GROUP_CURSOR	0x600794	0x14	data			1.4
RT_GROUP_CURSOR	0x6007a8	0x14	data			1.4
RT_GROUP_CURSOR	0x6007bc	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x6007d0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x6007e4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x6007f8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x60080c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x600820	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x600834	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x600848	0x76	data	Russian	Russia	0.7711864406779662
RT_MANIFEST	0x6008c0	0x2f0	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5199468085106383
RT_MANIFEST	0x600bb0	0x352	XML 1.0 document, ASCII text, with CRLF line terminators	Russian	Russia	0.48

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll	LoadStringW, MessageBoxA, CharNextW
kernel32.dll	lstrcmpiA, LoadLibraryA, LocalFree, LocalAlloc, GetACP, Sleep, VirtualFree, VirtualAlloc, GetSystemInfo, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenW, lstrcpynW, LoadLibraryExW, IsValidLocale, GetSystemDefaultUILanguage, GetStartupInfoA, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetUserDefaultUILanguage, GetLocaleInfoW, GetLastError, GetCommandLineW, FreeLibrary, FindFirstFileW, FindClose, CreateDirectoryW, ExitProcess, ExitThread, CreateThread, CompareStringW, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, CreateFileW, CloseHandle
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleW
user32.dll	CreateWindowExW, wvsprintfA, WindowFromPoint, WindowFromDC, WaitMessage, ValidateRect, UpdateWindow, UnregisterClassW, UnionRect, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoW, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCaret, SetWindowRgn, SetWindowsHookExW, SetWindowTextW, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetForegroundWindow, SetFocus, SetCursorPos, SetCursor, SetClipboardData, SetClassLongW, SetCaretPos, SetCapture, SetActiveWindow, SendMessageA, SendMessageW, SendDlgItemMessageW, ScrollWindow, ScrollDC, ScreenToClient, RemovePropW, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageW, RegisterClipboardFormatW, RegisterClassW, RedrawWindow, PtInRect, PostQuitMessage, PostMessageW, PeekMessageA, PeekMessageW, OpenClipboard, OffsetRect, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MoveWindow, MessageBoxIndirectW, MessageBoxW, MessageBeep, MapWindowPoints, MapVirtualKeyW, LoadStringW, LoadKeyboardLayoutW, LoadImageA, LoadIconW, LoadCursorW, LoadBitmapW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsDialogMessageW, IsClipboardFormatAvailable, IsChild, InvalidateRect, IntersectRect, InsertMenuItemW, InsertMenuW, InflateRect, HideCaret, GetWindowThreadProcessId, GetWindowTextLengthW, GetWindowTextW, GetWindowRgn, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropW, GetParent, GetWindow, GetMessageTime, GetMessagePos, GetMessageExtraInfo, GetMessageW, GetMenuStringW, GetMenuState, GetMenuItemRect, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetIconInfo, GetForegroundWindow, GetFocus, GetDlgItemTextA, GetDlgItemTextW, GetDlgItem, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardFormatNameW, GetClipboardData, GetClientRect, GetClassNameW, GetClassLongW, GetClassInfoW, GetCapture, GetAsyncKeyState, GetActiveWindow, FrameRect, FindWindowExW, FindWindowW, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextExW, DrawTextW, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DispatchMessageW, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DestroyCaret, DeleteMenu, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreatePopupMenu, CreateMenu, CreateIconIndirect, CreateIcon, CreateCaret, CreateAcceleratorTableW, CopyRect, CopyImage, CopyIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CharUpperBuffW, CharNextW, CharLowerBuffW, CharLowerW, CallWindowProcW, CallNextHookEx, BringWindowToTop, BeginPaint, AdjustWindowRectEx, ActivateKeyboardLayout
msimg32.dll	AlphaBlend
gdi32.dll	UnrealizeObject, TextOutW, StretchDIBits, StretchBlt, StartPage, StartDocW, SetWorldTransform, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetTextAlign, SetStretchBltMode, SetROP2, SetPixelV, SetPixel, SetPaletteEntries, SetMapMode, SetGraphicsMode, SetEnhMetaFileBits, SetDIBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SetAbortProc, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RoundRect, RestoreDC, ResizePalette, RemoveFontResourceExW, Rectangle, RectVisible, RealizePalette, Polyline, Polygon, PolyBezierTo, PolyBezier, PlayEnhMetaFile, Pie, PatBlt, OffsetWindowOrgEx, OffsetViewportOrgEx, OffsetRgn, MoveToEx, ModifyWorldTransform, MaskBlt, LineTo, LineDDA, LPtoDP, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetViewportOrgEx, GetTextMetricsW, GetTextExtentPointW, GetTextExtentPoint32W, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectW, GetNearestPaletteIndex, GetGraphicsMode, GetGlyphOutlineW, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionW, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetCurrentObject, GetClipRgn, GetClipBox, GetBrushOrgEx, GetBitmapDimensionEx, GetBitmapBits, GdiFlush, FrameRgn, ExtTextOutW, ExtFloodFill, ExtCreateRegion, ExtCreatePen, ExcludeClipRect, Escape, EnumFontsW, EnumFontFamiliesExW, EndPage, EndDoc, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, DPtoLP, CreateSolidBrush, CreateRoundRectRgn, CreateRectRgn, CreatePolygonRgn, CreatePenIndirect, CreatePen, CreatePalette, CreateICW, CreateHalftonePalette, CreateFontIndirectA, CreateFontIndirectW, CreateEnhMetaFileW, CreateEllipticRgn, CreateDIBitmap, CreateDIBSection, CreateDCW, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileW, CombineRgn, CloseEnhMetaFile, Chord, BitBlt, Arc, AddFontResourceExW, AbortDoc
version.dll	VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
kernel32.dll	lstrlenA, lstrcpyW, lstrcmpW, lstrcatA, WritePrivateProfileStringW, WriteFile, WideCharToMultiByte, WaitForSingleObject, WaitForMultipleObjectsEx, VirtualQueryEx, VirtualQuery, VirtualProtect, VirtualFreeEx, VirtualFree, VirtualAllocEx, VirtualAlloc, TryEnterCriticalSection, SwitchToThread, SuspendThread, Sleep, SizeofResource, SignalObjectAndWait, SetThreadPriority, SetThreadLocale, SetLastError, SetFilePointer, SetFileAttributesW, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, RemoveDirectoryW, ReadProcessMemory, ReadFile, RaiseException, QueryPerformanceFrequency, QueryPerformanceCounter, IsDebuggerPresent, OutputDebugStringW, OpenProcess, MultiByteToWideChar, MulDiv, LockResource, LocalUnlock, LocalLock, LoadResource, LoadLibraryExW, LoadLibraryA, LoadLibraryW, LeaveCriticalSection, IsBadReadPtr, InitializeCriticalSection, GlobalUnlock, GlobalSize, GlobalMemoryStatus, GlobalLock, GlobalFree, GlobalFindAtomW, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomW, GetWindowsDirectoryA, GetVersionExW, GetVersion, GetUserDefaultLCID, GetTickCount, GetThreadPriority, GetThreadLocale, GetTempPathW, GetSystemInfo, GetStdHandle, GetProcAddress, GetPrivateProfileStringW, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesA, GetFileAttributesW, GetExitCodeThread, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCPInfo, FreeResource, InterlockedIncrement, InterlockedExchangeAdd, InterlockedExchange, InterlockedDecrement, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FindResourceA, FindResourceW, FindNextFileW, FindFirstFileW, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumResourceTypesA, EnumResourceNamesA, EnumCalendarInfoW, EnterCriticalSection, DeleteFileW, DeleteCriticalSection, CreateThread, CreateMutexW, CreateFileA, CreateFileW, CreateEventW, CreateDirectoryW, CopyFileW, CompareStringW, CloseHandle
advapi32.dll	RegUnLoadKeyW, RegSetValueExW, RegSaveKeyW, RegRestoreKeyW, RegReplaceKeyW, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExW, RegLoadKeyW, RegFlushKey, RegEnumValueW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegConnectRegistryW, RegCloseKey
oleaut32.dll	GetErrorInfo, SysFreeString
ole32.dll	CreateStreamOnHGlobal, OleRegEnumVerbs, IsAccelerator, OleDraw, OleSetMenuDescriptor, OleUninitialize, OleInitialize, CoTaskMemFree, CoTaskMemAlloc, CoCreateInstance, CoGetClassObject, CoUninitialize, CoInitialize, IsEqualGUID
comctl32.dll	InitializeFlatSB, FlatSB_SetScrollProp, FlatSB_SetScrollPos, FlatSB_SetScrollInfo, FlatSB_GetScrollPos, FlatSB_GetScrollInfo, _TrackMouseEvent, ImageList_GetImageInfo, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Copy, ImageList_LoadImageW, ImageList_GetIcon, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_SetOverlayImage, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
kernel32.dll	Sleep
ole32.dll	IsEqualGUID, CLSIDFromString
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
shell32.dll	SHGetFileInfoW, ShellExecuteW, ExtractIconW
shell32.dll	SHGetSpecialFolderPathW
comdlg32.dll	PrintDlgW, ChooseFontW, ChooseColorW, GetSaveFileNameA, GetSaveFileNameW, GetOpenFileNameA, GetOpenFileNameW
winspool.drv	OpenPrinterW, EnumPrintersW, DocumentPropertiesW, ClosePrinter
winspool.drv	GetDefaultPrinterW
ole32.dll	OleUninitialize, OleInitialize, CoCreateInstance
ole32.dll	CoCreateGuid
ole32.dll	FreePropVariantArray, CoTaskMemFree, OleUninitialize, OleInitialize, CoCreateInstance
ole32.dll	IsEqualGUID, StgCreateDocfile, CoTaskMemFree, OleUninitialize, OleInitialize, CoCreateInstance
Advapi32.dll	CryptReleaseContext, CryptDestroyHash, CryptGetHashParam, CryptHashData, CryptCreateHash, CryptAcquireContextA

Exports

Name	Ordinal	Address
hid_close	1	0x402710
hid_enumerate	2	0x401b10
hid_error	3	0x402bd0
hid_exit	4	0x401420
hid_free_enumeration	5	0x401da0
hid_get_device_info	6	0x402960
hid_get_feature_report	7	0x4026d0
hid_get_indexed_string	8	0x4029a0
hid_get_input_report	9	0x4026f0
hid_get_manufacturer_string	10	0x4027b0
hid_get_product_string	11	0x402840
hid_get_serial_number_string	12	0x4028d0
hid_init	13	0x4013d0
hid_open	14	0x401df0
hid_open_path	15	0x401f00
hid_read	16	0x4024c0
hid_read_timeout	17	0x402320
hid_send_feature_report	18	0x402500
hid_set_nonblocking	19	0x4024e0
hid_version	20	0x4013b0
hid_version_str	21	0x4013c0
hid_winapi_get_container_id	22	0x402a00
hid_write	23	0x4021d0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Italian	Italy
Russian	Russia

• loaddll32.exe
• conhost.exe
• cmd.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• WerFault.exe
• WerFault.exe
• WerFault.exe
• WerFault.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe

Click to jump to process

Memory Usage

• loaddll32.exe
• conhost.exe
• cmd.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• WerFault.exe
• WerFault.exe
• WerFault.exe
• WerFault.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Target ID:	0
Start time:	11:47:11
Start date:	16/04/2025
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\hidapi.dll"
Imagebase:	0x7a0000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:47:11
Start date:	16/04/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:47:11
Start date:	16/04/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hidapi.dll",#1
Imagebase:	0xc70000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:47:11
Start date:	16/04/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\hidapi.dll,hid_close
Imagebase:	0x1e0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000003.00000002.1718998180.00000000047B1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:47:11
Start date:	16/04/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\hidapi.dll",#1
Imagebase:	0x1e0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000004.00000002.1719749651.0000000004221000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:47:14
Start date:	16/04/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\hidapi.dll,hid_enumerate
Imagebase:	0x1e0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000007.00000002.1719038974.0000000004721000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:47:17
Start date:	16/04/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\hidapi.dll,hid_error
Imagebase:	0x640000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000008.00000002.1732064823.0000000004571000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	11:47:55
Start date:	16/04/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7968 -s 724
Imagebase:	0x440000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	11:47:55
Start date:	16/04/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 716
Imagebase:	0x440000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	11:47:57
Start date:	16/04/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 8108 -s 724
Imagebase:	0x440000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	11:47:59
Start date:	16/04/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 8160 -s 728
Imagebase:	0x440000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	11:48:01
Start date:	16/04/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_close
Imagebase:	0x1e0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000017.00000002.2502551494.0000000004021000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	11:48:01
Start date:	16/04/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_enumerate
Imagebase:	0x1e0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000018.00000002.2500139149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000018.00000001.1741951778.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	11:48:01
Start date:	16/04/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_error
Imagebase:	0x1e0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000019.00000002.2503289996.0000000003FC1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	26
Start time:	11:48:01
Start date:	16/04/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_write
Imagebase:	0x1e0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000001A.00000001.1754659029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000001A.00000002.2500502017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	11:48:02
Start date:	16/04/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_winapi_get_container_id
Imagebase:	0x1e0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000001B.00000002.2502924761.00000000044F1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	28
Start time:	11:48:02
Start date:	16/04/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_version_str
Imagebase:	0x1e0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000001C.00000002.2503788059.0000000004071000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	29
Start time:	11:48:02
Start date:	16/04/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_version
Imagebase:	0x1e0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000001D.00000001.1892071164.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000001D.00000002.2500737297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	30
Start time:	11:48:02
Start date:	16/04/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_set_nonblocking
Imagebase:	0x1e0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000001E.00000001.1817364369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000001E.00000002.2499868685.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	31
Start time:	11:48:02
Start date:	16/04/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_send_feature_report
Imagebase:	0x1e0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000001F.00000002.2502447548.0000000004271000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	32
Start time:	11:48:04
Start date:	16/04/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_read_timeout
Imagebase:	0x1e0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000020.00000001.1892385941.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000020.00000002.2500030056.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	33
Start time:	11:48:04
Start date:	16/04/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_read
Imagebase:	0x1e0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000021.00000002.2502750467.0000000004351000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	34
Start time:	11:48:04
Start date:	16/04/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_open_path
Imagebase:	0x1e0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000022.00000001.1892139598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000022.00000002.2500040759.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	35
Start time:	11:48:04
Start date:	16/04/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_open
Imagebase:	0x1e0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000023.00000001.1892203798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000023.00000002.2500827944.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	36
Start time:	11:48:04
Start date:	16/04/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_init
Imagebase:	0x1e0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000024.00000002.2503362964.0000000004731000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	37
Start time:	11:48:04
Start date:	16/04/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_get_serial_number_string
Imagebase:	0x1e0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000025.00000001.1892266397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000025.00000002.2501065568.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	38
Start time:	11:48:05
Start date:	16/04/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_get_product_string
Imagebase:	0x1e0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000026.00000002.2500903884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000026.00000001.1892443379.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	39
Start time:	11:48:05
Start date:	16/04/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_get_manufacturer_string
Imagebase:	0x1e0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000027.00000002.2503192278.0000000004691000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	40
Start time:	11:48:05
Start date:	16/04/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_get_input_report
Imagebase:	0x1e0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000028.00000002.2502925309.00000000041D1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	41
Start time:	11:48:05
Start date:	16/04/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\hidapi.dll",hid_get_indexed_string
Imagebase:	0x1e0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000029.00000001.1892321944.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000029.00000002.2500138061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report hidapi.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_22b1de1da1a1c744f42077ffe7b39ed57c765dd_7522e4b5_87d24227-51de-4654-b404-177066ae5055\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_26afe25ca778a3fd3cbaf2dcbce7b2d3cdba1037_7522e4b5_8a9cc253-1938-42b3-a616-ad04c3ecfe4d\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_26afe25ca778a3fd3cbaf2dcbce7b2d3cdba1037_7522e4b5_f172e35a-161e-4548-872e-d4c302cc38f6\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_a0880a966f02c92857af0528cfcfa7d44983357_7522e4b5_afd361e3-84c5-4fb3-8df5-6d0fa12a559c\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER69DD.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6CDB.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6D1B.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6DE4.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6E91.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6EF0.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7391.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER73F0.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7410.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7900.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER79AD.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER79EC.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
hidapi.dll